Privacy Policy

Last updated: March 2026

1. Data Controller

TenderPulse is operated by Nick Verbeke, acting as a sole proprietor (eenmanszaak) under Belgian law.

Registered address: [ADDRESS — to be completed upon KBO registration]

Enterprise number (KBO/BCE): [TO BE COMPLETED]

Email: privacy@tenderpulse.io

We have not appointed a Data Protection Officer (DPO), as we are a small-scale processor that does not engage in large-scale systematic monitoring or processing of special categories of data. For all privacy-related inquiries, contact us at the email address above.

2. Data We Collect

We collect the following categories of personal data:

Account data — email address, display name, hashed password, and/or third-party authentication identifiers (when you sign in via Google or Microsoft). We also record whether you have accepted the Terms of Service, including the timestamp and version of acceptance.

Usage data — saved search filters, alerts, pipeline status, bid assessments, competitor watchlists, AI analysis results, and interaction history within the Service.

Payment data — subscription tier and status. We never store full card numbers, bank account details, or other sensitive financial data; all payment processing is handled entirely by our third-party payment provider.

Technical data — IP address, browser type and version, device type, operating system, referral URLs, and access timestamps collected via server logs and, where you consent, analytics tools.

Uploaded content — tender documents, company documents, and other files you upload for AI analysis or library storage.

Communication data — messages you send to us via email or support channels.

3. Purposes of Processing

We process your personal data for the following purposes:

Service delivery — to provide and operate the TenderPulse platform, including tender monitoring, alert notifications, pipeline management, competitor tracking, and AI-powered analysis.

Account management — to create and manage your account, authenticate your identity, verify your email, and process password resets.

Transactional communications — to send essential emails such as verification emails, password resets, alert notifications, deadline reminders, and subscription-related notices.

Payment processing — to process payments, manage subscriptions, and generate invoices through our payment provider.

AI features — to provide AI-powered tender analysis, document summarization, bid/no-bid assessments, bid draft generation, and conversational analysis. Your data is sent to third-party AI model providers for processing (see Section 5).

Service improvement — to improve the Service through aggregated, anonymized usage analytics and error monitoring.

Security — to detect, prevent, and respond to security incidents, fraud, and abuse.

Legal compliance — to comply with applicable legal obligations, including tax record-keeping, responding to lawful requests from authorities, and enforcing our Terms of Service.

4. Legal Bases (GDPR Art. 6)

We process your personal data based on the following legal grounds:

Contract performance (Art. 6(1)(b)) — processing necessary to deliver the Service you signed up for, including account management, service features, and transactional communications.

Legitimate interest (Art. 6(1)(f)) — security monitoring, fraud prevention, service improvement, and error tracking. We have assessed that these interests do not override your fundamental rights and freedoms.

Consent (Art. 6(1)(a)) — analytics cookies and optional marketing communications. You can withdraw consent at any time via the cookie consent banner or by contacting us.

Legal obligation (Art. 6(1)(c)) — financial record-keeping, tax compliance, and responding to lawful requests from public authorities.

5. Categories of Recipients & Third-Party Processors

We share personal data with the following categories of third-party processors. Where applicable, data processing agreements (DPAs) are in place with each processor.

Payment provider — Paddle processes subscription payments on our behalf (PCI DSS compliant). Paddle acts as Merchant of Record and may process your name, email, and payment details.

Authentication providers — if you sign in via Google or Microsoft, your authentication token is verified with the respective provider. We receive only your email address, name, and a unique identifier; we do not receive your password.

AI model provider — tender analysis, document summarization, and chat features use a third-party large language model API. Text from your documents and tender data is sent to the AI provider for processing. The AI provider processes data under a DPA and does not use your data to train its models.

Translation provider — tender titles and descriptions may be sent to a third-party translation API for automatic translation. Text is processed transiently.

Error monitoring service — we use an error tracking service to detect and diagnose technical issues. This service may receive technical data such as IP address, browser information, and stack traces.

Email delivery service — transactional emails (verification, password reset, alerts) are sent via a third-party email service provider.

Cloud hosting provider — our application and database are hosted on cloud infrastructure. The hosting provider stores and processes all data on our behalf under a DPA.

Content delivery network — our frontend is served via a content delivery network (CDN), which may process IP addresses and request metadata for security and performance purposes.

