← Trust Centre/ PrivacyPlain English.
Plain English.
Real rights.
No surprises.
This is the page. The Privacy Policy at /legal/privacy is the contract. Both say the same thing.
/ 01 — The 30-second summary
- We don't sell your data. We don't share it for cross-context behavioural advertising.
- We collect what's necessary to run the Platform — account, billing metadata (no full card numbers), RFQ content, supplier verification documents, usage and device data.
- We share data only with Subprocessors listed at /trust/compliance, on documented data-protection terms.
- You can export, correct, or delete your data at any time — see "Your rights" below.
/ 02 — Your rights
With verbs, not nouns.
Access
See exactly what we hold about you.
Email privacy@giwahs.com
Rectify
Fix anything that is wrong.
Email privacy@giwahs.com
Erase
Delete your account and data (subject to legal retention).
Email privacy@giwahs.com
Restrict / object
Limit what we do with your data.
Email privacy@giwahs.com
Portability
Get your data in a machine-readable format.
Email privacy@giwahs.com
Complain
Lodge a complaint with us, or escalate to a regulator.
Email privacy@giwahs.com
We respond within 30 days (or shorter, where the law requires) and may need to verify your identity first.
/ 03 — What we collect, why, on what basis
Mapped end-to-end.
| What | Why | Legal basis |
|---|---|---|
| Account info, organisation profile | Run your account | Contract |
| Billing metadata (Stripe holds full card numbers) | Process subscriptions, tax, invoices | Contract; legal obligation |
| RFQ content, supplier profiles, verification documents | Match buyers and suppliers; verify suppliers | Contract; legitimate interests |
| Usage & device data | Operate, secure, and improve the Platform | Legitimate interests |
| Transactional email metadata | Send receipts, renewal reminders, payment failures | Contract |
| Marketing email | Optional product updates | Consent (opt-in), withdrawable any time |
/ 04 — Region-specific disclosures
Acknowledged in your jurisdiction.
EU / UK / EEA / Switzerland
- · GDPR & UK GDPR compliant.
- · Legal bases documented per category.
- · Article 27 representative / DPO published at /legal/dpo when appointed.
- · Lodge complaints with your local DPA or the UK ICO.
United States (CA · CO · VA · CT · UT · TX & others)
- · No sale or share of personal information.
- · No cross-context behavioural advertising.
- · Global Privacy Control (GPC) honoured.
- · Right to know · delete · correct · opt-out · limit use · non-discrimination.
New Zealand
- · Privacy Act 2020 + Information Privacy Principles.
- · Complaints lodgeable with the Office of the NZ Privacy Commissioner (privacy.org.nz).
- · Notifiable breaches reported via NotifyUs as soon as practicable.
Australia
- · Privacy Act 1988 + Australian Privacy Principles.
- · Complaints lodgeable with OAIC (oaic.gov.au).
- · Eligible data breaches under APP 11A cooperated with OAIC and affected individuals.
/ 05 — Binding documents
We summarise here. The contract is in Doc 24 (Privacy Policy). The DPA terms are in Doc 29. The cookie commitments are in Doc 28. The Subprocessor list is Doc 31. All documents become downloadable from the Trust Centre once counsel sign-off is recorded.
Privacy questions: privacy@giwahs.com
See also: Security · Compliance
