Privacy Policy

Last updated: April 11, 2026

1. Introduction

TenderRadar (“we”, “our”, or “us”) is committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable national data protection laws. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our procurement intelligence platform at tenderradar.io (“the Service”).

2. Data Controller

The data controller responsible for your personal data is:

TenderRadar
Email: hello@tenderradar.io

For data protection inquiries, contact our data protection officer at privacy@tenderradar.io.

3. Personal Data We Collect

3.1 Data you provide directly

  • Account data: email address, password (hashed, never stored in plaintext), and name
  • Company profile data: company name, website URL, industry, capabilities description, and procurement preferences
  • Billing data: billing name, billing address, and VAT number (payment card details are collected and stored exclusively by Stripe and never touch our servers)
  • Communications: content of messages you send us via email or contact forms

3.2 Data collected automatically

  • Usage data: pages visited, features used, search queries, tender interactions, and click patterns
  • Device data: browser type and version, operating system, screen resolution, and language preference
  • Log data: IP address, access timestamps, referring URL, and error logs
  • Cookie data: see Section 9 (Cookies) below for full details

3.3 Data from third parties

  • Google OAuth: if you sign in with Google, we receive your name, email address, and profile picture from Google
  • Publicly available data: we scrape your company website URL (which you provide) to build an AI-generated capability profile for tender matching

4. Legal Basis for Processing

We process your personal data under the following legal bases as defined by Article 6(1) GDPR:

Purpose | Legal Basis
Providing and maintaining the Service | Contract performance (Art. 6(1)(b))
Processing payments and managing subscriptions | Contract performance (Art. 6(1)(b))
AI-powered tender matching and company profiling | Contract performance (Art. 6(1)(b))
Sending transactional emails (alerts, digests, account notifications) | Contract performance (Art. 6(1)(b))
Product analytics and service improvement | Legitimate interest (Art. 6(1)(f))
Marketing analytics (Google Analytics, LinkedIn Insight Tag) | Consent (Art. 6(1)(a))
Fraud prevention and security | Legitimate interest (Art. 6(1)(f))
Compliance with legal obligations (e.g., tax records) | Legal obligation (Art. 6(1)(c))

5. How We Use Your Data

  • To create and manage your account, authenticate your sessions, and enforce multi-tenant data isolation
  • To build AI-powered company capability profiles from the website URL you provide, using third-party large language models
  • To match and score public tender opportunities against your company profile using AI classification
  • To process subscription payments and manage billing through Stripe
  • To send you tender alerts, weekly digests, and account notifications via email
  • To analyze platform usage with PostHog to improve features and user experience
  • To measure marketing effectiveness through Google Analytics and LinkedIn Insight Tag (only with your consent)
  • To respond to your support requests and communications
  • To detect and prevent fraud, abuse, and security incidents

6. Automated Decision-Making and AI Processing

We use artificial intelligence (including OpenAI's models) to:

  • Classify and categorize public tender notices by industry, type, and requirements
  • Analyze your company website to generate a capability profile
  • Score and rank tenders against your profile to surface relevant opportunities
  • Generate summaries and key information extractions from tender documents

This processing is part of the core service you subscribe to. AI outputs are advisory — no legally significant decisions about you as an individual are made solely by automated means. You may contact us to request human review of any AI output that affects you.

When your company profile data is processed by OpenAI, it is sent via API and is not used by OpenAI to train their models, in accordance with their data processing terms.

7. Sub-Processors and Data Sharing

We do not sell your personal data. We share data with the following categories of third-party processors who act on our behalf under appropriate data processing agreements:

Processor | Purpose | Data Processed | Location
Supabase | Authentication, database, storage | Account data, profiles, usage records | EU (Frankfurt)
Stripe | Payment processing, subscription management | Billing name, email, payment method | US (EU SCCs)
OpenAI | AI classification and matching | Company profiles, tender text | US (EU SCCs)
Vercel | Application hosting, edge functions | IP address, request logs | Global CDN (EU primary)
Mailgun | Transactional email delivery | Email address, email content | EU
PostHog | Product analytics | Usage events, device info, IP (anonymized) | EU
Google Analytics | Marketing analytics (consent-based) | Page views, device info, IP (anonymized) | US (EU SCCs)
LinkedIn | Marketing conversion tracking (consent-based) | Page views, conversion events | US (EU SCCs)

We may also disclose personal data when required by law, to protect our rights, or in connection with a merger or acquisition (with prior notice to affected users).

8. International Data Transfers

Your primary data is stored within the European Union (Supabase EU region). Some sub-processors are based in the United States. For all transfers outside the EU/EEA, we rely on:

  • EU Standard Contractual Clauses (SCCs) as approved by the European Commission
  • The EU-U.S. Data Privacy Framework, where the processor is certified
  • Supplementary technical measures including encryption in transit and at rest

You may request a copy of the applicable safeguards by contacting privacy@tenderradar.io.

9. Cookies

We use the following categories of cookies:

Strictly Necessary Cookies

Required for authentication, session management, and security. These cannot be disabled. Includes Supabase authentication tokens and CSRF protection cookies.

Analytics Cookies (Consent Required)

PostHog product analytics cookies help us understand how the platform is used. You can opt out via the cookie consent banner or by contacting us. PostHog is configured for identified profiles only — anonymous visitors are not tracked with personal identifiers.

Marketing Cookies (Consent Required)

Google Analytics and LinkedIn Insight Tag cookies are only loaded after you grant consent via the cookie banner. These help us measure the effectiveness of our marketing. You can withdraw consent at any time by clearing your cookies or using the cookie banner settings.

For more details, see our Cookie Policy.

10. Data Retention

Data Category | Retention Period
Account data | Duration of account + 30 days after deletion request
Company profile data | Duration of account + 30 days after deletion request
Billing and payment records | 7 years (legal/tax obligation)
Email logs | 12 months
Analytics data (PostHog) | 24 months
Server and access logs | 90 days
Marketing analytics (GA, LinkedIn) | 14 months (Google default)

After the retention period, data is permanently deleted or irreversibly anonymized. You may request earlier deletion (see Section 11).

11. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17) — request deletion of your personal data (“right to be forgotten”)
  • Right to restrict processing (Art. 18) — request that we limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest, including profiling
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time for consent-based processing (e.g., marketing cookies), without affecting the lawfulness of prior processing
  • Right not to be subject to automated decision-making (Art. 22) — request human intervention for decisions made solely by automated means that significantly affect you

To exercise any of these rights, contact us at privacy@tenderradar.io. We will respond within 30 days. We may request identity verification before fulfilling your request.

12. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. If you are in the Netherlands, the relevant authority is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). You may also lodge a complaint with the supervisory authority of the EU member state in which you reside or work.

13. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Row-level security (RLS) ensuring strict multi-tenant data isolation — each organization can only access its own data
  • Passwords are hashed using bcrypt; we never store plaintext credentials
  • Regular security reviews and access controls for production systems
  • Principle of least privilege for internal access to personal data

14. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will promptly delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or through a prominent notice on the platform. The “Last updated” date at the top reflects the most recent revision. We encourage you to review this page periodically.

16. Contact Us

For questions about this Privacy Policy or to exercise your data rights:

TenderRadar
General inquiries: hello@tenderradar.io
Data protection: privacy@tenderradar.io