Legal

Privacy Policy

How Bundle Technologies Ltd collects, uses, and protects your personal data.

Version: 2.0

Effective: April 2026

Controller: Bundle Technologies Ltd

Framework: UK GDPR · Data Protection Act 2018

Plain English summary. We collect only what we need to run the platform. We never sell your data. Analytics only load with your consent. You can request deletion at any time: privacy@bundleiq.co.uk

Contents

1. Who we are 2. What we collect 3. How we use it 4. Legal bases 5. Cookies 6. Who we share with 7. Retention periods 8. Your rights 9. International transfers 10. Security 11. Children 12. Changes 13. Contact & complaints

1. Who we are

Bundle Technologies Ltd is the data controller for personal data collected through bundleiq.co.uk and the Bundle IQ platform, registered in England and Wales.

Data protection contact: privacy@bundleiq.co.uk

2. What we collect

2.1 Information you provide

Data	When	Why
Name, email, password	Account registration	To create and secure your account
Organisation, address, company number	Onboarding	Business verification and contract issuance
Procurement requirements	RFQ submission	Running the procurement process
Bid responses and pricing	Vendor response	Scoring and shortlisting
Payment information	Escrow funding	Processed by Stripe — we do not store card data
Identity and compliance documents	Vendor verification	Insurance and certification verification
Platform messages	Contract communications	Buyer-supplier communications and audit trail
Contact form submissions	Contact page	Responding to enquiries

2.2 Automatically collected

Log data — IP address, browser type, pages visited, timestamps. Used for security and performance.
Session data — Authentication tokens stored in your browser. Essential for keeping you logged in.
Analytics — Page views and usage patterns. Only with your consent — see Section 5.

2.3 From third parties

Stripe — Payment confirmation and transaction IDs. We never receive your card details.
Companies House — Public company records for business verification.

3. How we use your data

Purpose	Data used	Legal basis
Running the platform	Account data, requirements, responses, messages	Contract
Processing escrow payments	Payment confirmation, milestone data	Contract
Vendor verification	Identity docs, insurance certificates	Legitimate interests
IQ scoring and benchmarking	Anonymised bid and pricing data	Legitimate interests
Platform security	Log data, IP addresses	Legitimate interests
Transactional emails	Email, name	Contract
Analytics	Anonymised usage data	Consent
Legal compliance	Contract and transaction records	Legal obligation
Dispute resolution	Messages, evidence, contracts	Legitimate interests

We do not use your data for advertising, third-party profiling, or any purpose not listed above.

4. Legal bases for processing

Contract performance (Art. 6(1)(b)) — Processing necessary to deliver the services you have signed up for.
Legitimate interests (Art. 6(1)(f)) — Security, fraud prevention, platform improvement, and contract enforcement, where not overridden by your rights.
Legal obligation (Art. 6(1)(c)) — Financial record-keeping and other statutory requirements.
Consent (Art. 6(1)(a)) — Analytics cookies only. Withdraw at any time via the cookie banner.

5. Cookies

Essential cookies — always active

Cookie	Provider	Purpose	Expiry
sb-access-token	Supabase	Keeps you authenticated	Session
sb-refresh-token	Supabase	Refreshes authentication	7 days
biq_consent	Bundle IQ	Stores your cookie preference	12 months

Analytics cookies — consent required

Cookie	Provider	Purpose	Expiry
Analytics	Plausible / Google Analytics	Anonymous page view tracking	Up to 2 years

Withdraw analytics consent at any time via the cookie banner or by emailing us. For more on managing cookies: ico.org.uk.

Recipient	What	Why
Invited vendors	Anonymised requirement only — not your identity until award	Competitive tendering
Awarding buyers	Organisation name, contact, compliance docs	Contract execution
Supabase	All platform data	Infrastructure — EU DPA in place
Stripe	Payment transaction data	Escrow processing — PCI DSS compliant
Resend	Email, name, notification content	Transactional email delivery
Authorities	As legally required	Legal compliance, fraud investigation

We never sell your personal data. We never share it with advertisers.

7. Retention periods

Data type	Period	Reason
Account data	Account lifetime + 2 years	Platform operation
Contract and transaction records	7 years from contract end	Companies Act 2006
Procurement requirements and responses	3 years	Dispute resolution
Messages	3 years from last message	Evidence and audit trail
Payment records	7 years	Financial obligations
Analytics (anonymised)	26 months	Platform improvement
Deleted accounts	30 days then purged	Recovery window

8. Your rights under UK GDPR

To exercise any right, email privacy@bundleiq.co.uk. We respond within 30 days, free of charge.

📋 Access

Request a copy of all personal data we hold about you (Subject Access Request).

✏️ Rectification

Ask us to correct inaccurate or incomplete data.

🗑️ Erasure

Request deletion where we have no compelling reason to continue. Some data is retained for legal reasons — we will explain.

⏸️ Restriction

Ask us to pause processing while a complaint is resolved or accuracy verified.

📦 Portability

Receive your data in machine-readable format where processing is based on consent or contract.

🚫 Object

Object to legitimate interests processing. We stop unless we can demonstrate compelling grounds.

🤖 Automated decisions

IQ scoring is automated but not solely determinative — you make the final award decision. Request human review of any score.

↩️ Withdraw consent

Withdraw analytics consent at any time via the cookie banner. Does not affect prior processing.

9. International transfers

Primary infrastructure (Supabase) stores data in the EU-West region. Any transfers outside the UK or EEA use Standard Contractual Clauses approved by the ICO. Stripe operates under EU-US Data Privacy Framework. Contact us for details of specific transfer safeguards.

10. Security

All data in transit encrypted with TLS 1.2 or higher
All data at rest encrypted with AES-256
Authentication via Supabase Auth with bcrypt password hashing
Escrow funds held in segregated client accounts
Row-level security — users access only their own data
Regular security reviews and dependency updates

Data breaches likely to affect your rights will be reported to the ICO within 72 hours and to affected users without undue delay. Full details: Security page.

11. Children

Bundle IQ is for business use only. We do not knowingly collect data from anyone under 18. If you believe we have, email privacy@bundleiq.co.uk and we will delete it immediately.

12. Changes

We notify registered users of material changes by email at least 14 days before they take effect. The version number and effective date at the top always reflect the current policy. Previous versions available on request.

13. Contact and complaints

Email: privacy@bundleiq.co.uk — we aim to respond within 5 business days.

If not satisfied, you can complain to the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Bundle Technologies Ltd · Privacy Policy v2.0 · April 2026 · privacy@bundleiq.co.uk