bizSupply
Legal

Legal

Privacy Policy

Infosistema bizSupply — Procurement Contract Management Platform

Effective: April 1, 2026INFOSISTEMA, SISTEMAS DE INFORMAÇÃO, S.A.

This Privacy Policy explains how INFOSISTEMA, SISTEMAS DE INFORMAÇÃO, S.A. (hereinafter "Infosistema", "we", "us") collects, uses, stores, and protects personal data when you use the bizSupply platform and related services. bizSupply is a cloud-based procurement contract management platform that helps businesses track vendor contracts, automate renewal alerts, benchmark pricing, and manage procurement spend.

1. Controller Identification

INFOSISTEMA, SISTEMAS DE INFORMAÇÃO, S.A., a company incorporated under Portuguese law, with NIF 502 081 631, headquartered at Rua de Salazares 842, 4149-002 Porto, Portugal, is the data controller responsible for the processing of personal data collected through the bizSupply platform.

For users in the United States, the relevant entity is Infosistema Inc., incorporated in Delaware.

2. Data We Collect

2.1 Account Data

When you create a bizSupply account or subscribe to our services, we collect:

  • Full name, email address, and job title
  • Company name, website, and company size
  • Billing and payment information (processed by our payment provider)
  • Phone number (optional, when provided via contact forms)

2.2 Platform Usage Data

When you use the bizSupply platform, we collect:

  • Feature usage patterns and frequency (e.g., dashboards accessed, alerts configured)
  • API usage and plugin activity metrics
  • Search queries and filter configurations
  • Performance telemetry (page load times, error rates)

2.3 Customer Data

Customer Data refers to the procurement data you upload or import into bizSupply, including vendor contracts, pricing information, renewal dates, and spend analytics. You retain full ownership of your Customer Data. We process it solely to provide the bizSupply service to you and do not use it for any other purpose.

2.4 Technical Data

  • IP address, browser type, operating system
  • Device identifiers and session information
  • Cookies and similar tracking technologies (see our Cookie Policy)

3. Purposes of Processing

We process personal data for the following purposes:

  • Service delivery — providing, maintaining, and improving the bizSupply platform
  • Account management — creating and managing your account, processing subscriptions
  • Communication — sending service notifications, renewal alerts, support responses
  • Analytics — understanding how the platform is used to improve features and performance
  • Security — detecting and preventing fraud, unauthorized access, and abuse
  • Legal compliance — fulfilling legal obligations, responding to lawful requests
  • Marketing — with your consent, sending product updates and relevant content (you can opt out at any time)

4. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR:

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the bizSupply service under your subscription agreement
  • Legitimate interest (Art. 6(1)(f)) — analytics, security, and service improvement, balanced against your privacy rights
  • Consent (Art. 6(1)(a)) — marketing communications and non-essential cookies
  • Legal obligation (Art. 6(1)(c)) — compliance with applicable laws and regulations

5. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described above:

  • Account data — retained during your active subscription and for 30 days after termination to allow data export
  • Customer Data — deleted within 60 days of account termination, unless you request earlier deletion
  • Usage data — retained in anonymized/aggregated form for analytics (no longer personally identifiable)
  • Legal records — retained as required by applicable law (typically 5–10 years for financial records)

6. Data Sharing

We do not sell your personal data. We may share data with:

  • Service providers — cloud infrastructure (Google Cloud Platform), payment processing, email delivery, analytics providers (Google Analytics), advertising platforms (Meta/Facebook, LinkedIn), affiliate tracking (Reditus) — all bound by data processing agreements
  • Affiliated companies — within the Infosistema / Joyn Group corporate family, for internal administration purposes
  • Legal authorities — when required by law, regulation, or valid legal process
  • Business transfers — in connection with a merger, acquisition, or sale of assets (with notice to affected users)

7. International Transfers

bizSupply's infrastructure is hosted on Google Cloud Platform in the EU (europe-west1, Belgium) for non-US customers and in the US (us-central1, Iowa) for US customers. When personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Data processing agreements with all sub-processors

8. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions
  • Regular security audits and vulnerability assessments
  • Incident response procedures with breach notification within 72 hours (GDPR requirement)
  • ISO 27001 security practices as reference framework

9. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — limit processing of your data in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interest or for direct marketing
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise these rights, contact us at privacy@infosistema.com. We will respond within 30 days. For complex or numerous requests, this period may be extended by up to 60 additional days, in which case we will notify you of the extension and reasons within the initial 30-day period.

You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt, or with your local supervisory authority.

9.1 Additional Rights for California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following additional rights regarding your personal information:

  • Right to know — you have the right to know the categories of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it
  • Right to delete — you have the right to request deletion of personal information we have collected from you, subject to certain exceptions
  • Right to opt-out of sale — bizSupply does not sell or share personal information for cross-context behavioral advertising
  • Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA rights

To exercise your CCPA rights, contact us at privacy@infosistema.com.

9.2 Automated Decision-Making

bizSupply uses AI-powered features for contract analysis, spend categorization, and price benchmarking. These features serve as decision-support tools and do not make automated decisions with legal or similarly significant effects on individuals. All AI-generated insights require human review before action.

10. Children's Privacy

bizSupply is a business-to-business platform and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through the platform at least 30 days before they take effect. The "Effective" date at the top of this page indicates the latest revision.

12. Contact Information

For questions about this Privacy Policy or our data practices: