Privacy Policy

Effective Date: March 22, 2026  |  Last Updated: March 22, 2026

Steeled Inc., a Delaware Corporation ("Company," "we," "us," "our") operates SupplyChainStack ("Service") at supplychainstack.ai. This Privacy Policy describes how we collect, use, store, share, and protect your personal information and business data when you use the Service.

This Privacy Policy applies to all users of the Service, including visitors, registered users, and Marketplace participants. By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Data Controller

The data controller responsible for your personal data is:

Steeled Inc., a Delaware Corporation
Email: supplychainstack@polsia.app

If you have any questions about this Privacy Policy or our data practices, please contact us at the email address above.

2. Information We Collect

We collect information in several ways depending on how you interact with the Service:

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Company or organization name
  • Password (stored in hashed form; we never store plaintext passwords)
  • Billing information (processed securely through our third-party payment processor)

2.2 Business Data You Upload

When you use the Service, you may upload supply chain data including:

  • Sales records and transaction history
  • Inventory levels and product catalogs
  • Supplier information and contact details
  • Cost and pricing data
  • Logistics and shipping records
  • Custom datasets for analysis

You retain full ownership of all business data you upload. We process this data solely to provide the Service to you.

2.3 Usage Data

We automatically collect information about how you interact with the Service, including:

  • Pages visited and features used
  • Time spent on different sections of the Service
  • Actions taken (uploads, analyses requested, reports generated)
  • Device type, browser type, and operating system
  • IP address and approximate geographic location (city/region level)
  • Referring URL and search terms used to find the Service

2.4 Communication Data

When you contact us for support, provide feedback, or communicate through the Service, we collect the content of those communications along with associated metadata (timestamps, subject lines).

2.5 Marketplace Data

If you participate in the SupplyChainStack Marketplace:

  • Providers: We collect business profiles, service descriptions, certifications, pricing information, and contact details that you submit for listing purposes.
  • Buyers: We collect inquiry details, requirements, and contact information that you submit when requesting quotes or matches.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

  • To provide, maintain, and improve the Service, including AI-powered forecasting, analytics, and optimization features;
  • To process your uploaded data and generate analyses, reports, and recommendations;
  • To facilitate Marketplace connections between Providers and Buyers;
  • To process payments and manage your subscription.

3.2 Communication

  • To send transactional emails (account confirmation, password resets, billing receipts);
  • To send product updates, new feature announcements, and important service notices;
  • To respond to your support requests and inquiries;
  • To send marketing communications (only with your consent; you may opt out at any time).

3.3 Analytics and Improvement

  • To analyze usage patterns and improve the Service;
  • To develop new features based on aggregate usage data;
  • To monitor and improve the accuracy of our AI models using aggregate, anonymized data;
  • To conduct A/B testing and measure feature effectiveness.

3.4 Security and Compliance

  • To detect, prevent, and respond to fraud, abuse, or security incidents;
  • To enforce our Terms of Service;
  • To comply with applicable legal obligations, court orders, or regulatory requirements.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

Purpose  |  Legal Basis
Providing the Service  |  Performance of contract (Article 6(1)(b) GDPR)
Processing payments  |  Performance of contract (Article 6(1)(b) GDPR)
Sending transactional emails  |  Performance of contract (Article 6(1)(b) GDPR)
Analytics and service improvement  |  Legitimate interest (Article 6(1)(f) GDPR)
Marketing communications  |  Consent (Article 6(1)(a) GDPR)
Security and fraud prevention  |  Legitimate interest (Article 6(1)(f) GDPR)
Legal compliance  |  Legal obligation (Article 6(1)(c) GDPR)

5. Data Sharing and Third Parties

We do not sell your personal data or your business data to third parties.

We may share data with the following categories of recipients, solely for the purposes described:

5.1 Service Providers

We work with trusted third-party vendors to operate the Service, including:

  • Cloud hosting: Infrastructure providers that store and process data on our behalf (all data encrypted at rest and in transit);
  • Payment processing: Secure payment processors that handle billing transactions (we do not store full credit card numbers);
  • Analytics: Aggregate usage analytics to improve the Service;
  • Email delivery: Transactional and marketing email service providers;
  • AI processing: AI model providers that process data to generate forecasts and recommendations (under strict data processing agreements).

All service providers are bound by data processing agreements that require them to protect your data and use it only for the purposes we specify.

5.2 Marketplace Participants

When you submit an inquiry through the Marketplace, your contact information and inquiry details are shared with the specific Provider(s) you selected or were matched with. Your data is visible only to the Provider who received the specific lead notification. Providers are contractually prohibited from sharing, reselling, or misusing your data (see our Terms of Service, Section 7.3).

