Privacy Policy

1. Who We Are

Jorpex is a company registered in England and Wales. We operate the Jorpex platform (jorpex.com), a B2B tender notification service that aggregates public procurement opportunities and delivers them to your Slack workspace.

For the purposes of applicable data protection legislation, Jorpex is the data controller of the personal data collected through our platform.

If you have questions about this policy or how we handle your data, contact us at privacy@jorpex.com.

2. Information We Collect

Account data

Email address, password (hashed and stored by Supabase — we never see or store plaintext passwords), and name.

Organisation data

Company name, description, industry, certifications, experience areas, and website URL.

Notification preferences

Keywords, categories, regions, languages, contract value ranges, notification frequency, and disqualifier terms you configure in your notification profiles.

Slack integration data

Slack workspace ID, channel IDs, and bot token. We use these solely to deliver tender notifications to your chosen channels.

Payment data

All payment processing is handled by Stripe. Jorpex never receives, stores, or has access to your full credit card number. Stripe shares with us your name, billing address, last four card digits, and subscription status so we can manage your account.

Usage and analytics data

We use PostHog for product analytics. This collects page views, feature usage events, device type, browser, and IP address to help us understand how the platform is used and where we can improve it.

Cookies and local storage

We use a Supabase authentication session stored in your browser's localStorage and a PostHog tracking cookie. See Section 10 for details.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

• Contract performance — processing your account, organisation, notification preference, and Slack integration data is necessary to provide the service you signed up for.
• Legitimate interest — analytics and usage data help us improve the platform, maintain security, and prevent abuse. We have assessed that this interest does not override your rights and freedoms.
• Consent — where required (for example, marketing communications), we will obtain your explicit consent and you may withdraw it at any time.
• Legal obligation — we retain certain billing records as required by tax and accounting legislation.

4. How We Use Your Information

• Provide, operate, and maintain the tender notification service
• Match tenders to your notification profiles using AI (see Section 5)
• Generate AI-powered tender summaries and relevance scores
• Deliver notifications to your Slack channels
• Process subscription payments via Stripe
• Analyse platform usage to improve features and performance
• Respond to support requests
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

5. AI Processing Disclosure

Jorpex uses AI models provided by OpenAI to match tender opportunities to your notification profiles and to generate tender summaries. When this processing occurs:

• Data sent to AI models: publicly available tender text (titles, descriptions, requirements) and your profile keywords, categories, and regions.
• Purpose: to determine relevance scores and produce concise summaries of tender opportunities for your notifications.
• No personal data in AI prompts: we do not send your email, name, or payment details to AI providers. Only tender content and matching criteria are processed.
• AI output is informational: AI-generated summaries and scores may contain inaccuracies. You should always review the original tender documents before making any business decisions.

6. Sub-processors and Data Sharing

We share data with the following third-party service providers ("sub-processors") to operate our platform. We do not sell your personal data to anyone.

We may also disclose personal data where required by law, regulation, or court order, or to protect the rights, safety, or property of Jorpex, our users, or the public.

7. International Data Transfers

Your data may be transferred to and processed in the United States by our sub-processors listed above. These transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU SCCs
• Provider certifications and data processing agreements

You can request a copy of the relevant transfer safeguards by contacting us at privacy@jorpex.com.

8. Data Retention

• Account and organisation data: retained while your account is active and for 30 days after account deletion to allow for recovery.
• Billing records: retained as required by applicable tax and accounting legislation (typically 6 years in the UK).
• Analytics data: retained according to PostHog's data retention settings, which we configure to balance product insight with privacy.
• Slack integration data: deleted when you disconnect your Slack workspace or delete your account.

9. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — ask us to delete your personal data ("right to be forgotten")
• Restrict processing — ask us to limit how we use your data
• Data portability — receive your data in a structured, machine-readable format
• Object to processing — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@jorpex.com. We will respond within one month.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies and Tracking

We use the following cookies and browser storage:

• Supabase auth session (localStorage) — strictly necessary for keeping you logged in. Cannot be disabled without losing access to the platform.
• PostHog analytics cookie — used to understand how you interact with the platform. You can opt out by enabling "Do Not Track" in your browser or by contacting us.

We do not use advertising or third-party marketing cookies.

11. Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

• Encryption in transit via TLS for all connections
• Encryption at rest for stored data
• Our infrastructure providers (Supabase, Railway) maintain SOC 2 certifications
• We do not store payment card data — this is handled entirely by Stripe, a PCI DSS Level 1 service provider
• Regular review of access controls and security practices

No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it to support@jorpex.com.

12. Children

Jorpex is a B2B service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify you by email using the address associated with your account. The updated policy will be effective when posted. Your continued use of the platform after changes are posted constitutes your acceptance of the revised policy.

14. Contact

For any privacy-related questions or requests, contact us at:

• Email: privacy@jorpex.com
• General support: support@jorpex.com

If you wish to make a complaint about how we handle your personal data, you can also contact the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk.