Privacy Policy
This policy explains how Qurium Solutions, Inc. dba Supplier.io (including “CVM” and “CVM Solutions”; collectively, “Qurium Solutions”, “Supplier.io”, “we”, “us”, or “our”) processes and protects personal information and data collected via our websites (“Sites”), products, and services (“Services”), collectively referred to as “Online Services.”
This policy applies to the entire global organization of Supplier.io and complies with applicable privacy laws and other applicable state and international privacy regulations.
Registered Business Address:
Qurium Solutions, Inc. dba Supplier.io
1 Mid America Plaza, 3rd Floor
Oakbrook Terrace, IL 60181
1. Scope
This policy governs all information collected or processed via our Online Services for website visitors, customers, suppliers, and business partners worldwide. It does not apply to information collected by other means.
By using our Online Services, you accept this Privacy Policy. If you do not agree, please do not use the Online Services.
1.1 Jurisdiction-Specific Rights
Depending on your location, you may have additional rights under your local privacy laws:
- European Union/UK residents: GDPR and UK GDPR protections
- California residents: CCPA/CPRA consumer rights
- India residents: DPDPA protections
- Canada residents: PIPEDA rights
- Brazil residents: LGPD protections
- Other residents: other applicable privacy regulations in your local jurisdiction
2. Information We Collect
2.1. Categories of Personal Information
We collect information you provide through:
- Requests for information or proposals
- Surveys
- Our social media pages
- Job applications
- Newsletter subscriptions
- Content you submit on the Sites
Typical data collected: name, email address, job title, business information, usage data, location information, interests, and page views.
We may supplement collected data with public or third-party records as allowed by law.
2.2. Business Information (For Registered Users)
For registered customers, suppliers, and partners, we may require:
- Business name, address, web domain, Federal Employer ID Number
- Financial and insurance details
2.3. Technical and Usage Information
We use automated tools (such as cookies and analytics) to collect:
- IP address, device/browser type
- Online activity and usage logs (domain, referrer, session data)
- Cookie, pixel, and tracking identifiers
2.4. Sensitive Information
We may collect sensitive information as defined by applicable laws, including:
- Account login credentials (passwords, security questions)
- Approximate geolocation data (via IP address)
- Contents of communications (support messages, feedback)
We limit use of sensitive information to:
- Provide requested services and customer support
- Security and fraud prevention
- Legal compliance
- Short-term, transient use
2.5 Special Category Data & Children’s Data
We do not intentionally collect special category (sensitive) data without clear notice and explicit, documented consent.
Our Online Services are not intended for individuals under 16 in the EU/UK, under 13 if in the US, or under the applicable age of consent in your jurisdiction. If a child’s data is discovered, it will be promptly deleted.
3. How We Collect Information
- Direct: Forms, account registration, email, or direct correspondence.
- Automatic: Cookies, analytics, and similar technologies.
- Indirect: Supplementary business verification via public or partner sources.
3.1 Cookie and Tracking Technology Management
We use the following types of cookies and tracking technologies:
- Essential Cookies: Required for basic site functionality (cannot be disabled)
- Analytics Cookies: Help us understand site usage and performance
- Marketing Cookies: Enable personalized advertising and content
- Social Media Cookies: Allow social sharing and embedded content
You can manage your cookie preferences through:
- Our Cookie Preference Center
- Browser settings (may impact functionality)
- Opt-out links provided in marketing communications
We obtain your explicit consent before placing non-essential cookies, and you can withdraw consent at any time; however, site functionality may be impacted.
4. Legal Basis and Purposes
We process your information for the following purposes with the corresponding legal bases:
A. Service Provision and Contract Performance
- Providing and fulfilling requested or contracted services
- Billing, collections, supplier/customer management
- Legal Basis: Contract performance, legitimate interests
B. Business Operations and Analytics
- Analytics and aggregated risk/trend reporting
- Communicating about the Sites, Online Services, or company
- Personalizing user experience
- Legal Basis: Legitimate interests (balanced against your privacy rights)
C. Marketing and Advertising
- Advertising and interest-based marketing (with opt-out options)
- Legal Basis: Consent (where required), legitimate interests
D. Legal and Security
- Legal and regulatory compliance
- Fraud prevention and protection of rights/property
- Legal Basis: Legal obligation, legitimate interests, vital interests
No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
4.1 Legitimate Interests Assessment
Where we rely on legitimate interests, we have balanced our interests against your privacy rights. Key legitimate interests include:
- Fraud prevention and security
- Business analytics and improvement
- Direct marketing to existing customers
- Network and information systems security
5. Data Inventory, Processing, and Flow
- We maintain a comprehensive inventory of data types, sources, purposes, retention periods, locations, and access controls.
- Data flow diagrams and process maps are maintained as internal documentation and made available to regulators or data subjects upon verified request.
- Access is restricted to staff who need it for their work, controlled through robust role-based access.
6. Data Processing Agreements (DPAs), Subprocessors & Sharing
- Data Processing Agreements are maintained with customers, suppliers, and subprocessors as required by law and industry standards.
- All subprocessors undergo regular privacy, security, and compliance reviews.
- Information about subprocessors and third-party sharing is available on request.
- Personal information (including mobile phone information) is never sold to or shared with third parties for direct marketing.
