PRIVACY POLICY

Last Updated: [Insert Date]

Effective Date: [Insert Date]

This Privacy Policy explains how SupplyAlert (“SupplyAlert,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you access or use our Services.

SupplyAlert maintains a privacy program designed to align with generally accepted global privacy principles. Certain jurisdiction-specific rights or obligations described in this Policy apply only if and when SupplyAlert offers its Services in those jurisdictions.

1. WHO WE ARE

SupplyAlert
118 North Bedford

Mount Kisco, NY 10549

United States

Privacy Email: privacy@supplyalert.com

Data Protection Officer (DPO): Hadley Griffin

Email: hadley@supplyalert.com
Phone: +1 313-318-6612

SupplyAlert has not appointed an EU GDPR Article 27 representative, a UK GDPR representative, or a China-based data localization entity. If SupplyAlert expands service availability into those jurisdictions, this Policy will be updated accordingly.

1. SCOPE OF THIS POLICY

This Privacy Policy applies to all personal data processed when you:

• Access or use the SupplyAlert website
• Sign up for an account
• Submit vendor data
• Communicate with us
• Use AI-supported vendor classification features
• Interact with our analytics and security systems
• Make payments processed by Stripe (if applicable)

This Policy does not apply to:

• Third-party websites linking to or from our platform
• Offline interactions not related to our Services
• Employee or job applicant personal data

Service Availability by Jurisdiction.

SupplyAlert does not currently offer its Services to individuals or entities located in the European Union, European Economic Area, United Kingdom, or the People’s Republic of China. Users located in these jurisdictions are not permitted to create accounts or use the Services at this time.

1. KEY DEFINITIONS

To avoid duplication across jurisdictions, these definitions apply globally unless a local law requires a specific definition.

• Personal Data / Personal Information: Any information that identifies or could reasonably identify an individual. Examples: Name, Email, User account details, IP address, Vendor contact data
• Sensitive Personal Data: Depending on law, this may include: Government identifiers, Financial data, Geolocation, Biometric data, Racial/ethnic origin, Health data.

SupplyAlert does not collect sensitive data unless it is voluntarily uploaded as part of vendor data.

• Processing: Any operation performed on personal data, including: collection, storage, analysis, deletion, sharing, or anonymization.
• Controller / Business: SupplyAlert, the entity deciding why and how data is processed.
• Processor / Service Provider: Vendors who process data on our behalf (e.g., Stripe, Google Analytics, hosting providers).

1. CHILDREN’S PRIVACY

Our Services are intended only for users aged 18 and older. We do not knowingly collect personal data from individuals under 18. If we learn that a minor has provided personal information, we will delete it promptly.

For jurisdictions that establish specific age thresholds, including COPPA (under 13), we do not knowingly collect or process personal data belonging to individuals below the applicable age requirement. If such information is identified, we will delete it in accordance with legal obligations.

1. INFORMATION WE COLLECT

SupplyAlert collects only the data necessary to operate and improve our Services. We gather information in four main ways:

• Information You Provide Directly
  • Account Registration: When you create an account, we collect: Full name, Email address, Password (stored in hashed form), Company or vendor details you choose to provide.
  • Vendor Data You Upload: Users may upload vendor-related information to our platform. This may include: Vendor name, Vendor contact details, Email addresses and phone numbers, Business-related documents, Notes or descriptions. We assume you have authority to share any vendor information you submit.
  • Communications: If you contact us, we collect: Your name, Your email address, Content of your message, Any attachments or supporting information.
• Information Collected Automatically
  • Device and Usage Information: When you access the Services, we automatically collect: IP address, Browser type and version, Device identifiers, Operating system, Pages viewed, clicks, and navigation paths, Date, time, and duration of visits. This information helps us operate, secure, and improve the platform.
• Cookies and Tracking Technologies

We use minimal tracking, specifically: Strictly necessary cookies, Analytics cookies (Google Analytics only).

We do not use: Third-party advertising cookies, Retargeting pixels (e.g., Facebook Pixel). Details are provided in the Cookies section.

