Privacy policy

Last updated: 21 June 2026

This page is maintained by TenderPath UK Limited ("TenderPath", "we", "us") to explain how we handle personal data when you use our website and platform. It is written to align with the UK GDPR and the Data Protection Act 2018. It is not a substitute for a contract or DPA — if you need either, contact privacy@tenderpath.uk.

1. Who we are

TenderPath UK Limited is a company being formed in England & Wales. The data controller for personal data processed via this platform is TenderPath UK Limited. Contact: privacy@tenderpath.uk.

2. What we collect

  • Account data: name, work email, password hash, sign-in provider.
  • Company profile: company name, sectors, accreditations, regions, contract value bands, capabilities you choose to enter.
  • Usage data: opportunities viewed, scans run, bids tracked, in-app actions.
  • Billing data: handled by Stripe; we receive a customer ID and subscription metadata, not full card details.
  • Technical data: IP address, browser, device, and error logs needed to keep the service running and secure.

3. Lawful bases

  • Contract: to provide the platform you signed up for.
  • Legitimate interests: to keep the service secure, prevent abuse, and improve product quality.
  • Consent: for non-essential cookies and marketing emails you have explicitly opted into.
  • Legal obligation: for tax, accounting and lawful requests from authorities.

4. How we use the data

We use the data to run the matching engine, score opportunities, manage your bid portfolio, deliver transactional emails (account confirmation, password resets, billing receipts), and improve the platform. We do not sell personal data, and we do not use customer bid content to train models for other customers.

5. Subprocessors

We use a small number of carefully chosen processors to deliver the service:

  • Supabase (database, auth, storage) — UK / EU region.
  • Cloudflare (hosting, CDN, edge runtime).
  • Stripe (subscription billing).
  • Resend / transactional email provider (delivery of system emails).

A full and up-to-date subprocessor list is available on request.

6. International transfers

We aim to keep personal data in the UK / EU. Where a subprocessor processes data outside the UK, we rely on adequacy decisions or the UK International Data Transfer Addendum to the EU SCCs.

7. Retention

Account and profile data is retained while your account is active and for up to 24 months after closure (so we can restore the account if you change your mind, and to meet tax record-keeping requirements). Billing records are retained for 7 years as required by HMRC. You may request earlier deletion; see section 9.

8. Security

Data is encrypted in transit (TLS) and at rest. Authentication uses managed Supabase Auth with row-level security on every table holding customer data, so a customer's data is isolated from other customers' at the database layer. Access is restricted to a small operational team on a need-to-know basis.

9. Your rights

You have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate data;
  • Erase your data (right to be forgotten), subject to legal retention;
  • Restrict or object to processing;
  • Port your data to another provider;
  • Withdraw consent at any time for processing based on consent;
  • Complain to the UK Information Commissioner's Office (ico.org.uk).

To exercise any of these, email privacy@tenderpath.uk.

10. Cookies

See our cookies page for details and to change your preference.

11. Changes to this policy

We will post material changes here and, where appropriate, notify you by email at least 14 days before they take effect.