6.1 Current Subprocessors and Third-Party Sharing
We maintain a current list of subprocessors at https://supplier.io/terms-of-use/subprocessors.
We share personal information with third parties for the following business purposes:
- Service providers: IT services, payment processing, customer support
- Business partners: Joint ventures, co-marketing (with consent)
- Legal requirements: Courts, regulators, law enforcement
- Business transfers: Mergers, acquisitions (with equivalent protections)
Commercial purposes for sharing (California residents):
- Marketing and advertising (with opt-out rights)
- Analytics and business intelligence
- Customer service and support
7. International Data Transfers
Your information may be stored or processed on servers outside your country, including in the United States, Canada, or India. All cross-border transfers are protected by Standard Contractual Clauses, adequacy decisions, or other recognized safeguards.
8. Data Retention and Secure Disposal
- Data is retained only as long as necessary for its stated purposes, legal compliance, or contractual requirements.
- Periodic reviews ensure timely deletion or anonymization.
- Deletion/correction/erasure requests are tracked, validated, and fulfilled in line with regulation.
9. Data Security and Incident/Breach Management
Layered safeguards include:
- Encryption at rest and in transit with enterprise-grade algorithms (AES-256, TLS v1.2 or later)
- Multi-factor authentication, access logging
- Network, endpoint, and physical security with 24/7 monitoring
- Regular privacy and security training for staff with mandatory annual updates
- Anonymization/pseudonymization of data when possible
- Segregated environments for live and anonymized/test data
- Documented, tested incident response and disaster recovery plans
9.1 Security Frameworks and Certifications
We maintain compliance with:
- SOC 2 Type II controls (Supplier.io maintains an annual SOC 2 Type II certification)
- Industry-specific security standards
- Regular third-party security assessments
Data Breach Notification:
In the event of a security incident or data breach affecting your personal data, you and any required authorities will be notified promptly—as required by law (typically within 48 hours for applicable regulations). Notifications include the nature and impact of the breach, mitigation steps, and recommendations.
10. Your Rights and Choices
Depending on your jurisdiction, you have rights to:
- Access, correct, or delete your data
- Object or restrict processing
- Withdraw consent for data processed on that basis
- Request data portability
- Lodge complaints to a supervisory authority
- Request details about third-party transfers or disclosures
We respond to data subject requests within the required timeframes applicable by jurisdiction.
We verify and process each data subject request for which we are the controller promptly using reasonable verification methods including email confirmation, account authentication, or government ID verification.
If Supplier.io is acting as a data processor when fielding a data subject request, we will promptly convey your request to the applicable data controller.
Contact for all requests: [email protected] or 708-236-2000.
11. Opt-Out Rights and How to Exercise Them
You may opt out of the following at any time:
- Marketing and Promotional Emails: Use the “unsubscribe” link in any message received or email [email protected].
- Targeted Advertising, Data Sale, or Data Sharing: Email [email protected] or use site-provided opt-out links. California residents may further opt out of “sale” or “sharing” as defined by law.
- Non-Essential Cookies and Analytics: Adjust your browser preferences or site cookie settings to refuse non-essential cookies.
- Other Data Sharing: Email [email protected] to limit or object to data sharing for non-core purposes.
All opt-out requests are honored promptly, and your preference is recorded.
12. Roles and Responsibilities
- Data Protection Officer (DPO): Oversees compliance, policy implementation, incident response, and staff training.
- Contact: [email protected], 1 Mid America Plaza, 3rd Floor, Oakbrook Terrace, IL 60181, 708-236-2000
- Employees & Contractors: Must complete annual privacy training, follow this policy, and promptly report suspected incidents.
- Vendors/Subprocessors: Required by contract to maintain privacy/security and to report any incidents.
- Senior Management: Ensures adequate resources/enforcement for privacy and security.
12.1 Privacy by Design and Default
We implement privacy by design principles in all processing activities:
- Proactive rather than reactive measures
- Privacy as the default setting
- Privacy embedded into design
- Full functionality with privacy protection
- End-to-end security
- Visibility and transparency
- Respect for user privacy
13. Training, Accountability, and Disciplinary Actions
All relevant staff receive annual privacy and information security training. Non-compliance is subject to investigation and disciplinary consequences, up to termination or contract revocation.
14. Accountability and Audit
We conduct regular audits and privacy policy reviews; all systems and safeguards are continually improved for compliance and transparency. Documentation is maintained to demonstrate these standards.
15. Third-Party Links and Hosted Platforms
We are not responsible for third-party privacy practices. Please review their policies before providing information.
Customer Branded Sites, jointly operated with clients, may share your provided data with the relevant client as disclosed at registration.
16. Business Transfers
If Supplier.io is acquired or reorganized, your data will be transferred to successors under conditions guaranteeing at least equivalent privacy protection.
17. Policy Changes and Review
We review this policy annually or following major business, incident, or regulatory changes. Significant changes are posted on our Sites, with the current effective date clearly indicated.
18. Contact for Data Privacy
For any privacy questions, rights requests, or complaints:
- Email: [email protected]
- Address: 1 Mid America Plaza, 3rd Floor, Oakbrook Terrace, IL 60181
- Phone: 708-236-2000
This Privacy Policy is designed to comply with global data protection laws and all other applicable laws, and applies globally throughout Supplier.io’s business operations.