Privacy and Cookie Policy

Last updated on 1 June 2026.

This Privacy and Cookie Policy explains how Tenderfy R&D Tax Ltd, trading through Tenderfy.io, collects, uses, shares and protects personal data when you use our website, platform and related services.

Tenderfy R&D Tax Ltd is a company registered in England and Wales under company number 15821247, with registered office at 1 Kings Avenue, London, United Kingdom, N21 3NA (Tenderfy, we, us, our).

For UK data protection law purposes, Tenderfy is the controller of personal data processed for platform operation, account management, tender publication, supplier approval, messaging, billing, security, analytics and marketing, unless this policy states otherwise.

You can contact us about privacy matters at admin@tenderfy.io. Legal notices should be sent to admin@tenderfy.io.

1. Scope of this policy

1.1 This policy applies to personal data processed in connection with:

  • tenderfy.io;
  • Client accounts;
  • Supplier accounts;
  • Tender publication;
  • Supplier proposals;
  • messaging, shortlisting and award workflows;
  • Supplier verification;
  • payments and billing;
  • support, complaints and dispute handling;
  • security, fraud prevention and platform improvement;
  • marketing communications;
  • cookies and similar technologies.

1.2 The platform is intended for business users only and is not intended for children or consumers.

1.3 Where a Client appoints a Supplier, that Supplier will usually act as an independent controller for personal data processed in connection with its professional services. The Supplier should provide its own privacy information to the Client.

1.4 This policy does not apply to third-party websites, payment processors, professional advisers or Supplier services except where we explain our own sharing of data with them.

2. Personal data we collect

The personal data we collect depends on how you use the platform.

2.1 Account and contact data

We may collect names, work email addresses, telephone numbers, job titles, usernames, passwords in hashed form, company names, company numbers, addresses, billing details and account preferences.

2.2 Company and tender data

We may collect company sector, size, location, financial information, R&D project descriptions, claim status, preferred service requirements, budget information, tender details, documents, messages and files that users choose to upload or submit.

2.3 Supplier verification data

For Suppliers, we may collect identity, company, director, beneficial owner, professional experience, professional body membership, anti-money laundering supervision, HMRC registration or agent services account, professional indemnity insurance, sanctions, adverse media, complaint history, reference and verification outcome information.

2.4 Proposal and engagement data

We may collect proposals, bids, quotes, pricing, fee structures, award decisions, shortlisting information, Client/Supplier communications, reported engagements, commission reports, invoices, receipts and commission-related records.

2.5 Payment and billing data

We may collect billing contact details, invoices, receipts, VAT information, transaction references, payment status, chargeback or failed payment information. Card payments are processed by Stripe or another payment processor. We do not intentionally store full payment card numbers.

2.6 Technical and usage data

We may collect IP addresses, device identifiers, browser type, operating system, referring URLs, pages viewed, date and time stamps, login records, session data, cookie identifiers, security logs and platform usage data.

2.7 Support, complaints and communications data

We may collect information contained in emails, chat, support tickets, complaints, feedback, survey responses and other communications with us.

2.8 Marketing data

We may collect marketing preferences, consent records, email engagement data and event attendance information.

2.9 Special category and sensitive information

The platform is not intended to collect special category personal data. You should not upload health, biometric, political, religious, trade union, sexual orientation or similarly sensitive personal data unless strictly necessary and lawful. If such information is uploaded, we may process it only as necessary to operate, secure, moderate or comply with legal obligations relating to the platform.

3. How we collect personal data

We collect personal data:

  • directly from you when you register, publish a Tender, submit a Proposal, complete verification, send messages, make payments or contact us;
  • from other platform users where they communicate with you or refer to you;
  • from public sources such as Companies House, professional registers, sanctions lists and publicly available websites;
  • from verification, payment, hosting, analytics, email and security providers;
  • automatically through cookies, logs and similar technologies.

