Privacy Policy
Effective date: 19 April 2026
This privacy policy explains how Supply Forge collects, uses, stores and shares personal data when you use SupplyForge. It is intended to support UK GDPR and Data Protection Act 2018 transparency requirements for platform users in the UK and, where relevant, the EU.
1. Controller details
- Controller: Supply Forge
- Email: hello@supplyforge.co.uk
- Postal address: [Insert registered office address]
- Company number: [Insert company number]
If you need this notice in another format or need to exercise your rights, contact us using the details above.
2. Personal data we collect
Depending on how you use the platform, we may collect:
- account data such as name, company name, username, email address, telephone number and job title;
- supplier profile data such as location, capabilities, materials, approvals, website, company number, VAT number and service coverage;
- buyer and RFQ data such as company details, RFQ descriptions, deadlines, drawings, technical files and purchase-order related communications;
- quote data such as pricing, notes, lead times, shortlist status and award information;
- billing data such as Stripe customer IDs, subscription status and payment event records. We do not store full payment card details;
- technical and usage data such as login activity, IP-related security logs, browser metadata, file upload records, audit trails and email delivery events.
3. How we collect personal data
We collect personal data directly from you when you create an account, complete a profile, post an RFQ, upload files, submit a quote, request support, correspond with us, or make a payment. We may also receive data from other users on your organisation's behalf and from service providers such as Stripe, hosting providers and email services.
4. Purposes and lawful bases
We use personal data for the following purposes and lawful bases:
- To provide the platform and match buyers with suppliers — contract and legitimate interests.
- To manage accounts, verify businesses, moderate listings and maintain trust and safety — legitimate interests and, where necessary, legal obligation.
- To process subscription billing, administer launch-period access and maintain payment records — contract, legitimate interests and legal obligation.
- To send transactional emails and service notifications — contract and legitimate interests.
- To improve the platform, troubleshoot issues, investigate misuse and secure the service — legitimate interests.
- To comply with legal, regulatory, tax, fraud prevention or law-enforcement requirements — legal obligation and legitimate interests.
- To send optional marketing communications — consent where required, otherwise legitimate interests for limited B2B communications permitted by law.
5. Who we share data with
We may share personal data with:
- other platform users where necessary to operate RFQ, quoting, award and PO workflows;
- Stripe and related payment providers to process subscriptions and manage billing events;
- hosting, infrastructure, analytics, logging, email and support providers that process data on our behalf;
- professional advisers, insurers, auditors and legal or regulatory authorities where necessary.
We do not sell personal data to third parties.
6. International transfers
Where personal data is transferred outside the UK, we will use an appropriate transfer mechanism such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum or other recognised safeguards, as applicable.
7. Retention
We keep personal data only for as long as reasonably necessary for the purposes described above. In practice, this usually means:
- account data: while the account remains active and for a reasonable period afterwards to manage disputes, reactivation, audit and legal obligations;
- RFQs, quotes, awarded-order data and files: while commercially relevant and normally for up to 7 years after the last material activity, unless a longer period is required by law or litigation risk;
- billing and tax records: typically up to 6 years plus the current financial year, or longer where required by law;
- security, email and audit logs: for operational, security and evidential periods appropriate to the service.
8. Security
We use reasonable technical and organisational measures to protect personal data, including access controls, authentication, audit logging, hosting controls and role-based restrictions on RFQ file access. No internet-based service can be guaranteed to be completely secure, so users should also take care with their own credentials and information-sharing practices.
9. Cookies and similar technologies
SupplyForge uses essential session and security mechanisms needed for login, CSRF protection, navigation and service operation. If non-essential analytics or advertising technologies are introduced later, we will update this notice and any related cookie controls as required.
10. Your rights
Depending on the circumstances, you may have rights to access, correct, erase, restrict, object to, or port your personal data, and to withdraw consent where consent is relied on. You also have the right to lodge a complaint with the UK Information Commissioner's Office.
ICO contact details are available via the ICO website. We would appreciate the chance to resolve concerns first, but you are not required to do so.
11. Children
SupplyForge is intended for business users and is not designed for children.
12. Changes to this policy
We may update this privacy policy from time to time. The latest version will be published on the platform with the effective date shown at the top of this page.
13. Contact and complaints
Questions, access requests or complaints about personal data should be sent to hello@supplyforge.co.uk.