Privacy Policy

Last updated: 5 February 2025

Effective Date: 1 July 2021 (POPIA compliance date)

🛡️ Your Privacy Matters

This policy complies with the Protection of Personal Information Act 4 of 2013 (POPIA), the Electronic Communications and Transactions Act 25 of 2002 (ECTA), and the Consumer Protection Act 68 of 2008 (CPA) of the Republic of South Africa.

1. Introduction and Definitions

BidReady is built and owned by TSP Digital (Pty) Ltd (registration number 2013/198107/07). TSP Digital (Pty) Ltd ("we," "our," or "us") receives subscription payments and is the Responsible Party for the processing of your personal information in connection with BidReady. We operate from the Republic of South Africa and are committed to protecting your privacy. This Privacy Policy explains how we collect, use, process, disclose, and safeguard your information when you use our tender analysis service.

Definitions:

  • "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, as defined in POPIA
  • "Processing" means any operation or activity concerning personal information, including collection, storage, use, and dissemination
  • "Data Subject" means the person to whom personal information relates
  • "Responsible Party" means TSP Digital (Pty) Ltd as the entity that determines the purpose and means of processing personal information in connection with the Service
  • "Operator" means a person who processes personal information on behalf of the Responsible Party

By using BidReady, you consent to the collection, processing, and use of information in accordance with this policy. If you do not agree with this policy, please do not use our service.

2. Information We Collect

2.1 Personal Information You Provide

We collect the following personal information that you voluntarily provide to us:

  • Registration Information: Name, surname, email address, password, phone number (if provided)
  • Company/Business Information: Company name, registration number, VAT number, business type, industry sector
  • Payment Information: Billing address, payment method details (processed securely through Paystack - we do not store credit card numbers)
  • Tender Documents: PDF/Word documents you upload for analysis (automatically deleted after 90 days)
  • Communications: Content of messages, support requests, feedback, and correspondence with us
  • Profile Information: Preferences, saved searches, document history, subscription details

2.2 Information Automatically Collected

We automatically collect certain information when you access or use our service:

  • Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution
  • Usage Information: Pages viewed, features used, time spent on platform, click patterns, navigation paths
  • Location Information: General geographic location based on IP address (country, province, city level only)
  • Cookies and Tracking: Session identifiers, authentication tokens, preference settings (see our Cookie Policy)
  • Analytics Data: Performance metrics, error logs, system diagnostics

2.3 Information from Third Parties

We may receive information from:

  • Payment Processors: Transaction confirmations and payment status from Paystack
  • Authentication Services: Verification data from email authentication services
  • Publicly Available Sources: Business registration information for verification purposes

3. How We Use Your Information (Purpose Specification)

In accordance with POPIA Section 13, we process your personal information only for specific, explicitly defined, and lawful purposes. We use your information for:

3.1 Service Provision

  • Creating and managing your account
  • Providing tender analysis services using AI technology
  • Processing and storing uploaded documents temporarily
  • Generating checklists, reports, and analysis results
  • Enabling export functionality (PDF, Excel)
  • Providing customer support and technical assistance

3.2 Business Operations

  • Processing payments and managing subscriptions
  • Enforcing usage limits and plan restrictions
  • Sending transactional emails (receipts, confirmations, password resets)
  • Communicating service updates and system maintenance
  • Conducting internal research to improve our services

3.3 Legal and Security

  • Detecting, preventing, and addressing fraud, security breaches, or technical issues
  • Protecting against harm to rights, property, or safety of BidReady, users, or the public
  • Enforcing our Terms of Service and legal agreements
  • Complying with legal obligations (tax, audit, regulatory reporting)
  • Responding to legal process (court orders, subpoenas)

3.4 Analytics and Improvement

  • Analyzing usage patterns to improve functionality
  • Conducting A/B testing for feature optimization
  • Monitoring system performance and uptime
  • Generating aggregated, anonymized statistics (no personal identification)

3.5 Marketing (With Consent)

Only if you opt in: We may send promotional emails about new features, special offers, or updates. You can unsubscribe at any time using the link in each email or by contacting us. We comply with Section 69 of ECTA regarding electronic communications.