• Information from Integrations
  • Google Analytics: We collect: Pseudonymized IP address, Device and browser metadata, Usage patterns and interactions. Google does not receive personal data for advertising.
  • Stripe (Payment Processor): Stripe collects payment card data on our behalf. We receive only: Payment confirmation, Transaction status, Non-sensitive billing metadata. SupplyAlert never receives or stores credit card numbers or CVV codes.
• Information Processed Using AI

SupplyAlert uses AI tools to: Categorize vendor data, Suggest vendor classifications, Improve data clarity.

We process: User-submitted vendor content, Metadata about your interactions with the AI system.

We do not: Use AI to profile users, Allow AI models to train on user data outside SupplyAlert, Perform automated decisions with legal impact.

All AI output is subject to human review.

• Information from Third Parties

We do not buy personal data. We receive only: Analytics data from Google, Payment metadata from Stripe.

No other third-party data sources are used.

1. LEGAL GLOBAL STANDARD BASIS FOR PROCESSING

Because we voluntarily comply with global privacy frameworks, we rely on the following legal bases depending on region and purpose:

• Consent

Used for: Analytics cookies, AI-powered features (where required), Any optional personal data you provide. Consent may be withdrawn at any time. Where required under applicable law, we will obtain explicit consent before processing any sensitive personal data. Users should avoid uploading sensitive personal data unless strictly necessary for business purposes and permitted by applicable law.

• Performance of Contract

We use your data to: Provide the Services, Manage your account, Authenticate you, Process payments via Stripe.

• Legitimate Interests

We rely on legitimate interests for: Improving platform functionality, Performing analytics, Preventing fraud or misuse, Ensuring security, Internal administrative purposes. Where required by applicable law, we assess and balance our legitimate interests against individual privacy rights.

• Legal Obligations

We process data to: Comply with accounting and tax laws, Respond to lawful government requests, Maintain required business records.

• Vital Interests

Rarely, we may process data to: Prevent potential harm, Respond to urgent safety concerns.

1. HOW WE USE PERSONAL DATA

SupplyAlert uses personal information solely for the purposes described in this Policy. We do not use data in ways that are incompatible with the purposes for which it was collected.

• To Provide and Operate the Services

We use your information to: Register and manage user accounts, Authenticate access, Store and manage vendor information, Provide platform features and updates, Deliver AI-assisted vendor classification.

• To Improve and Maintain the Platform

We analyze aggregated usage data to: Understand platform performance, Optimize user experience, Fix bugs and troubleshoot issues, Develop new features.

• To Process Payments (via Stripe)

When payments are enabled through the Services: Stripe processes payment card details, We receive transaction confirmation and pricing metadata. We maintain financial records as required by law.

SupplyAlert never receives or stores: Credit card numbers, CVV codes, Bank account numbers.

• To Communicate With You

We may use your information to: Send service-related notifications, Respond to support requests, Provide updates and administrative messages, Address technical issues or security notices.

We do not send marketing emails unless you explicitly opt in.

• To Ensure Security and Prevent Fraud

We process data to: Detect suspicious behavior, Prevent unauthorized access, Monitor usage for potential threats, Investigate or prevent potential harm.

• Data Processing Agreements

We maintain written Data Processing Agreements with all third parties that process personal data on our behalf. These agreements require such parties to protect the information in accordance with applicable privacy laws, limit their use of the data to specific instructions given by SupplyAlert, and notify us promptly of any security incidents. We will inform users in advance where required by law if we add or replace any sub-processor that may process personal data.

• For Legal and Compliance Purposes

We may process data to: Comply with regulatory obligations, Respond to lawful requests, Maintain business records, Enforce our Terms of Service.

1. AUTOMATED DECISION-MAKING & PROFILING

SupplyAlert does not use automated systems to make decisions that produce legal or similarly significant effects.

Our AI tools:

• Assist with vendor data classification
• Provide non-binding suggestions
• Operate under human oversight
• Do not evaluate or profile individuals

We do not conduct:

• Behavioral profiling
• Automated creditworthiness assessments
• Automated eligibility determinations

1. NO SALE OR SHARING OF PERSONAL DATA

SupplyAlert guarantees the following across all global jurisdictions:

• We do not sell personal data: This includes jurisdictions where “sale” is broadly defined, such as California (CCPA/CPRA).
• We do not share personal data for targeted advertising: We do not: Use advertising cookies, Engage in cross-site tracking, Use third-party ad networks, Sell browsing behavior to marketing companies.
• We do not disclose vendor data to third parties: Vendor information you upload is used only within your organization’s SupplyAlert account.
• We do not monetize data: Personal information is never used for revenue generation outside the core service.

Compliance With Global Standards

Our non-sale commitment applies under:

• CCPA/CPRA (California)
• CDPA (Virginia)
• CPA (Colorado)
• CTDPA (Connecticut)
• UCPA (Utah)
• TDPSA (Texas)
• OCPA (Oregon)
• LGPD (Brazil)

SupplyAlert does not engage in any activities that fall within the definitions of “sale,” “sharing,” or “targeted advertising.”

1. HOW WE SHARE PERSONAL DATA

SupplyAlert shares personal information only as necessary to provide the Services and comply with legal obligations. We do not sell or disclose personal data for advertising purposes. We share information exclusively with the following categories of recipients:

• Service Providers/ Processors: These third parties process data solely on our instructions and are bound by strict confidentiality and data protection agreements.
  • Hosting & Infrastructure Providers: We share data with U.S.-based cloud hosting providers to: store platform data, operate our website, ensure performance and reliability
  • Analytics Providers — Google Analytics

We share device and usage data with Google Analytics for: performance measurement, functional insights, aggregate usage statistics.

Google Analytics is configured to: disable advertising features, anonymize IP addresses where required, prevent data sharing for Google Ads purposes.

• Payment Processor- Stripe

Stripe processes: payment card details, transaction data, billing metadata.

SupplyAlert only receives: transaction confirmation, non-sensitive metadata, basic payment status.

• IT, Security & Support Providers

We may use third parties for: cybersecurity services, fraud detection tools, error monitoring, system diagnostics

• Legal Requirements

We may disclose personal data if required by: court orders, subpoenas, government or regulatory authorities. We will notify you where legally permitted.

• Enforcement and Protection

We may disclose data to: investigate and prevent fraud, protect our legal rights, enforce terms of service, protect the safety of users.

• Business Transfers

If SupplyAlert undergoes: a merger, acquisition, financing, or sale of assets personal data may be disclosed under confidentiality obligations. Your data will remain protected by this Policy unless replaced by a successor policy.

1. INTERNATIONAL DATA TRANSFERS

Because SupplyAlert is based in the United States, your information may be transferred to and processed in the U.S., even if you are located in another country. We use robust legal mechanisms to protect data globally.

• Data Storage Location: All data is stored in secure servers located in the United States.
• Brazil (LGPD): Transfers comply with- LGPD-approved clauses, International cooperation frameworks.
• Asia-Pacific Transfers: For Singapore, Japan, Korea, Australia, and India- Contractual safeguards, Encryption, Restricted access controls.
• Additional Safeguards: Depending on jurisdiction: Encryption at rest and in transit, Pseudonymization of analytics data, Vendor security vetting, Internal access controls.
• SupplyAlert is based in the United States, and all data is stored and processed in the U.S. SupplyAlert does not currently offer Services to users located in the European Union, United Kingdom, or the People’s Republic of China. If international transfers become applicable due to future service expansion, SupplyAlert will implement appropriate safeguards and update this Policy as required by law.

1. DATA RETENTION

We retain data only as long as necessary for the purposes described in this Policy or as required by law.

General timeframes:

• Account data: retained while account is active
• Vendor data: retained until deleted by the user
• Analytics data: per Google Analytics retention settings
• Communications: typically up to 24 months
• Payment records: per financial and tax laws

If data is no longer needed, we permanently delete it, or irreversibly anonymize it.

Default Retention Limitation.

Where a user does not actively delete their account or data, SupplyAlert will not retain personal data indefinitely. Personal data associated with inactive accounts may be deleted or anonymized after a reasonable period of inactivity, unless retention is necessary for legal compliance, security, fraud prevention, dispute resolution, or enforcement of contractual obligations.