Analytics provider — with your consent, we use an analytics service to understand how visitors interact with the Service. Analytics data is anonymized (IP anonymization enabled).

We do not sell your personal data to third parties. We do not share your data with third parties for their own marketing purposes.

6. Automated Decision-Making & Profiling

TenderPulse uses automated processing in the following ways:

Tender recommendations — the Service may automatically suggest tenders based on your search filters, saved preferences, and interaction history. These recommendations are informational and do not have legal or similarly significant effects on you.

AI-powered analysis — tender summaries, bid assessments, and draft suggestions are generated by automated AI models. These outputs are advisory only and are not used to make binding decisions about you.

Alert matching — the Service automatically matches new tenders against your saved filters to generate alert notifications.

None of these automated processes constitute solely automated decision-making with legal or similarly significant effects within the meaning of GDPR Art. 22. You always retain full control over any actions taken based on automated outputs.

7. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

Account data — retained while your account is active. Deleted within 30 days of account deletion.

Usage data (filters, pipeline, assessments) — retained while your account is active. Deleted with your account.

Tender data — public procurement data sourced from official EU and national portals. This is public-domain data and is retained indefinitely for historical analysis.

Uploaded documents — deleted when you remove them or when your account is deleted.

AI analysis results — retained while your account is active. Deleted with your account.

Payment records — retained for 7 years as required by Belgian tax law.

Server logs — retained for 90 days for security and debugging purposes, then automatically purged.

Analytics data — retained in anonymized form as configured by the analytics provider (typically up to 26 months).

ToS acceptance records — retained for the duration of the contractual relationship and for 7 years thereafter, as evidence of your agreement.

8. International Data Transfers

Your primary data is stored on servers within the European Economic Area (EEA) or in jurisdictions that provide an adequate level of data protection as determined by the European Commission.

Some of our third-party processors may transfer or process data outside the EEA (for example, AI model providers and translation services). Where such transfers occur, they are protected by one or more of the following safeguards:

(a) An adequacy decision by the European Commission (e.g., the EU-US Data Privacy Framework).

(b) Standard Contractual Clauses (SCCs) approved by the European Commission.

(c) Other appropriate safeguards as required by GDPR Chapter V.

You may request information about the specific safeguards applied to any transfer by contacting us at privacy@tenderpulse.io.

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15) — request a copy of all personal data we hold about you.

Right to rectification (Art. 16) — correct inaccurate or incomplete personal data.

Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten"). You can delete your account via Settings, or contact us.

Right to restriction (Art. 18) — request that we limit the processing of your data in certain circumstances.

Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format (JSON).

Right to object (Art. 21) — object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to withdraw consent (Art. 7(3)) — withdraw consent at any time for processing based on consent (e.g., analytics cookies), without affecting the lawfulness of processing before withdrawal.

Right not to be subject to automated decision-making (Art. 22) — as described in Section 6, we do not make solely automated decisions with legal or similarly significant effects.

To exercise any of these rights, contact us at privacy@tenderpulse.io. We will verify your identity and respond within 30 days. If we need additional time (up to 60 further days for complex requests), we will inform you within the initial 30-day period.

Exercising your rights is free of charge. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests, as permitted by GDPR Art. 12(5).

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS (HTTPS).

Password security — passwords are hashed using bcrypt with SHA-256 pre-hashing and are never stored in plain text.

Access control — role-based access control and row-level security in the database ensure users can only access their own data.

Authentication security — HTTP-only cookies for session tokens, account lockout after failed login attempts, and token rotation.

Regular reviews — we conduct periodic security assessments and apply security patches promptly.

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

(a) Notify the competent supervisory authority (Gegevensbeschermingsautoriteit for Belgium) within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.

(b) Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34.

Notification will include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.

12. Children's Privacy

The Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@tenderpulse.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. We will notify active users of material changes via email at least thirty (30) days before they take effect. The updated policy will be posted on our website with the revised "Last updated" date.

Non-material changes (such as clarifications or typographical corrections) may be made without prior notice. We encourage you to review this policy periodically.

14. Contact & Complaints

If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:

Email: privacy@tenderpulse.io

We will endeavor to respond to all inquiries within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. For Belgium:

Gegevensbeschermingsautoriteit (GBA)

Drukpersstraat 35, 1000 Brussels

https://www.gegevensbeschermingsautoriteit.be

contact@apd-gba.be