Privacy Policy
This policy explains how OptiSupply collects, uses, and protects your personal data. It applies to all visitors and users of optisupply.tech.
Who We Are
OptiSupply ("we", "us", "our") is a supplier compliance intelligence company operating under Portuguese law. We provide CSRD-ready due diligence dossiers and ESG risk assessments for EU procurement teams.
For the purposes of the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), OptiSupply is the data controller responsible for your personal data collected via optisupply.tech.
| DETAIL | INFORMATION |
|---|---|
| Company | OptiSupply |
| Country | Portugal |
| Website | optisupply.tech |
| Contact Email | contact@optisupply.tech |
| Data Protection Contact | contact@optisupply.tech |
Data We Collect
2.1 — Data You Provide Directly
When you submit a supplier vetting request or contact us via our website form, we may collect:
- Your name and job title
- Your company name and business email address
- The name or VAT number of the supplier you wish to vet
- Any additional information you choose to include in your message
2.2 — Data Collected Automatically
When you visit optisupply.tech, we automatically collect limited technical data including:
- IP address (anonymised before storage)
- Browser type and version
- Device type and operating system
- Pages visited and time spent on each page
- Referring URL (where you came from)
- General geographic location (country / city level only)
This data is collected via Google Analytics 4 and is used solely for aggregate site analytics. We do not use it to identify you personally.
2.3 — Data We Do Not Collect
How We Use Your Data
| PURPOSE | DATA USED | LEGAL BASIS |
|---|---|---|
| Responding to your supplier vetting request | Name, email, company, supplier name/VAT | Contract / Legitimate interest |
| Sending your completed due diligence report | Business email address | Contract performance |
| Improving our website and services | Anonymised analytics data | Legitimate interest |
| Analytics and traffic measurement | Cookies, IP (anonymised), device/browser data | Consent |
| Legal compliance and fraud prevention | Any data relevant to the obligation | Legal obligation |
We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.
Legal Basis for Processing
Under GDPR Article 6, we rely on the following legal bases:
- Consent (Art. 6(1)(a)): For analytics cookies — you can withdraw consent at any time via our cookie banner.
- Contract (Art. 6(1)(b)): To process your supplier vetting request and deliver the agreed report.
- Legitimate Interest (Art. 6(1)(f)): To operate and improve our website, respond to enquiries, and detect fraud or abuse. We have assessed that our legitimate interests are not overridden by your rights.
- Legal Obligation (Art. 6(1)(c)): To comply with applicable Portuguese and EU law.
Cookies & Analytics
We use cookies — small text files stored on your device — to make our website function and to understand how visitors use it. Our cookie banner allows you to accept or decline non-essential cookies.
| COOKIE | TYPE | PURPOSE | DURATION |
|---|---|---|---|
| os_cookie_consent | Essential | Stores your cookie consent preference | 1 year (localStorage) |
| _ga | Analytics | Google Analytics — distinguishes unique users | 2 years |
| _ga_* | Analytics | Google Analytics 4 — session tracking | 2 years |
| _gid | Analytics | Google Analytics — session identification | 24 hours |
Declining analytics cookies will not affect your ability to use the website. Essential cookies (like consent storage) cannot be disabled as they are necessary for the site to function.
Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| DATA TYPE | RETENTION PERIOD | REASON |
|---|---|---|
| Supplier vetting request data | 3 years from date of request | Service delivery, legal compliance |
| Email correspondence | 3 years from last contact | Legitimate business records |
| Analytics data (GA4) | 14 months (GA4 default) | Site performance analysis |
| Cookie consent records | 1 year | GDPR compliance audit trail |
| Financial / invoicing records | 10 years | Portuguese tax law obligation |
When data is no longer needed, it is securely deleted or anonymised so that it can no longer be attributed to any individual.
Third Parties & Data Sharing
We share your data with the following trusted service providers, strictly for the purposes described:
| PROVIDER | PURPOSE | LOCATION | SAFEGUARD |
|---|---|---|---|
| Google LLC | Analytics (GA4) | USA / EU | EU Standard Contractual Clauses |
| Vercel Inc. | Website hosting & CDN | USA / EU | Data Processing Agreement |
| GitHub Inc. | Source code repository | USA | Standard Contractual Clauses |
We do not share your data with any other third parties unless required to do so by law, court order, or to protect the rights, safety, or property of OptiSupply or others.
International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Data Processing Agreements with all sub-processors
You can obtain a copy of the relevant safeguards by contacting us at contact@optisupply.tech.
Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data. You can exercise any of these rights by contacting us at contact@optisupply.tech. We will respond within 30 days.
- Request a copy of the personal data we hold about you (Art. 15).
- Ask us to correct inaccurate or incomplete data (Art. 16).
- Request deletion of your data ("right to be forgotten") where it is no longer needed (Art. 17).
- Ask us to restrict processing of your data in certain circumstances (Art. 18).
- Receive your data in a structured, machine-readable format (Art. 20).
- Object to processing based on legitimate interest, including for direct marketing (Art. 21).
- Withdraw consent for analytics cookies at any time via our cookie banner. Withdrawal does not affect prior processing.
- Lodge a complaint with the Portuguese data protection authority (CNPD) if you believe your rights have been violated.
Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration, including:
- HTTPS encryption for all data in transit (TLS 1.2+)
- Access controls limiting data access to authorised personnel only
- Regular review of our security practices and third-party providers
- Secure deletion procedures for data that is no longer required
No method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
Children's Privacy
Our website and services are directed exclusively at business professionals and are not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately at contact@optisupply.tech.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page.
We encourage you to review this policy periodically. Continued use of our website following any changes constitutes your acknowledgement of the updated policy.
Contact & Complaints
For any questions about this Privacy Policy, to exercise your rights, or to raise a data protection concern, please contact us:
OptiSupply
EMAIL — contact@optisupply.tech
WEBSITE — optisupply.tech
COUNTRY — Portugal, European Union
If you are not satisfied with our response, you have the right to lodge a complaint with the Portuguese data protection authority: CNPD — Comissão Nacional de Proteção de Dados (cnpd.pt)