1. DATA SECURITY

SupplyAlert employs industry-standard technical and organizational measures to safeguard personal data.

Technical Measures

• TLS encryption for all data in transit
• Encryption at rest (where supported)
• Network security and monitoring
• Automated threat detection
• Rate-limiting and intrusion prevention

Organizational Measures

• Limited access based on job role
• Employee confidentiality agreements
• Regular security and privacy training
• Vendor risk assessments
• Incident response protocols

Data Breaches

If a breach occurs, we notify affected individuals and relevant authorities of data breaches in accordance with applicable law and regulatory requirements.

1. GLOBAL PRIVACY RIGHTS

Because SupplyAlert operates globally, we extend a baseline set of privacy rights to all users worldwide, even where not legally required. You may request any of the following:

• Right to Access

You may request copies of the personal data we hold about you.

• Right to Correction

You may request correction of inaccurate, incomplete, or outdated information.

• Right to Deletion/Right to be Forgotten

You may request deletion of:

• Your account
• Vendor data you entered
• Any personal data we hold

We will honor deletion requests unless:

• We must retain data for legal compliance
• Data is needed to resolve disputes
• Data is required to protect security
• Right to Withdraw Consent

If processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time.

• Right to Restrict Processing

In certain jurisdictions, you may request that we temporarily limit processing.

• Right to Data Portability

We can provide your data in a structured, machine-readable format.

• Right to Object

You may object to processing based on:

• Legitimate interests
• Analytics
• Any non-essential purpose
• Right Not to Be Subject to Automated Decision-Making

SupplyAlert does not make automated decisions with legal or significant effects.

• Right to File a Complaint

You may file complaints with:

• Your local data protection authority
• Our DPO at privacy@supplyalert.com

1. HOW TO EXERCISE YOUR RIGHTS

You may submit a rights request through:

• Our data deletion request form 
• Email us at privacy@supplyalert.com

We may require verification of identity to protect user privacy.

Timeframes: We respond to privacy right requests within legally required periods as per applicable law:

• US State Laws: 45 days (extendable once)
• Brazil LGPD: 15 days
• Other global jurisdictions: witn reasonable or statutory periods

1. JURISDICTION-SPECIFIC PRIVACY RIGHTS

Below is a clear breakdown of rights by region.

• California (CCPA/CPRA)

Users have rights to:

• Know what personal information is collected
• Access specific pieces of information
• Delete personal information
• Correct inaccurate information
• Opt out of “sale” or “sharing” of personal data
• Limit use of sensitive personal information
• Non-discrimination

SupplyAlert:

• Does not sell personal data
• Does not share data for targeted advertising
• Does not use sensitive personal information outside permitted purposes
• Oregon (OCPA)

These state laws grant rights to:

• Access
• Correction
• Deletion
• Portability
• Opt out of:
  • • Targeted advertising
    • Sale of personal data
    • Profiling for significant decisions

SupplyAlert does not engage in any targeted advertising, sale, or profiling.

• Canada (PIPEDA)

Users have:

• Right to access
• Right to correct inaccuracies
• Right to meaningful consent
• Right to challenge non-compliance

SupplyAlert follows the ten PIPEDA Fair Information Principles.

• Singapore (PDPA)

Rights include:

• Access
• Correction
• Withdrawal of consent
• Data portability (once regulations take effect)

We follow PDPA’s Notification and Reasonableness Obligations.

• India (DPDP Act)

Users have:

• Right to access personal data
• Right to correction
• Right to deletion
• Right to grievance redressal

No processing of children’s data occurs.

• Japan (APPI)

Rights include:

• Access
• Correction
• Suspension or deletion of use
• Notification of purpose
• Restrictions on cross-border transfers
• South Korea (PIPA)

One of the strictest privacy regimes in the world; rights include:

• Access
• Correction
• Suspension of processing
• Deletion
• Strong data breach safeguards
• Brazil (LGPD)

Users may request:

• Access
• Correction
• Deletion
• Anonymization
• Portability
• Revocation of consent
• Explanation of automated processing

Mandatory response period is 15 days.

