Privacy Policy

Last updated: 2026-04-24 · v2.0

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:
suPlay BV
Enschede, The Netherlands
KvK 70176264 · BTW NL858175691B01
Email: info@suplay.nl

For survey content that a buying firm (our customer) processes about its suppliers and respondents, suPlay acts as a processor under Art. 28 GDPR; the buying firm is the controller. See the Data Processing Agreement for terms.

2. Categories of personal data

Account data — email, name, password hash, role, membership in firms and consultancies.
Authentication and session data — session cookie (SSA_SESSID), last login time, IP address of the login request.
Survey response data — answers to supplier-satisfaction questionnaires. Depending on the survey's anonymity setting, responses may be fully anonymous, tracked anonymously by invitation token, or linked to a named supplier contact.
Invitation data — recipient email, name, and invitation token for personalized survey links.
Billing data (only when billing is enabled) — payer identifier, transaction history, company name and VAT ID captured at checkout.
Technical log data — IP address, user-agent, requested URL, response code, timestamp; kept in web server logs for at most 90 days.

3. Purposes and legal bases (Art. 6 GDPR)

Purpose	Legal basis
Operating the platform (authentication, survey distribution, analysis, reporting)	Contract, Art. 6(1)(b)
Billing and accounting	Contract (Art. 6(1)(b)); legal obligation for tax records (Art. 6(1)(c); Dutch tax law)
Security logging, abuse prevention, audit trail	Legitimate interest, Art. 6(1)(f)
Transactional email (invitations, password reset, account notifications)	Contract, Art. 6(1)(b)
Anonymized/aggregated academic research on buyer-supplier relationships	Legitimate interest, Art. 6(1)(f) — only on data that can no longer identify individuals

We do not use your data for profiling, advertising, or automated decision-making with legal effect.

Research opt-out. You may object to the research use of anonymized data at any time by emailing info@suplay.nl. Because research data is anonymized at extraction, opt-out applies to future extractions; already anonymized datasets cannot be tied back to an individual.

4. Recipients and subprocessors

We share personal data only with the subprocessors listed at /subprocessors, all of which process data on our behalf under GDPR-compliant contracts. We do not sell or rent personal data.

Categories of recipients:

Hosting and backups — TransIP (NL), Scaleway (NL).
Transactional email — Resend, Inc. (US, Standard Contractual Clauses).
Billing — PayPal (Europe) S.à r.l. (LU); only when subscription billing is enabled on your account.
Error monitoring — Sentry (EU region, Frankfurt) for application error traces.

5. International transfers

Where subprocessors are located outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary safeguards. See the subprocessors page for the per-vendor list.

6. Retention

Active account data: kept while your account is active.
Server logs: 90 days.
Backups: 30 days rolling; encrypted.
Billing records: 7 years (Dutch tax law).
Survey responses: retained by the buying firm as controller. On customer request or account closure of the buying firm, data is deleted or anonymized within 30 days.
After account deletion: personal data is erased within 30 days (grace period 7 days, then scheduled job). Fully anonymized data may be retained for research.
Inactive accounts: automatically deleted after 24 months of inactivity, with a warning email at 23 months.

7. Cookies

This application uses only essential cookies required for the platform to function:

SSA_SESSID — session cookie, expires on logout or inactivity.
ssa_sidebar_collapsed — UI preference, one year.
cookie_notice_dismissed — records dismissal of the cookie notice, one year.

We do not use tracking, analytics, or marketing cookies. When subscription billing is enabled, the PayPal checkout popup may set cookies under the paypal.com domain during a transaction only; these are loaded only after you click Subscribe (consent by action).

8. Your rights (GDPR Art. 15–22)

You have the right to:

access, rectify, or erase your personal data;
restrict or object to processing;
receive your data in a portable format;
withdraw any consent you have given, without affecting the lawfulness of processing before withdrawal;
lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens.

Self-service access, export, and deletion are available on your account page at /admin/profile once you are logged in. For requests you cannot complete in-platform, email info@suplay.nl. We respond within one month per Art. 12(3).

9. Security

We protect personal data with HTTPS, bcrypt password hashing, hardened server configuration (SELinux, fail2ban), encrypted off-site backups, role-based access control, and least-privilege access for staff. Survey responses can be configured as fully anonymous. See /security for a summary of technical and organizational measures.

10. Data breach notification

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the Dutch supervisory authority within 72 hours and affected data subjects without undue delay, as required by Art. 33–34 GDPR.

11. Changes to this policy

We may update this privacy policy. The version and date at the top of the page indicate the current revision. Material changes are announced by email or in-platform notice before taking effect.

← Back