WholesaleUp is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use our website and services.
Effective Date: 26 April 2026
Identity and Business Data. Name, surname, title or salutation, username, profile picture, company name, company registration number, VAT or Tax ID, role in company, year established, company size, and subscription tier.
Contact Data. Email address (personal and business), postal address, telephone numbers (mobile and landline), WhatsApp number, Microsoft Teams handle, LinkedIn profile URL, and social media handles (Facebook, Instagram).
Buyer Profile Data. Business type, product categories of interest, brands, quality tier preferences, certification requirements, annual purchasing and sales volumes, payment and delivery preferences, sourcing models, target markets, languages spoken, and communication preferences.
Supplier Profile Data. Supplier type, products offered, product categories, brands distributed, certifications held, facility size, catalogue size, customisation abilities, sample availability, minimum order amounts, payment terms, discount structures, delivery methods, shipping reach, lead times, Incoterms, return policies, and business hours.
Transactional and Behavioral Data. Records of products and services you have purchased or accessed, deals you have viewed or saved, supplier profiles you have visited, search terms you have used, and how deals appeared in your browsing (impressions). We record the source of each interaction (e.g. search, category page, homepage). This data is collected for both registered users and non-registered visitors. Raw event data is retained for 7 days and then aggregated into anonymised daily statistics.
Technical and Account Data. IP address, browser type and version, device information, cookies, session tokens, login history (including success and failure records), OAuth authentication tokens from third-party sign-in providers (Google, Apple, Facebook), push notification subscription details, notification delivery logs, and notification preference settings (including timezone, quiet hours, and digest schedules).
Communication Preferences. Newsletter and marketing email subscription preferences, notification channel preferences (email, push), and personalisation frequency settings.
Uploaded Content. Files and images you upload through our contact form or profile pages, such as company logos or supporting documents.
AI Chat Conversations. When you use the WholesaleUp AI chat assistant, your messages and the assistant's replies are recorded for quality assurance, support, and to improve the service. Email addresses, phone numbers, and card numbers are automatically scrubbed before any conversation is stored, so durable records contain redaction markers (e.g. "[email redacted]") rather than your raw personal details. Conversations are retained for 90 days by default; conversations that escalate to a support ticket follow the same retention as the resulting ticket. Authorized WholesaleUp support staff can access conversations for review under audit logging. You may request deletion of your AI chat history at any time via a GDPR subject-access request to service@wholesaleup.com. In addition, we derive anonymised, aggregated insights from these conversations — such as recurring unanswered questions, help-content gaps, and overall answer quality — to improve the assistant's accuracy and helpfulness and the quality of our help content. These aggregated insights contain no personal data and are not used to build a profile of you; because they are fully anonymised, we may retain them even after the underlying conversation has been deleted. Our lawful basis for this processing is our legitimate interest (Article 6(1)(f) UK/EU GDPR) in improving our service, as assessed in our Legitimate Interests Assessment.
Device Fingerprinting and License-Abuse Detection. To prevent unauthorised account-sharing on paid subscriptions, we collect a small set of technical signals at sign-in and during normal platform use: a one-way SHA-256 hash of your browser's user-agent string, language preferences, and screen geometry (the "device fingerprint"); the country inferred from your IP address (via Vercel and Cloudflare edge headers, never resolved to a precise location at this time); and per-week aggregate counts of how often you load dashboard pages (the "behavioural baseline"). These signals power four detection layers: (a) a single-active-session check that may sign you out from older sessions when a new sign-in occurs (you can mark up to two devices as trusted to avoid this — see the Account Access page), (b) cross-account device-reuse detection (the same hash appearing on multiple accounts in a short window), (c) impossible-travel detection (e.g. a sign-in from the UK and another from Mumbai within an hour), and (d) behavioural-anomaly detection (sudden bursts of activity inconsistent with your prior weekly baseline). The legal basis is Article 6(1)(f) UK GDPR — our legitimate interest in protecting our community from license-sharing abuse, supported by Recital 47 of the GDPR which expressly recognises fraud prevention as a legitimate interest. The fingerprint hash is one-way (we cannot reverse it to recover your raw browser data) and is not used for cross-site tracking or advertising. Device-fingerprint records are retained for 90 days; behavioural aggregates for 90 days; raw login records for 12 months for audit purposes; abuse-event audit rows indefinitely for legal compliance. You have the right to object to this processing under Article 21 UK GDPR by emailing service@wholesaleup.com — note that objection requests are weighed against the platform's legitimate interest and may be declined where compelling grounds for processing exist (e.g. an active suspension review). You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO).
