Privacy Policy
Last updated: 18 March 2026
1. Who We Are
TenderFlare is a public procurement intelligence platform based in Ireland, operated by Blue Dot Consulting, an Irish company (CRO: 769206). Registered address: Cork, Ireland.
We aggregate publicly available tender data from Irish and EU sources. For details on how we protect your data, see our Security & Trust page.
For any privacy-related queries, please contact us.
2. What Data We Collect
When you create an account, we collect:
- Email address - used for account login and service communications
- Full name - used for display within the platform
- Company name (optional) - used for display within the platform
- Password - stored as a secure hash; we never store your plain-text password
When you use the platform, we also store:
- Saved search criteria
- Pipeline entries (tenders you track)
- Basic usage logs for service operation and security
3. Why We Collect Your Data (Legal Basis)
We process your personal data on the following legal bases under GDPR:
- Contract performance (Article 6(1)(b)) - to provide the TenderFlare service you signed up for, including account management, saved searches, and pipeline tracking.
- Legitimate interests (Article 6(1)(f)) - for service security, fraud prevention, and improving the platform.
4. How We Use Your Data
- To provide and maintain your account
- To deliver the procurement search and tracking features
- To send essential service communications (e.g. password resets)
- To monitor and ensure the security of the platform
We do not sell your personal data to third parties. We do not use your data for advertising.
5. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law.
Usage logs are retained for up to 12 months for security and operational purposes.
6. Data Sharing & Sub-Processors
We may share data with:
- Amazon Web Services (AWS) - database hosting and compute infrastructure (EU-West-1, Ireland)
- Cloudflare - frontend hosting and content delivery network
- Resend - transactional email delivery (e.g. password resets)
- Legal authorities - if required by law or valid legal process
All third-party processors are bound by data processing agreements in compliance with GDPR.
7. Your Rights Under GDPR
As a data subject, you have the right to:
- Access - request a copy of the personal data we hold about you
- Rectification - ask us to correct inaccurate data
- Erasure - ask us to delete your data ("right to be forgotten")
- Data portability - receive your data in a structured, machine-readable format
- Restriction - ask us to restrict processing of your data
- Objection - object to processing based on legitimate interests
To exercise any of these rights, please contact us. We will respond within 30 days.
You also have the right to lodge a complaint with the Irish Data Protection Commission.
8. Cookies
TenderFlare uses essential browser storage (localStorage) to maintain your login session. We do not use tracking cookies or third-party advertising cookies.
9. AI & Automated Processing
TenderFlare does not use artificial intelligence or machine learning to process your personal data. Your data is never used to train AI models. Search functionality is keyword-based and analytics are statistical.
No automated decisions are made about you based on your personal data (Article 22 GDPR does not apply).
Blue Dot Consulting uses AI tools internally for business productivity (e.g., software development, research). These tools are governed by our internal PII & LLM Usage Policy, which prohibits sending third-party personal data to AI providers that lack a Data Processing Agreement.
10. International Data Transfers
TenderFlare's primary infrastructure is hosted in the EU (AWS EU-West-1, Ireland). However, some sub-processors may process data in the United States or other jurisdictions:
- Cloudflare - content delivery may route through non-EU edge servers. Covered by the EU-US Data Privacy Framework and SCCs.
- Resend - email delivery infrastructure. Covered by SCCs.
Where data is transferred outside the EEA, appropriate safeguards are in place under Chapter V GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify registered users of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.