Privacy Policy

Last updated: 18 May 2025

SupplySignal is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store and share information when you use the SupplySignal platform and website. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

SupplySignal is a UK-based platform for third-party supplier risk intelligence. We are the data controller for personal data collected through our website at supplysignal.co.uk and our application at app.supplysignal.co.uk.

If you have any questions about this Privacy Policy or how we handle your data, you can contact our team at hello@supplysignal.co.uk.

2. What Data We Collect

We collect and process the following categories of personal data:

Account and registration data

  • Name and email address provided during registration
  • Organisation name and details
  • User role and team information

Payment and billing data

  • Billing contact name and email address
  • Payment method details (processed and stored by our payment provider, Stripe, and not stored on our systems)
  • Transaction history and subscription records

Platform usage data

  • Supplier data you upload, including company names and related corporate information
  • Monitoring activity, alerts reviewed, and compliance decisions recorded in the audit trail
  • Log data, including IP addresses, browser type, device identifiers and access timestamps

Communications

  • Messages you send us via the contact form or by email
  • Support desk communications within the platform

Publicly sourced data

  • We retrieve information about companies and individuals from public sources including Companies House, official sanctions lists (such as OFSI and OFAC) and publicly available news sources. This may include names of company directors, persons with significant control, and beneficial owners.

3. How We Use Your Data

We use your personal data for the following purposes and on the following legal bases:

| Purpose | Legal basis (UK GDPR) |
| --- | --- |
| To provide and operate the Service | Performance of a contract (Art. 6(1)(b)) |
| To process subscription payments | Performance of a contract (Art. 6(1)(b)) |
| To provide customer support | Performance of a contract (Art. 6(1)(b)) |
| To improve and develop the Service | Legitimate interests (Art. 6(1)(f)) |
| To send important service and account notifications | Performance of a contract / Legitimate interests |
| To detect fraud and maintain platform security | Legitimate interests (Art. 6(1)(f)) |
| To comply with legal obligations | Legal obligation (Art. 6(1)(c)) |

We will not use your data for direct marketing without your consent. If you have given consent, you can withdraw it at any time by contacting us at hello@supplysignal.co.uk.

4. Supplier Data and Third-Party Individuals

The core function of SupplySignal involves processing publicly available data about companies and individuals associated with those companies (directors, persons with significant control, beneficial owners). This data is sourced from public registers and official watchlists.

The legal basis for processing this publicly sourced data is our legitimate interests and those of our customers in meeting their legal and regulatory obligations relating to sanctions compliance, anti-money laundering, and supply chain due diligence.

If you are an individual whose information appears in our platform as a result of a public register or sanctions list, you have certain rights under the UK GDPR (see Section 8). Please note that some processing of this data may be necessary for our customers to comply with their legal obligations under anti-money laundering and sanctions legislation.

5. Cookies and Tracking

Our public website (supplysignal.co.uk) does not currently use cookies, analytics scripts, or any third-party tracking technologies. We do not place advertising cookies or use fingerprinting techniques.

Our application (app.supplysignal.co.uk) may use strictly necessary session cookies to keep you logged in. These cookies are essential to the operation of the Service and do not require your consent under the UK PECR.

If we introduce analytics or other non-essential cookies in the future, we will update this policy and implement a consent mechanism before doing so.

6. Who We Share Data With

We do not sell your personal data. We share data only with the following categories of third parties and only to the extent necessary:

  • Stripe: our payment processor. Stripe processes payment card data on our behalf and is subject to its own privacy policy and PCI DSS compliance obligations.
  • Cloud infrastructure providers: we host the platform on cloud infrastructure based in the UK or EEA. These providers act as data processors under appropriate data processing agreements.
  • Companies House and public data sources: we query public databases to retrieve corporate and individual information for risk intelligence purposes.
  • Legal and regulatory authorities: we may disclose data where required by law, court order or a regulatory authority.

7. International Data Transfers

We store and process data in the United Kingdom and European Economic Area. If we ever transfer personal data to countries outside the UK or EEA, we will ensure that appropriate safeguards are in place, such as UK International Data Transfer Agreements (IDTAs) or UK adequacy decisions, in accordance with the UK GDPR.

8. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access: to request a copy of the personal data we hold about you.
  • Right to rectification: to request correction of inaccurate or incomplete data.
  • Right to erasure: to request deletion of your personal data in certain circumstances.
  • Right to restrict processing: to request that we limit how we use your data.
  • Right to data portability: to receive your data in a structured, machine-readable format.
  • Right to object: to object to processing based on legitimate interests.
  • Rights related to automated decision-making: we do not make solely automated decisions that produce legal or similarly significant effects on individuals.

To exercise any of these rights, contact us at hello@supplysignal.co.uk. We will respond within one calendar month. We may need to verify your identity before processing your request.

9. Data Retention

We retain account and billing data for the duration of your subscription and for up to 6 years afterwards to comply with UK tax and accounting obligations. Platform usage and audit log data is retained for the duration of your subscription and for 30 days after termination, after which it is securely deleted or anonymised. Contact form submissions are retained for up to 24 months.

10. Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These include encryption in transit (TLS) and at rest, access controls, and regular security reviews. Payment card data is never stored on our servers; it is handled directly by Stripe.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, notify affected individuals without undue delay.

11. Children

The Service is not directed to children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

12. Complaints

If you have a concern about how we handle your personal data that we are unable to resolve, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: ico.org.uk

Helpline: 0303 123 1113

13. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify registered users by email before the changes take effect. The current version will always be available at supplysignal.co.uk/privacy.

14. Contact

For all data protection enquiries, please contact us at hello@supplysignal.co.uk.