• Australia (Privacy Act & APPs)

Users may:

• Access their personal information
• Request corrections
• Expect reasonable protection measures
• Receive notice of cross-border transfers

Future Jurisdictional Rights.

If SupplyAlert expands its Services to jurisdictions with additional statutory privacy rights (such as the European Union, United Kingdom, or the People’s Republic of China), users in those jurisdictions may be entitled to additional rights under applicable law. Any such rights will apply only after SupplyAlert formally offers Services in those regions and updates this Policy accordingly.

1. COOKIES & TRACKING TECHNOLOGIES

SupplyAlert uses a minimal set of cookies to ensure the platform operates securely and efficiently. We do not use cookies for advertising, retargeting, or behavioral profiling.

• Types of Cookies We Use
• Strictly Necessary Cookies

These cookies are essential for: Logging into your account, Security and fraud prevention, Core platform functionality. They cannot be disabled.

• Analytics Cookies (Google Analytics)

Used only to understand:

• Website performance
• User navigation flow
• Aggregate usage statistics
• Page load speeds
• Basic interaction patterns

We configure Google Analytics to:

• Disable advertising features
• Prevent cross-site tracking
• Avoid combining analytics data with third-party datasets
  • Apply IP anonymization and similar privacy protective measures where required by applicable law or platform configuration.
• No Marketing Cookies

SupplyAlert does not use:

• Google Ads cookies
• Facebook Pixel
• LinkedIn Insight Tag
• TikTok Pixel
• Third-party advertising trackers
• Cookie Consent Requirements
• U.S. State Privacy Laws

Consent is not required for analytics cookies under CCPA/CPRA, CDPA, CPA, CTDPA, UCPA, TDPSA, or OCPA, but users may still opt out.

• Canada (PIPEDA)

Consent may be implied or explicit depending on sensitivity and context.

• Singapore, Japan, Korea, Australia

Non-essential cookies require disclosure and, in some cases, express consent.

• Brazil (LGPD)

Analytics cookies typically require consent.

• Managing Cookies

You can manage cookies by adjusting your browser settings. Common paths:

• Chrome: Settings → Privacy and Security → Cookies
• Safari: Preferences → Privacy
• Firefox: Settings → Privacy & Security

You may block all non-essential cookies.

1. GOOGLE ANALYTICS

SupplyAlert uses Google Analytics solely to analyze platform usage and performance.

• Information Collected by Google Analytics
• Pseudonymized IP address
• Browser and device details
• Pages visited and time spent
• Referring source
• General usage behavior

Google Analytics does not receive:

• Usernames
• Email addresses
• Vendor data
• Payment information
• Privacy Controls for Google Analytics

We configure Google Analytics to:

• Disable advertising personalization
• Disable cross-site identifiers
• Prevent data sharing with Google for ads
• Apply IP anonymization for EU/UK users

Users may opt out using:

• Browser settings
• Google Analytics Opt-Out Add-On

1. PAYMENT PROCESSING

If payments are used within the platform, Stripe- our payment portal, processes all financial information.

• Stripe Collects
• Card number
• CVV
• Expiration date
• Billing information
• Fraud-checking metadata

Stripe processes this data under its own privacy policy.

• What SupplyAlert Receives

We only receive:

• Payment confirmation
• Transaction status
• Non-sensitive metadata (e.g., invoice number, amount)

SupplyAlert never stores:

• Card numbers
• CVV codes
• Bank account details
• Stripe Compliance

Stripe is:

• PCI-DSS Level 1 certified
• GDPR compliant
• Globally recognized for secure payment handling

1. DO WE SELL OR SHARE PERSONAL DATA?

No. We want to be absolutely clear:

SupplyAlert does not:

• Sell personal information
• Share personal information for targeted advertising
• Use or disclose data for cross-context behavioral advertising
• Rent, trade, or monetize personal data
• Build advertising profiles
• Use vendor data for any third-party purpose

This applies universally across all global privacy laws, including:

• CCPA/CPRA
• CDPA
• CPA
• CTDPA
• UCPA
• TDPSA
• OCPA
• LGPD

This is a core policy commitment.

