← Trust Centre/ Privacy

Plain English.
Real rights.
No surprises.

This is the page. The Privacy Policy at /legal/privacy is the contract. Both say the same thing.

/ 01 — The 30-second summary
  • We don't sell your data. We don't share it for cross-context behavioural advertising.
  • We collect what's necessary to run the Platform — account, billing metadata (no full card numbers), RFQ content, supplier verification documents, usage and device data.
  • We share data only with Subprocessors listed at /trust/compliance, on documented data-protection terms.
  • You can export, correct, or delete your data at any time — see "Your rights" below.
/ 03 — What we collect, why, on what basis

Mapped end-to-end.

WhatWhyLegal basis
Account info, organisation profileRun your accountContract
Billing metadata (Stripe holds full card numbers)Process subscriptions, tax, invoicesContract; legal obligation
RFQ content, supplier profiles, verification documentsMatch buyers and suppliers; verify suppliersContract; legitimate interests
Usage & device dataOperate, secure, and improve the PlatformLegitimate interests
Transactional email metadataSend receipts, renewal reminders, payment failuresContract
Marketing emailOptional product updatesConsent (opt-in), withdrawable any time
/ 04 — Region-specific disclosures

Acknowledged in your jurisdiction.

EU / UK / EEA / Switzerland
  • · GDPR & UK GDPR compliant.
  • · Legal bases documented per category.
  • · Article 27 representative / DPO published at /legal/dpo when appointed.
  • · Lodge complaints with your local DPA or the UK ICO.
United States (CA · CO · VA · CT · UT · TX & others)
  • · No sale or share of personal information.
  • · No cross-context behavioural advertising.
  • · Global Privacy Control (GPC) honoured.
  • · Right to know · delete · correct · opt-out · limit use · non-discrimination.
New Zealand
  • · Privacy Act 2020 + Information Privacy Principles.
  • · Complaints lodgeable with the Office of the NZ Privacy Commissioner (privacy.org.nz).
  • · Notifiable breaches reported via NotifyUs as soon as practicable.
Australia
  • · Privacy Act 1988 + Australian Privacy Principles.
  • · Complaints lodgeable with OAIC (oaic.gov.au).
  • · Eligible data breaches under APP 11A cooperated with OAIC and affected individuals.
/ 05 — Binding documents

We summarise here. The contract is in Doc 24 (Privacy Policy). The DPA terms are in Doc 29. The cookie commitments are in Doc 28. The Subprocessor list is Doc 31. All documents become downloadable from the Trust Centre once counsel sign-off is recorded.

Privacy questions: privacy@giwahs.com
See also: Security · Compliance

Made with Emergent