Last updated: 3 April 2026

Privacy Policy

1. Introduction

Bid Refinery Ltd ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Bid Refinery platform ("Service"). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

We collect the following categories of data:

  • Account Information. Name, email address, organisation name, and role when you register for an account.
  • Tender Documents. Documents you upload to the Service for requirement extraction and response generation, including PDFs, DOCX files, and text content.
  • Library Content. Capability statements, case studies, and reference materials you add to your organisation library.
  • Usage Data. Information about how you interact with the Service, including pages visited, features used, and timestamps of actions.
  • Payment Information. Billing details are collected and processed by Stripe. We do not store payment card numbers on our servers.

3. How We Use Your Data

  • Service Operation. To provide, maintain, and improve the Service, including requirement extraction, response drafting, and quality assurance features.
  • AI Processing. Your tender documents and library content are processed by our AI systems (powered by Anthropic Claude) to generate responses and analysis. This content is not used to train AI models.
  • Analytics. To understand usage patterns and improve the Service. We use aggregated, anonymised data for this purpose.
  • Communication. To send you essential service notifications, security alerts, and billing information.
  • Legal Compliance. To comply with applicable laws, regulations, and legal processes.

4. Data Storage and Security

  • Your data is stored in Supabase (PostgreSQL) with encryption at rest and in transit (TLS 1.2+).
  • We employ row-level security (RLS) policies to ensure strict data isolation between organisations.
  • File downloads are protected with time-limited, signed URLs.
  • All state-changing requests are protected with CSRF tokens.
  • Comprehensive audit logging tracks all significant actions for security and compliance purposes.

5. Data Retention

  • Account data is retained for the duration of your account and for 30 days after account deletion.
  • Tender documents and generated responses are retained for a default period of 90 days after project completion. Enterprise customers may configure custom retention periods.
  • Usage and audit logs are retained for 12 months.
  • Payment records are retained as required by applicable tax and accounting regulations.

6. Third-Party Processors

We use the following third-party processors to deliver the Service:

Processor | Purpose | Location
Supabase | Database hosting, authentication, file storage | EU / US
Stripe | Payment processing | US (EU-US Data Privacy Framework)
Anthropic | AI processing (Claude) for tender analysis and response generation | US

Each processor is bound by data processing agreements that require them to protect your data in accordance with applicable data protection laws.

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of Access. Request a copy of the personal data we hold about you.
  • Right to Rectification. Request correction of inaccurate or incomplete personal data.
  • Right to Erasure. Request deletion of your personal data, subject to legal retention obligations.
  • Right to Data Portability. Request your data in a structured, commonly used, machine-readable format.
  • Right to Object. Object to the processing of your personal data in certain circumstances.
  • Right to Restrict Processing. Request that we limit how we use your data.

To exercise any of these rights, contact our Data Protection Officer at privacy@bidrefinery.com. We will respond within 30 days.

8. Cookies

We use a minimal set of cookies necessary for the Service to function:

  • Session Cookies. Used to maintain your authenticated session. These are essential and cannot be disabled.
  • CSRF Cookies. Used to protect against cross-site request forgery attacks. These are essential security cookies.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. International Data Transfers

Some of our third-party processors are based outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO) and adequacy decisions where available.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on the Service at least 30 days before changes take effect. The "Last updated" date at the top of this page indicates the most recent revision.

11. Contact

For any privacy-related questions or to exercise your rights, contact our Data Protection Officer:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
