Privacy Policy
Last updated: April 4, 2026
WholesaleBridge ("we," "us," or "our") operates the WholesaleBridge Analytics platform. This Privacy Policy describes how we collect, use, store, and protect information when you use our service.
1. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization affiliation. If you use password authentication, your password is hashed using bcrypt via Supabase Auth and is never stored in plaintext.
Business Data
With your authorization, we connect to your business systems (TMS, accounting, carrier databases) and ingest operational data including:
- Load/shipment records (revenue, margins, dates, customer and carrier names)
- Commission calculations and compensation plan assignments
- Carrier safety data from public sources (FMCSA)
- Invoice and payment records
- CRM activity data (calls, tasks, leads)
This data belongs to your organization. We process it to provide the analytics service you subscribed to.
API Credentials
When you connect external systems (Salesforce, Sage Intacct, TriumphPay, etc.), the OAuth tokens and API keys you provide are encrypted using pgsodium (libsodium) vault encryption before storage. We never store API credentials in plaintext, in environment variables (beyond the platform's own Supabase keys), or in application logs.
Usage Data
We collect basic usage data including pages viewed, features used, and session duration to improve the platform. We do not use third-party analytics trackers or advertising pixels.
2. How We Use Your Information
- To provide, operate, and maintain the analytics dashboard
- To calculate commissions, generate reports, and surface business insights
- To monitor carrier safety and compliance status
- To send service-related notifications (sync errors, security alerts, account updates)
- To improve platform performance and fix bugs
We do not sell, rent, or share your business data with third parties. We do not use your data to train machine learning models outside of your organization's own analytics.
3. Data Storage and Security
- Database: Data is stored in Supabase PostgreSQL with row-level security (RLS) policies enforcing organization isolation
- Encryption at rest: Database encryption provided by Supabase's infrastructure (AES-256)
- Encryption in transit: All connections use TLS 1.2+
- Credential encryption: API keys and OAuth tokens encrypted via pgsodium vault (libsodium XSalsa20-Poly1305)
- Access control: Three-tier RBAC (Owner, Admin, Member) with org_id extracted from JWT, never from client input
- Audit logging: All credential changes, data imports, and administrative actions are logged, with PII automatically sanitized
4. Data Ownership
Your organization retains full ownership of all business data processed through WholesaleBridge. We are a data processor, not a data owner. Upon termination of your account, we will provide a complete data export and delete your data from our systems within 30 days, unless a longer retention period is required by law.
5. Multi-Tenant Isolation
WholesaleBridge is a multi-tenant platform. Each organization's data is isolated by organization_id enforced at the database level via row-level security policies and at the application level via JWT-based authentication. No organization can access, view, or query another organization's data.
6. Third-Party Services
We use the following third-party services to operate the platform:
- Supabase (database, authentication, vault encryption)
- Railway (application hosting)
- Resend (transactional email — password resets, notifications)
- FMCSA (public carrier safety data)
We do not share your business data with these providers beyond what is necessary to operate the service.
7. Cookies
We use a single HttpOnly session cookie (sb-access-token) for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
8. Data Retention
We retain your business data for the duration of your active subscription. Historical data is preserved to enable year-over-year trending and audit trail integrity. Upon account termination, data is deleted within 30 days unless otherwise agreed or required by law.
9. Your Rights
You have the right to:
- Access all data we hold about your organization
- Request correction of inaccurate data
- Request deletion of your data (subject to audit trail requirements)
- Export your data in standard formats (CSV, XLSX)
- Revoke API connections at any time via the Settings page
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account administrators of material changes via email. Continued use of the service after notification constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or data requests, contact us at:
WholesaleBridge
Email: privacy@wholesalebridge.io
This privacy policy is provided as a template and should be reviewed by qualified legal counsel before publication.