Legal

Privacy Policy

Last updated: May 2026

This Privacy Policy explains how Suplivia, operated by Macro Global Business Sp. z o.o., collects, uses, stores, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Polish Personal Data Protection Act, and applicable US privacy regulations including the California Consumer Privacy Act (CCPA).

Contents

  1. 1. Data Controller
  2. 2. Data We Collect
  3. 3. How We Use Your Data
  4. 4. Use of AI and Automated Processing
  5. 5. Legal Basis for Processing (GDPR)
  6. 6. Data Retention
  7. 7. Your Rights (GDPR + CCPA)
  8. 8. Cookies
  9. 9. Third-Party Services
  10. 10. International Transfers
  11. 11. Contact & DPO

1. Data Controller

The data controller responsible for your personal data is:

Macro Global Business Sp. z o.o.

KRS: 0000889077

Spektrum Tower, Twarda 18, 00-105 Warsaw, Poland

Email: info@suplivia.com

Macro Global Business Sp. z o.o. operates the Suplivia platform accessible at www.suplivia.com, a controlled-access B2B medical procurement network connecting verified buyers and distributors with verified manufacturers worldwide.

2. Data We Collect

We collect the following categories of personal data:

Account Registration Data

  • Full name and job title
  • Business email address
  • Company name, country, and website
  • Password (stored in encrypted form)
  • Role type (manufacturer, distributor, procurement professional)
  • LinkedIn profile URL (where voluntarily provided)

Platform Usage Data

  • Manufacturer profile views and search history
  • RFQ (Request for Quotation) activity — submissions, responses, and status history
  • Saved manufacturers and watchlists
  • Login timestamps and session metadata
  • IP address and browser/device type for security purposes
  • Profile view activity, including your identity as a registered user, which may be shared with the manufacturer whose profile you have viewed

Uploaded Documents and Files

  • CE Certificates, ISO Certificates, FDA Approvals, Free Sale Certificates
  • Product catalogues and technical documentation
  • Any other files voluntarily uploaded to your manufacturer or sourcing profile

We do not collect sensitive personal data (special categories under GDPR Article 9) and do not knowingly collect data from persons under 18 years of age.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

  • To create, verify, and maintain your account on the Suplivia platform
  • To review and verify manufacturer and buyer registrations, and to manage access permissions based on verification status
  • To facilitate connections between verified buyers and verified manufacturers
  • To enable and manage the structured RFQ system
  • To display verified manufacturer profiles and certification documents to approved buyers
  • To send transactional emails (e.g. application status updates, RFQ notifications)
  • To monitor platform activity for fraud prevention, security, and compliance
  • To improve platform functionality and user experience based on anonymised usage analytics
  • To comply with applicable legal obligations
  • To share profile view activity, including viewer identity and contact details, with verified manufacturers for the purpose of facilitating B2B connections on the platform

We do not sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Use of AI and Automated Processing

Suplivia uses automated systems, including artificial intelligence technologies, to process and structure publicly available and user-submitted information.

These systems are used to:

  • Organize and categorize manufacturer and product data
  • Enable semantic and similarity-based search functionality
  • Generate aggregated market insights and sourcing intelligence
  • Improve relevance and discovery across regions and product categories

AI systems are used as a data processing tool and do not independently make legal, compliance, or certification decisions regarding manufacturers or products.

All verification of submitted documentation is performed by human review where applicable.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:

  • Active account data: retained for the duration of your account and for 3 years after account closure
  • RFQ records and correspondence: retained for 5 years for contractual and legal compliance purposes
  • Uploaded certification documents: retained for the period your manufacturer profile is active, plus 3 years
  • Security and login logs: retained for 12 months
  • Financial and invoicing records (if applicable): retained for 5 years as required under Polish and EU accounting law

When data is no longer required, it is securely deleted or anonymised. You may request earlier deletion of your personal data subject to our legal retention obligations — see Section 6 for your rights.

7. Your Rights (GDPR + CCPA)

Under the GDPR, if you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your data where we have no lawful basis to retain it
  • Right to restrict processing — request that we limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests, including direct marketing
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing
  • Right to lodge a complaint — with the Polish Data Protection Authority (UODO) at uodo.gov.pl or your local supervisory authority

Under the CCPA, if you are a California resident, you have the following rights:

  • Right to know what personal information we collect, use, disclose, or sell
  • Right to delete personal information we have collected from you
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at info@suplivia.com. We will respond within 30 days (GDPR) or 45 days (CCPA). We may request verification of your identity before processing your request.

8. Cookies

Suplivia uses the following types of cookies:

  • Strictly necessary cookies — session authentication tokens required to operate the platform (no consent required)
  • Analytics cookies — anonymised usage data to understand how the platform is used (requires consent)
  • Preference cookies — to remember your language, display, and session preferences (requires consent)

We do not use third-party advertising or tracking cookies. You may manage cookie preferences through your browser settings. Strictly necessary cookies cannot be disabled as they are required for platform functionality.

9. Third-Party Services

We use a limited number of carefully selected third-party processors to operate the Suplivia platform:

ProcessorPurposeLocation
Supabase Inc.Database hosting, authentication, and file storageUSA (EU region available)
Vercel Inc.Platform hosting and content deliveryUSA / Global CDN

All processors are bound by Data Processing Agreements (DPAs) and are required to implement appropriate technical and organisational measures to protect your data. We do not share your personal data with any other third parties without your explicit consent, except where required by law.

Supabase is used as our primary backend infrastructure provider. Your account data, profile information, uploaded documents, and RFQ records are stored in Supabase-managed databases. Supabase complies with GDPR and provides EU-region database hosting options. Their privacy policy is available at supabase.com/privacy.

10. International Transfers

Suplivia is operated from Poland (EU) and your data is primarily processed within the European Economic Area. However, some of our third-party processors (including Supabase and Vercel) are headquartered in the United States.

Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Technical and organisational measures including encryption in transit and at rest

By using the Suplivia platform, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, subject to the safeguards described above.

11. Contact & DPO

For all privacy-related enquiries, rights requests, or complaints, please contact us at:

Privacy & Data Enquiries

Macro Global Business Sp. z o.o.

Spektrum Tower, Twarda 18, 00-105 Warsaw, Poland

Email: info@suplivia.com

We aim to respond to all privacy enquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Polish data protection supervisory authority:

Urząd Ochrony Danych Osobowych (UODO)

ul. Stawki 2, 00-193 Warsaw, Poland

Website: uodo.gov.pl

This Privacy Policy was last reviewed and updated in May 2026. We may update this policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated to registered users via email. Continued use of the Suplivia platform following notification constitutes acceptance of the updated policy.

Privacy Policy — Suplivia