Privacy Policy
Last updated: 1 April 2026
Tenderfly ("we", "our", "us") is operated by Sanara Ltd. We are committed to protecting the privacy and security of your personal data. This policy explains how we collect, use, and safeguard information when you use our platform.
1. Data we collect
Account information
When you create an account, we collect your name, email address, and organisation details. This is necessary to provide the service and manage your access.
Tender documents
You upload PDF tender documents (specifications, equipment schedules, drawings) for automated processing. These documents may contain information about building projects, equipment specifications, and contractor details.
Usage data
We collect technical data about how you use the platform, including pages visited, features used, and processing requests. This helps us improve the service.
2. How we use your data
We use your data to:
- Provide the tender estimation service (document processing, equipment extraction, quote generation)
- Manage your account and organisation
- Improve the accuracy of our extraction and estimation algorithms
- Communicate with you about the service
- Ensure the security of the platform
3. AI processing and sub-processors
To extract equipment and generate estimates from your tender documents, we use third-party AI services. Your documents are sent to these services for processing:
| Sub-processor | Purpose | Data location |
|---|---|---|
| Anthropic (Claude) | Document classification, equipment extraction, correlation | United States |
| Google (Gemini) | Schedule and drawing extraction | United States / EU |
| Google Cloud Platform | Application hosting, database, file storage | Belgium (europe-west1) |
| Firebase (Google) | User authentication | EU |
| Resend | Transactional email (contact form, invitations, password reset) | United States |
| Upstash | Rate limiting | EU |
| Sentry | Error monitoring (optional, no document content) | United States |
Both Anthropic and Google process document content for the purpose of extraction only. Neither service uses your data to train their models. We rely on Standard Contractual Clauses (SCCs) and the sub-processors' own data processing commitments for cross-border transfers to the United States.
4. Data storage and security
Your data is stored on Google Cloud Platform in the EU (Belgium, europe-west1). All data is encrypted in transit (TLS/HTTPS) and at rest (AES-256, Google-managed keys). Database connections require SSL. Access to production systems is restricted to authorised personnel via IAM authentication.
Your organisation's data (projects, equipment, pricing, templates) is isolated from other organisations at the application and database level. No organisation can access another organisation's data.
5. Data retention
We retain your data for as long as your account is active and your organisation uses the service. Specifically:
- Account data: retained while your account exists
- Projects and documents: retained until you delete them or your organisation is removed
- Processing logs: retained for 30 days for debugging and support
- Uploaded files: stored in Cloud Storage until the project is deleted
When a project is deleted, all associated data (equipment, points, files, cost data) is permanently removed via cascade deletion. When an organisation is deleted, all projects, templates, pricing, and user associations are permanently removed.
6. Your rights (GDPR)
Under the UK GDPR and EU GDPR, you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your data (right to be forgotten)
- Portability: request your data in a machine-readable format
- Restriction: request we limit how we process your data
- Objection: object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@tenderfly.ai. We will respond within 30 days.
7. Legal basis for processing
We process your data on the following legal bases:
- Contract: processing is necessary to provide the service you signed up for
- Legitimate interest: improving our algorithms, ensuring platform security
- Consent: optional cookies and marketing communications (where applicable)
8. Cookies
We use cookies for authentication and session management. For full details, see our Cookie Policy.
9. Data breach notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33 and 34.
10. Data Processing Agreements
We offer a Data Processing Agreement (DPA) to all organisations using the platform. If you require a DPA, please contact us at privacy@tenderfly.ai.
11. Changes to this policy
We may update this policy from time to time. We will notify you of any material changes by email or through the platform. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
For privacy-related enquiries:
- Email: privacy@tenderfly.ai
- Or use our contact form
