Privacy Policy

SupplySustain Innovation Ltd

A private company incorporated in the Dubai International Financial Centre ·   Registered No. 7471   ·   DIFC Commercial Licence CL7471

admin_panel_settingsPrivacy Policy:Trading as “SupplySustain”

Controller

DIFC Registered No.

Registered Office

Privacy Contact

Legal Contact

Applicable Law

Version

Effective Date

SupplySustain Innovation Ltd

7471

Unit IH-00-01-01-OF-01, Level 1, Innovation One, Dubai International Financial Centre, Dubai, UAE

Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law”)

1.0

1 June 2026

Our promise to you.

We take the protection of your data seriously. We will NOT sell your personal data, and we will NOT share or disclose your personal data to any other company, organisation, or person for that party’s own marketing or commercial purposes. This Privacy Policy explains exactly what data we collect, why, how we protect it, and the rights you have over it.

1. Introduction

This Privacy Policy (the “Policy”) explains how SupplySustain Innovation Ltd (“SupplySustain”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you access or use our software platform (the “Platform” or the “SupplySustain Network”), including our website at supplysustain.com, our web and mobile applications, and our APIs.

SupplySustain is a private company incorporated in the Dubai International Financial Centre (DIFC) with registered number 7471 and operating under DIFC Commercial Licence CL7471 (licensed activities: Portal; Software House). We are a software platform only and are not a financial services provider.

We process personal data in accordance with the Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law”) and any regulations made under it. For the purposes of the DP Law, SupplySustain acts as a Controller in respect of the processing activities described in this Policy, except where we expressly act as a Processor on behalf of a User (for example, when you upload personal data of your own employees or counterparties so that we can host and transmit it through the Platform on your behalf).

This Policy applies to professional business Users of the SupplySustain Network. It does not apply to the websites or services of any third party that we link to or that interacts with the Platform.

This Policy should be read together with our Terms and Conditions. Capitalised terms used but not defined in this Policy have the meanings given to them in the Terms and Conditions.

2. Who We Are

The data controller responsible for your personal data is:

SupplySustain Innovation Ltd

Unit IH-00-01-01-OF-01, Level 1

Innovation One

Dubai International Financial Centre

Dubai, United Arab Emirates

DIFC Registered No.:7471

Privacy contact:[email protected]

3. What Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account and identity data

  • Full name and job title or role

  • Business email address and phone number

  • Login credentials (password is stored in encrypted form)

  • Profile photo (if you choose to upload one)

  • Communication preferences

3.2 Company and business data

  • Company name, trade name, and business address

  • Trade licence number and licensing authority

  • Business activities, capabilities, and service categories

  • Company size, year established, and similar profile information

  • Certifications, accreditations, and insurance details (where you provide them)

  • Bank or invoicing details (only where required to issue Subscription Fee or Success Fee invoices to you; not for any User-to-User payment)

3.3 Platform activity data

  • Requests for Quotation (RFQs) you create, including bills of quantities, line items, deadlines, and notes

  • Quotations you submit or receive

  • Approved Vendor List (AVL) entries and vendor applications

  • Messages and communications between you and other Users on the Platform

  • Awards, decisions, and status changes

  • Ratings, reviews, and performance signals (where applicable)

3.4 Technical and usage data

  • IP address, browser type and version, operating system, device identifiers

  • Pages and features visited, click paths, timestamps, session duration

  • Login events, security logs, and error logs

  • Referring URL and outbound link activity

3.5 Cookies and similar technologies

  • Session cookies (to keep you logged in)

  • Functional cookies (to remember preferences)

  • Analytics cookies (to understand how the Platform is used) See clause 11 for more on cookies.

3.6 Marketing data

  • Your responses to surveys, polls, or feedback requests

  • Marketing communication preferences and consent records

3.7 Data you submit about other people

When you submit personal data about other people (for example, your colleagues, suppliers, or counterparties) so that we can host and transmit it through the Platform on your behalf, you are responsible for ensuring that you have a lawful basis for sharing that data with us and that you have provided any required notices to the individuals concerned.

