Privacy Policy

Effective Date: 1 April 2026 · Last Updated: 1 April 2026

This policy explains how GulfStockHub handles your personal data. It is designed to comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the KSA Personal Data Protection Law.

1. Introduction

In plain terms: GulfStockHub is a B2B marketplace. This policy explains what data we collect, why, and how we protect it. By using the platform you acknowledge this policy.

GulfStockHub ("Platform", "we", "us", or "our") is a B2B industrial surplus marketplace connecting buyers and sellers of industrial equipment across the Gulf Cooperation Council (GCC) region at gulfstockhub.com.

This Privacy Policy explains what personal data we collect and why; how we use and protect that data; who we share it with; how long we retain it; and what rights you have over your data.

By registering an account or using the Platform you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

In plain terms: GulfStockHub is the data controller responsible for your personal data. Contact us at info@gulfstockhub.com for any privacy matter.

The data controller responsible for your personal data is:

GulfStockHub

Email: info@gulfstockhub.com

Website: gulfstockhub.com

For all data protection enquiries, access requests, and deletion requests, contact us at the email above with the subject line "Privacy Request".

3. What Personal Data We Collect

In plain terms: We collect what you give us when you register, create listings, negotiate, and verify your mobile. We also collect basic session data so you stay logged in. We do not run advertising trackers.

3.1 Data You Provide Directly

Account registration

Full name, email address, password (stored as a cryptographic hash — never in plain text)
Country and city of operation
Optional: company name, professional designation

Mobile verification

Mobile phone number (country code + local number)
Verification status and date of verification

Listing creation

Product details: title, description, category, condition, technical specifications
Commercial terms: price, currency, payment terms, delivery terms, lead time, warranty
Location: country and city of the item
Uploaded files: product images and technical documents (PDF)

Negotiation messages

Text content of structured pre-contractual discussion threads
Timestamps and read status of messages

Reports

Content of reports you submit about listings (reason and details)

3.2 Data Generated Automatically

Session data: authentication tokens (JWT) stored in browser cookies
Usage data: listing view counts (aggregated), watchlist additions
Device and access data: IP address and browser type retained by our infrastructure provider (Supabase) as part of normal server logs

What we do NOT collect: We do not run advertising trackers, cross-site tracking pixels, or analytics scripts (e.g., Google Analytics). We do not build advertising profiles. We do not sell or rent your personal data to third parties.

4. How and Why We Use Your Data

In plain terms: We use your data to run the platform: create your account, show your listings, send notifications, and handle negotiations. We do not use your data for advertising or sell it to anyone.

Purpose	Data Used	Legal Basis
Creating and managing your account	Name, email, password, country, city	Contract performance
Enabling mobile verification (OTP)	Mobile number	Contract performance; fraud prevention
Displaying your listings to other users	Listing content, images, documents, location	Contract performance
Sending transactional email notifications	Email address	Contract performance
Enabling the negotiations system	Negotiation messages, email	Contract performance
Reviewing reports of fraudulent listings	Reporter ID, reported listing, reason	Legitimate interests (platform integrity)
Bot and fraud protection (Turnstile)	Browser fingerprint signals	Legitimate interests (security)
Responding to enquiries and support requests	Email, account details	Contract performance; legitimate interests
Complying with legal obligations	As required by law	Legal obligation

We do not use your data for targeted advertising, selling or licensing to third parties, or automated decision-making that produces significant legal effects on you.

5. Data Sharing and Disclosure

In plain terms: Your listing content is public. We share data with our technology providers (Supabase, Resend, Cloudflare) only so they can run the platform. We don't sell your data.

5.1 With Other Users of the Platform

When you post a listing, its content (title, description, specifications, price, location, images, and documents) is publicly visible to all visitors, including non-registered users. Your name and account details are not automatically shown on listings but may be accessible to logged-in users who initiate a negotiation with you.

5.2 With Our Technology Service Providers

Provider	Purpose	Data Processed
Supabase (USA)	Database, authentication, file storage	All account and listing data, session tokens
Resend (USA)	Transactional email delivery	Email address, notification content
Cloudflare (Global)	Bot protection (Turnstile)	Browser signals, IP address
Unifonic (KSA) (planned)	SMS OTP delivery	Mobile number, OTP message

These providers are authorised to process your data only for the purposes listed above and in accordance with our instructions. We have, or will have, data processing agreements in place with each of them.

5.3 Legal Requirements

We may disclose your personal data if required by applicable law, court order, regulatory authority, or government request in any GCC jurisdiction or elsewhere. We will notify you where legally permitted to do so.