Translated Message Content. When you receive a message in /dashboard/messages whose source language differs from your preferred reading language, the message body is sent to Anthropic's Claude API for AI-powered translation into your preferred language. Both the original message and the translated version are stored in our database (in the MessageTranslation table, scoped to your user account) so subsequent reads are served from cache without a fresh API call. The translation also surfaces a small badge below the message bubble ("Translated from {language} · Show original") that lets you toggle between the translated and original versions per-message. The legal basis is Article 6(1)(b) UK GDPR — performance of the contract that lets you communicate with international suppliers and buyers across language barriers — supplemented by Article 6(1)(f) where translation is necessary to deliver the messaging feature you have signed up for. Anthropic processes the message body under their standard Data Processing Agreement; the same vendor relationship that covers our AI chat assistant (§1.9 above) covers translation. We do not send your name, email address, or any other identifier alongside the message body — Anthropic only sees the message text, the source-language hint (when known), and your preferred target language. You can opt out of translation entirely via /dashboard/account-profile → Contact Options → Communication Preferences → "Opt out of AI translation". When opted out, all received messages render in their original language with a per-message "Translate" link that surfaces translation only on demand (and only for that one message). Translated content is retained for as long as the underlying message is retained; if you delete a message (or your account), the corresponding translation rows are cascade-deleted under our GDPR Article 17 right-to-erasure obligations. You have the right to object to this processing under Article 21 UK GDPR by emailing service@wholesaleup.com.
To provide and manage your access to our services (Contract).
To improve our website, products, and services (Legitimate Interests).
To personalise newsletters, browsing experience, and product recommendations (Consent).
To send you promotional emails, special offers, and updates (Consent or Legitimate Interests, where applicable).
To protect the security of our service and prevent fraud, including bot detection, rate limiting, login monitoring, and password breach checking (Legitimate Interests).
To generate aggregated, anonymised statistics about platform usage, supplier performance, and category trends (Legitimate Interests).
To display a real-time presence indicator (an "online now" marker) to other Users with whom you are in active conversation or contact. We record the timestamp of your most recent activity while you are signed in and, from that timestamp, derive a boolean flag indicating whether you have been active within the last ten minutes. Only this derived flag, not the underlying timestamp, is shared with peer Users (Legitimate Interests — facilitating responsive communication between buyers and suppliers).
Consent. For marketing communications and use of non-essential cookies or personalised advertising.
Contract. Where processing is necessary to provide our service to you.
Legitimate Interests. For internal analytics, service improvement, and customer relationship management.
Legal Obligation. Where required to comply with legal or regulatory duties.
If we transfer your personal data outside the European Economic Area (EEA) or UK (e.g., to our service providers in the US), we use appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner.
Where one of our United States–based sub-processors is certified under the EU-US Data Privacy Framework (DPF) and the UK Extension to the DPF, transfers to that provider rely on the adequacy decision adopted by the European Commission in July 2023 and the UK extension recognised by the UK Government in October 2023, in addition to the SCCs as a defence-in-depth measure. Google LLC is one such provider; its DPF certification can be verified at https://www.dataprivacyframework.gov/list. If a sub-processor's DPF certification is suspended, withdrawn, or otherwise invalidated, transfers continue to rely on the SCCs cited in 6.1.
Copies of the relevant SCCs and details of the legal basis applied to each cross-border transfer are available upon request.
We retain your personal data for as long as you maintain an active account with us.
For the duration of our service offering.
Or until you request its deletion by contacting our support team, who will process your request within 30 days.
We periodically review and securely delete data that is no longer required.
Granular browsing activity data (such as individual page views, deal impressions, and search interactions) is retained for 7 days, after which it is aggregated into anonymised daily statistics and the raw records are permanently deleted.
Third-Party Analytics Retention (Google Analytics). The user- and event-level data that Google Analytics holds on our behalf is retained for a maximum of 14 months, after which Google automatically deletes it; aggregated reports are unaffected by this limit. This retention period is configured in our Google Analytics property and may be shortened at our discretion.
Legal-Retention Archive of Messaging Correspondence. When you close your account, the business messages you sent to other users on WholesaleUp are moved into a restricted, admin-access-only legal-retention archive rather than being deleted immediately. Each archived message is kept for five years, measured from the date the message was sent. We rely on this archive to prevent and investigate fraud and abuse, and to allow either trading party to bring or defend a claim about an agreed transaction within the contractual limitation period (Spanish Civil Code Art. 1964). The lawful basis is our legitimate interests under GDPR Art. 6(1)(f) — set out in our Legitimate Interests Assessment — together with Art. 17(3)(e), which recognises that personal data may be retained despite an erasure request to the extent it is needed for the establishment, exercise, or defence of legal claims. The archive is segregated; it is reached only by a targeted lookup for a specific legal purpose (a court order, a regulator request, an active legal claim, an internal compliance investigation, or your own access request), and every access is logged. After five years — or once any related matter is resolved and any litigation hold is lifted — the archived message is permanently destroyed.
Erased Data in Operational Backups. WholesaleUp keeps short-lived operational backups of its database for disaster-recovery purposes only. These comprise our database provider's point-in-time restore history and short-lived snapshots, together with an encrypted off-site copy held in storage we control. No backup is retained for longer than 30 days; backups are rotated out and overwritten on a rolling basis (in practice within about 7 days). Because a backup is a point-in-time copy, personal data you have asked us to erase — and data destroyed at the end of a retention window — may continue to exist inside an existing backup until that backup is rotated out and overwritten. Backups are retained for a short, fixed period for recovery purposes only, are never used as a legal or business archive, and erased data is not resurrected into live service: if we ever restore from a backup we re-apply all account deletions, erasures, and retention-window destructions before the restored data is returned to production.
Your Rights Over Archived Correspondence. The legal-retention archive does not remove your data-subject rights. You may still ask us, at service@wholesaleup.com, to confirm what archived correspondence concerns you and to receive a copy of it (right of access), to correct inaccurate identity information held with it (right to rectification), and to object to the retention (right to object) — in which case we will review whether the legitimate-interests and legal-claims grounds in clause 7.7 still outweigh your objection and tell you the outcome. A subject-access request is itself one of the recognised reasons we are permitted to retrieve records from the archive.
Support Enquiries You Send Us (Chat & Email). If you contact us through the on-site chat or by email and you are not signed in, we ask for an email address so our team can reply to your question. We use that email address and the contents of your enquiry only to answer you — we do not add you to any marketing list and we do not use it for any other purpose. The lawful basis is our legitimate interests under GDPR Art. 6(1)(f) — providing the customer-service reply you asked for — assessed in our Legitimate Interests Assessment. Giving the email is optional; the chat works without it. We keep support correspondence for up to 24 months after the last message in the thread and then delete or anonymise it. You can ask us at service@wholesaleup.com to access, correct, or erase this data, or to object to our using it — in which case we will stop unless we have an overriding legitimate reason and will tell you the outcome. (If you are signed in, we already hold your account email and reply in-product, so we do not ask again.)
This section summarises what happens to your personal data and your messages when you close your WholesaleUp account, and how to exercise your rights. It brings together the account-deletion aspects of the "Data Retention" and "Your Rights" sections, which remain the full statement of each point.
Requesting deletion. You can ask us to delete your account and associated personal data at any time by contacting service@wholesaleup.com. We process verified deletion requests within 30 days. On deletion we remove or anonymise your personal data from our live systems, except for the limited categories described below that we are permitted or required to retain.
Your business messages. When you close your account, the business messages you sent to other users are not deleted immediately. They are moved into a restricted, admin-access-only legal-retention archive and kept for five years from the date each message was sent, so that either trading party can bring or defend a claim about an agreed transaction within the applicable limitation period (Spanish Civil Code Art. 1964). Our lawful basis is our legitimate interests in preventing fraud and enabling legal claims (GDPR Art. 6(1)(f)), together with Art. 17(3)(e), which permits retention despite an erasure request where the data is needed to establish, exercise, or defend legal claims. The archive is segregated, reached only by a targeted lookup for a specific legal purpose, and every access is logged. After five years — or once any related matter is resolved — the archived message is permanently destroyed.
Data in operational backups. Because our short-lived disaster-recovery backups are point-in-time copies, personal data you have asked us to erase may continue to exist inside an existing backup until that backup is rotated out and overwritten. No backup is retained for longer than 30 days (in practice within about 7 days), backups are never used as a business or legal archive, and if we ever restore from one we re-apply all account deletions and erasures before the restored data returns to service.
Your rights over deleted and archived data. Deleting your account does not remove your data-subject rights. You may still ask us at service@wholesaleup.com to confirm and receive a copy of any archived correspondence that concerns you (right of access), to correct inaccurate identity information held with it (right to rectification), and to object to the retention (right to object) — in which case we review whether the legitimate-interests and legal-claims grounds still outweigh your objection and tell you the outcome. Your broader rights to erasure, restriction, portability, and to lodge a complaint with a supervisory authority (in Spain, the AEPD; in the UK, the ICO) are set out in full in the "Your Rights" section.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. However, no method of transmission over the internet or electronic storage is 100% secure.
We cannot guarantee absolute security, but we do our best to safeguard your data using industry-standard practices.
Payment Card Data. WholesaleUp does not collect, process, or store full payment card details. All card data is captured and processed directly by our PCI-DSS-certified payment providers (Stripe and PayPal); we receive only a non-sensitive transaction reference, the last four digits of the card, and the card brand for display in your purchase history.
Right to access your data.
Right to rectify inaccurate data.
Right to erase your data ("right to be forgotten").
Right to restrict processing.
Right to data portability.
Right to object to processing (including direct marketing).
Right to withdraw consent at any time (where processing is based on consent).
Right to lodge a complaint with a supervisory authority.
If you believe we have not adequately addressed your concern, you have the right to lodge a complaint with a supervisory authority. As we are established in Spain, our lead supervisory authority is the Spanish Data Protection Authority (AEPD) at www.aepd.es. If you are based in the United Kingdom, you may also contact the UK Information Commissioner's Office (ICO) at www.ico.org.uk, or any other competent data protection authority in the EU/EEA.
We may update this Privacy Policy periodically. Updates will be posted on this page with an updated "Effective Date." If we make material changes, we will notify you via email or through a prominent notice on our website.
To exercise your rights or for privacy-related inquiries, please contact us at: Tradegenius SL, Calle Villalba Hervas 2, 4-2, Santa Cruz de Tenerife, 38002, Spain.
For data-protection enquiries, subject-access requests, or any other privacy matter, you may email us directly at service@wholesaleup.com.
You may also reach us via the contact form on our website.
How to Exercise Your Rights. To exercise any of the rights listed in Section 10, please send a request to service@wholesaleup.com or use the postal address above. We will respond to verified requests (including access, rectification, erasure, restriction, portability, and objection) within 30 days of receipt, as required under GDPR Article 12. Where your request is particularly complex or we receive a high volume of requests, we may extend this period by up to two further months, and we will notify you of any such extension — together with the reasons for the delay — within 30 days of receiving your request. For data portability requests, we will provide your personal data in a structured, commonly used, and machine-readable format (e.g. JSON or CSV). We may need to verify your identity before acting on a request in order to protect your data from unauthorized disclosure.
Last updated: 26 April 2026. If you have questions about this notice, please contact us.
Access 30,600+ verified suppliers and exclusive wholesale deals with the best margins.