1. DATA RETENTION

SupplyAlert retains personal information only as long as necessary for the purposes described in this Policy or as required by law.

• General Retention Periods
• Account Information: Retained for as long as your account is active.
  If you delete your account, we delete or anonymize your data unless retention is legally required.
• Vendor Data: Retained until: You delete it, or you delete your account. You fully control vendor data stored in your account.
• Analytics Data: Retained per Google Analytics settings and applicable legal requirements.
• Communication Records: Emails, support chats, and system messages are retained for up to 24 months, unless longer retention is needed for: Legal compliance, Fraud investigation, Security purposes.
• Payment Metadata: Retained as required by: Tax laws, Accounting standards, Financial compliance regulations.
• Retention Criteria

We consider:

• The purpose for which the data was collected
• Legal requirements in relevant jurisdictions
• Whether data is needed for ongoing obligations
• Security and fraud prevention considerations
• Deletion & Anonymization

When data is no longer needed, we:

• Securely delete the data, or
• Permanently anonymize it so it cannot be linked to any individual

SupplyAlert never re-identifies anonymized data.

1. DATA SECURITY

SupplyAlert applies industry-standard technical and organizational measures to safeguard personal data.

• Technical Safeguards
• Encryption in transit using TLS
• Encryption at rest where supported
• Network firewalls and intrusion detection
• Rate limiting and brute-force prevention
• Monitoring for suspicious activity
• Regular vulnerability testing
• Organizational Safeguards
• Access to data limited to authorized staff
• Confidentiality and security training for employees
• Zero-trust access principles
• Strong authentication requirements internally
• Vendor due diligence and security audits
• Data Breach Protocol

In case of a security incident:

• We investigate promptly
• Contain and mitigate the issue
• Notify users where required
• Notify regulators within required timeframes

Examples of required notice:

• LGPD: “reasonable time”
• Australia, Singapore, Korea, Canada, U.S. States: per local breach laws

SupplyAlert maintains a documented incident response plan.

1. AI USAGE & DATA HANDLING

SupplyAlert uses AI responsibly and transparently.

• What our AI tools do

Our AI functionality is limited to:

• Categorizing vendor information
• Suggesting vendor tags or classifications
• Offering data insights
• Improving system efficiency

AI outputs are assistive, not authoritative.

• What AI does not do

SupplyAlert’s AI systems do not:

• Make decisions with legal or significant effects
• Profile users
• Evaluate individuals
• Generate AI-based eligibility decisions
• Train external models using your data
• Share your data with any machine learning provider

AI processing is always subject to human oversight.

• AI Data Governance

We implement:

• Human review checkpoints
• Transparency of AI methods
• Input and output logging for accountability
• Ethical risk assessments
• Limited retention of AI processing data

Users maintain full control over vendor information.

User data processed through AI-supported features is not used to train external machine learning models and remains within SupplyAlert’s controlled systems. All AI outputs remain subject to human oversight.

1. YOUR RESPONSIBILITIES

To maintain security and compliance, users agree to:

• Protect Account Credentials
• Use strong passwords
• Keep login credentials confidential
• Notify us immediately of unauthorized access
• Ensure Accuracy of Vendor Data

You are responsible for:

• Ensuring you have the right to upload vendor details
• Ensuring vendor data is accurate
• Not uploading sensitive personal data unless required
• Comply with Laws

Users must comply with applicable laws when providing data to SupplyAlert.

• Use the Platform appropriately

Users must not:

• Exploit platform vulnerabilities
• Attempt unauthorized access
• Upload malicious or illegal content

1. EXERCISING YOUR RIGHTS

You may exercise your privacy rights at any time.

• Primary Method (Recommended): Submit a request through our Data Deletion Request Form.
• Alternative Method: Email us at privacy@supplyalert.com

We may require identity verification before fulfilling your request.

• Verification Process

To protect account security, we may verify:

• Account ownership
• Email address associated with the request
• Information needed to confirm identity

We do not use verification data for any other purpose.

• Reasons a request may be declined

We may refuse a request if:

• Identity cannot be verified
• The request is excessive or manifestly unfounded
• Disclosure would violate another person’s privacy
• Data must be retained for legal or business reasons

We will explain the reason for any denial (unless restricted by law).

