Privacy Policy
Last updated: February 9, 2026
1. Introduction
SupplierDataStatement.com ("we", "us", "our", or the "Platform") is a self-service emissions documentation tool that generates Scope 3 emissions data statements. This Privacy Policy explains how we collect, use, store, share, and protect information when you access or use our website at www.supplierdatastatement.com and related services (collectively, the "Service").
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not use the Service.
2. Information We Collect
2.1 Information You Provide
- Account information: Email address, full name, and a hashed password when you register.
- Company information: Company name, registration number, industry sector, company size, address, country, and contact details (name, email, phone).
- Emissions data: Energy consumption, fuel usage, material inputs, transport logistics, and waste/water data that you enter through our statement wizard. This data is stored as structured JSON in our database.
- Payment information: Transaction identifiers, amounts, and currency. We do not store full credit card numbers, CVVs, or bank account details. All payment processing is handled by our third-party payment processors (Razorpay and/or Stripe).
2.2 Information Collected Automatically
- Usage analytics: We use Vercel Analytics, Vercel Speed Insights, and Google Analytics (measurement ID: G-EKKRB8HQ40) to collect anonymous usage data including page views, session duration, referral sources, browser type, device type, and approximate geographic location (country/city level).
- Server logs: IP address, request timestamps, HTTP method, URL path, response status codes, and user-agent strings for security monitoring and abuse prevention.
- Cookies & local storage: We use HTTP-only secure cookies for authentication session management. We do not use advertising or tracking cookies. Third-party analytics services may set their own cookies subject to their respective privacy policies.
2.3 Information from Third Parties
We may receive transaction status updates and payment confirmation data from our payment processors (Razorpay and Stripe) via secure webhooks.
3. How We Use Your Information
We use your information strictly for the following purposes:
- Service delivery: To create your account, generate emissions data statements, perform Scope 3 emissions calculations, produce PDF/CSV deliverables, and process payments.
- Transactional communications: To send email verification, password reset emails, payment confirmations, and statement delivery notifications via our email provider (Resend).
- Security & integrity: To generate SHA-256 integrity hashes for your statements, detect fraud, prevent abuse, enforce rate limits, and maintain audit logs.
- Service improvement: To analyse anonymous, aggregated usage patterns and improve the Platform's performance and user experience.
- Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
We do not sell, rent, or trade your personal information or emissions data to any third party for marketing or advertising purposes. Ever.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal bases for processing your personal data are:
- Contractual necessity (Art. 6(1)(b) GDPR): Processing required to fulfil our contract with you — creating accounts, generating statements, processing payments.
- Legitimate interests (Art. 6(1)(f) GDPR): Security monitoring, fraud prevention, audit logging, and anonymous analytics to improve the Service.
- Legal obligation (Art. 6(1)(c) GDPR): Where processing is required by applicable law (e.g., financial record-keeping).
- Consent (Art. 6(1)(a) GDPR): Where required by law for non-essential cookies or communications. You may withdraw consent at any time.
5. Data Sharing & Third-Party Processors
We share your data only with the following categories of service providers, each bound by data processing agreements:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase (AWS) | Database hosting & file storage | All account, company, statement, and document data |
| Vercel | Application hosting & analytics | Request logs, anonymous usage analytics |
| Razorpay / Stripe | Payment processing | Transaction amounts, contact details for payment prefill |
| Resend | Transactional email delivery | Email address, email content |
| Google Analytics | Website analytics | Anonymous usage data, IP (anonymised) |
We will not disclose your information to any other third party unless (a) required by law, subpoena, or court order; (b) necessary to protect our rights, property, or safety; or (c) with your explicit written consent.
6. Data Retention
- Account data: Retained for as long as your account is active. Upon account deletion, personal data is permanently deleted within 30 days, except where retention is required by law.
- Statement & calculation data: Retained for a minimum of 7 years from the date of creation to support audit and compliance obligations under CSRD and applicable financial regulations.
- Payment records: Retained for 7 years as required by financial record-keeping regulations.
- Audit logs: Retained for 3 years for security and dispute resolution purposes.
- Analytics data: Anonymous, aggregated analytics are retained indefinitely. Individual session data is governed by each analytics provider's retention settings.
7. Data Security
We implement the following security measures to protect your data:
- Passwords are hashed using bcrypt with per-user salts — we never store plaintext passwords.
- Authentication tokens are signed using HMAC-SHA256 (JWT via the jose library).
- All data in transit is encrypted via TLS 1.2+.
- Database access is restricted to service-role credentials with Row Level Security (RLS) policies.
- Statement documents are stored in a private storage bucket inaccessible to the public.
- Each generated statement includes a SHA-256 integrity hash for tamper detection.
- Rate limiting is applied to authentication endpoints to prevent brute-force attacks.
- HTTP-only, Secure, SameSite cookies are used for session tokens.
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Portability: Receive your personal data in a structured, machine-readable format (CSV export is available for statement data).
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@supplierdatastatement.com. We will respond within 30 days (or as required by applicable law).
9. International Data Transfers
Your data may be processed and stored in servers located outside your country of residence, including in the United States (Vercel, Supabase on AWS) and India (Razorpay). Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) or the service provider's certification under applicable data transfer frameworks.
10. Children's Privacy
The Service is intended for business users and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
12. Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@supplierdatastatement.com
- Website: www.supplierdatastatement.com
If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.