4. How We Collect Personal Data

We collect personal data in three ways:

4.1 Directly from you.

When you register an Account, complete your company profile, create or respond to an RFQ, submit a quotation, send messages on the Platform, contact our support team, respond to surveys, or otherwise interact with us.

4.2 Automatically as you use the Platform.

Through cookies, server logs, security tools, analytics tools, and similar technologies that record technical and usage data as you interact with the Platform.

4.3 From third-party sources.

From time to time we may obtain limited information from third-party business-information services or public registries (such as DIFC, government commercial registries, or industry directories) to verify the company information you provide and to help maintain the integrity of the SupplySustain Network.

5. Why We Process Your Data

We process personal data only where we have a lawful basis to do so under Article 10 of the DP Law. The table below summarises the main purposes, the categories of data involved, and the lawful basis on which we rely.

admin_panel_settingsPrivacy Policy:Trading as “SupplySustain”

Purpose

Create and operate your Account; provide the Platform to you

Facilitate communication and transactions between Users (e.g. routing RFQs to suppliers, sending quotations to contractors)

Issue invoices and collect Subscription Fees / Success Fees due to SupplySustain

Verify identity and business legitimacy; detect, prevent, and investigate fraud, abuse, and security incidents

Improve, debug, and develop new features for the Platform

Produce aggregated and anonymised insights, benchmarks, and reports (see clause 7)

Send transactional communications (e.g. account, security, service notices)

Send marketing communications about new features, content, and SupplySustain news

Comply with legal, regulatory, tax, and audit obligations

Establish, exercise, or defend legal claims

Data used

Account, company, activity

Activity, company, communication

Account, company, billing

Account, technical, third-party verification

Technical, usage

Platform activity (anonymised once aggregated)

Account, communication

Account, marketing preferences

Account, company, billing, activity

Whatever is necessary in the circumstances

Lawful basis

Performance of contract (the Terms & Conditions)

Performance of contract

Performance of contract; legal obligation

Legitimate interests (protecting the Network and its Users)

Legitimate interests (improving the service)

Legitimate interests under Article 10(f) DP Law (right to object — see clause 12)

Performance of contract

Consent (which you can withdraw at any time)

Legal obligation

Legitimate interests

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of any processing carried out before withdrawal. See clause 12 for more on your rights.

6. Who We Share Your Data With

We do NOT sell your personal data.

We do NOT share or disclose your personal data to any other company, organisation, or person for that party’s own marketing or commercial use. We share data only in the limited circumstances described below.

6.1 Sharing with other Users (by design)

Content you submit to the Platform with the intention that other Users see it will be displayed to those Users as part of the normal operation of the Platform. For example: your company profile is visible in the Business Network; an RFQ you create is broadcast to relevant suppliers; a quotation you submit is sent to the issuing contractor; vendor application data is shared with the contractor running the AVL.

6.2 Sharing with our service providers (processors)

  • Cloud hosting and infrastructure providers (to host the Platform and store data securely);

  • Email and communication providers (to deliver transactional and marketing emails on our behalf);

  • Analytics and product-intelligence providers (to help us understand how the Platform is used);

  • Customer-support tools (to manage your support requests and tickets);

  • Security, anti-fraud, and identity-verification providers (to protect the Network);

  • Subscription billing providers (to invoice and collect fees due to SupplySustain).

These service providers act only on our instructions, only for the purposes we specify, and only for as long as necessary. They are not permitted to use your data for their own purposes.

6.3 Sharing with legal and regulatory authorities

We may disclose personal data where required by applicable law, regulation, court order, or lawful request from a competent authority, or where necessary to establish, exercise, or defend legal claims.

6.4 Sharing in connection with corporate transactions

If SupplySustain is involved in a merger, acquisition, restructuring, financing, or sale of all or part of our business, personal data may be transferred to the counterparty or successor entity, subject to appropriate confidentiality and data-protection arrangements.

6.5 Sharing for marketing of SupplySustain

As described in our Terms and Conditions, you grant us permission to use your company name and logo for the limited marketing and communications purposes set out in that document. This is the use of business identifiers (name and logo), not personal data about individuals.

7. Aggregated and Anonymised Data

Notice — Use of Aggregated and Anonymised Data.

