Frequently asked questions

Three levers do the work. First, no vendor takes money from us — no affiliate commissions tied to rank, no paid placement, no sponsored slots inside the leaderboard. Second, the rubric is published in full at /methodology/v1.0 and every score is reproducible from public signals a third party can re-fetch. Third, every change to a supplier's rank or score gets logged to /changelog with the timestamp and the triggering signal, so drift is auditable rather than invisible.

Integers telegraph the right level of precision. A score like 78.43 implies a rubric that can tell apart 78 from 79 at two decimals, and it cannot — public signals are too noisy for that. Rounding to whole numbers keeps the eye on movements that actually mean something and it makes side-by-side comparisons legible without squinting at a decimal point.

Editorial drift is the Δ between the score the rubric computes from raw signals and any score an editor typed in by hand. Publishing the delta per supplier is how we keep ourselves honest: if drift is non-zero, readers can see exactly where judgement overrode the machine, and we can tune the rubric to close the gap. Zero drift is the goal state.

Yes, and we want you to. Every supplier's profile page links to its /supplier/:slug/signals record — the raw Trustpilot rating, the Shopify App Store review count, the parsed pricing page, the ISIN if one exists. Plug those into the weights published at /methodology/v1.0 and you should land on the same integer we published, within rounding.

The eight dimensions were chosen because each maps onto a public signal that can be refetched, timestamped, and verified without signing up for anything. "Customer service feel" would be a great dimension on paper and a terrible one in practice — there is no public signal for it. We stuck with what we could prove.

Baseline cadence is 24 hours — a scheduled Cloudflare Workers cron fires every 6 hours, but the publish gate holds until a full day rolls over to keep the leaderboard from flapping. Spike detection overrides the gate: if a supplier moves ≥2 positions, or a supplier's primary site goes up or down, the pipeline publishes instantly. Every instant publish is logged to /changelog.

Two things. A ≥2-position move in either direction triggers an instant publish, because that size of move means the signal change was decisive and readers deserve to see it immediately. A binary site-status flip (reachable → unreachable, or the reverse) also triggers, because going dark is the single biggest supplier-risk signal we track.

Every page footer surfaces the snapshot timestamp, and /api/latest returns the same value in machine-readable form. If a snapshot is older than 24 hours the homepage shows a visible staleness chip — the pipeline may be temporarily wedged and we want you to know before you cite a stale number.

Realtime has a cost nobody benefits from: noise in the signals plus load on the sites we scrape. Six hours lands in the sweet spot where genuine shifts surface fast enough to be useful, and we are not hammering Trustpilot or the Shopify App Store every minute for data that barely moves.

Cron runs on UTC and does not take holidays off. Spike detection fires seven days a week. The only human-in-the-loop step is disputes, which are answered on business days within the published 14-day SLA — and the SLA clock does not pause for holidays either.

Inclusion criteria are narrow on purpose. A supplier is added when two conditions hold: it appears on a reputable 2026 dropshipping-supplier list (so someone else has already vetted relevance) and it fulfills individual-order volume (so it is actually a dropshipping supplier, not a pure-wholesale catalog). If you think a supplier meets both tests and is missing, open a /corrections request with evidence and we will evaluate.

No. There is no paid inclusion, no paid tier, no priority-review fee, no sponsored-profile upgrade. The only way onto the leaderboard is the inclusion criteria above, and the only way up or down the list is a change in the underlying public signals. Sponsorship rules live at /sponsorship-policy and make this crisp.

Capterra works through our residential-proxy pipeline and feeds the reviews dimension normally. G2 currently defends aggressively against the user-agent fingerprint we run, so G2 ratings are temporarily disabled as a signal — we would rather drop the input than publish flaky numbers. Follow /changelog; we will flip it back on when the access picture changes.

Claim flows start at /claim/:slug (linked from every supplier profile). Claiming does not let you move the score — it lets you submit corrected public signals: a new Trustpilot link, an updated legal entity, a refreshed pricing page URL. Those corrections feed the rubric the same way any other signal does.

Yes. Open /dispute/:slug and include the evidence: a screenshot, a primary-source URL, a filing reference. Disputes are logged publicly, tracked against a 14-day outcome SLA, and closed with a written decision — whether we agreed, disagreed, or needed more. See /corrections for the full track record.

Yes. All scores, rankings, and fact rows are licensed CC BY 4.0 — use them in articles, decks, dashboards, internal reports, academic work, whatever. The one requirement is attribution: cite "SupplierSpy (supplierspy.com)" with a link back when the medium allows. Code is MIT, live at github.com/DB-Shadow/supplierspy_com.

Yes. /api/leaderboard returns the full ranked list; /api/supplier/:slug returns a single supplier with every dimension score and every raw signal. Both endpoints are CORS-open so a browser-side app can hit them directly. No authentication, no token, no sign-up.

Not at the application layer — we do not meter requests. Cloudflare's edge may rate-limit egregious traffic to protect the Worker, but normal usage (a dashboard polling hourly, a research script pulling once a day) is effectively unlimited. If you need sustained high-volume access email hello@supplierspy.com and we will make sure your IP range is not caught by a generic shield.

Our stance is published at /ai.txt — the emerging standard for per-site AI training consent. Short version: reading for answer generation is fine, bulk training corpora require attribution, and any use that creates a derivative benchmark must honor the CC BY 4.0 terms. We welcome assistants citing us; we are less interested in being silently laundered into a competitor rubric.

Fastest path is /corrections — it takes a URL, a screenshot or primary source, and the specific fact you are disputing. For anything sensitive, email hello@supplierspy.com directly. We log every correction with an outcome, including the ones we decided not to act on, so readers can see the full record.

No. The site runs on Cloudflare Workers with KV for snapshots, D1 for relational history, R2 for large artifacts, and Browser Rendering for pipelines that need a real DOM. The whole repo is public at github.com/DB-Shadow/supplierspy_com — fork it, audit it, run your own copy against our published rubric, we encourage it.

D.B. Shadow is the editor and only byline. There is no ghostwriting, no content farm, no LLM-generated supplier copy. When we use AI it is for internal tooling — rubric calculation, signal normalization — never for the prose on supplier profiles. /about has the full editorial standard.

The editor has no ownership, board seat, advisor relationship, or affiliate contract with any supplier on the list, and will not accept one while operating SupplierSpy. If that ever changes, the relationship gets disclosed at the top of every supplier profile and the affected supplier is removed from the ranking. /sponsorship-policy has the full rules.