Version 2026-05-25 · Draft for counsel review
Catieno Supplier Privacy Policy
Effective date: [EFFECTIVE_DATE]
Version: 2026-05-25
1. Introduction
This Supplier Privacy Policy ("Policy") describes how [COMPANY_LEGAL_NAME] ("Catieno," "we," "us," or "our") collects, uses, discloses, and protects personal information when you access or use the Catieno supplier portal, APIs, and related procurement integration services (collectively, the "Service").
This Policy applies to supplier organizations and their authorized users (employees, contractors, and agents) who register for or use the Service. It does not govern:
- End users of your buyers' eProcurement systems (your buyers' procurement users), except as described in Section 4 regarding data you cause to flow through the Service; or
- Visitors to our public marketing website, who are covered by a separate notice if published.
By creating a supplier account, accepting an invitation, or continuing to use the Service after we post an updated Policy, you acknowledge this Policy. Where the Data Processing Agreement Exhibit ("DPA") applies, it governs our processing of Supplier Personal Data (as defined in the DPA) when we act as your processor.
2. Who we are
Data controller (for supplier account and portal data):
[COMPANY_LEGAL_NAME]
[COMPANY_ADDRESS]
Privacy contact: [PRIVACY_EMAIL]
EU representative (if applicable): [EU_REPRESENTATIVE]
UK representative (if applicable): [UK_REPRESENTATIVE]
Data Protection Officer (if designated): [DPO_CONTACT]
3. Scope of the Service
Catieno provides B2B software that helps suppliers integrate with enterprise buyers' eProcurement platforms, including hosted catalog (CIF) generation, live pricing, PunchOut sessions, catalog import and field mapping, integration logging, usage metering, and optional AI-assisted onboarding tools.
The Service may process:
- Information you and your users submit in the portal;
- Catalog and product data you upload or sync;
- Configuration for buyer relationships (e.g., SAP Ariba, Coupa, Jaggaer);
- Technical logs and session metadata generated when buyers interact with your integrations; and
- Custom integration code you author in the implementor workspace (production environments).
Your own e-commerce storefront, except for URLs and snippets you configure in Catieno, is not operated by Catieno.
4. Information we collect
4.1 Information you provide directly
| Category | Examples | Purpose |
|---|---|---|
| Account & company profile | Company name, storefront URL, e-commerce platform, plan tier | Account setup, service delivery, billing |
| Portal users | Name, email address, password (stored hashed), team role | Authentication, authorization, audit |
| Buyer program setup | Buyer organization name, eProcurement platform, PunchOut URLs, shared secrets | Configure integrations per buyer |
| Catalog connections | Connection name, schedule, SFTP/S3/API endpoints, credentials | Automated catalog sync |
| Catalog content | SKUs, descriptions, prices, images, URLs, custom fields | CIF, live price, PunchOut |
| Support & AI chat | Messages you send to in-product assistants or implementor tools | Support, configuration assistance |
| Communications | Emails to our support or success teams | Support, account management |
4.2 Information collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Integration API logs | HTTP method, path, status, duration, truncated request/response bodies (see Section 11) | Debugging, security, usage metering |
| PunchOut session data | Session identifiers, buyer cookies, cart summaries, sanitized capture payloads | Dashboards, troubleshooting |
| Usage metering | Daily/monthly API call counts per buyer relationship (not full request bodies) | Plan visibility, billing support |
| Security & operations | Authentication events, administrative actions | Security, compliance |
We do not intentionally collect sensitive personal information (e.g., health, biometric, or government ID data) through the Service. Do not upload such data into catalog files or chat unless strictly necessary and lawful.
4.3 Information about your buyers' users
When buyers use PunchOut or hosted catalog features, procurement protocol messages (e.g., cXML) and session tokens may include identifiers or professional contact information relating to your buyers' employees or agents. You are typically the data controller for that information; Catieno processes it on your instructions as described in the DPA. You are responsible for providing appropriate notices to your buyers and establishing a lawful basis for such processing.
4.4 Marketing website (separate context)
If you previously submitted a form on our public marketing site, we may have collected your name, email, company, phone, and IP address under our Website Privacy Policy. That data is not part of your supplier tenant unless you later create a supplier account using the same email.
5. How we use information
We use personal information to:
1. Provide and maintain the Service — including catalog ingest, mapping, CIF generation, PunchOut, live pricing, and buyer-specific configuration.
2. Authenticate and authorize portal and API access.
3. Secure the Service — fraud prevention, abuse detection, incident response.
4. Provide support — including optional AI-assisted tools.
5. Improve the Service — aggregated analytics, reliability, and feature development (not for cross-customer advertising profiles).
6. Meter usage — counts of integration calls for plan management.
7. Comply with law — respond to lawful requests and enforce our agreements.
8. Communicate with you — service announcements, security alerts, and policy updates.
Legal bases (EEA/UK): For supplier account data we rely on contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f)) for security and product improvement. Where we process buyer-side personal data on your behalf, you determine the lawful basis as controller; we process as processor under the DPA.
6. AI and automated processing
Catieno may use large language models (LLMs) to suggest catalog field mappings, answer product questions in the supplier assistant, and help authorized users configure integrations in the implementor workspace.
- Providers: Requests are routed through OpenRouter and underlying model providers. A current list appears in our subprocessor list and the DPA Annex III.
- Inputs: Mapping assistance typically sends column headers and field metadata—not your full catalog file—unless you explicitly include additional content in a chat message. Assistant and implementor chats send the messages and context you submit.