1. AUTHORIZED AGENTS

In certain jurisdictions (e.g., California), you may appoint an authorized agent to make rights requests on your behalf. Agents must provide:

• Written and signed authorization
• Proof of their identity
• Proof of your identity (unless agent is acting under power of attorney)

SupplyAlert may contact you directly to confirm authorization.

1. APPEALS PROCESS- REQUIRED BY CERTAIN LAWS

Some U.S. state laws require a formal appeals process if we deny your rights request. You may submit an appeal by emailing: privacy@supplyalert.com.

Subject Line: “Privacy Rights Appeal – [Your Full Name]”

Response timeframes (per law):

• Virginia (CDPA): 60 days
• Colorado (CPA): 45 days
• Connecticut (CTDPA): 60 days
• Oregon (OCPA): 45 days
• Texas (TDPSA): Within a reasonable time

If your appeal is denied, you may contact your state’s Attorney General.

1. NON-DISCRIMINATION / NON-RETALIATION

SupplyAlert will never discriminate against you for exercising your privacy rights.

This includes:

• Refusing services
• Providing a different level of service
• Charging different prices
• Imposing penalties

We comply with anti-discrimination provisions in:

• CCPA/CPRA
• LGPD
• Other global privacy laws

This protection applies to all users worldwide.

1. ADDITIONAL RIGHTS AND DISCLOSURES BY REGION

This section addresses important variations in global privacy regulations.

• India (DPDP Act) – Grievance Redressal

Indian users may:

• File grievances regarding data handling
• Request review of automated processing
• Contact our DPO for dispute resolution

We acknowledge grievances within a reasonable timeframe per DPDP guidelines.

• South Korea (PIPA) – High-Security Jurisdiction

Korean regulations require:

• Enhanced cybersecurity practices
• Strict breach reporting rules
• Stronger user control mechanisms

We align with PIPA’s elevated requirements whenever applicable.

• Japan (APPI) – Cross-Border Transfer Notices

APPI requires:

• Notice before transferring data to foreign entities
• Assurance of equivalent protection
• Disclosure of third-party sharing practices

We comply with all APPI transparency requirements.

• Australia (Privacy Act & APPs) – Cross-Border Disclosure

Australia requires:

• Notice before overseas disclosure
• Ensuring recipients comply with APP-equivalent standards
• Reasonable steps to secure personal data

SupplyAlert fulfills these obligations for Australian users.

• Canada (PIPEDA) – Accountability Principle

Under PIPEDA:

• Organizations remain responsible for data handled by processors
• Users may challenge our compliance
• Additional safeguards apply during cross-border transfers

We follow the 10 PIPEDA Fair Information Principles.

1. THIRD-PARTY WEBSITES AND SERVICES

Our Services may contain links to websites, tools, or resources operated by third parties.
These third parties may collect information independently. We are not responsible for:

• Their privacy policies
• Their data collection practices
• Their security measures
• Their content or services

If you follow a link to a third-party website, you do so at your own risk.
We recommend reviewing their privacy policies before providing any personal information.

1. INTERNATIONAL USERS

Although SupplyAlert is headquartered in the United States, we serve users worldwide.

• Users Outside the United States

By using our Services, you acknowledge that:

• Your data will be transferred to, stored in, and processed in the U.S.
• U.S. privacy and data protection laws may differ from those in your country
• We apply global compliance measures to protect your information regardless of your location
• Users in Canada, Australia, Singapore, Japan, Korea & India

We follow regional privacy requirements such as:

• Canada PIPEDA
• Australia Privacy Act / APPs
• Singapore PDPA
• Japan APPI
• Korea PIPA
• India DPDP Act

Each requires safeguards for cross-border transfers and appropriate notice.

• Brazil (LGPD)

We comply with:

• LGPD international transfer rules
• Contractual clauses
• Global cooperation mechanisms

1. CHANGES TO THIS PRIVACY POLICY

SupplyAlert may update this Privacy Policy periodically.

