Privacy Policy

Last updated: December 10, 2025

1. Introduction

TenderFlow ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our tender management software and services.

We comply with the Protection of Personal Information Act (POPIA) of South Africa (Act No. 4 of 2013) and the General Data Protection Regulation (GDPR) where applicable.

POPIA Compliance

TenderFlow is fully compliant with POPIA. We are registered as a responsible party with the Information Regulator of South Africa and adhere to all eight conditions for lawful processing of personal information as set out in POPIA.

2. Information We Collect

2.1 Personal Information

We collect information that you provide directly to us, including:

  • Name, email address, and contact information
  • Company name and billing information
  • Payment and credit card information (processed securely through third-party payment processors)
  • Account credentials and preferences

2.2 Usage Information

We automatically collect certain information when you use our service, including:

  • IP address and device information
  • Browser type and version
  • Pages visited and time spent on pages
  • Features used and actions taken

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send related information
  • Send technical notices, updates, and support messages
  • Respond to your comments, questions, and requests
  • Monitor and analyze trends and usage
  • Detect, prevent, and address technical issues
  • Comply with legal obligations

4. Data Storage and Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encryption of data in transit and at rest
  • Secure servers and databases
  • Regular security assessments and updates
  • Access controls and authentication
  • Regular backups and disaster recovery procedures

Your data is stored on secure servers located in South Africa and may be backed up to secure cloud storage facilities.

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service Providers: With trusted third-party service providers who assist us in operating our service (e.g., payment processors, email services)
  • Legal Requirements: When required by law or to protect our rights and safety
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you have given us explicit consent to share your information

6. Your Rights Under POPIA

As a data subject under POPIA, you have the following rights:

  • Right to be Notified: You have the right to be notified when your personal information is being collected, the purpose for collection, and whether the collection is voluntary or mandatory.
  • Right of Access: You may request access to your personal information that we hold, including information about the identity of third parties who have accessed your information.
  • Right to Correction: You may request correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, or misleading personal information.
  • Right to Object: You may object to the processing of your personal information on reasonable grounds relating to your particular situation.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.
  • Right to Complain: You have the right to lodge a complaint with the Information Regulator if you believe your rights have been violated.
  • Right to Restrict Processing: You may request restriction of processing in certain circumstances.

6.1 Exercising Your Rights

To exercise any of these rights, please contact us through our contact page or send a written request to our Information Officer. We will respond to your request within 30 days as required by POPIA.

Information Officer Contact:

  • Email: Contact Page
  • Subject Line: "POPIA Request - [Your Request Type]"

6.2 POPIA Compliance Details

We comply with all eight conditions for lawful processing under POPIA:

  1. Accountability: We take responsibility for ensuring compliance with POPIA and have appointed an Information Officer.
  2. Processing Limitation: We only collect personal information that is necessary for our legitimate business purposes.
  3. Purpose Specification: We clearly specify the purpose for collecting personal information and only use it for that purpose.
  4. Further Processing Limitation: We do not process personal information for purposes incompatible with the original purpose without consent.
  5. Information Quality: We take reasonable steps to ensure personal information is accurate, complete, and up to date.
  6. Openness: We maintain documentation of all processing operations and make this Privacy Policy readily available.
  7. Security Safeguards: We implement appropriate technical and organizational measures to secure personal information.
  8. Data Subject Participation: We facilitate the exercise of data subject rights as outlined above.

6.3 Information Regulator

If you are not satisfied with how we handle your personal information, you have the right to lodge a complaint with the Information Regulator:

  • Website: www.justice.gov.za/inforeg/
  • Email: inforeg@justice.gov.za
  • Address: Information Regulator, 33 Hoofd Street, Forum III, 3rd Floor, Braampark, Braamfontein, 2017

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our service and store certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.

We use cookies for:

  • Authentication and session management
  • Preferences and settings
  • Analytics and performance monitoring
  • Security and fraud prevention

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

  • Active Accounts: Personal information is retained for the duration of your account and for 30 days after cancellation to allow for account reactivation.
  • Financial Records: Billing and payment information is retained for 7 years as required by South African tax law.
  • Legal Requirements: Information subject to legal proceedings or regulatory requirements may be retained longer as necessary.
  • Marketing Data: Newsletter subscriptions and marketing preferences are retained until you unsubscribe or request deletion.

8.2 Deletion Process

When you cancel your account or request deletion:

  • Your personal information will be deleted or anonymized within 30 days
  • Data in backups will be deleted according to our backup retention schedule (up to 90 days)
  • Anonymized, aggregated data that cannot identify you may be retained for analytical purposes
  • Financial records required by law will be retained as specified above

You may request deletion of your personal information at any time by contacting us through our contact page. We will process deletion requests in accordance with POPIA requirements.

9. Children's Privacy

Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure that appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Learn About Security Contact Us