SupplyDesk website

Privacy Policy

Effective July 17, 2026 · Version v2026.1

1. Scope and who is responsible

This Privacy Policy explains how SupplyDesk ("SupplyDesk", "we", "us", or "our") handles personal information in the SupplyDesk application, supplier dashboards, buyer portals, support channels, and related services. SupplyDesk is currently the operator's trading name and is the organization responsible for the account, billing, security, support, and direct-use information described below.

A supplier using SupplyDesk generally decides why and how its buyer, contact, catalog, pricing, quote, and order data is used. For that Customer Data, the supplier is the organization responsible for the information and SupplyDesk processes it on the supplier's instructions to provide the Service. Buyers should contact their supplier first about the supplier's business records or decisions.

2. Personal information we collect

Depending on how you use the Service, we collect:

  • Account and identity data: name, business email, company name, role, account identifiers, authentication status, and password credentials handled in hashed form by Supabase.
  • Supplier and buyer business data: contact details, addresses, catalog items, SKUs, prices, stock quantities, buyer access rules, RFQs, quotes, orders, purchase-order references, notes, invoices, and uploaded files.
  • Billing data: Stripe customer and subscription identifiers, plan and payment status, invoice metadata, card brand, and last four digits. Stripe—not SupplyDesk—collects full card details.
  • Integration data: QuickBooks company identifiers, encrypted OAuth credentials, connection status, and the catalog, customer, inventory, and invoice data selected for sync.
  • Device and security data: IP address, approximate country, browser and device details, timestamps, authentication events, request metadata, and security and error logs.
  • Legal records: the version and time of Terms acceptance and Privacy Policy acknowledgement, IP address, approximate country, acceptance source, and user agent.
  • Communications: support messages and transactional email delivery details.
  • Optional analytics: page views and limited product-usage information collected through PostHog only after you allow analytics.

3. How information is collected

  • directly from you when you register, accept an invitation, configure an account, order, or contact us;
  • from the supplier that creates or manages a buyer or team-member account;
  • automatically from your browser, device, and interactions with the Service;
  • from connected services such as QuickBooks Online and Stripe at your or the supplier's direction; and
  • from infrastructure and security providers that operate requests, authentication, email, and error logs.

4. Why we use personal information

  • create and secure accounts, authenticate users, and enforce permissions;
  • provide supplier dashboards, buyer portals, catalogs, pricing, ordering, RFQs, quotes, and integrations;
  • process subscriptions, taxes, invoices, and billing administration;
  • send invitations, password actions, receipts, order updates, and other transactional communications;
  • detect abuse, investigate incidents, debug errors, maintain availability, and protect users and the Service;
  • provide support, improve functionality, and understand product usage where analytics is allowed;
  • keep evidence of contracts and legal-policy acceptance; and
  • comply with legal obligations and establish, exercise, or defend legal claims.

5. Legal grounds where GDPR or UK GDPR applies

We rely on the ground appropriate to each activity:

  • Contract: account administration and processing needed to provide the Service requested by a customer or authorized user.
  • Legitimate interests: B2B service operations, security, fraud prevention, support, service improvement, and protecting legal rights, balanced against individual rights.
  • Legal obligation: tax, accounting, regulatory, and lawful-request requirements.
  • Consent: optional analytics and any other processing clearly presented as optional. Consent can be withdrawn without affecting earlier lawful processing.

Accepting the Terms is a contract action. Acknowledging this Privacy Policy confirms that the notice was presented; it is not bundled consent for optional analytics.

6. Service providers and disclosures

We disclose only information reasonably needed for the purpose. Providers may include:

  • Supabase: database, authentication, and file storage;
  • Vercel: application hosting, delivery, request routing, and platform logs;
  • Stripe: subscription checkout, billing, payment, and tax-related processing;
  • Resend: transactional email delivery;
  • Intuit QuickBooks Online: customer-enabled accounting integration;
  • Sentry: application error and performance diagnostics when configured; limited session-replay samples used to diagnose failures are captured only after you allow analytics;
  • PostHog: optional product analytics after permission is granted;
  • Cloudflare: optional Turnstile bot protection when configured; and
  • Upstash Redis: temporary rate-limit and abuse-protection counters keyed by hashed identifiers such as IP or email.

