Who We Are
Biohippo Inc ("BioHippo", "we", "us") is the data controller responsible for personal data collected in connection with supplier partnerships. We operate the life science research reagent marketplace at shop.ebiohippo.com and associated regional partner storefronts.
Contact: vendors@biohippo.com
Address: Biohippo Inc, 900 Clopper Rd, Suite 140, Gaithersburg, MD 20878 USA
What Data We Collect
We collect data in two categories: data you provide directly, and data we generate through the platform relationship.
2.1 Data You Provide
| Data Type | Examples | When Collected |
|---|---|---|
| Business identity | Company name, registration number, country, business address | Application & onboarding |
| Contact personal data | Name, job title, business email address, phone number | Application & ongoing relationship |
| Financial data | Banking details for payment, tax identification numbers, VAT/GST numbers | Distribution agreement execution |
| Product & technical data | Product specifications, validation data, CoA, SDS, application images, catalog numbers | Onboarding & ongoing product updates |
| Compliance documents | Export licenses, biosafety certifications, regulatory filings | Onboarding where required |
| Communications | Emails, messages, meeting notes exchanged with BioHippo team | Throughout the relationship |
2.2 Data We Generate
| Data Type | Description |
|---|---|
| Account activity | Login records, portal access logs, document submission timestamps |
| Performance data | Product page impressions, click-through data, lead counts, sales volumes (Tier 1) |
| Validation records | Tier classification history, gap reports, re-validation records |
| Communication logs | Records of customer inquiries forwarded, lead delivery confirmations |
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing your supplier application | Business identity, contact data, product data | Pre-contractual steps |
| Executing and managing the partnership agreement | All onboarding data, financial data | Contract performance |
| Building and hosting product listing pages | Product data, images, documentation | Contract performance |
| Validating products against scientific criteria | Technical/validation data | Contract performance |
| Delivering qualified leads to Tier 2 suppliers | Contact data for lead delivery | Contract performance |
| Processing payments (Tier 1) | Financial data, sales records | Contract performance |
| Sending performance reports | Contact data, performance data | Contract performance / Legitimate interest |
| Compliance with legal and regulatory requirements | Business identity, export docs | Legal obligation |
| Fraud prevention and platform security | Account activity, login records | Legitimate interest |
| Improving platform scientific standards | Anonymized validation data | Legitimate interest |
| Sending relevant product or platform updates | Contact data | Legitimate interest (opt-out available) |
We do not use supplier personal data for behavioral advertising, third-party marketing, or any purpose not listed above without your explicit consent.
Legal Basis for Processing
We process supplier personal data on the following legal bases under applicable data protection law:
- Contract performance — processing necessary to enter into or perform the supplier partnership agreement
- Legal obligation — processing required by applicable law (tax reporting, export compliance, anti-money laundering)
- Legitimate interests — processing for fraud prevention, platform security, and communication about the partnership, where our interests are not overridden by your rights
- Consent — where we rely on consent (e.g., optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing
Data Sharing
5.1 We Share Data With
| Recipient | Purpose | Safeguards |
|---|---|---|
| Regional platform partners | Operating localized storefronts where your products are listed | Data processing agreements; limited to product data and performance metrics |
| Payment processors | Processing supplier payments (Tier 1) | PCI-DSS compliant; contractual protections |
| Cloud infrastructure providers | Hosting platform data (e.g., Shopify, AWS) | Standard contractual clauses / DPA in place |
| Legal and compliance advisors | Legal obligations, dispute resolution | Professional privilege / confidentiality obligations |
| Tax and accounting services | Financial reporting obligations | Contractual data protection obligations |
5.2 We Do Not Share Data With
- Third-party advertisers or data brokers
- Competitor platforms or distributors
- Research institutions or end-user researchers (beyond contact details included in forwarded Qualified Leads for Tier 2, which is the service being provided)
- Any party for purposes unrelated to your BioHippo supplier partnership
5.3 Business Transfer
In the event of a merger, acquisition, or sale of BioHippo's business, supplier data may be transferred to the successor entity. You will be notified of any such transfer with at least 30 days' advance notice.
International Data Transfers
BioHippo operates globally and may transfer supplier personal data across international borders in the course of the partnership. We apply appropriate safeguards for all cross-border transfers:
- EU/EEA → US transfers: Standard Contractual Clauses (SCCs) adopted by the European Commission
- UK → US transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
- China → US transfers: Compliance with PIPL cross-border data transfer requirements, including standard contracts issued by the Cyberspace Administration of China (CAC) where applicable
- Other jurisdictions: Equivalent transfer mechanisms as required by local law
By entering into a supplier partnership with BioHippo, you acknowledge that your business contact data may be processed in the United States and by regional partners in other countries.
Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Application data (declined applications) | 12 months from decision | Reconsideration; record of review |
| Active partnership contact data | Duration of partnership + 3 years | Contractual relationship management |
| Financial / payment records (Tier 1) | 7 years from transaction | Tax and legal compliance |
| Product listing data | Duration of listing + 2 years | Scientific record integrity |
| Validation records | Duration of listing + 5 years | Scientific accountability record |
| Communication records | 3 years from last communication | Dispute resolution reference |
| Performance / analytics data | 3 years | Platform improvement; supplier reporting |
| Legal hold data | Until legal matter is resolved | Legal obligation |
After the applicable retention period, personal data is securely deleted or anonymized. Anonymized, aggregated data may be retained indefinitely for platform analytics.
Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
To exercise any of these rights, contact vendors@biohippo.com. We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing the request. We do not charge a fee for reasonable requests.
Data Security
We implement appropriate technical and organizational measures to protect supplier personal and business data against unauthorized access, loss, alteration, or disclosure. Measures include:
- Encryption of data in transit (TLS 1.2+) and at rest
- Access controls: role-based permissions; principle of least privilege
- Regular security assessments and penetration testing of platform infrastructure
- Supplier portal authentication with multi-factor authentication support
- Contractual data security obligations for all third-party processors
- Incident response procedures with 72-hour breach notification to affected parties and regulators as required by law
No data transmission over the internet is completely secure. While we take reasonable precautions, we cannot guarantee the absolute security of data transmitted to our platform.
Cookies & Tracking
The BioHippo Supplier Portal uses cookies and similar tracking technologies for the following purposes:
- Essential cookies: Required for portal login sessions and security. Cannot be disabled.
- Analytics cookies: Used to understand how suppliers interact with the portal (e.g., Google Analytics). Anonymized where possible. Can be opted out via cookie settings.
- Preference cookies: Remember your language and display preferences.
We do not use advertising or retargeting cookies in the Supplier Portal. Cookie preferences can be managed through the cookie settings banner shown on your first portal visit.
GDPR Provisions (EU/EEA & UK Suppliers)
If you are based in the European Economic Area or United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR apply to your personal data processed by BioHippo.
11.1 Data Controller
Biohippo Inc is the data controller for personal data processed under this policy. Our EU/UK representative can be contacted at vendors@biohippo.com.
11.2 Supervisory Authority
You have the right to lodge a complaint with your national data protection supervisory authority if you believe we have processed your personal data in violation of GDPR. A list of EU supervisory authorities is available at edpb.europa.eu. For UK residents, the supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.
11.3 Data Protection Officer
Inquiries regarding GDPR compliance can be directed to vendors@biohippo.com. We will designate a formal Data Protection Officer as required by applicable regulation.
CCPA Provisions (California Suppliers)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:
- Right to Know: The categories of personal information collected and the purposes for which it is used (see Sections 2 and 3)
- Right to Delete: Request deletion of personal information, subject to legal exceptions
- Right to Opt-Out of Sale: BioHippo does not sell personal information of supplier contacts
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Right to Correct: Request correction of inaccurate personal information
To submit a CCPA request, contact vendors@biohippo.com with "CCPA Request" in the subject line. We will respond within 45 days.
PIPL Provisions (China-Based Suppliers)
If you are based in the People's Republic of China, China's Personal Information Protection Law (PIPL) applies to our processing of your personal information.
13.1 Processing Basis
We process personal information of China-based supplier contacts on the basis of contract performance (necessary to perform the supplier partnership agreement) and, where required, with your explicit consent.
13.2 Cross-Border Transfer
Where personal information of China-based individuals is transferred outside China, we will comply with PIPL cross-border transfer requirements, including executing standard contracts issued by the Cyberspace Administration of China (CAC) where required based on data volume and sensitivity thresholds.
13.3 Your PIPL Rights
China-based supplier contacts have the right to: access their personal information; request correction of inaccurate data; request deletion where processing is no longer necessary; withdraw consent for consent-based processing; and receive an explanation of processing rules. Contact vendors@biohippo.com to exercise these rights.
13.4 Sensitive Personal Information
We do not intentionally collect sensitive personal information (as defined under PIPL, including biometric data, financial account information beyond what is necessary for payment, or health information) from supplier contacts except where strictly necessary and with explicit consent.
Changes to This Policy
We may update this Supplier Privacy Policy from time to time to reflect changes in our data practices, platform operations, or applicable law. When we make material changes, we will:
- Post the updated policy at shop.ebiohippo.com/pages/supplier-privacy-policy
- Update the "Effective" date at the top of this document
- Notify active supplier partners by email at least 30 days before material changes take effect
Your continued participation in the BioHippo supplier network after the effective date of any revised policy constitutes your acceptance of the changes.
Contact & Data Protection Inquiries
| Inquiry Type | Contact |
|---|---|
| General privacy questions | vendors@biohippo.com |
| GDPR / UK GDPR requests | vendors@biohippo.com — Subject: "GDPR Request" |
| CCPA requests | vendors@biohippo.com — Subject: "CCPA Request" |
| PIPL requests (China-based suppliers) | vendors@biohippo.com — Subject: "PIPL Request" |
| Data breach notification | vendors@biohippo.com — Subject: "Security Incident" |
| Supplier Terms inquiries | vendors@biohippo.com |
We aim to respond to all privacy requests within 30 days, or within the shorter period required by applicable law.