SupplySustain processes data generated by your use of the Platform — including RFQ activity, category demand, response times, quotation patterns, supplier performance signals, pricing distributions, lead times, geographic coverage, and other Platform activity — on the basis of our legitimate interests under Article 10(f) of the DP Law (specifically, the legitimate interest of operating, improving, and developing the SupplySustain Network and producing anonymised market intelligence), for the following purposes:

(i) produce aggregated and anonymised market reports, indices, benchmarks, statistics, and analytics; (ii) build, train, and improve features, models, and tools of the Platform; (iii) generate insights to be displayed to Users (including, where applicable, to other Users in aggregated and anonymised form); (iv) publish industry studies and market commentary; and (v) share such aggregated and anonymised outputs with partners, investors, the public, or for any other lawful business purpose.

Anonymisation boundary.

Once data has been aggregated and anonymised in this way, it can no longer reasonably be used to identify you, your company, or any specific User, and is no longer treated as personal data under the DP Law. Such anonymised outputs are accordingly outside the scope of the DP Law.

Your right to object.

You have the right under Article 33 of the DP Law to object at any time to the processing described in this clause 7, which is carried out on the basis of our legitimate interests. To exercise this right, contact us at [email protected]. We will then stop the processing of your identifiable personal data for the purposes set out above unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or that the processing is necessary for the establishment, exercise, or defence of legal claims. Aggregated and anonymised outputs already produced before your objection will not be unwound, as they no longer constitute your personal data.

Balancing test.

In line with Article 13 of the DP Law, SupplySustain has carried out and documents an internal Legitimate Interests Assessment to ensure that the processing described above is necessary and proportionate, and that the interests, rights, and freedoms of data subjects have been duly considered.

8. International Data Transfers

SupplySustain is established in the DIFC. Some of our service providers (such as cloud hosting, email, and analytics providers) may be located outside the DIFC, including in jurisdictions that have not been recognised by the DIFC Commissioner of Data Protection as providing an adequate level of data protection.

Where we transfer personal data outside the DIFC, we apply appropriate safeguards as required by the DP Law, which may include:

  • transferring only to jurisdictions recognised by the Commissioner as providing an adequate level of protection;

  • using standard data-protection clauses approved under the DP Law;

  • relying on binding corporate rules of the recipient where applicable; or

  • relying on another lawful transfer mechanism set out in the DP Law.

You may contact us at [email protected] for more information about the safeguards we apply to any specific transfer.

9. How Long We Keep Your Data

We keep personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, regulatory, tax, accounting, or reporting requirements, and to establish, exercise, or defend legal claims. The main retention periods we apply are:

Category

Account profile data

Platform activity data (RFQs, quotations, awards, vendor applications)

Communications between Users on the Platform

Subscription Fee / Success Fee invoicing and billing records

Security and system logs

Marketing consent records

Cookies

Aggregated and anonymised data

Retention period

For the duration of your Account, plus a period after closure for legal and compliance purposes

For a period appropriate to the commercial and regulatory context, typically up to seven (7) years after the relevant activity, in line with general DIFC record-keeping practice

For the duration of your Account, plus a reasonable period after closure

As required by applicable tax, accounting, and audit laws (typically a minimum of five (5) years)

Typically up to twelve (12) months, unless retained longer to investigate a specific incident

Until you withdraw consent, plus a reasonable period to evidence the withdrawal

See clause 11 for cookie-specific durations

Retained indefinitely (this data is no longer personal data once anonymised)

When the retention period for personal data ends, we will delete the data, anonymise it, or otherwise place it beyond use.

10. How We Protect Your Data

We apply appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access. These measures include:

  • encryption of data in transit and at rest where appropriate;

  • access controls limiting who within SupplySustain can access personal data, on a need-to-know basis;

  • password and credential hashing using industry-standard algorithms;

  • network security controls and monitoring;

  • regular security reviews and incident-response procedures;

  • contractual confidentiality and data-protection obligations on our service providers.

However, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of the Platform or any data transmitted to or from it. You play a critical role in protecting your data — please keep your login credentials confidential, use a strong unique password, and notify us immediately at [email protected] if you suspect any unauthorised use of your Account.

