Privacy Policy

Last Updated: March 1, 2026 (UK GDPR Compliant)

Note for UK/EU Users: This policy has been updated to fully comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller Information

ProcureFly is the data controller responsible for your personal data.

2. Information We Collect

2.1 Information You Provide Directly

  • Identity Data: First name, last name, username, title.
  • Contact Data: Email address, telephone number, billing address, delivery address.
  • Financial Data: Bank account details, payment card details (processed securely via PCI-DSS compliant payment processors like Stripe/PayPal).
  • Profile Data: Username, password, preferences, feedback, survey responses.
  • Business Data: Company name, job title, RFP documents, vendor information, procurement data.

2.2 Information Collected Automatically

  • Technical Data: IP address, browser type and version, time zone setting, browser plug-in types, operating system.
  • Usage Data: Information about how you use our website and services.
  • Marketing Data: Your preferences in receiving marketing from us and communication preferences.

3. How We Use Your Information

We use your personal data for the following purposes:

  • Providing, maintaining, and improving our RFP management platform.
  • Processing your transactions and managing your account.
  • Sending you service-related communications (non-marketing).
  • Responding to your enquiries and support requests.
  • Sending marketing communications (where you have explicitly consented).
  • Analysing usage to improve our services and user experience.
  • Detecting and preventing fraud, abuse, and security threats.
  • Complying with legal and regulatory obligations.

4. Data Sharing and Third Parties

4.1 Categories of Recipients

We may share your personal data with:

  • Service Providers: Cloud hosting (AWS/Azure), payment processors (Stripe, PayPal), email providers.
  • Professional Advisers: Lawyers, accountants, auditors, insurers.
  • Regulators and Authorities: HMRC, ICO, courts (where required by law).
  • Business Partners: Only with your explicit consent.

4.2 Requirements for Third Parties

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. They are only permitted to process your data on our documented instructions.

5. International Data Transfers

Your information may be transferred to and stored on servers located outside the UK. We ensure appropriate safeguards are in place, including:

  • UK Adequacy Decisions: Transfers to countries deemed adequate by the UK government.
  • International Data Transfer Agreement (IDTA): UK-approved standard contractual clauses.
  • Binding Corporate Rules: For transfers within corporate groups.
  • Additional Safeguards: Encryption, pseudonymisation, and strict access controls.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Account data is typically retained for 7 years after account closure for legal and tax compliance.

7. Your Rights Under UK GDPR

  • Right of Access: Request a copy of your personal data (Subject Access Request).
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Restrict Processing: Request limitation of processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent).

8. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256).
  • Multi-factor authentication for sensitive account access.
  • Regular security assessments and penetration testing.
  • Role-based access controls (principle of least privilege).
  • Regular staff training on data protection and security.
  • Incident response and breach notification procedures.

9. Data Breach Notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify affected individuals and the ICO without undue delay, in accordance with UK GDPR requirements.

10. Right to Complain

We aim to resolve any concerns directly. If you are unhappy with how we have handled your data:

  1. Step 1: Contact us first at privacy{{ config('app.url') }}. We will attempt to resolve your concern within 30 days.
  2. Step 2: If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
