Privacy Policy

How we collect, use and protect your personal data. Written in plain English, aligned with the UK GDPR and the Data Protection Act 2018.

Last updated · 17 May 2026

1. Who we are

ProcureMate (“we”, “us”, “our”) provides an AI-assisted platform that helps UK small and medium-sized businesses find and bid for public-sector contracts published under the Procurement Act 2023.

For the purposes of UK GDPR, ProcureMate is the data controller for the personal data described in this notice. We are independent of HM Government and of any contracting authority.

Contact: privacy@procuremate.co.uk

2. What data we collect

We only collect what we need to operate the service:

  • Account data — name, email address, password hash, sign-in provider (email/OTP or Google).
  • Supplier profile — company name, website, capabilities, accreditations, regions, contract size preferences and any text you submit during onboarding or profile editing.
  • Activity data — tenders you view, save, track or draft outreach for; bid drafts and outreach drafts; tracker notes.
  • Technical data — IP address, browser and device information, cookies and session identifiers needed to keep you signed in and to detect abuse.
  • Communications — emails or support messages you send to us.

We do not intentionally collect special category data (e.g. health, ethnicity, political views). Please do not submit such data into your profile.

3. Where the data comes from

  • Directly from you when you sign up, build your profile and use the product.
  • From your company website, where you ask us to enrich your profile by scraping public pages.
  • From public UK procurement sources — Find a Tender Service, Contracts Finder, Public Contracts Scotland, Sell2Wales, eTendersNI, Crown Commercial Service and the Digital Marketplace. These are public notices, not personal data about you.

4. Why we use it (lawful bases)

| Purpose | Lawful basis |
|---|---|
| Create and operate your account | Contract (Art. 6(1)(b)) |
| Match your profile to live tenders, draft outreach and bids | Contract (Art. 6(1)(b)) |
| Send service emails (OTP, account changes, status) | Contract (Art. 6(1)(b)) |
| Detect abuse, secure the platform, keep audit logs | Legitimate interests (Art. 6(1)(f)) |
| Improve and debug the product | Legitimate interests (Art. 6(1)(f)) |
| Send product or marketing emails (if you opt in) | Consent (Art. 6(1)(a)) |
| Comply with legal and tax obligations | Legal obligation (Art. 6(1)(c)) |

5. AI and automated processing

ProcureMate uses large-language-model providers (which route to providers such as Google and OpenAI) to:

  • summarise your supplier profile and the tenders you view,
  • rank tender matches against your profile,
  • draft outreach emails and bid responses for your review.

These are assistive outputs. A human (you) reviews and decides before anything is sent or submitted. No decision with legal or similarly significant effects on you is made solely by automated means within the meaning of Article 22 UK GDPR.

Profile and tender text is sent to model providers for inference. We do not allow providers to train their public models on your data.

6. Who we share data with

We share data only with vetted processors who act on our instructions:

  • Lovable Cloud — database, authentication and file storage (powered by Supabase, hosted in the EU).
  • Cloudflare — edge hosting, DDoS protection and CDN.
  • Lovable AI Gateway — routes inference requests to Google and OpenAI models.
  • Firecrawl — fetches public web pages when you ask us to enrich your profile from your website.
  • Email delivery providers — transactional email (OTP, password resets).

We do not sell your personal data and do not share it for third-party advertising. We may disclose data if required by UK law, a court order, or to protect the rights, property or safety of ProcureMate, our users or the public.

7. International transfers

Where processors are located outside the UK (for example certain AI providers in the United States), transfers are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or by an adequacy decision.

8. How long we keep it

  • Account & profile data — for as long as your account is active, then deleted within 30 days of account closure.
  • Tender match history, drafts, tracker — kept while your account is active so you can return to past work.
  • Security and audit logs — up to 12 months.
  • Billing records — 6 years, as required by UK tax law.

9. Your rights

Under UK GDPR you have the right to:

  • access a copy of your personal data,
  • correct inaccurate data,
  • delete your data (“right to be forgotten”),
  • restrict or object to certain processing,
  • data portability (receive your data in a machine-readable format),
  • withdraw consent at any time, where processing is based on consent.

To exercise any of these, email privacy@procuremate.co.uk. We respond within one month.

You can also complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

10. Security

We use row-level security on our database, encrypted connections (TLS) in transit, encryption at rest, hashed passwords, signed server-function calls with bearer tokens, and least-privilege access controls. Public API endpoints used for scheduled jobs require a shared secret. No system is perfectly secure; if a breach affects you, we will notify you and the ICO within 72 hours where required.

11. Cookies

We use a small number of strictly necessary cookies to keep you signed in and to remember preferences. We do not use third-party advertising cookies or cross-site tracking.

12. Children

ProcureMate is a B2B service and is not directed at children. We do not knowingly collect data from anyone under 18.

13. Changes to this policy

We may update this notice from time to time. Material changes will be notified by email or an in-product notice at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.