4. Data Storage, Security, and Retention

4.1 Security Safeguards (POPIA Section 19)

We implement appropriate technical and organizational measures to secure personal information against unauthorized access, loss, damage, or destruction:

  • Encryption: All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption
  • Access Controls: Role-based access controls, multi-factor authentication for administrative access
  • Secure Infrastructure: Hosted on Supabase with ISO 27001, SOC 2 Type II compliance
  • Regular Security Audits: Vulnerability scanning, penetration testing, and security reviews
  • Secure Development: Security best practices in coding, regular dependency updates
  • Employee Training: Staff trained on data protection and security protocols
  • Incident Response: Documented breach response procedures

Important: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to using commercially reasonable efforts to protect your information.

4.2 Data Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law:

  • Uploaded Documents: Automatically deleted 90 days after upload (you can delete earlier)
  • Analysis Results: Retained for 12 months or until account deletion
  • Account Information: Retained while account is active, plus 30 days after deletion request
  • Financial Records: Retained for 5 years as required by South African tax law
  • Marketing Consent: Retained until withdrawn, then deleted within 30 days
  • Support Communications: Retained for 2 years for service improvement
  • Security Logs: Retained for 90 days for security monitoring
  • Audit Logs: Retained for 2 years for compliance and security
  • Analytics Events: Retained for 24 months for product and usage analysis

After retention periods expire, personal information is securely deleted or anonymized to prevent identification. You may request a copy of your data (export) or full account deletion at any time; we process such requests manually (e.g. via email to privacy@bidready.co.za) and will respond within 30 days.

4.3 Data Storage Locations

Your data is primarily stored on secure servers provided by Supabase. While some infrastructure may be located outside South Africa, we ensure compliance with POPIA Section 72 requirements for cross-border data transfers (see Section 5 below).

5. Data Sharing, Disclosure, and Cross-Border Transfers

5.1 Third-Party Service Providers (Operators)

We engage third-party service providers to perform functions on our behalf. These Operators process personal information under written agreements ensuring POPIA compliance:

  • Supabase (Database & Authentication): Stores user data, documents, and analysis results. Data may be processed outside SA - adequate protection ensured
  • Paystack (Payment Processing): Processes subscription payments. PCI-DSS compliant. Based in Nigeria with SA operations
  • OpenAI (AI Processing): Processes tender documents for analysis. Important: Documents are processed in real-time and NOT stored by OpenAI. Data processed in USA - see cross-border section below
  • Email Service Providers: Deliver transactional and notification emails
  • Analytics Services: Process anonymized usage data for performance monitoring

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

5.2 Legal Disclosures

We may disclose personal information if required or permitted by law:

  • In response to court orders, subpoenas, or legal processes
  • To comply with regulatory requirements (SARS, CIPC, Information Regulator)
  • To protect our rights, property, or safety, or that of users or the public
  • To enforce our Terms of Service or investigate violations
  • In connection with business transfers (mergers, acquisitions) - you will be notified

5.3 Cross-Border Data Transfers (POPIA Section 72)

Some of our service providers process data outside the Republic of South Africa. We ensure compliance with POPIA Section 72 by:

  • Adequacy Assessment: Verifying that recipient countries provide adequate data protection (e.g., GDPR-compliant jurisdictions)
  • Contractual Safeguards: Requiring processors to implement POPIA-equivalent protections
  • Transparency: Informing you of cross-border transfers in this policy
  • Your Consent: By using our service, you consent to these transfers under the protections described

Specific Transfers:

  • OpenAI (USA): Documents processed for AI analysis - NOT permanently stored
  • Supabase (various regions): Data hosting with encryption and access controls
  • All transfers comply with Section 72 and use Standard Contractual Clauses where applicable

6. Your Rights Under POPIA (Data Subject Participation)

Under POPIA, you have the following rights regarding your personal information:

