Privacy Policy – Supply Finder

Version: V3 — Last updated: March 25, 2026

Data Controller

The processing of users' personal data is carried out by BuyrBox SAS, a SAS company with a capital of 15,000 euros, registered with the RCS of Nice under number 987 962 982, with its registered office at 21 avenue Caravadossi, France. For any questions or requests regarding personal data, you can contact us at: support@supply-finder.com.

BuyrBox has appointed a Data Protection Officer (DPO). For any questions related to personal data, you can contact our DPO at: dpo@supply-finder.com.

Data Collected

In the context of using the Supply Finder platform, BuyrBox collects the following data:

• First and last name
• Professional email address
• Connection logs and technical data
• Platform usage statistics
• Session recordings (session replay) for user experience improvement purposes
• Professional information voluntarily provided in briefings or deal-related discussions
• Payment information (processed via Stripe, not stored by BuyrBox)

Purposes of Processing

The data is collected and processed for the following purposes:

• Creation and management of user accounts
• Provision of the Supply Finder service
• Continuous improvement of the platform (features, user experience, security)
• Analysis of user journeys and identification of usability issues via session replay
• User support and assistance
• Targeted communication related to the service, its development, or features (optional, based on your consent)
• Onboarding and transactional emails (via Mailchimp)
• Access to YouTube API Services to power certain features of the platform. By using these features, users are also subject to Google's Privacy Policy, available at http://www.google.com/policies/privacy

Legal Basis of Processing

The processing activities carried out by BuyrBox are based on the following legal grounds:

• Performance of the contract (acceptance of the T&Cs when creating an account)
• Legitimate interest (usage analysis, service improvement, support, professional B2B communication)
• Consent (for targeted communication, analytical cookies, and session recordings)

Data Retention Period

• Account data: Retained as long as the user account is active. Deleted within 30 days of a deletion request or after 24 months of inactivity.
• Technical logs: Kept for a maximum of 12 months, unless legally required otherwise.
• Session recordings: Retained for a maximum of 90 days.
• Payment data: Processed by Stripe in accordance with their privacy policy and PCI DSS standards. BuyrBox does not store payment information.

Recipients and Subcontractors

The data collected is exclusively intended for BuyrBox. It may be processed by the following technical service providers acting as subcontractors:

Subcontractor	Purpose	Data Processed	Location/Guarantees
HubSpot	CRM, customer support	User contact details, interaction history	EU-hosted, SCCs for transfers
Amplitude	Product analytics and session replay	Usage statistics, behavioral data, session recordings, email address	EU-hosted (serverZone: EU configured)
OpenAI	Analysis of user briefings	Text entered in designated input fields	US, SCCs and API terms limit data use
Stripe	Payment processing	Payment details	US, SCCs and PCI DSS compliance
Mailchimp	Onboarding and transactional emails	Email address, user preferences	US, SCCs and EU-US Data Privacy Framework
Zapier	Workflow automation	Data necessary for integration between tools	US, SCCs and security certifications

These providers are contractually bound to strict confidentiality and security obligations. For providers outside the EU, Standard Contractual Clauses (SCCs) validated by the European Commission are implemented.

Use of Amplitude and Session Replay

Supply Finder uses Amplitude to analyze platform usage and improve user experience. This solution includes a session replay feature that captures user interactions with the interface.

Data collected via Amplitude includes:

• Actions performed on the platform (clicks, navigation, form interactions)
• Email address (used as user identifier)
• Video recordings of user sessions (mouse movements, clicks, scrolling)
• Technical information (browser type, operating system, screen resolution)

Session recordings are used solely to identify usability issues, fix bugs, and improve the interface. Sensitive data (passwords, payment information) is automatically masked. Recordings are retained for a maximum of 90 days.

All Amplitude data is hosted in the European Union (serverZone: EU configuration) and is GDPR compliant.

Use of OpenAI

Supply Finder uses OpenAI's API to assist users in formulating or analyzing their needs. The data sent to the API is:

• Strictly limited to the text entered by the user in a designated input field
• Devoid of any confidential, personal, or identifying information unless voluntarily included by the user
• Not reused to train models or retained by OpenAI

Use of YouTube API Services

Supply Finder uses YouTube API Services to retrieve public channel and video data for use within the platform. By using features powered by YouTube API Services, users acknowledge that they are also bound by:

• The YouTube Terms of Service: https://www.youtube.com/t/terms
• Google's Privacy Policy: http://www.google.com/policies/privacy

YouTube API data displayed within the platform is refreshed at minimum every 30 days and is never stored beyond that period, in accordance with the YouTube API Services Developer Policies. Users may revoke Supply Finder's access to YouTube API data at any time via Google's security settings page: https://security.google.com/settings/security/permissions.

Deal Processing via SSP API

At the user's explicit request, BuyrBox may create or configure deals within SSP platforms via an integrated API. BuyrBox acts as a technical processor, in accordance with the user's explicit instructions. No independent recording or secondary use of deal data is carried out by BuyrBox.

Data Hosting and Security

Collected data is hosted on Fly.io, whose infrastructure is compliant with GDPR. BuyrBox ensures that all technical partners meet security standards equivalent to those required by European legislation.

BuyrBox implements the following security measures:

• Encryption of data in transit (TLS) and at rest (AES-256)
• Restricted access to personal data based on the principle of least privilege
• Regular security audits by independent third parties

In the event of a data breach, BuyrBox commits to notifying the competent supervisory authority (CNIL) within 72 hours and, where applicable, affected users without undue delay.

User Rights

Under the GDPR, you have the following rights:

• Right of access, rectification, and erasure of your data
• Right to restrict or object to processing
• Right to data portability (where applicable by law)
• Right to withdraw consent for marketing communications and session recordings at any time

To exercise your rights, please contact us at: support@supply-finder.com. A response will be provided within 30 days.

Cookies and Trackers

Supply Finder uses:

• Technical cookies (strictly necessary for the service's operation)
• Analytical cookies (Amplitude, subject to your consent)

You can manage your cookie preferences via our Cookie Banner.

Policy Updates

This privacy policy may evolve. Significant changes will be communicated via email and a banner on the platform. Continued use of the service constitutes acceptance of the updated policy.

BuyrBox integrates data protection by design and by default in the development of all its features.