Privacy Policy
Last updated: April 2026
1. Who is the data controller
Tenderal ("we", "us") is the controller of your personal data under GDPR (EU/EEA users), UK GDPR (UK users), and equivalent laws in other jurisdictions. Contact: info@tenderal.com.
2. What we collect
| Category | Examples | Why |
|---|---|---|
| Account data | Email, name, company, country, password hash | Sign-in, support, invoicing |
| Profile preferences | Saved searches, favourites, alert rules, declared sectors | Personalise the product |
| Billing data | Stripe customer ID, plan, invoice history, billing address | Process payments, tax receipts |
| Usage data | Pages viewed, search terms, clicks, device/browser info, IP address | Improve the product, detect abuse |
| Support messages | Emails, chat logs, attachments you send us | Answer your questions |
| Cookies | Session, preferences, and (optional) analytics cookies | Keep you signed in; measure usage |
We do not collect: payment card numbers (Stripe does), government ID, biometric data, or special-category data (race, religion, health, etc.).
3. Legal bases (GDPR Art. 6)
- Contract — to provide the Service you signed up for (account, search, alerts, billing).
- Legitimate interest — to secure the Service, prevent fraud, analyse aggregate usage, and send service announcements.
- Consent — for optional analytics cookies and for marketing emails (both of which you can decline / opt out of).
- Legal obligation — to keep invoices and tax records as required by law.
4. Who we share data with
- Stripe — payment processing. See stripe.com/privacy.
- Supabase — database and authentication hosting (EU region).
- Cloudflare — CDN, DNS, and DDoS protection.
- Email delivery provider (Resend or equivalent) — transactional email.
- Authorities — only if legally compelled, and we will push back on overbroad requests.
We never sell or rent your personal data.
5. International transfers
Some providers (Stripe, Cloudflare) may process data in the United States or other jurisdictions. We rely on Standard Contractual Clauses (SCCs) and each vendor's certifications (e.g. Data Privacy Framework) as the legal basis for those transfers.
6. Retention
- Account data: while your account is active, plus 30 days after closure (then deleted).
- Invoices / tax records: 7 years, as required by law.
- Usage logs: 90 days in identifiable form, then aggregated.
- Support messages: 3 years.
7. Your rights
You have the right to: access your data, correct it, delete it, port it to another provider, object to processing, restrict processing, and withdraw consent at any time. Email privacy@tenderal.com to exercise any of these. We respond within 30 days.
EU/EEA users may also lodge a complaint with their national data protection authority. UK users may lodge a complaint with the ICO.
8. Cookies
We use a small number of cookies:
- Essential (session, CSRF) — cannot be disabled; the site won't work without them.
- Preference (selected country, language) — stored in localStorage, not shared.
- Analytics (optional) — only if you accept the cookie banner. We currently use self-hosted Plausible (no cross-site tracking, no personal identifiers).
9. Security
We use TLS 1.2+ for all traffic, bcrypt-hashed passwords, least-privilege database access with row-level security, and encrypted backups. No system is 100% secure; if we detect a breach that affects you, we will notify you within 72 hours as required by GDPR.
10. Children
Tenderal is a B2B tool for procurement professionals and is not directed to anyone under 18. We do not knowingly collect personal data from minors. If you believe we have such data, email privacy@tenderal.com and we will delete it.
11. Changes
We may update this policy to reflect product or legal changes. Material updates will be announced by email at least 14 days before they take effect.
12. Contact
Privacy questions or data-subject requests: privacy@tenderal.com. General contact: info@tenderal.com.