4. Why we use personal data and lawful bases

We use personal data for the following purposes and lawful bases:

  • Providing the platform: account creation, tenders, proposals, messaging, dashboards and support. Lawful basis: contract and legitimate interests.
  • Publishing tenders and matching users: showing tender briefs to approved Suppliers, managing shortlists and recording awards. Lawful basis: contract and legitimate interests.
  • Supplier verification: identity, AML, professional, insurance, HMRC registration, sanctions and adverse media checks. Lawful basis: legitimate interests and legal obligation where applicable.
  • Payments and billing: publication fees, invoices, receipts, failed payments, chargebacks and commission administration. Lawful basis: contract, legal obligation and legitimate interests.
  • Commission administration: Supplier reporting, audit, invoicing, debt recovery and enforcement of Supplier terms. Lawful basis: contract and legitimate interests.
  • Security and fraud prevention: login monitoring, abuse prevention, platform integrity and investigation of suspicious activity. Lawful basis: legitimate interests and legal obligation.
  • Compliance and disputes: complaints, legal claims, regulatory requests, HMRC matters, court matters and enforcement. Lawful basis: legal obligation and legitimate interests.
  • Service communications: operational notices, account alerts, security messages, legal updates and platform change notices. Lawful basis: contract and legitimate interests.
  • Marketing: newsletters, updates, events and platform announcements. Lawful basis: consent or legitimate interests, as applicable.
  • Analytics and improvement: usage analysis, service testing, product development and performance monitoring. Lawful basis: legitimate interests and consent where required for cookies.

Where we rely on legitimate interests, our interests include operating a secure business-to-business marketplace, preventing abuse, verifying Suppliers, enforcing our terms, improving our services, managing commercial relationships and protecting users.

5. How we share personal data

We may share personal data with the following categories of recipients.

5.1 Other platform users

When a Client publishes a Tender, relevant Tender information may be visible to approved Suppliers. Direct contact details may be withheld until shortlisting, award or another platform stage determined by Tenderfy.

When a Supplier submits a Proposal, relevant Proposal information may be shared with the Client that published the Tender.

When users message, shortlist, award or enter into an Engagement, we may share the information needed to facilitate that workflow.

5.2 Service providers

We may share personal data with providers of hosting, cloud infrastructure, payment processing, email delivery, customer support, analytics, security, verification, document storage, e-signature, accounting and professional services.

5.3 Payment processors

Payment information may be processed by Stripe or another payment processor. The payment processor will process payment data under its own terms and privacy policy where applicable.

5.4 Professional advisers and authorities

We may share personal data with lawyers, accountants, auditors, insurers, regulators, HMRC, law enforcement, courts, insolvency practitioners, debt recovery providers or other authorities where necessary.

5.5 Business transfers

If Tenderfy is involved in a merger, investment, reorganisation, sale, acquisition or transfer of business or assets, personal data may be shared with relevant parties and advisers subject to appropriate confidentiality protections.

6. Data roles between Clients, Suppliers and Tenderfy

6.1 Tenderfy is generally an independent controller for platform data.

6.2 Clients are independent controllers for personal data they upload to the platform and for decisions about the content of their Tenders.

6.3 Suppliers are independent controllers for personal data they process when providing professional services to Clients.

6.4 Suppliers are responsible for their own privacy notices, lawful bases, retention periods, data security and data subject rights handling in relation to their professional services.

6.5 Tenderfy is not responsible for how a Supplier uses Client data outside the platform, except to the extent required by law or our contractual relationship with that Supplier.

7. International transfers

7.1 We aim to store and process personal data in the UK or European Economic Area where reasonably practicable.

7.2 Some service providers may process personal data outside the UK.

7.3 Where personal data is transferred outside the UK to a country without adequacy regulations, we use appropriate safeguards such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with transfer risk assessments where required.

8. Retention

We keep personal data only for as long as reasonably necessary for the purposes described in this policy.

Typical retention periods are:

  • Account data: account lifetime plus up to 6 years after closure.
  • Tender, proposal, messaging and award records: up to 6 years after the relevant Tender, Engagement, dispute or account closure.
  • Supplier verification records: account lifetime plus up to 6 years after closure or last platform activity.
  • Billing, tax and commission records: 6 years from the end of the relevant accounting period, or longer if required by law or dispute.
  • Support and complaints records: up to 6 years after resolution.
  • Security logs: usually up to 24 months unless needed for investigation or legal reasons.
  • Marketing records: until you opt out, withdraw consent or the data is no longer needed.
  • Cookie consent records: duration of consent plus a reasonable audit period.

