Privacy Policy
Last Updated: 25 January 2026
UK GDPR Compliant: This Privacy Policy complies with the UK General Data Protection
Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to protecting your personal data and
respecting your privacy rights.
1. Data Controller Information
ProcureFly is the data controller responsible for your personal data.
GDPR Commitment: We are committed to complying with UK GDPR and the Data Protection Act
2018 for all our UK users. We apply UK data protection standards to protect your rights and privacy.
2. Information We Collect
2.1 Information You Provide Directly
- Identity Data: First name, last name, username, title
- Contact Data: Email address, telephone number, billing address, delivery address
- Financial Data: Bank account details, payment card details (processed securely via
PCI-DSS compliant payment processors)
- Profile Data: Username, password, preferences, feedback, survey responses
- Business Data: Company name, job title, RFP documents, vendor information, procurement
data
2.2 Information Collected Automatically
- Technical Data: IP address, browser type and version, time zone setting, browser
plug-in types, operating system
- Usage Data: Information about how you use our website and services
- Marketing Data: Your preferences in receiving marketing from us and communication
preferences
3. Lawful Basis for Processing
Important: Under UK GDPR, we must have a lawful basis for processing your personal data. We
rely on the following legal bases:
| Purpose | Lawful Basis |
| --- | --- |
| To register you as a new customer | Performance of a contract |
| To process and deliver services | Performance of a contract |
| To manage payments and billing | Performance of a contract |
| To manage our relationship with you | Performance of a contract / Legal obligation |
| To send marketing communications | Consent (you can withdraw at any time) |
| To deliver relevant website content and advertisements | Legitimate interests |
| To improve our website, products, and services | Legitimate interests |
| To prevent fraud and ensure security | Legal obligation / Legitimate interests |
4. How We Use Your Information
We use your personal data for the following purposes:
- Providing, maintaining, and improving our RFP management platform
- Processing your transactions and managing your account
- Sending you service-related communications (not marketing)
- Responding to your enquiries and support requests
- Sending marketing communications (where you have consented)
- Analysing usage to improve our services
- Detecting and preventing fraud and abuse
- Complying with legal obligations
5. Data Sharing and Third Parties
5.1 Categories of Recipients
We may share your personal data with:
- Service Providers: Cloud hosting (AWS/Azure), payment processors (Stripe, PayPal),
email providers
- Professional Advisers: Lawyers, accountants, auditors, insurers
- Regulators and Authorities: HMRC, ICO, courts (where required by law)
- Business Partners: Only with your explicit consent
5.2 Requirements for Third Parties
We require all third parties to:
- Respect the security of your personal data
- Treat it in accordance with the law
- Only process your data on our documented instructions
- Enter into appropriate data processing agreements
6. International Data Transfers
Post-Brexit Transfers: Some of our service providers are based outside the UK. When we
transfer your data internationally, we ensure adequate protection through:
- UK Adequacy Decisions: Transfers to countries deemed adequate by the UK government
- International Data Transfer Agreement (IDTA): UK-approved standard contractual clauses
- Binding Corporate Rules: For transfers within corporate groups
- Additional Safeguards: Encryption, pseudonymisation, access controls
Countries we may transfer data to include: USA, EU Member States, and other jurisdictions with appropriate
safeguards in place.
7. Data Retention
We retain your personal data only for as long as necessary. Our retention periods are:
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Account Information | Duration of account + 6 years | Contractual and legal requirements |
| Transaction Records | 7 years from transaction | HMRC requirements |
| Marketing Preferences | Until consent withdrawn | Consent-based processing |
| Support Communications | 3 years from resolution | Quality assurance |
| Website Analytics | 26 months | Statistical analysis |
8. Your Rights Under UK GDPR
Your Rights: As a UK data subject, you have the following rights under UK GDPR. These
rights are not absolute and may be subject to exemptions.
- Right of Access: Request a copy of your personal data (Subject Access Request)
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of processing in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct
marketing
- Rights Related to Automated Decision Making: Right not to be subject to decisions based
solely on automated processing
- Right to Withdraw Consent: Withdraw consent at any time (where processing is based on
consent)
How to Exercise Your Rights
To exercise any of these rights, please contact us:
- Email: [email protected]
- Subject: "Data Subject Request - [Your Right]"
- Response Time: We will respond within one month (extendable by two months for complex
requests)
- Fee: No fee for most requests; reasonable fee for excessive or unfounded requests
- Verification: We may need to verify your identity before processing your request
9. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for account access
- Regular security assessments and penetration testing
- Role-based access controls (principle of least privilege)
- Regular staff training on data protection
- Incident response and breach notification procedures
- Regular backups with tested restoration procedures
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify affected individuals without undue delay
- We will take immediate steps to contain and investigate the breach
- We maintain a breach register recording all incidents
- UK users may report concerns to the ICO if they believe the breach affects their rights
11. Cookies and Tracking
We use cookies and similar technologies. For full details, please see our Cookie
Policy.
12. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal
data from children. If we become aware that we have collected data from someone under 18, we will delete it
promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting a notice on our website
- Updating the "Last Updated" date
- Sending an email notification for material changes
14. Right to Complain
We take data protection seriously and aim to resolve any concerns directly. If you are unhappy with how we
have handled your data:
- Step 1: Contact us first at [email protected] - we will try to resolve your
concern within 30 days
- Step 2: If you are a UK resident and remain unsatisfied, you have the right to lodge a
complaint with the Information Commissioner's Office (ICO)
15. Contact Us
For any questions about this Privacy Policy or our data practices:
We respond to all data protection enquiries within 30 days.