GulfStockHub

Privacy Policy

Effective Date: 1 April 2026  ·   Last Updated: 1 May 2026

This policy explains how GulfStockHub handles your personal data.

1. Introduction

In plain terms: GulfStockHub is a B2B marketplace. This policy explains what data we collect, why, and how we protect it. By using the platform you acknowledge this policy.

GulfStockHub ("Platform", "we", "us", or "our") is a B2B industrial surplus marketplace connecting buyers and sellers of industrial equipment across the Gulf Cooperation Council (GCC) region at gulfstockhub.com.

This Privacy Policy explains what personal data we collect and why; how we use and protect that data; who we share it with; how long we retain it; and what rights you have over your data.

By registering an account or using the Platform you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

In plain terms: GulfStockHub is the data controller responsible for your personal data. Contact us at [email protected] for any privacy matter.

The data controller responsible for your personal data is:

GulfStockHub

Email: [email protected]

Website: gulfstockhub.com

For all data protection enquiries, access requests, and deletion requests, contact us at the email above with the subject line "Privacy Request".

3. What Personal Data We Collect

In plain terms: We collect what you give us when you register, create listings, negotiate, and verify your mobile. We also collect basic session data so you stay logged in. We do not run advertising trackers.

3.1 Data You Provide Directly

Account registration

  • Full name, email address, password (stored as a cryptographic hash — never in plain text)
  • Country and city of operation
  • Optional: company name, professional designation

Mobile verification (via WhatsApp)

  • Mobile phone number (country code + local number)
  • Verification status and date of verification
  • To verify your number, we send a one-time code to your WhatsApp account

Listing creation

  • Product details: title, description, category, condition, technical specifications
  • Commercial terms: price, currency, payment terms, delivery terms, lead time, warranty
  • Location: country and city of the item
  • Uploaded files: product images and technical documents (PDF)

Negotiation messages

  • Text content of structured pre-contractual discussion threads
  • Timestamps and read status of messages

Reports

  • Content of reports you submit about listings (reason and details)

3.2 Data Generated Automatically

  • Session data: authentication tokens (JWT) stored in browser cookies
  • Usage data: listing view counts (aggregated), watchlist additions
  • Device and access data: IP address and browser type retained as part of normal server logs

What we do NOT collect: We do not run advertising trackers, cross-site tracking pixels, or analytics scripts (e.g., Google Analytics). We do not build advertising profiles. We do not sell or rent your personal data to third parties.

4. How and Why We Use Your Data

In plain terms: We use your data to run the platform: create your account, show your listings, send notifications, and handle negotiations. We do not use your data for advertising or sell it to anyone.

Purpose | Data Used | Legal Basis
Creating and managing your account | Name, email, password, country, city | Contract performance
Enabling mobile verification (via WhatsApp) | Mobile number | Contract performance; fraud prevention
Displaying your listings to other users | Listing content, images, documents, location | Contract performance
Sending transactional email notifications | Email address | Contract performance
Enabling the negotiations system | Negotiation messages, email | Contract performance
Reviewing reports of fraudulent listings | Reporter ID, reported listing, reason | Legitimate interests (platform integrity)
Bot and fraud protection (Turnstile) | Browser fingerprint signals | Legitimate interests (security)
Responding to enquiries and support requests | Email, account details | Contract performance; legitimate interests
Complying with legal obligations | As required by law | Legal obligation

We do not use your data for targeted advertising, selling or licensing to third parties, or automated decision-making that produces significant legal effects on you.

5. Data Sharing and Disclosure

In plain terms: Your listing content is public. We share data with trusted technology providers only so they can run the platform. We don't sell your data.

5.1 With Other Users of the Platform

When you post a listing, its content (title, description, specifications, price, location, images, and documents) is publicly visible to all visitors, including non-registered users. Your name and account details are not automatically shown on listings but may be accessible to logged-in users who initiate a negotiation with you.

5.2 With Our Technology Service Providers

We use trusted third-party service providers for hosting, security, email delivery, and phone verification. These providers only process the minimum data necessary to operate the platform, and each operates under their own published terms and privacy policies, which apply alongside this policy.

5.3 Legal Requirements

We may disclose your personal data if required by applicable law, court order, regulatory authority, or government request in any GCC jurisdiction or elsewhere. We will notify you where legally permitted to do so.