We may also disclose information to professional advisers under confidentiality, in a corporate transaction, to comply with valid legal process, or where reasonably necessary to protect rights, safety, and security. We do not sell personal information. We do not share personal information for cross-context behavioural advertising.

7. QuickBooks Online

When an authorized supplier connects QuickBooks, SupplyDesk receives authorization to access the selected QuickBooks company. The Service may read and synchronize item, SKU, category, price, quantity-on-hand, customer, and invoice information and may create invoices only when an authorized supplier initiates or enables that workflow. OAuth access and refresh tokens are encrypted at rest using authenticated encryption. Disconnecting stops future API access, subject to token revocation and records already lawfully retained.

8. International processing

SupplyDesk and its providers may process information in Canada, the United States, India, the European Economic Area, or other countries where they operate. Those countries may have different privacy laws, and lawful authorities may access information under local law. Where required, we use contractual and organizational measures intended to provide an appropriate level of protection. Contact us for information about safeguards relevant to your data.

9. Retention

We retain information only for as long as reasonably needed for the purposes described here. Retention depends on the account and subscription lifecycle, the type and sensitivity of data, customer instructions, backup cycles, security needs, contractual commitments, and tax, accounting, dispute, and legal requirements. Legal-acceptance records may be retained for the applicable limitation period as evidence of the agreement. Data no longer needed is deleted, de-identified, or isolated from routine use.

Suppliers control many buyer and business records. A buyer deletion request may therefore need to be handled by the supplier, while we assist as appropriate.

10. Security and incident response

Safeguards include encrypted transport, Supabase row-level security, role-based authorization, protected administrative credentials, rate limiting, security headers, audit records, and AES-256-GCM encryption for QuickBooks OAuth tokens. Access is limited according to operational need. No method of storage or transmission is completely secure.

We investigate suspected personal-data incidents and notify affected customers, individuals, or authorities when required by applicable law. Please report suspected security issues to support@supplydesk.ca.

11. Your privacy choices and rights

Subject to applicable law and exceptions, you may ask to access, correct, delete, or obtain a copy of personal information; restrict or object to processing; withdraw consent; or complain to a privacy or data-protection authority. You may change optional analytics choices through the Cookie Policy. We may verify identity and authority before acting and may retain information where lawfully required.

Canadian residents may challenge compliance with applicable private-sector privacy law. EEA and UK residents may complain to their local supervisory authority. Residents of US states with applicable privacy laws may exercise the rights available in their state and appeal a refusal where required. Individuals covered by India's Digital Personal Data Protection framework may exercise applicable access, correction, erasure, grievance, and consent-withdrawal rights as its provisions apply.

Submit a request to support@supplydesk.ca. We will respond within the period required by the law that applies.

12. Cookies and similar technologies

Essential authentication, security, and preference technologies make the Service work. Optional PostHog analytics remains disabled unless you allow it. Our Cookie Policy explains the technologies, purposes, durations, and available controls.

13. Children

The Service is a business product and is not directed to children or individuals under 18. We do not knowingly collect children's personal information through account registration. Contact us if you believe a child has provided personal information.

14. Changes to this Policy

We may revise this Policy to reflect changes in the Service, providers, or law. We will publish the version and effective date and give additional notice of material changes where appropriate. If a change requires renewed acknowledgement or consent, we will request it before the relevant processing continues.

15. Contact and complaints

The person responsible for privacy inquiries can be reached at support@supplydesk.ca. Please include enough information to understand the request, but do not email passwords, payment-card details, OAuth tokens, or other secrets.

SupplyDesk is currently identified by its trading name. Legal-entity, registered-address, and any formally appointed grievance or data-protection contact details will be added when incorporation and appointments are completed.