- Outputs: Suggestions require your review and confirmation before affecting production catalog mappings.
- Training: We contractually require subprocessors not to use your content to train generalized models. We do not use your tenant data to train third-party foundation models for unrelated customers.
- Retention: Chat and session histories are retained for up to 18 months after last activity, then deleted or archived, unless a longer period is required for legal hold or an active dispute.
You may limit use of AI features by not using assistant/implementor tools and by confirming mappings manually.
7. How we share information
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
We disclose information only to:
| Recipient | Why |
|---|---|
| Subprocessors | Cloud hosting, databases, object storage, cache, email delivery, LLM routing (Section 8) |
| Professional advisers | Lawyers, accountants, insurers under confidentiality |
| Authorities | When required by law or to protect rights and safety |
| Business transfers | Merger, acquisition, or asset sale (with notice where required) |
We may share aggregated or de-identified statistics that cannot reasonably identify you.
8. Subprocessors
We use the following categories of subprocessors to operate the Service:
| Category | Provider (representative) | Processing location |
|---|---|---|
| Cloud infrastructure | Amazon Web Services (AWS) | United States (primary) |
| LLM routing | OpenRouter and underlying model hosts | United States / varies by model |
| Email delivery | Configured SMTP or cloud email provider | As configured |
An up-to-date list with legal entity names and services is maintained at [SUBPROCESSOR_LIST_URL]. We will provide notice of material subprocessor changes as described in the DPA.
9. International transfers
Catieno is based in the United States. Personal information may be transferred to, stored in, and processed in the United States and other countries where we or our subprocessors operate.
Where EEA, UK, or Swiss personal data is transferred to a country without an adequacy decision, we rely on appropriate safeguards, including:
- The Data Processing Agreement Exhibit incorporating EU Standard Contractual Clauses (2021), Module 2 (controller-to-processor); and
- The UK International Data Transfer Addendum or UK IDTA, as applicable.
10. Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS) for network communications;
- Encryption at rest for stored connection credentials and shared secrets using application-level encryption keys separate from general session secrets;
- Access controls — role-based portal access, tenant isolation, and least-privilege operations access;
- Secret handling — API responses do not return stored passwords or API keys after initial save;
- Logging limits — integration log bodies are truncated and high-volume endpoints may be sampled;
- Retention jobs — automated pruning of integration API logs after the retention period.
No method of transmission or storage is 100% secure. You are responsible for safeguarding portal credentials and connection secrets on your side.
11. Retention
| Data category | Retention period |
|---|---|
| Supplier account & buyer configuration | Duration of subscription + up to 90 days after termination (unless legal hold) |
| Portal user accounts | Duration of membership + 30–90 days after deletion request or account closure |
| Catalog / product data | Until you delete or terminate; deleted with tenant offboarding |
| Connection credentials | Until connection is removed |
| Integration API logs | 90 days (configurable by Catieno operations; default 90) |
| Usage metering rollups | 24 months |
| AI assistant / implementor sessions | 18 months after last activity |
| Implementor workspace files | Duration of contract; removed on offboarding |
Backups may retain data for a limited additional period before overwrite.
12. Your choices and rights
12.1 Account settings
Portal administrators can update company profile, manage team members, and remove catalog connections. Contact [PRIVACY_EMAIL] for account deletion requests.
12.2 United States (CCPA/CPRA and similar laws)
If you are a California resident or where similar laws apply, you may have the right to know, access, correct, delete, and limit certain processing of personal information, and to opt out of sale/sharing. Catieno does not sell personal information and does not share it for cross-context behavioral advertising as defined under the CPRA.
To exercise rights, email [PRIVACY_EMAIL]. We will verify requests using information associated with your account. You may designate an authorized agent where permitted by law.
12.3 EEA, UK, and Switzerland
For personal information where Catieno is the controller (supplier account and portal users), you may contact us to access, rectify, erase, restrict, port, or object to processing, and to withdraw consent where processing is consent-based. You may lodge a complaint with your local supervisory authority.
For personal information where you are the controller (typically buyer-side or catalog data relating to your customers' personnel), submit requests to us through your organization's DPA process (Section 7 of the DPA), or contact [PRIVACY_EMAIL] with your supplier account details.
We will respond within timeframes required by applicable law (generally 30 days, extendable where permitted).
13. Supplier responsibilities
You agree to:
1. Provide accurate account information and keep credentials confidential;
2. Ensure you have a lawful basis to upload catalog data and configure buyer integrations;
3. Inform your buyers as required when their users' data flows through Catieno;
4. Avoid uploading unnecessary sensitive personal data;
5. Promptly notify us at [PRIVACY_EMAIL] if you believe your tenant credentials are compromised;
6. Execute the DPA when you process EEA/UK/Swiss personal data through the Service.
14. Children
The Service is a business-to-business offering not directed to individuals under 16 (or the age of digital consent in your jurisdiction). We do not knowingly collect children's personal information.
15. Changes to this Policy
We may update this Policy from time to time. We will post the revised Policy at /legal/privacy/ and update the effective date. For material changes, we will provide notice through the portal or email to account administrators at least 30 days before the change takes effect where required by law.
Continued use after the effective date constitutes acceptance where permitted.
16. Contact us
[COMPANY_LEGAL_NAME]
[COMPANY_ADDRESS]
Privacy: [PRIVACY_EMAIL]
Legal / DPA notices: [LEGAL_EMAIL]
*This document is a draft for counsel review. It does not constitute legal advice.*