Updates may occur to:

• Reflect changes in law
• Reflect changes to our Services
• Clarify our practices
• Improve transparency
• Notification of Changes

We will update the “Last Updated” date at the top of this Policy. For material changes, we may also:

• Send an email to registered users
• Provide an in-platform notice
• Request renewed consent if required by law
• Material vs. Non-Material Changes

Examples:

Material changes include:

• New categories of personal data collected
• Changes to data sharing practices
• New uses of existing personal data
• Introduction of targeted advertising (we do not do this)

Non-material changes include:

• Formatting improvements
• Clarifications of existing text
• Corrections of typographical errors

1. INTERPRETATION & CONFLICT OF LAWS

If any portion of this Privacy Policy conflicts with:

• Local privacy laws
• Supervisory authority guidance
• Applicable regulations

The stricter requirement will apply for the relevant jurisdiction. Nothing in this Policy limits rights provided under:

• LGPD
• APPI
• PIPA
• Other mandatory privacy laws

1. NO WAIVER

Our failure to enforce any part of this Privacy Policy is not a waiver of our rights.
Any waiver must be explicit and in writing.

1. SEVERABILITY

If any provision of this Privacy Policy is found invalid or unenforceable:

• The remaining provisions will continue in full force
• The invalid provision will be interpreted to best reflect the original intent
• If interpretation is impossible, the clause will be replaced with the closest enforceable alternative

1. ASSIGNMENT

We may assign or transfer this Privacy Policy in connection with:

• A merger
• Acquisition
• Financing
• Corporate restructuring
• Sale of assets

Your information will remain protected under this Policy unless replaced with a successor policy. We will notify users of any ownership changes if legally required.

1. CONTACT US

If you have questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, you may contact us using the information below:

SupplyAlert
118 North Bedford

Mount Kisco, NY 10549

United States

Privacy Email: privacy@supplyalert.com

General Support: [Insert support email if any]

Data Protection Officer (DPO): Hadley Griffin

Email: hadley@supplyalert.com
Phone: +1 313-318-6612

We will respond within the timelines required by applicable law.

1. DATA CONTROLLER INFORMATION

For all users worldwide, the data controller responsible for your information is:

SupplyAlert
118 North Bedford

Mount Kisco, NY 10549

United States

We currently do not maintain:

• An EU GDPR Article 27 representative
• A UK GDPR representative

If these are appointed, we will update this Policy accordingly.

SupplyAlert has not appointed, and does not currently maintain, an EU GDPR Article 27 representative, a UK GDPR representative, or a China-based data localization entity. SupplyAlert does not currently direct, market, or offer its Services to individuals or entities located in these jurisdictions.

1. COMPLAINTS TO SUPERVISORY AUTHORITIES

If you believe your privacy rights have been violated, you may lodge a complaint with your regional authority. Examples include:

• Canada: Office of the Privacy Commissioner (OPC) priv.gc.ca.
• Australia: Office of the Australian Information Commissioner (OAIC) oaic.gov.au.
• Brazil (LGPD): National Data Protection Authority (ANPD).
• Singapore: Personal Data Protection Commission (PDPC).
• Japan: Personal Information Protection Commission (PPC).
• South Korea: Personal Information Protection Commission (PIPC).
• United States: Your State Attorney General (e.g., California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon).

1. GOVERNING LAW

Unless otherwise required by mandatory local law, this Privacy Policy is governed by and interpreted as per the laws of the State of New York, USA. This choice of law does not limit rights granted under mandatory and non-waivable privacy laws applicable to users at the time Services are offered in a given jurisdiction.

1. LANGUAGE AND INTERPRETATION

This Policy may be translated into multiple languages. In cases of conflict the English version prevails. Translations exist only for convenience unless required by local law.

1. ENTIRE AGREEMENT

This Privacy Policy constitutes the complete and exclusive statement of our privacy practices with respect to the Services. It supersedes any prior version of the policy.

1. UPDATES TO THIS PRIVACY POLICY

We may amend this Policy periodically. When updates occur:

• The “Last Updated” date will be updated
• Material changes may prompt additional notice (e.g., email or an in-app banner)
• In certain jurisdictions, we may seek renewed consent

You are encouraged to review this Policy regularly.