SupplierClear

GDPR Compliance

Lawful basis

| Processing | Basis |
|------------|-------|
| Account sign-in (email OTP) | Contract / legitimate interest |
| Paid report storage | Contract |
| Enterprise audit logs | Legitimate interest / contract |
| Optional clarity layer (OpenAI) | Contract — see [`CLARITY.md`](../CLARITY.md) |
| Product analytics (PostHog, when enabled) | Consent / legitimate interest |

Data subject rights

Users may **export** or **delete** account data from Settings or via `/api/privacy/export-data`. Deletion removes assessments, report metadata, and auth sessions, subject to legal retention limits.

EU jurisdiction pack

The `EU` jurisdiction pack applies EUR pricing, Stripe payments, and EU-specific disclaimer text. It does not constitute legal advice on GDPR compliance for your organization.

Sub-processors

See `DPA-TEMPLATE.md` for the standard processor list and SCC references. When `OPENAI_API_KEY` is configured, the optional clarity features use OpenAI as a sub-processor — see [`SUB-PROCESSORS.md`](SUB-PROCESSORS.md). Set `LLM_CLARITY_ENABLED=false` to disable the LLM code paths entirely, so no assessment data is sent to OpenAI. Enterprise customers may execute a custom DPA.

Data location

Production deployment region is configured per environment. Enterprise tier supports isolated tenant deployment on request.

Contact

Privacy inquiries: privacy@bacenik.com