Privacy policy
Short version: SupplierSpy does not track you. No cookies for advertising, no third-party analytics, no shared visitor data. This page spells out exactly what happens.
What we collect
Here is the complete list of data our systems touch when you visit:
- Standard web-server access logs (kept by Cloudflare, our hosting provider, by default). This includes IP address, user agent, URL requested, and timestamp. We use these only for operational purposes — making sure the site is up and catching abuse.
- Google Analytics 4 (GA4), ONLY if you click "Accept" on the consent banner. GA4 sets two first-party cookies (
_ga,_ga_G-9XSQMGB7DV) and sends aggregate events (page views, session length, outbound click clusters) to Google. We run GA with IP anonymization on, Google Signals off, and ad-personalization off — so GA sees pseudonymous session data, not a profile. If you decline or your browser sends Sec-GPC or DNT, GA loads in "Consent Mode denied" — no cookies, no identifiers, just cookieless pings that Google uses for aggregate modeling. You can flip your choice anytime at /cookies. - Outbound supplier-link clicks. When you click a link to a supplier's website, we append UTM parameters (
utm_source=supplierspy,utm_medium=referral,utm_campaign=benchmark) so the destination site knows the traffic came from us. We do this so suppliers can see SupplierSpy-referred traffic in their own analytics — we do not receive or store any click data back, and we do not get paid for these clicks.
ssp_view (Lite/Pro reading mode, only after you click the toggle), ssp_consent (your consent choice, so we don't re-ask every page), _ga + _ga_G-9XSQMGB7DV (GA4 — set on visit unless your browser sends Sec-GPC / DNT, or you click Decline), and __cf_bm (Cloudflare bot defense, always on the edge). Full breakdown + how to revoke: /cookies.
What we do not do
- No advertising networks. No ad tags, no retargeting pixels, no ad personalization — we don't run ads.
- No visitor-data sharing with suppliers or brokers. We do not sell, rent, or share your IP or any server-log data with suppliers, advertisers, data brokers, or AI training providers. GA4 data goes to Google per Google's privacy policy — no one else.
- No email newsletter. There isn't one yet. If we ever start one, it will be opt-in only and on a separate subdomain.
- No user accounts. You cannot sign up for SupplierSpy. There is nothing to sign up for.
- No fingerprinting. We do not run canvas, audio, or device-level fingerprinting scripts.
- No Meta Pixel, no TikTok Pixel, no LinkedIn Insight, no Hotjar, no Mixpanel, no Segment. GA4 is the only analytics tag on the site. It loads under Google Consent Mode v2 with analytics on by default, and auto-revokes for any browser that sends
Sec-GPC: 1orDNT: 1, or for any visitor who clicks Decline on the banner.
Privacy signals we honor automatically
- Global Privacy Control (GPC) — if your browser sends
Sec-GPC: 1, GA stays denied. The consent banner doesn't show. - Do Not Track (DNT) — if your browser sends
DNT: 1, same behavior. DNT is deprecated by most browsers but still honored here.
Both signals produce the same outcome as clicking Decline: no analytics cookies, no identifiers, no profile. You don't have to click anything.
Legal basis (GDPR / UK-GDPR)
For EU and UK visitors, the legal basis we rely on is legitimate interest for the minimal access logs Cloudflare keeps by default — we cannot responsibly run a website without a basic operational log. No other processing takes place on our side, so no other legal basis is needed.
Cloudflare is our data processor for hosting and log retention. Their own privacy policy governs how long those logs are retained and under what conditions they can be disclosed.
Your rights
You can ask for a copy of any data we hold about you (almost certainly: none), request deletion, or lodge a complaint. Because we don't maintain identity-linked records, most requests are answered with "we don't have anything tied to you" — but the door is open.
Write to hello@supplierspy.com. Include enough context (rough visit date, IP if you know it) so we can check the Cloudflare logs. Expect a reply within 30 days.
Changes to this policy
If the privacy model changes — for example if we add an opt-in newsletter — we will update this page and bump the "Last updated" date. Material changes are announced in the site changelog, which is append-only.