Privacy Policy
Effective 23 May 2026
Who we are
TenderBuilder (Dublin, Ireland) operates this service. We are the data controller for personal data processed through tenderbuilder.ie. For any privacy question, contact lewis@tenderbuilder.ie.
What we collect
- Account data: email address; OAuth profile fields (name, avatar) if you sign in with Google or Microsoft.
- Company profile content you supply: case studies, personnel biographies, certifications, services, pricing/SLA frameworks, writing guidelines, and historical tender outcomes. You control what you enter.
- Tender documents you upload: RFTs, TRDs, specs, appendices. These remain in your account.
- Operational data: jobs, harness events, usage metering (model, tokens, cost in EUR).
- Cookies: a strictly-necessary session cookie set by Supabase Auth, and (if you consent) a preference cookie remembering your cookie choice.
Legal bases
We process account and tender data under the contract basis (Art. 6(1)(b) GDPR) — we need it to deliver the service you signed up for. Operational data is processed under our legitimate interest (Art. 6(1)(f)) in running and improving the service. Non-essential cookies, if any are added in the future, will only run with your explicit consent (Art. 6(1)(a)).
Where your data lives
All account, tender, profile, and operational data is stored in Supabase (Postgres + Storage) in the EU region (Frankfurt). When the harness drafts answers, your tender documents and a rendered company-profile bundle are sent to Anthropic (Claude API) as document blocks under Anthropic's processor terms. Anthropic does not train on data submitted via the API. No other third-party processor receives your content.
Sub-processors
- Supabase (database, auth, storage; EU region).
- Anthropic (model inference for drafting).
- Vercel (hosting and edge runtime).
- Stripe (payment processing; billing data only).
Retention
We retain your data for as long as your account exists. Deleting your account deletes your tenant, all linked profile records, tenders, documents, drafts, and harness events within 30 days. Billing records are retained for 7 years as required by Irish tax law.
Your rights
Under the GDPR you can request access, correction, deletion, restriction, or portability of your personal data, and you can object to processing under legitimate interest. Email us at lewis@tenderbuilder.ie. You may also complain to the Irish Data Protection Commission (dataprotection.ie).
Security
Multi-tenant isolation is enforced at the database layer via Postgres Row Level Security on every table. Connections to Supabase and Anthropic are TLS-encrypted. Service-role keys are confined to the worker process and never exposed to the browser.
Changes
If we materially change this policy we will update the effective date above and notify active users by email at least 14 days before the change takes effect.