Supply Index

Privacy Policy

Effective date: 25 March 2025

Version: v1.0

1. Data Controller

Indexeli Intelligence Limited (“we”, “us”, “our”) is the data controller for personal data processed through supplyindex.io (“Supply Index”, “the Service”). Registered in England and Wales. For data protection enquiries, contact our DPO at dpo@supplyindex.io.

2. What Data We Collect

  • Account data: Name, email address, clinic name, postcode, CQC/GDC registration numbers.
  • Invoice data: Supplier invoices you upload, including supplier names, product names, quantities, and prices (ex-VAT, GBP pence).
  • Usage data: Pages visited, features used, timestamps — for product improvement only.
  • Price entries: Product prices you manually enter for benchmarking.
  • Consent records: Timestamped records of your data sharing and marketing consent choices, including IP address and browser user agent at the time of consent, stored in an immutable audit log.

3. How We Use Your Data

  • To provide pricing benchmarks aggregated across all participating clinics.
  • To verify invoice authenticity and prevent fraud.
  • To send transactional emails (invoice confirmations, access grants, alerts).
  • To improve our benchmark accuracy and product matching.

We never sell your data. We never share identifiable pricing data with other clinics or suppliers.

4. Data Sharing with Third Parties

We may share anonymised, aggregated data with the following categories of third parties:

  • Commercial partners: Aggregated market intelligence reports and benchmarking data for industry analysis. No data shared can identify individual clinics, their pricing, or their supplier relationships.
  • Regulatory bodies: Anonymised, aggregated supply chain data that may be used for market oversight and policy research.
  • Industry bodies: Aggregated benchmarking data for sector reports and publications.

All shared data is subject to the same minimum thresholds applied throughout the platform: a minimum of 5 clinics and 20 data points must contribute to any aggregated figure. This ensures no individual clinic can be identified from shared data.

We will never share your raw invoice images, identifiable pricing data, or clinic-level information with any third party.

5. Legal Basis (UK GDPR)

  • Contract: Processing necessary to provide the benchmarking service you signed up for.
  • Legitimate interest: Aggregated benchmarking across participating clinics, fraud prevention, product improvement, and maintaining data quality. We have conducted a legitimate interest assessment and concluded that the benefits to clinic owners (transparent pricing) outweigh any limited privacy impact, given that all outputs are anonymised and aggregated.
  • Consent (data sharing): At registration, you explicitly consent to your anonymised supply chain data being used for industry benchmarking and shared with regulatory and commercial partners in aggregated form. You may withdraw this consent at any time by contacting dpo@supplyindex.io.
  • Consent (marketing): Marketing emails and benchmarking reports are only sent if you opt in. You can unsubscribe at any time via the link in any email or by contacting us.

6. Data Storage and Security

  • Invoice files stored on Cloudflare R2 with encryption at rest.
  • Database hosted on Neon Postgres with TLS encryption in transit.
  • All benchmark queries aggregate across a minimum of 5 clinics and 20 data points.
  • Supplier accounts cannot access individual clinic pricing data.

7. Data Retention

  • Invoice image files: deleted after 24 months from upload date.
  • Extracted pricing data: retained in anonymised, aggregated form indefinitely for benchmark accuracy.
  • Account data: retained while your account is active, deleted within 30 days of account closure.
  • Audit logs: retained for 36 months for security and compliance.
  • Consent audit records: retained indefinitely as evidence of consent under UK GDPR.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of all personal data we hold about you.
  • Rectification: Correct inaccurate personal data.
  • Erasure: Request deletion of your personal data (subject to legal retention obligations).
  • Portability: Receive your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Restriction: Request restricted processing while we address your concerns.

To exercise any right, email dpo@supplyindex.io. We respond within 30 days.

9. Erasure Process

To request full account deletion:

  1. Email dpo@supplyindex.io with subject “Erasure Request” from your registered email.
  2. We verify your identity and process the request within 30 days.
  3. We delete: your account, clinic profile, uploaded invoice files, and manual price entries.
  4. We retain: anonymised, aggregated benchmark data that cannot be linked back to you (this is no longer personal data under GDPR).

10. Cookies

We use essential cookies only (authentication session). We do not use advertising or tracking cookies. No third-party analytics cookies are placed without explicit consent.

11. Third-Party Processors

  • Neon (database): EU-hosted PostgreSQL.
  • Cloudflare R2 (file storage): EU region.
  • Anthropic (AI extraction): Invoice content sent for automated data extraction. No data retained by Anthropic beyond the API call.
  • Resend (email): Transactional email delivery.
  • Vercel (hosting): Application hosting.
  • Stripe (payments): Supplier subscription billing only.

12. Contact

Data Protection Officer: dpo@supplyindex.io

General enquiries: hello@supplyindex.io

You have the right to lodge a complaint with the ICO (ico.org.uk) if you believe your data rights have been infringed.