Legal

Privacy

Last updated: 2026-04-20

Placeholder. Full policy coming before first paid ad spend or 100th contact submission — whichever comes first. Until then, this page describes exactly what Suplo does with the small amount of data the marketing site collects today. We add nothing that isn't listed here.

Who we are

Suplo is operated by Profores LLC, 30 N Gould St Ste R, Sheridan, WY 82801, US. For any question about this policy, contact hello@suplo.co.

Data we collect via the contact form

When you submit the form at /contact, Suplo collects:

  • Name — so we know who's writing.
  • Work email — to reply and to identify duplicate submissions.
  • Company — to understand which brand / factory the enquiry relates to.
  • Message — the body of your enquiry.
  • Technical metadata — your IP address (for rate limiting), the submission timestamp, and the outcome of an automated bot-verification check (Cloudflare Turnstile).

We do not collect: phone numbers, payment data, location beyond the IP address, or any special-category data (health, biometric, political, etc.).

Legal basis (GDPR / UK-GDPR): legitimate interest for replying to a sales enquiry you initiated, and legitimate interest for fraud / spam prevention on the technical metadata.

Sub-processors

Suplo uses the following third parties to operate the marketing site. Each processes only the data described below and only on our behalf, under a data-processing agreement (DPA) or equivalent.

  • Resend — transactional email delivery for the contact form. Receives the submitted name, email, company, and message in order to deliver the email to our team. See Resend DPA.
  • Upstash — serverless Redis used solely for rate limiting the contact form (3 submissions / 10 minutes per IP). Stores only a hash of your IP plus a counter; no form content. See Upstash privacy.
  • Cloudflare — DNS, TLS termination, and invisible bot-verification (Turnstile) on the contact form. Turnstile does not fingerprint users or share data with advertisers. See Turnstile privacy policy.
  • Google Analytics 4 — aggregate traffic analytics. We run GA4 with Google Consent Mode v2 defaulted to denied for all advertising and analytics storage — no ad cookies are set until you give consent. Pre-consent pageviews are sent as cookieless pings (aggregate only, no user profile built).
  • Vercel — hosting and edge CDN. Standard web-server logs (IP, URL, user-agent) retained by Vercel for a short rolling window. See Vercel privacy policy.

Retention

  • Contact-form submissions: retained for up to 12 months after your last interaction with us, then deleted.
  • Rate-limit counters (Upstash): expire automatically after the sliding window (10 minutes).
  • Turnstile tokens: single-use, never stored — verified and discarded within the request.
  • Google Analytics 4: default event / user-level retention of 14 months (GA4 property default). Aggregate reports retained longer per Google's product-level policy.
  • Vercel server logs: retained by Vercel per their published policy; we do not independently archive them.

Your rights

If you are in the EU, UK, or a jurisdiction with comparable data-protection law, you have the following rights with respect to personal data Suplo holds about you (GDPR / UK-GDPR Articles 15–21):

  • Access — ask us what data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure ("right to be forgotten") — ask us to delete your data.
  • Portability — ask for a copy of your data in a machine-readable format.
  • Restriction — ask us to stop processing while a question is resolved.
  • Objection — object to our legitimate- interest processing.

To exercise any of these rights, email hello@suplo.co. We respond within 30 days. You can also lodge a complaint with your national supervisory authority (in the UK: the Information Commissioner's Office).

Contact

Questions, access requests, or complaints: hello@suplo.co.