5.3 Legal Requirements

We may disclose personal data if required to do so by law, or in the good-faith belief that disclosure is necessary to:

  • Comply with a legal obligation, subpoena, court order, or regulatory request;
  • Protect and defend the rights or property of Steeled Inc.;
  • Prevent or investigate potential wrongdoing in connection with the Service;
  • Protect the personal safety of users or the public.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

  • Account data: Retained for the duration of your active account, plus 30 days after account deletion to allow for data export requests;
  • Business data you upload: Retained for the duration of your active account. Permanently deleted 30 days after account deletion or upon your earlier request;
  • Usage data: Retained in identifiable form for up to 24 months, then anonymized for aggregate analytics;
  • Communication records: Retained for up to 36 months for support quality and legal compliance;
  • Billing records: Retained for up to 7 years as required by tax and financial regulations;
  • Marketplace inquiry data: Retained for 12 months after the inquiry, unless the parties establish an ongoing business relationship.

You may request earlier deletion of your data at any time (see Section 8: Your Rights).

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher;
  • Encryption at rest: All stored data, including uploaded business data and personal information, is encrypted using AES-256 encryption;
  • Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis;
  • Regular audits: We conduct regular security assessments and vulnerability scans;
  • Secure infrastructure: Our servers are hosted in SOC 2 compliant data centers;
  • Password security: User passwords are hashed using industry-standard algorithms and never stored in plaintext;
  • Incident response: We maintain an incident response plan and will notify affected users within 72 hours of discovering a data breach, as required by applicable law.

While we implement reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Rights Under GDPR (EEA, UK, Switzerland)

  • Right of Access: You may request a copy of the personal data we hold about you;
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data;
  • Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data, subject to legal retention obligations;
  • Right to Restriction: You may request that we restrict the processing of your personal data in certain circumstances;
  • Right to Data Portability: You may request a machine-readable copy of your personal data to transfer to another service;
  • Right to Object: You may object to processing based on legitimate interests, including direct marketing;
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

8.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request information about the categories and specific pieces of personal information we collect, use, disclose, and sell;
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions;
  • Right to Correct: You may request correction of inaccurate personal information;
  • Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide an opt-out mechanism;
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of the above rights, contact us at supplychainstack@polsia.app. We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).

9. International Data Transfers

Your data may be processed in the United States or other countries where our service providers operate. When we transfer data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Data processing agreements with all third-party processors;
  • Compliance with applicable data protection laws in the receiving country.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience. Here is how we categorize our cookies:

10.1 Essential Cookies

These cookies are necessary for the Service to function properly. They enable core features such as user authentication, session management, and security. You cannot opt out of essential cookies while using the Service.

10.2 Analytics Cookies

These cookies help us understand how visitors interact with the Service by collecting anonymous usage data. Analytics cookies track page views, feature usage, and navigation patterns. You may opt out of analytics cookies through our cookie consent banner.

10.3 Marketing Cookies

These cookies are used to deliver relevant advertisements and measure advertising effectiveness. We may use marketing cookies in the future to support targeted advertising campaigns. You may opt out of marketing cookies through our cookie consent banner.

10.4 Managing Cookies

When you first visit the Service, you will see a cookie consent banner that allows you to:

  • Accept all cookies: Enables essential, analytics, and marketing cookies;
  • Decline: Enables essential cookies only;
  • Customize: Select which categories of cookies to enable.

You can also manage cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the Service.

11. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child under 16, please contact us immediately at supplychainstack@polsia.app and we will take steps to delete it.

12. Third-Party Links

The Service may contain links to third-party websites, tools, or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party services you interact with through our platform.

13. Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) feature. There is currently no industry-wide standard for DNT signals. We do not currently respond to DNT signals, but we respect your cookie preferences as set through our consent banner.

14. Data Processing Agreements

For business customers who require a formal Data Processing Agreement (DPA), we offer standard DPA templates that comply with GDPR and CCPA requirements. Contact us at supplychainstack@polsia.app to request a DPA.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes:

  • We will post the revised Privacy Policy on this page with an updated "Last Updated" date;
  • We will send an email notification to registered users;
  • For material changes that affect how we process your data, we will seek your renewed consent where required by law.

We recommend reviewing this Privacy Policy periodically to stay informed about our data practices.

16. Supervisory Authority

If you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates applicable data protection law. We encourage you to contact us first so we can try to resolve your concern directly.

17. Contact Information

For any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Email: supplychainstack@polsia.app

Data Controller: Steeled Inc., a Delaware Corporation

We aim to respond to all privacy-related inquiries within 30 days of receipt.