5.4 Business Transfer

If GulfStockHub is acquired, merged, or restructured, your data may be transferred to the successor entity. We will notify registered users by email before any such transfer and provide an opportunity to delete your account.

6. International Data Transfers

In plain terms: Our providers (Supabase, Resend, Cloudflare) are US-based. Your data may be processed outside the GCC, but always under appropriate safeguards.

Our primary technology providers are headquartered in the United States and may process your data on servers located outside the GCC. We rely on standard contractual clauses or equivalent mechanisms required by applicable data protection law, and on the use of service providers who maintain internationally recognised security certifications (SOC 2, ISO 27001). By using the Platform, you acknowledge that your data may be transferred internationally as described above.

7. Data Retention

In plain terms: We keep your data only as long as needed. Your account data is kept while your account is open, plus 3 years after closure. You can request deletion at any time.

Data Type	Retention Period
Account data (name, email, profile)	Duration of account + 3 years after closure
Listing content	While listing is active; archived for 2 years after expiry or removal
Uploaded images and documents	While listing is active; deleted within 90 days of listing removal
Negotiation messages	3 years from the date of the last message
Reports submitted	3 years from submission date
Authentication logs (session tokens)	30 days (rolling JWT expiry)
Email delivery logs (Resend)	As per Resend's retention policy (typically 30–90 days)

Account deletion requests: Email info@gulfstockhub.com with the subject "Account Deletion Request". We will process your request within 30 days, subject to any legal retention obligations.

8. Your Rights

In plain terms: You have the right to access, correct, delete, or export your data. Email us at info@gulfstockhub.com with the subject "Privacy Request" and we will respond within 30 days.

Right	What it means
Access	Request a copy of the personal data we hold about you
Correction	Request correction of inaccurate or incomplete data
Deletion	Request deletion of your data where it is no longer needed
Restriction	Request that we limit how we use your data in certain circumstances
Portability	Request your data in a structured, machine-readable format
Objection	Object to processing based on our legitimate interests
Withdraw consent	Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at info@gulfstockhub.com with the subject "Privacy Request", specifying which right you wish to exercise and your registered email address. We will respond within 30 days. We may need to verify your identity before processing your request. We will not charge a fee unless a request is manifestly unfounded or excessive.

9. Cookies and Session Tokens

In plain terms: We only use two essential cookies — both are required to keep you logged in. We have no advertising or tracking cookies.

Cookie	Purpose	Type	Duration
sb-access-token	Authentication session (JWT)	Essential	Session / rolling 30-day refresh
sb-refresh-token	Refreshes your login session	Essential	30 days

We do not use advertising cookies, tracking pixels, or analytics cookies. You cannot opt out of the session cookies listed above without losing the ability to log in — they are strictly necessary for the Platform's core functionality.

10. Security

In plain terms: We use row-level database security, encrypted passwords, HTTPS, and access controls to protect your data. No system is 100% secure — contact us immediately if you suspect a breach.

We take reasonable technical and organisational measures to protect your personal data, including:

Row Level Security (RLS): enforced at the database level — each user can only access their own records unless explicitly shared.
Encrypted authentication: passwords are hashed using bcrypt via Supabase Auth; session tokens are signed JWTs.
HTTPS everywhere: all data in transit is encrypted using TLS.
Access controls: administrative database access is restricted to authorised personnel.
Principle of least privilege: application components are granted only the minimum database permissions required.

Despite these measures, no internet transmission or storage system is completely secure. If you believe your account has been compromised, contact us immediately at info@gulfstockhub.com.

11. Children's Privacy

In plain terms: This platform is for adults (18+) operating in a business capacity. We do not knowingly collect data from children.

The Platform is intended exclusively for users aged 18 and over who are acting in a business or professional capacity. We do not knowingly collect personal data from children under 18. If we become aware that a user is under 18, we will promptly close their account and delete their data.

12. Changes to This Privacy Policy

In plain terms: We may update this policy as the platform evolves. We'll email registered users before material changes take effect.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify registered users by email before material changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy.

13. Contact and Data Requests

In plain terms: Email info@gulfstockhub.com for any privacy matter. We respond within 5 business days and resolve requests within 30 days.

GulfStockHub

Email: info@gulfstockhub.com

Use subject line "Privacy Request" — general data enquiries

Use subject line "Account Deletion Request" — to delete your account and data

Use subject line "Data Request" — to request a copy of your data

We will acknowledge your request within 5 business days and respond in full within 30 days.

Also see: Terms of Service · Contact Us