6.1 Right of Access (Section 23)

  • Request confirmation of whether we hold your personal information
  • Receive a copy of your personal information in a commonly used format
  • Request information about how your data is processed
  • How to exercise: Email privacy@bidready.co.za with "Access Request" in the subject line
  • Response time: Within 30 days. Fee may apply for excessive requests (R50 maximum)

6.2 Right to Correction (Section 24)

  • Request correction of inaccurate or incomplete personal information
  • Update your account information directly through your profile settings
  • If we disagree with a correction, we'll attach your request to the record

6.3 Right to Deletion/Erasure

  • Request deletion of your personal information when no longer needed
  • Delete your uploaded documents at any time through the dashboard
  • Request full account deletion - we'll delete all data within 30 days
  • Exception: We may retain information required by law (e.g., financial records for 5 years)

6.4 Right to Object to Processing

  • Object to processing based on legitimate interests
  • Object to direct marketing at any time (unsubscribe links provided)
  • We must stop processing unless we have compelling legitimate grounds

6.5 Right to Data Portability

  • Receive your personal information in a structured, machine-readable format (JSON, CSV)
  • Request transfer to another service provider where technically feasible

6.6 Right to Complain

  • Lodge a complaint with us: privacy@bidready.co.za
  • Lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
P.O. Box: 31533, Braamfontein, Johannesburg, 2017
Email: inforeg@justice.gov.za
Website: https://www.justice.gov.za/inforeg/

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and analyze service usage. For detailed information, please see our Cookie Policy.

Types of Cookies We Use:

  • Essential Cookies: Required for authentication, security, and basic functionality (cannot be disabled)
  • Functional Cookies: Remember your preferences (dark mode, language settings)
  • Analytics Cookies: Help us understand how you use the service (anonymized data)
  • Performance Cookies: Monitor system performance and identify issues

You can control cookies through your browser settings. However, disabling essential cookies may affect functionality.

8. Security Breach Notification

In accordance with POPIA Section 22, in the event of a data breach that compromises your personal information, we will:

  • Notify the Information Regulator: Within 72 hours of becoming aware of the breach (if required)
  • Notify Affected Users: Without undue delay via email or in-app notification
  • Provide Details: Nature of breach, affected data, potential consequences, and remedial actions
  • Take Action: Immediately contain the breach, conduct forensic investigation, and implement additional safeguards

We maintain an incident response plan and conduct regular security drills to ensure rapid response to any security incidents.

9. Children's Privacy

BidReady is not intended for use by individuals under the age of 18 years. We do not knowingly collect personal information from children. Our service is designed for businesses and adults engaged in tender processes.

If we become aware that we have collected personal information from a person under 18 without parental consent, we will take steps to delete such information immediately. If you believe we have inadvertently collected information from a minor, please contact us at privacy@bidready.co.za.

10. Direct Marketing (POPIA Section 69)

We will only send you marketing communications if you have opted in to receive them. We comply with Section 69 of POPIA and Section 45 of ECTA regarding electronic communications.

  • All marketing emails include an unsubscribe link
  • We will process unsubscribe requests within 48 hours
  • You can manage communication preferences in your account settings
  • Transactional emails (receipts, password resets, service updates) cannot be opted out of

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email or prominent notice in the application
  • Provide at least 30 days' notice for material changes
  • Request renewed consent where required by law

Your continued use of BidReady after changes take effect constitutes acceptance of the updated policy. We recommend reviewing this policy periodically.

12. Contact Us & Information Officer

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact our Information Officer:

BidReady - Information Officer
Email: privacy@bidready.co.za
General Support: support@bidready.co.za
Registered address: Mikro Industrial Park, 17 Hammer Avenue, Randburg, 2191, Gauteng, South Africa
Response Time: Within 30 days for access requests, 5 business days for general inquiries

We are committed to resolving privacy concerns promptly and transparently. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Regulator (contact details in Section 6.6).

🇿🇦 South African Legal Compliance

This Privacy Policy complies with:

  • Protection of Personal Information Act 4 of 2013 (POPIA)
  • Electronic Communications and Transactions Act 25 of 2002 (ECTA)
  • Consumer Protection Act 68 of 2008 (CPA)
  • Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RICA)