Privacy Policy
Last updated: 13 April 2025
This Privacy Policy explains how CounterCarbon Ltd ("we", "us", "our"), company number 17061500, registered in England and Wales, collects, uses, and protects personal data when you use SupplyFi ("the Service"). We are the data controller for personal data processed under this policy.
We are committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. What data we collect
We collect the following categories of personal data:
- Account data: name, email address, job title, and organisation name provided at registration.
- Authentication data: login credentials managed by Clerk (our authentication provider). We do not store passwords directly.
- Product submission data: product information, dimensions, compliance details, and other data submitted through the platform by suppliers.
- Usage data: pages visited, features used, timestamps, IP addresses, and browser information collected automatically.
- Billing data: payment and subscription information processed by Stripe. We do not store full card details.
- Communications data: emails and messages you send to us.
2. How we use your data
We process your personal data on the following legal bases:
- Contract performance: to provide the Service you have subscribed to, including account management, platform access, and support.
- Legitimate interests: to improve the Service, prevent fraud, ensure security, and send product updates relevant to your use of SupplyFi.
- Legal obligation: to comply with applicable law, including tax and financial reporting obligations.
- Consent: to send marketing communications where you have opted in.
3. Data sharing and sub-processors
We share your data only with trusted third-party services necessary to operate the platform:
- Clerk — authentication and session management
- Supabase — database hosting (your data is stored in an isolated database per organisation)
- Vercel — application hosting and deployment
- Stripe — payment processing and billing
- Resend — transactional email delivery
- Inngest — background job processing
All sub-processors are required to process data in accordance with UK GDPR. We do not sell your personal data to any third party.
4. Data storage and transfers
Your data is stored on servers located within the European Economic Area (EEA) or the United Kingdom. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms.
Each customer organisation's data is stored in a fully isolated database. No data is shared between separate customer organisations.
5. Data retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon termination of your subscription, we will retain data for 90 days before deletion, unless you request earlier deletion or we are required to retain it by law (e.g. for tax purposes, typically 6 years under UK law).
6. Your rights
Under UK GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten"), subject to legal obligations.
- Restriction: request that we restrict processing of your data in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests or for direct marketing.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@supplyfi.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
We use cookies and similar technologies to operate and improve the Service. See our Cookie Policy for full details.
8. Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
9. Children
The Service is intended for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice in the platform at least 14 days before they take effect.
11. Contact
CounterCarbon Ltd
Company No. 17061500
Registered in England and Wales
Email: privacy@supplyfi.co.uk