We may retain data for longer where required for legal claims, regulatory requests, fraud prevention, security incidents, disputes or enforcement of our terms.

Where data is no longer needed, we will delete, anonymise or securely archive it.

9. Security

We use appropriate technical and organisational measures designed to protect personal data, including access controls, encryption in transit, secure password storage, logging, backups, supplier due diligence and internal access restrictions.

No system is completely secure. You are responsible for keeping account credentials safe and notifying us promptly of suspected unauthorised access.

10. Your rights

Subject to legal conditions and exemptions, you may have the right to:

  • access your personal data;
  • correct inaccurate personal data;
  • request deletion of personal data;
  • restrict processing;
  • object to processing based on legitimate interests or direct marketing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • complain to the Information Commissioner's Office.

To exercise your rights, contact admin@tenderfy.io. We may need to verify your identity and authority before responding.

You can complain to the Information Commissioner's Office at ico.org.uk, but we ask that you contact us first so we can try to resolve your concern.

11. Marketing communications

We may send business users marketing communications about Tenderfy services, updates, events or related opportunities where permitted by law.

You can opt out of marketing at any time by using the unsubscribe link in an email or contacting admin@tenderfy.io.

Opting out of marketing does not stop transactional or service messages relating to your account, tenders, proposals, payments, verification, security or legal notices.

12. Cookies and similar technologies

Cookies are small text files placed on your device when you visit a website. Similar technologies include pixels, local storage, SDKs and tags.

We use cookies and similar technologies to operate the website, keep users logged in, protect the platform, remember preferences, measure performance and, where consented, support analytics or marketing.

13. Types of cookies we use

We may use the following types of cookies:

  • Strictly necessary cookies: required for login, authentication, security, payment flow, load balancing, fraud prevention and cookie preference storage. Consent is not required.
  • Functional cookies: remember choices such as preferences, saved filters or interface settings. Consent may be required unless the cookie is strictly necessary.
  • Analytics cookies: help us understand how visitors use the website and improve performance. Consent is required where applicable.
  • Marketing cookies: support advertising, retargeting, campaign measurement or similar marketing activities. Consent is required.
  • Third-party cookies: set by providers such as payment, analytics, security or embedded content providers. Consent depends on the purpose of the cookie.

14. Cookie examples

The exact cookies used may change as the platform develops. The cookie banner or preference centre should show the current cookies, providers and expiry periods.

Typical cookies may include:

  • Session or authentication cookies provided by Tenderfy to keep you logged in and maintain your session. These usually last for the session or a short fixed period.
  • CSRF or security cookies provided by Tenderfy to protect forms and account actions against misuse. These usually last for the session or a short fixed period.
  • Cookie preference records provided by Tenderfy to store your cookie choices. These may last for up to 12 months.
  • Payment cookies provided by Stripe or another payment provider to enable secure payment processing and fraud prevention. Duration is set by the provider.
  • Analytics cookies provided by an analytics provider to measure website usage and performance where consented. Duration is set by the provider.
  • Marketing pixels or tags provided by a marketing provider to measure campaigns or support advertising where consented. Duration is set by the provider.

15. Managing cookies

15.1 You can manage non-essential cookies through our cookie banner or preference centre, where available.

15.2 You can also block or delete cookies through your browser settings. Blocking some cookies may affect website functionality.

15.3 We do not set non-essential analytics or marketing cookies unless consent has been obtained where required.

15.4 If you clear cookies or use a different browser or device, you may need to set your preferences again.

16. Third-party links and services

The platform may contain links to third-party websites, services, payment processors, professional advisers, Supplier websites or external resources. We are not responsible for the privacy practices, content or security of third-party services. You should read their privacy notices before providing personal data.

17. Automated decision-making

We may use rules, filters, scoring or automated tools to support matching, verification, fraud prevention, security and platform prioritisation. We do not use solely automated decisions that produce legal or similarly significant effects without appropriate safeguards where required by law.

18. Changes to this policy

We may update this Privacy and Cookie Policy from time to time. Where changes are material, we will take reasonable steps to notify users, such as by email, dashboard notice, website notice or requiring re-acceptance.

The latest version will be available on tenderfy.io.