5.4 Business Transfer

If GulfStockHub is acquired, merged, or restructured, your data may be transferred to the successor entity. We will notify registered users by email before any such transfer and provide an opportunity to delete your account.

6. International Data Transfers

In plain terms: Your data may be hosted or processed by our service providers outside the GCC, including in the EU and other regions.

Your account and listing data, files, email delivery, and mobile verification message delivery are handled by trusted third-party service providers whose infrastructure may be located in the EU, the US, or elsewhere. We choose providers that publish their own privacy and security commitments. By using the Platform, you acknowledge that your data may be transferred internationally as described above.

7. Data Retention

In plain terms: We keep your data only as long as needed. Your account data is kept while your account is open, plus 3 years after closure. You can request deletion at any time.

Data Type | Retention Period
Account data (name, email, profile) | Duration of account + 3 years after closure
Listing content | While listing is active; archived for 2 years after expiry or removal
Uploaded images and documents | While listing is active; deleted within 90 days of listing removal
Negotiation messages | 3 years from the date of the last message
Reports submitted | 3 years from submission date
Authentication logs (session tokens) | 30 days (rolling JWT expiry)
Email delivery logs | As per our email provider's retention policy (typically 30–90 days)

Account deletion requests: Email [email protected] with the subject "Account Deletion Request". We will process your request as soon as reasonably possible, subject to any legal retention obligations.

8. Your Rights

In plain terms: You can ask us to access, correct, delete, or export your data. Email us at [email protected] with the subject "Privacy Request" and we'll get back to you as soon as we reasonably can.

Right | What it means
Access | Request a copy of the personal data we hold about you
Correction | Request correction of inaccurate or incomplete data
Deletion | Request deletion of your data where it is no longer needed
Restriction | Request that we limit how we use your data in certain circumstances
Portability | Request your data in a structured, machine-readable format
Objection | Object to processing based on our legitimate interests
Withdraw consent | Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at [email protected] with the subject "Privacy Request", specifying which right you wish to exercise and your registered email address. We aim to respond as quickly as we reasonably can. We may need to verify your identity before processing your request.

9. Cookies and Session Tokens

In plain terms: We only use two essential cookies — both are required to keep you logged in. We have no advertising or tracking cookies.

Cookie | Purpose | Type | Duration
sb-access-token | Authentication session (JWT) | Essential | Session / rolling 30-day refresh
sb-refresh-token | Refreshes your login session | Essential | 30 days

We do not use advertising cookies, tracking pixels, or analytics cookies. You cannot opt out of the session cookies listed above without losing the ability to log in — they are strictly necessary for the Platform's core functionality.

10. Security

In plain terms: We use row-level database security, hashed passwords, HTTPS, and access controls to protect your data. No system is 100% secure — contact us immediately if you suspect a breach.

We take reasonable technical and organisational measures to protect your personal data, including:

  • Row Level Security (RLS): enforced at the database level — each user can only access their own records unless explicitly shared.
  • Encrypted authentication: passwords are stored as cryptographic hashes (never in plain text); session tokens are signed and time-limited.
  • HTTPS everywhere: all data in transit is encrypted using TLS.
  • Access controls: administrative database access is restricted to authorised personnel.
  • Principle of least privilege: application components are granted only the minimum database permissions required.

Despite these measures, no internet transmission or storage system is completely secure. If you believe your account has been compromised, contact us immediately at [email protected].

11. Children's Privacy

In plain terms: This platform is for adults (18+) operating in a business capacity. We do not knowingly collect data from children.

The Platform is intended exclusively for users aged 18 and over who are acting in a business or professional capacity. We do not knowingly collect personal data from children under 18. If we become aware that a user is under 18, we will promptly close their account and delete their data.

12. Changes to This Privacy Policy

In plain terms: We may update this policy as the platform evolves. We'll email registered users before material changes take effect.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. We will notify registered users by email before material changes take effect. The "Last Updated" date at the top of this page indicates when the policy was last revised. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated policy.

13. Contact and Data Requests

In plain terms: Email [email protected] for any privacy matter. We aim to respond as quickly as we can and to resolve requests within a reasonable time.

GulfStockHub

Email: [email protected]

Use subject line "Privacy Request" — general data enquiries

Use subject line "Account Deletion Request" — to delete your account and data

Use subject line "Data Request" — to request a copy of your data

We aim to acknowledge your request and respond in full as quickly as we reasonably can.
