This policy explains how CleanTender (a service operated by Cyber Phoenix Ltd, registered in England & Wales at 124-128 City Road, London EC1V 2NX) collects, uses, and protects personal data when you visit cleantender.co.uk or use the CleanTender service. We are the data controller for the personal data we hold about you.
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If anything below is unclear or you want to exercise a data-protection right, email support@cleantender.co.uk.
Personal data we collect
We only collect data we need to deliver the service. The categories below mirror the actual fields stored in our database — we do not maintain shadow profiles, scrape your business activity, or buy data about you from third parties.
Account data (when you register)
- Email address (used to sign in and to send transactional and alert emails).
- Password (stored as a one-way hash by our authentication provider; we never see plaintext).
Company profile (optional, you fill it in)
- Trading name, annual turnover, years trading, operative count.
- Public liability and employer's liability insurance cover figures.
- ISO 9001 / 14001 / 45001 status, BICSc / SafeContractor / CHAS / Constructionline / COSHH compliance flags.
- Vetting and policy flags (DBS, TUPE, Modern Slavery Act, Equal Opportunities, Social Value, Environmental, KPI framework, Business Continuity) and free-text notes.
- Sector experience and UK regions you cover.
- Free-text company description.
- Tender alert preferences (enabled / frequency / value band / match-score threshold).
Activity data (created when you use the service)
- Qualification scans you run (which contract, when, the resulting score and saved evaluation).
- Bid drafts you generate.
- Tender-alert log (which tenders we matched to your profile and emailed to you).
- API usage counters used for fair-use rate limiting and your monthly evaluation cap.
Technical data (collected automatically)
- Authentication session cookies (see the cookie policy).
- Server logs from our hosting provider (IP address, request URL, timestamp, user agent) — retained briefly for security and abuse prevention. We do not analyse these for marketing.
We do not collect special category data (health, biometrics, etc.) and we do not process personal data of children. We do not run third-party analytics, advertising, or fingerprinting on the public site or signed-in app.
Lawful bases for processing
For each kind of processing, we rely on one of the lawful bases in UK GDPR Article 6:
- Performance of a contract — to operate your account, run qualification scans, generate bid drafts, and send tender alerts you've opted in to.
- Legitimate interests — to log API usage for rate limiting, prevent abuse, dedupe alert sends, and keep the service secure. We've assessed the interests at stake; you have the right to object (see below).
- Consent — for any optional category cookies (analytics or marketing) if and when we add them. Consent is recorded by the cookie banner; you can change it at any time via the "Cookie settings" link in the footer.
- Legal obligation — where we have to retain certain records (for example financial records relating to invoices) to meet UK statutory requirements.
Sub-processors and international transfers
We use the following data processors (UK GDPR Article 28). Each one is bound by a data-processing agreement with us and only processes data on our instructions.
- Insforge — backend platform: database, authentication, server-side functions. Data is held in the EU (Ireland). Used to store your account, profile, evaluations, alerts, and CMS content.
- Anthropic, PBC (United States) — large-language-model provider. Receives your contract description, your structured profile fields, and the system prompt at the moment a qualification scan or bid draft is run; outputs are returned to you and stored in your account. Anthropic's API does not retain prompts for training under our agreement.
- Resend, Inc. (United States) — transactional email delivery (tender alerts, account verification). Receives your email address and the alert content at the moment of sending.
- Netlify, Inc. (United States) — site hosting and CDN. Processes server logs and serves the public marketing pages and authenticated app.
- Cloudflare, Inc. (United States) — DNS for cleantender.co.uk and DKIM/SPF records for outbound email.
Where data is transferred outside the UK or EEA (to our US sub-processors above), we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus supplementary measures appropriate to the data, in line with ICO guidance.
How long we keep your data
- Account and profile data — for as long as your account exists. You can request deletion at any time (see "Your rights" below).
- Qualification scans and bid drafts — kept while your account exists; deleted within 30 days of account closure.
- Tender alert log — 6 months rolling, used to prevent us re-sending you the same tender twice.
- Authentication tokens — access tokens expire after 15 minutes; refresh tokens after 7 days.
- Cookie consent record — stored locally on your device for 12 months from last update.
- Financial / billing records — 6 years from the end of the relevant accounting period (UK statutory requirement) where billing applies.
Your rights under UK GDPR
You have the right to:
- Be informed about how your data is used (this policy).
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data (you can do this directly in your profile, or by emailing us).
- Erase your data ("right to be forgotten") in the circumstances UK GDPR sets out.
- Restrict processing while a query is being resolved.
- Receive your data in a portable format.
- Object to processing based on legitimate interests.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Our qualification scans are decision-support, not automated decisions — you decide whether to bid.
To exercise any of these rights, email support@cleantender.co.uk from the address on your account. We respond within one calendar month, free of charge.
Security
Passwords are hashed at rest. All traffic to and from the site is served over HTTPS. Authentication cookies are set with the HttpOnly attribute, the Secure attribute in production, and SameSite=Lax. Server-side database access is protected by row-level security policies that restrict each authenticated user to their own data, and by an administrative API key that never reaches the browser.
Cookies
We use a small number of strictly-necessary cookies for sign-in and security. We do not run analytics or advertising cookies. The full breakdown is in the cookie policy. You can change your cookie preferences at any time using the "Cookie settings" link in the footer.
Children
The CleanTender service is sold to UK businesses and is not intended for individuals under 18. We don't knowingly collect data from children.
Changes to this policy
We'll update this page when our processing changes. The "Last updated" date at the top reflects the most recent revision. If we make material changes (for example, adding a new sub-processor or a new category of data), we'll notify registered users by email before the change takes effect.
Contact and complaints
For any privacy question or to exercise your rights, contact:
Cyber Phoenix Ltd (CleanTender)
124-128 City Road
London EC1V 2NX
United Kingdom
Email: support@cleantender.co.uk
If you believe we've handled your data unlawfully, you can complain to the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
0303 123 1113 · ico.org.uk
We'd appreciate a chance to resolve your concern first, but you can complain to the ICO at any time without going through us.