Privacy Policy

1. Who We Are

Jorpex is a company registered in England and Wales. We operate the Jorpex platform (jorpex.com), a B2B tender notification service that aggregates public procurement opportunities and delivers them to your preferred channels, including Slack, email, and Microsoft Teams.

For the purposes of applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Jorpex is the data controller of the personal data collected through our platform.

If you have questions about this policy or how we handle your data, contact our data protection team at privacy@jorpex.com.

2. Information We Collect

We collect and process the following categories of personal data:

Account data

Email address, password (hashed and stored by Supabase — we never see or store plaintext passwords), and name. This data is collected when you register for an account.

Organisation data

Company name, description, industry sector, certifications, areas of experience, and website URL. This data is provided by you during onboarding and account setup.

Notification preferences

Keywords, categories, CPV/NAICS codes, regions, languages, contract value ranges, notification frequency, delivery channels, and disqualifier terms you configure in your notification profiles.

Integration data

Depending on the integrations you enable, we may collect: Slack workspace ID, Slack channel IDs, and bot tokens; email delivery addresses; and Microsoft Teams webhook URLs. We use these solely to deliver tender notifications to your chosen channels.

Payment data

All payment processing is handled by Stripe, Inc. Jorpex never receives, stores, or has access to your full credit card number or bank account details. Stripe shares with us your name, billing address, last four card digits, card expiration date, and subscription status so we can manage your account and provide billing support.

Usage and analytics data

We use PostHog for product analytics. This collects page views, feature usage events, session duration, device type, browser type and version, operating system, screen resolution, and IP address to help us understand how the platform is used and where we can improve it.

Advertising data

We use Google Ads (gtag.js) to measure the effectiveness of our advertising campaigns. Google may collect data about your visit, including pages viewed, time spent on the site, and whether you completed a conversion action (such as signing up for an account). This data is processed by Google in accordance with Google's Privacy Policy.

Cookies and local storage

We use cookies, local storage, and similar technologies as described in Section 12.

Communication data

When you contact us via email or through the Service, we collect the content of your communications, your email address, and any other information you choose to provide, so that we can respond to your enquiry and improve our support.

3. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)) — processing your account, organisation, notification preference, and integration data is necessary to provide the service you signed up for and to perform our contractual obligations to you.
• Legitimate interest (Art. 6(1)(f)) — analytics and usage data help us improve the platform, maintain security, prevent abuse, and understand how our service is used. We have conducted a legitimate interest assessment and determined that this interest does not override your rights and freedoms.
• Consent (Art. 6(1)(a)) — where required (for example, for advertising cookies and marketing communications), we will obtain your explicit consent and you may withdraw it at any time by contacting us or adjusting your cookie preferences.
• Legal obligation (Art. 6(1)(c)) — we retain certain billing records and transaction data as required by applicable tax, accounting, and anti-money laundering legislation.

4. How We Use Your Information

We use the personal data we collect for the following purposes:

• Provide, operate, and maintain the tender notification service
• Match tenders to your notification profiles using AI (see Section 5)
• Generate AI-powered tender summaries and relevance scores
• Deliver notifications to your chosen channels (Slack, email, Microsoft Teams)
• Process subscription payments and manage your billing via Stripe
• Analyse platform usage to improve features, performance, and user experience
• Measure the effectiveness of our advertising campaigns
• Respond to support requests, enquiries, and feedback
• Detect, investigate, and prevent fraud, abuse, and security incidents
• Comply with legal obligations, resolve disputes, and enforce our agreements
• Send transactional communications related to your account (billing confirmations, security alerts, service updates)
• With your consent, send marketing communications about new features, product updates, and related offerings

We will not use your personal data for purposes incompatible with those described above without providing you with notice and, where required, obtaining your consent.

5. AI Processing Disclosure

Jorpex uses AI models provided by OpenAI to match tender opportunities to your notification profiles and to generate tender summaries. When this processing occurs:

• Data sent to AI models: publicly available tender text (titles, descriptions, requirements) and your profile keywords, categories, and regions.
• Purpose: to determine relevance scores and produce concise summaries of tender opportunities for your notifications.
• No personal data in AI prompts: we do not send your email, name, payment details, or any other personal identifiers to AI providers. Only tender content and matching criteria are processed.
• AI output is informational: AI-generated summaries and scores may contain inaccuracies. You should always review the original tender documents before making any business decisions.
• No automated decision-making: the AI processing described above does not constitute solely automated decision-making that produces legal effects or similarly significantly affects you within the meaning of GDPR Art. 22. The AI assists in filtering and summarising publicly available tender data for your convenience.
• Data processing agreement: we have a data processing agreement with OpenAI that governs their processing of data on our behalf, including obligations regarding data security, confidentiality, and deletion.

6. Sub-processors and Data Sharing

We share data with the following third-party service providers ("sub-processors") to operate our platform. We do not sell, rent, or trade your personal data to anyone.

We maintain data processing agreements with each sub-processor that require them to protect your personal data in accordance with applicable data protection law.

We may also disclose personal data where required by law, regulation, or court order, or to protect the rights, safety, or property of Jorpex, our users, or the public. We will notify you of such disclosures where permitted by law.

7. International Data Transfers

Your data may be transferred to and processed in the United States by our sub-processors listed above. These transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The UK International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU SCCs
• The EU-US Data Privacy Framework (DPF) where applicable
• Provider certifications and data processing agreements

We have assessed the laws and practices in the recipient countries and have implemented supplementary measures where necessary to ensure an adequate level of data protection.

You can request a copy of the relevant transfer safeguards by contacting us at privacy@jorpex.com.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:

• Account and organisation data: retained while your account is active and for 30 days after account deletion to allow for recovery. After this period, data is permanently deleted or anonymised.
• Billing records: retained as required by applicable tax and accounting legislation (typically 6 years in the UK under HMRC requirements).
• Analytics data: retained according to PostHog's data retention settings, which we configure to balance product insight with privacy. Typically retained for no more than 12 months.
• Integration data: deleted when you disconnect the relevant integration or delete your account.
• Support correspondence: retained for up to 24 months after the last communication to provide continuity in support and to resolve potential disputes.
• Advertising data: retained by Google in accordance with their data retention policies. We do not independently store advertising-related personal data.

When retention periods expire, we will securely delete or anonymise your personal data so that it can no longer be associated with you.

9. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights regarding your personal data:

• Right of access (Art. 15) — request a copy of the personal data we hold about you
• Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data
• Right to erasure (Art. 17) — ask us to delete your personal data ("right to be forgotten"), subject to applicable exceptions
• Right to restrict processing (Art. 18) — ask us to limit how we use your data in certain circumstances
• Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller
• Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing purposes
• Right to withdraw consent (Art. 7) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
• Right not to be subject to automated decision-making (Art. 22) — you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you

To exercise any of these rights, contact us at privacy@jorpex.com. We will respond within one month of receiving your request. In complex cases, we may extend this period by a further two months, but we will inform you of any extension within the initial one-month period.

We may ask you to verify your identity before processing your request. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk.

10. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

• Right to know: you may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
• Right to delete: you may request that we delete your personal information, subject to certain exceptions.
• Right to correct: you may request that we correct inaccurate personal information that we maintain about you.
• Right to opt out of sale or sharing: Jorpex does not sell your personal information. We do not share personal information for cross-context behavioural advertising.
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us at privacy@jorpex.com. We will verify your identity before processing your request and respond within 45 days.

11. EU/EEA Residents

If you are located in the European Union or European Economic Area, you have the same rights described in Section 9 under the EU General Data Protection Regulation (EU GDPR). In addition:

• You may lodge a complaint with your local data protection authority (supervisory authority) in the EU/EEA member state where you reside, work, or where the alleged infringement took place.
• International data transfers from the EU/EEA are conducted in accordance with the safeguards described in Section 7.

12. Cookies and Tracking Technologies

We use the following cookies, local storage, and tracking technologies:

Strictly necessary technologies cannot be disabled without losing core functionality (e.g., staying logged in).

Opting out of analytics and advertising cookies: you can opt out by enabling "Do Not Track" in your browser settings, by using a browser extension that blocks tracking scripts, or by contacting us at privacy@jorpex.com. You can also opt out of Google's advertising cookies at Google Ads Settings.

13. Security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit via TLS 1.2 or higher for all connections
• Encryption at rest for all stored data, including database records and backups
• Secure password hashing (bcrypt) — we never store plaintext passwords
• Infrastructure hosted on enterprise-grade cloud providers with established security certifications (Supabase on AWS, Railway)
• We do not store payment card data — this is handled entirely by Stripe, a PCI DSS Level 1 certified service provider
• Role-based access controls for internal access to systems and data
• Regular review and testing of access controls, security configurations, and security practices
• Incident response procedures for detecting, reporting, and responding to security events

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. If you become aware of a security vulnerability, please report it immediately to security@jorpex.com.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority (the ICO for UK residents) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Art. 33.
• Notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Art. 34.
• Provide details about the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

15. Third-Party Links

The Service may contain links to third-party websites, including procurement portals, tender documents, and partner services. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to read the privacy policies of any third-party website you visit. This Privacy Policy applies only to information collected through our Service.

16. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals to websites. PostHog, our analytics provider, can be configured to respect DNT signals. If your browser sends a DNT signal, PostHog may limit the data collected about your visit. However, as there is no industry consensus on how to respond to DNT signals, we cannot guarantee that all tracking will cease in response to a DNT signal. For the most effective opt-out, we recommend contacting us directly or using a browser extension that blocks tracking scripts.

17. Children

Jorpex is a B2B service and is not directed at individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@jorpex.com and we will take steps to delete the data promptly.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will notify you by email using the address associated with your account at least 30 days before the changes take effect.

The updated policy will be effective when posted. The "Last updated" date at the top of this policy indicates when the most recent revisions were made. Your continued use of the platform after changes are posted constitutes your acceptance of the revised policy.

19. Contact

For any privacy-related questions, data protection requests, or to exercise your rights, contact us at:

• Privacy: privacy@jorpex.com
• Security: security@jorpex.com
• General support: support@jorpex.com

If you wish to make a complaint about how we handle your personal data, you can also contact the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk.