This is the privacy policy for Global Academic Supply ("we," "us," "GAS"). It explains what information we collect from you, why we collect it, how long we keep it, who we share it with, and what rights you have over your data.
We wrote this in plain English. If anything is unclear, email us at [email protected].
Global Academic Supply is a B2B textbook supplier serving institutions worldwide β schools, hospitals, government agencies, corporate training programs, libraries, and other organizations that buy academic books in bulk.
Legal entity: Global Academic Supply LLC (United States). Public point of contact: Margaret Caldwell, on behalf of Global Academic Supply LLC. Privacy contact: [email protected]
We collect only what we need to do business with you. Three categories:
Account + order information β when you create an account or place an order:
Bulk-quote requests (RFQ form) β when you request a bulk price quote:
Service-coordination data (FBA reseller, wholesale, dropship accounts) β when you use a gated-access service:
Automatically collected β when you visit the website:
We do NOT collect:
| What | Why |
|---|---|
| Name, email, address, phone | Order fulfillment, customer support, account security |
| PO numbers, tax-exempt docs | Institutional billing, tax compliance |
| Payment info | Processing payment via Razorpay |
| RFQ details | Generating your bulk quote |
| FBA / wholesale / dropship coordination data | Running the gated-access service you signed up for |
| IP, browser, page paths | Site security (rate limiting, abuse prevention), basic analytics |
| Cart cookies | Keeping your cart contents while you shop |
We do NOT use your data for advertising. We do NOT sell your data. We do NOT share your data with marketing partners.
| What | Retention |
|---|---|
| Account information | Active for as long as your account is open + 90 days after closure |
| Order records | 7 years (tax compliance β most jurisdictions) |
| RFQ records | 2 years (sales-pipeline reference) |
| FBA / wholesale / dropship lifecycle data | 7 years (audit + tax) |
| Communications with the GAS team | 7 years |
| Server logs (IP, browser, paths) | 90 days |
| Cart cookies | Until you close your browser, or 30 days |
| Marketing email subscriptions | Until you unsubscribe (one-click unsubscribe in every email) |
If you ask us to delete your data and the request doesn't conflict with legal retention requirements (tax records primarily), we will delete it within 30 days. If retention is required, we keep only the legally-required records and delete everything else.
We use the following third parties to run our business. They process your data on our behalf and are contractually required to protect it:
| Provider | Purpose | Where they're based |
|---|---|---|
| Razorpay | Payment processing | India |
| Brevo (formerly Sendinblue) | Transactional email + cold-outreach email | France / EU |
| DigitalOcean | Server hosting | USA |
| Cloudflare | DNS + CDN + DDoS protection | USA |
| Google Cloud | Search Console + analytics | USA |
| Shipping carriers (used per your shipment) | Order delivery | Various |
| Trustpilot | Customer reviews β only if you choose to leave one | Denmark / EU |
We do NOT share data beyond these sub-processors. We do NOT sell your data to anyone.
If a law enforcement agency makes a legal request for data, we will comply only if the request is legally valid in our jurisdiction, and we will notify you unless legally prohibited.
Depending on where you are, you have rights under GDPR (EU/UK), CCPA (California), or similar laws. We respect these rights regardless of your location:
To exercise any right, email [email protected]. We will respond within 30 days.
If you believe we've handled your data wrongly and we don't resolve it to your satisfaction, you can complain to your local data protection authority (e.g., the ICO in the UK, CNIL in France, the State Attorney General's office in the US).
We use industry-standard protections β TLS encryption in transit, encryption at rest for sensitive fields, helmet HTTP security headers, rate limiting on public endpoints, MFA option for accounts, hashed-and-salted passwords, regular dependency security scans, off-server encrypted backups.
No system is perfectly secure. If we discover a breach affecting your data, we will notify affected users within 72 hours of confirming the breach (GDPR standard) and explain what happened, what data was affected, and what we're doing about it.
We use cookies for cart state, session, and basic analytics only. We do NOT use third-party advertising cookies, tracking pixels for advertising networks, or social-media retargeting tags.
A cookie banner appears on your first visit. You can decline non-essential cookies; the site still works.
If you're in the EU/UK and we transfer your data to the US (e.g., to DigitalOcean or Cloudflare), we rely on Standard Contractual Clauses or equivalent legal mechanisms.
GAS is a B2B service for institutions. We do not knowingly collect data from anyone under 16. If you believe a minor has somehow created an account, email [email protected] and we will delete the account and any associated data.
If we change this policy materially, we will notify account holders by email 30 days before the change takes effect, and update the "last updated" date at the top.
If you have questions or concerns, email [email protected].