10.1 Data breach notification

If a personal-data breach occurs that is likely to result in a high risk to the rights of affected data subjects, we will notify the DIFC Commissioner of Data Protection and the affected data subjects as required by the DP Law.

11. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Platform, remember your preferences, understand how the Platform is used, and improve your experience. A cookie is a small text file placed on your device when you visit a website.

11.1 Types of cookies we use

  • Strictly necessary cookies — required for the Platform to function (for example, to keep you logged in and to maintain security). These cannot be switched off.

  • Functional cookies — remember your preferences and choices (for example, language and display preferences).

  • Analytics cookies — help us understand how Users interact with the Platform so we can improve it.

  • Marketing cookies — used only if you give consent through our cookie banner; help us measure and improve our marketing.

11.2 Managing cookies

When you first visit the Platform you will be shown a cookie notice and, where required by law, asked for consent for non-essential cookies. You can change your cookie preferences at any time through the cookie settings link on the Platform or through your browser settings. Disabling certain cookies may affect how the Platform works for you.law.

12. Your Rights

Under the DP Law you have the following rights in respect of your personal data:

  • Right of access.You may ask us to confirm whether we process personal data about you and to provide you with a copy of that data.

  • Right to rectification.You may ask us to correct any inaccurate or incomplete personal data we hold about you.

  • Right to erasure (“right to be forgotten”).In certain circumstances you may ask us to delete your personal data — for example, where it is no longer needed for the purpose for which it was collected, or where you have withdrawn consent and we have no other lawful basis to keep it.

  • Right to restriction of processing.You may ask us to limit how we use your personal data in certain circumstances.

  • Right to data portability.You may ask us to provide certain personal data to you, or to transmit it to another controller, in a structured, commonly used, machine-readable format.

  • Right to object.Under Article 33 of the DP Law, you may object to processing carried out on the basis of our legitimate interests — including, for example, our use of Platform data to produce aggregated and anonymised benchmarks and reports (see clause 7), and including any direct marketing.

  • Right to withdraw consent.Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

  • Right not to be subject to automated decisions.You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. We do not currently make such decisions.

  • Right to lodge a complaint.You may lodge a complaint with the DIFC Commissioner of Data Protection — see clause 16.

Some of these rights are subject to conditions and exceptions under the DP Law. We will explain in our response if any exception applies to a specific request.

13. How to Exercise Your Rights

To exercise any of the rights described in clause 12, please contact us at [email protected]. To help us respond, please describe your request as clearly as possible and tell us what right you are exercising.

We may need to verify your identity before responding, to make sure we do not disclose personal data to anyone who is not entitled to receive it. We will respond to your request within one (1) month of receipt. If your request is complex or we receive a large number of requests, we may extend that period by a further two months and will tell you why.

The exercise of rights of access, rectification, and erasure is free of charge. For other requests, we may charge a reasonable fee, or refuse to act on the request, where the request is manifestly unfounded or excessive, as permitted by the DP Law.

14. Children’s Privacy

The SupplySustain Platform is a business-to-business (B2B) service intended exclusively for professional Users acting in the course of their trade, business, or profession. It is not directed at, and is not intended to be used by, anyone under the age of eighteen (18). We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided personal data to us, please contact us at [email protected] so we can take appropriate steps.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The current version of the Policy is always accessible on the Platform, with a clear version number and effective date.

Where the changes are material, we will notify you in advance by email to your registered Account email address, by an in-Platform notice on next sign-in, or by another reasonable means. Non-material changes (such as clarifications, corrections, or formatting changes) may be made without separate notice.

Your continued use of the Platform after the effective date of any change constitutes your acceptance of the updated Policy. If you do not accept the updated Policy, you should stop using the Platform and close your Account.

16. Complaints

If you are not satisfied with how we have handled your personal data or your data-protection request, please contact us first at [email protected] so that we have an opportunity to resolve the issue.

You also have the right to lodge a complaint directly with the DIFC Commissioner of Data Protection

Commissioner of Data Protection

Dubai International Financial Centre Authority

Level 14, The Gate Building

DIFC, Dubai, United Arab Emirates

Email:[email protected]

Website:difc.com (Data Protection section)