Founding access open — 50% off for first 50 brands. 38 spots left.

Request access →
Suplo

Legal

Privacy Policy

Last updated: 2026-05-23

Who we are

Suplo is operated by Profores LLC, 30 N Gould St Ste R, Sheridan, WY 82801, US. For any question about this policy, contact hello@suplo.co.

Data we collect

Marketing site (suplo.co)

  • Contact form: name, email, company, message.
  • Analytics: anonymized pageview data via Google Analytics 4.
  • Technical: IP address for rate limiting and security.

Suplo App (app.suplo.co)

  • Account data: email address and name.
  • Business data: purchase orders, factory contacts, product catalogues, shipment records.
  • Shopify data: product catalogue and inventory levels (read-only via OAuth); orders (read-only) for demand planning.
  • WooCommerce data: product catalogue (read-only via API key).
  • PO messaging: messages within purchase order threads.
  • Payment data: handled entirely by Stripe/Shopify — we never store card numbers.
  • SMS verification: phone numbers for factory two-factor authentication (optional; tenant-configured via Twilio).

Legal basis (GDPR)

  • Contract performance: app data processed to deliver the service you signed up for.
  • Legitimate interest: analytics, security, and fraud prevention.
  • Consent: marketing cookies (requested via the cookie banner).

Shopify data usage

When you connect your Shopify store, Suplo accesses:

  • Products and variants (read): to sync your product catalogue with purchase orders.
  • Inventory levels (read/write): to update stock levels after goods-received notes (GRN).
  • Orders (read): for demand planning.

We do not sell Shopify data, use it to train AI models, or share it with other customers.

Sub-processors

Each processor handles only the data described and only on our behalf, under a data-processing agreement or equivalent.

App

  • Neon — database hosting (all app data).
  • Vercel — hosting and CDN.
  • Resend — transactional email.
  • Stripe — payment processing.
  • Twilio — SMS verification (optional, tenant-configured).
  • Shopify — OAuth integration for store data.

Marketing site

  • Resend — contact form email delivery.
  • Upstash — serverless Redis for contact form rate limiting (IP hash + counter only; no form content).
  • Cloudflare — DNS, TLS, and bot verification (Turnstile). Turnstile does not fingerprint users or share data with advertisers.
  • Google Analytics 4 — aggregate traffic analytics, running with Google Consent Mode v2 defaulted to denied.
  • Vercel — hosting and edge CDN.

Data retention

  • App data: retained while your account is active, plus 90 days after cancellation, then archived for 60 days, then deleted.
  • Contact form submissions: up to 12 months.
  • Payment records: 7 years (legal obligation).
  • Analytics (GA4): 14 months (GA4 default).

Your rights (GDPR)

If you are in the EU, UK, or a jurisdiction with comparable data-protection law, you have the right to access, rectify, erase, port, restrict, or object to our processing of your personal data (GDPR Articles 15–21).

To exercise any of these rights, email hello@suplo.co. We respond within 30 days. You can also lodge a complaint with your national supervisory authority (e.g., the ICO in the UK).

GDPR requests — Shopify merchants

Data deletion and access requests from Shopify merchants are processed within 30 days. Submit requests to hello@suplo.co.

Cookies

See our Cookie Policy for a full list of cookies and how to manage them.

Changes to this policy

Material changes will be notified by email at least 30 days before taking effect. The “last updated” date at the top of this page reflects the most recent revision.

Contact

Questions, access requests, or complaints: hello@suplo.co.