Our Commitment to Your Privacy
Bidovate ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our AI-powered procurement intelligence platform and related services (the "Service"), in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and the Data Protection Act 2018.
This policy provides the information required under Articles 13 and 14 of the GDPR.
Contact: support@bidovate.co
Data Controller
The data controller responsible for your personal data is:
Bidovate
Email: support@bidovate.co
If you have questions about data protection, you may contact our Data Protection Officer (DPO):
Data Protection Officer
Email: dpo@bidovate.co
Personal Data We Collect
Data you provide directly (Article 13(1)(d)):
- Account registration details: name, email address, job title, and organisation name
- Billing and payment information, processed by our PCI-DSS-compliant payment processor
- Support requests, feedback, and correspondence
- Uploaded documents and tender data you choose to analyse through the platform
Data collected automatically:
- Log data: IP address (anonymised), browser type, operating system, referring URL
- Usage data: features accessed, pages visited, timestamps, and session duration
- Device identifiers (anonymised)
Lawful Basis for Processing (Article 6)
We process your personal data on the following lawful bases:
| Purpose | Lawful Basis | GDPR Article |
|---|---|---|
| Providing and maintaining the Service | Performance of a contract | Art. 6(1)(b) |
| Processing payments | Performance of a contract | Art. 6(1)(b) |
| Sending service-related communications | Legitimate interest | Art. 6(1)(f) |
| Improving the Service through anonymised analytics | Legitimate interest | Art. 6(1)(f) |
| Marketing communications (where opted in) | Consent | Art. 6(1)(a) |
| Complying with legal obligations | Legal obligation | Art. 6(1)(c) |
Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment (LIA) to ensure our interests do not override your fundamental rights and freedoms.
Zero Model Training Guarantee
Your data is never used to train, fine-tune, or improve any AI or machine learning models. Your procurement data remains exclusively yours.
Data Sharing and Recipients
We do not sell your personal data. We share data only with the following categories of recipients:
- Sub-processors: Cloud hosting providers (EU-based data centres), payment processors, and support tools, all bound by Data Processing Agreements (DPAs) in accordance with Article 28 of the GDPR
- Legal authorities: Where required by applicable law, court order, or regulatory request
- Business transfers: In connection with a merger or acquisition, with advance notice and safeguards
- With your explicit consent
International Data Transfers
Your data is primarily hosted within the European Economic Area (EEA). Where transfers to countries outside the EEA are necessary (for example, for technical support), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary technical and organisational measures in line with the Schrems II decision
- Adequacy decisions where applicable
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Duration of contract + 12 months | Contract performance and reasonable re-activation period |
| Billing records | 7 years from transaction | Legal obligation (tax and accounting) |
| Support correspondence | 3 years from resolution | Legitimate interest (service improvement) |
| Analytics data (anonymised) | 2 years | Legitimate interest (product improvement) |
| Server logs | 90 days | Security and troubleshooting |
Your Data Subject Rights
Under the GDPR and UK GDPR, you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
- Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interest, including profiling
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, withdraw at any time without affecting prior lawfulness
- Right not to be Subject to Automated Decision-Making (Art. 22): We do not make decisions based solely on automated processing that produce legal or similarly significant effects
To exercise any of these rights, contact us at support@bidovate.co or dpo@bidovate.co. We will respond within one calendar month, as required by the GDPR.
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. The relevant authority depends on your location:
- UK: Information Commissioner's Office (ICO), ico.org.uk
- Ireland: Data Protection Commission (DPC), dataprotection.ie
- EU Member States: Your local supervisory authority
Security Measures
We implement robust security controls across the platform:
- SOC 2 Type II certified: independently audited controls for security, availability, and confidentiality
- ISO 27001 certified: information security management system certified to the international gold standard
- ISO 27017 certified: cloud-specific security controls extending ISO 27001
- AES-256 encryption at rest, TLS 1.3 in transit
- Role-based access control and comprehensive audit logging
- Regular penetration testing and vulnerability assessments
All data is hosted on EU-based cloud infrastructure. Your tender documents, analysis results, and company data never leave EU jurisdiction unless you explicitly request otherwise.
EU AI Act Transparency
In accordance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we disclose the following:
- Our AI system is classified as a limited-risk AI system
- AI-generated content (such as tender summaries and analysis reports) is clearly labelled as AI-generated
- Our system does not perform biometric identification, social scoring, or any prohibited AI practices
- Technical documentation is available upon request for regulatory compliance purposes
Children's Privacy
Bidovate is a business platform for procurement professionals and enterprises. Our services are not directed at individuals under 18, and we do not knowingly collect data from minors.
Changes to This Policy
We will notify you of material changes via email or prominent notice on our website at least 30 days before they take effect.
Contact
Data Controller: Bidovate
Email: support@bidovate.co
DPO: dpo@bidovate.co