Effective Date: April 22, 2026 — Last Updated: April 22, 2026
1. Introduction
Mill Supply Co. (“we,” “us,” or “our”) operates the website millsupplyco.com (the “Site”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit our Site, create an account, place orders, or otherwise interact with our services.
We are a wholesale building materials distributor serving property management companies, contractors, and maintenance professionals. This policy applies to all users of our Site, including registered customers, guest shoppers, and visitors.
2. Information We Collect
2.1 Information You Provide Directly
Account Registration
When you create an account, we collect:
- First and last name
- Email address (used as your login username)
- Phone number(s) (home and/or mobile) and phone type preference
- Company name (for business accounts)
- Password (stored in hashed form only; we never store plaintext passwords)
- Billing address (street, city, state, ZIP code)
- Shipping address (street, city, state, ZIP code)
Orders and Checkout
When you place an order, we collect:
- Shipping address and contact information
- Customer purchase order (PO) number
- Requested delivery date
- Payment information (credit card number, CVV, expiration date, cardholder name)
- Shipping method preference
Payment Information
Credit card data is transmitted directly to our third-party payment processor (Authorize.Net) for tokenization. We do not store full credit card numbers on our servers. If you choose to save a card for future use, only a tokenized reference and the last four digits are retained.
Catalog Requests
If you request a catalog, we collect your name, company, job title, email, phone, and mailing address.
Mailing List
If you sign up for our mailing list, we collect your email address.
Password Resets
If you request a password reset, we collect your email address and generate a time-limited, single-use reset token.
2.2 Information Collected Automatically
Cookies and Session Data
We use cookies and server-side sessions to operate the Site. See Section 7 (Cookies) for details.
Analytics and Usage Data
We use Google Tag Manager to collect standard analytics data, which may include:
- Pages visited and time spent on pages
- Browser type, device type, and operating system
- Screen resolution and viewport size
- Referring website or search terms
- IP address (which may indicate general geographic location)
- Page load performance metrics
Bot Detection
We use Google reCAPTCHA Enterprise on login, registration, checkout, password reset, and catalog request forms. reCAPTCHA collects behavioral data (such as mouse movements and interaction patterns) to distinguish human users from automated bots.
2.3 Information from Third-Party Integrations
Yardi Punchout Sessions
If you access our Site through a Yardi Procure to Pay integration, Yardi transmits your user identity (name, email, company, building/property identifier, and a session token) to authenticate you without a separate login. Orders placed during a Yardi session are transmitted back to Yardi for procurement processing.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Order Fulfillment: Processing orders, calculating shipping rates, arranging delivery, and generating order confirmations and invoices.
- Account Management: Creating and maintaining your account, authenticating your identity, and enabling you to view order history and manage saved addresses and payment methods.
- Address Verification: Validating and standardizing billing and shipping addresses to ensure accurate delivery.
- Shipping Estimates: Calculating real-time shipping rates based on destination, item weight, and dimensions.
- Local Delivery Routing: Calculating distance from our warehouse to your delivery address for local delivery pricing.
- Payment Processing: Authorizing and processing credit card transactions, and managing saved payment methods.
- Communications: Sending order confirmations, shipping notifications, password reset links, and responding to catalog requests and inquiries.
- Security: Protecting against fraud, unauthorized access, and other security threats.
- Site Improvement: Analyzing usage patterns and performance metrics to improve Site functionality and user experience.
- Compliance: Meeting legal, regulatory, and contractual obligations.
4. How We Share Your Information
We do not sell your personal information.
We share personal information only with the following categories of service providers, and only as necessary to operate our business:
| Provider | Purpose | Data Shared |
| --- | --- | --- |
| Authorize.Net (Visa) | Payment processing and card tokenization | Credit card details, billing address, cardholder name, transaction amounts |
| EasyPost | Shipping rate calculation and label generation | Destination address or ZIP code, package weight and dimensions |
| SAP Business One | Enterprise resource planning — customer records and order processing | Customer name, email, phone, addresses, company, order details |
| Google | Address verification, delivery routing, analytics, bot detection | Addresses, browsing behavior, interaction data |
| Yardi | B2B procurement integration | Order details (for customers accessing the Site through Yardi) |
Google Tag Manager may load additional analytics and advertising tags, including Google Analytics, Google Ads, and Microsoft Clarity. These services may collect browsing behavior and session data as configured within our Tag Manager account and operate under their own privacy policies.
Legal and Safety Disclosures
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change.
5. Data Retention
- Account data is retained for as long as your account is active and for a reasonable period thereafter to comply with legal and business obligations.
- Order and transaction records are retained in accordance with applicable tax, accounting, and recordkeeping requirements.
- Password reset tokens expire after 1 hour and are automatically deleted.
- Guest cart data is retained for 30 days via a browser cookie.
6. Data Security
We implement technical and organizational measures to protect your personal information, including:
- Encryption in Transit: All Site traffic is transmitted over HTTPS (TLS). HTTP Strict Transport Security (HSTS) headers are enforced.
- Password Security: Passwords are hashed using PBKDF2 with a unique salt per account. Plaintext passwords are never stored or logged.
- Payment Card Security: Credit card numbers are transmitted directly to our payment processor for tokenization. We do not store full card numbers.
- Cookie Security: Cookies are configured with HttpOnly, Secure, and SameSite attributes.
- Security Headers: Industry-standard HTTP security headers are enforced across the Site.
7. Cookies
We use the following cookies to operate the Site:
| Cookie | Purpose | Duration |
| --- | --- | --- |
| ASP.NET_SessionId | Identifies your server-side session for Site functionality | Browser session |
| MillLogin | Remembers your username if you select “Remember me” | 6 months |
| MillGuestCart | Preserves your shopping cart across visits when not logged in | 30 days |
| MillVisitor | Anonymous visitor identifier for cart association | 1 year |
Third-party cookies may also be set by Google Analytics, Google Ads, and Microsoft Clarity through Google Tag Manager. These cookies are governed by the respective third parties' privacy policies.
You can control or delete cookies through your browser settings. Disabling cookies may affect Site functionality, including your ability to log in or maintain a shopping cart.
8. Your Rights and Choices
Account Information
You may update your account information, manage saved payment methods, and view your order history by logging into your account. To request account deletion or a copy of your personal data, contact us using the information in Section 11.
Cookies
You may manage cookie preferences through your browser settings. Note that disabling essential cookies may prevent the Site from functioning properly.
California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information, subject to certain exceptions
- Opt out of the sale of personal information — we do not sell personal information
- Non-discrimination for exercising your privacy rights
To exercise these rights, contact us using the information in Section 11.
9. Children’s Privacy
Our Site is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page. We encourage you to review this policy periodically.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
Mill Supply Co., Inc.
6210 Frankford Avenue
Baltimore, MD 21206
Phone: (410) 485-3343
Toll-Free: (800) 817-8183
Email: sales@millsupplyco.com