Last updated: 1 June 2025 · Contact: privacy@supplira.io
Supplira is a supplier risk management platform operated by a legal entity registered in Sweden (reg. no. 559458-4533). References to "Supplira", "we", "us", or "our" in this policy refer to that entity.
For data protection purposes, we act as a data controller for personal data we collect in connection with your use of the Supplira website and account management. For personal data you submit to the platform as part of your supplier risk workflow, we act as a data processor on your behalf — governed by our Data Processing Agreement.
When you create a Supplira account, we collect your name, work email address, and company name. If you contact us, we collect the content of your message and the email address you use.
We collect data about how you use the platform — pages visited, features used, and actions taken — to operate the service, detect security issues, and improve the product. This data is associated with your account.
We store your password in hashed form (bcrypt). If you enable MFA, your TOTP secret is stored encrypted. We log authentication attempts (login, MFA) for rate limiting and security purposes. These logs contain hashed IP addresses and email domains — not full IP addresses or plaintext emails.
Data you submit to the platform in connection with your supplier risk workflow — supplier names, contact details, assessment responses, findings, and notes — is Customer Data processed on your behalf. See the DPA for how we handle this data.
When you visit supplira.io, standard web server logs are generated. We may use privacy-respecting analytics to understand how the website is used. We do not use advertising trackers or third-party profiling on our website.
We do not sell personal data. We do not use account or supplier data for advertising or profiling.
We process your personal data on the following legal bases:
We share personal data only with subprocessors necessary to provide the Services. A current list of subprocessors is maintained on the Subprocessors page. We do not sell data to third parties or share it for advertising purposes.
We may disclose personal data if required by law, court order, or to protect the rights and safety of Supplira, its users, or others.
We retain account data for the duration of your subscription and for a reasonable period thereafter to handle disputes, legal obligations, or support requests. Upon account deletion, personal data is deleted in accordance with our standard deletion process. Aggregated, anonymised data may be retained for longer.
Authentication logs and security-related data are retained for up to 90 days for security monitoring purposes.
Under the GDPR, you have the following rights in relation to personal data we hold about you as a controller:
To exercise any of these rights, contact privacy@supplira.io. We will respond within 30 days.
For personal data processed as part of your supplier workflow (Customer Data), requests should be handled by you as the data controller — we can assist you in fulfilling those requests under the DPA.
The Supplira application uses a session cookie (HTTP-only, secure-flagged) to maintain your login session. This cookie is strictly necessary for the service to function and does not require consent under ePrivacy rules.
The website (supplira.io) may use minimal, privacy-respecting analytics. We do not use advertising cookies or third-party tracking pixels.
We implement technical and organisational security measures appropriate to the risk, including those described on our Security page. No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
For privacy-related questions or to exercise your rights: privacy@supplira.io.
You have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Integritetsskyddsmyndigheten (IMY). You may also lodge a complaint with the supervisory authority in your country of residence or place of work.