Privacy Policy

Last updated 14 June 2026

This Privacy Policy explains how MyTenderBox ("we", "us") collects, uses, and protects information when you use mytenderbox.com and the MyTenderBox digest service (the "Service").

MyTenderBox is operated by Matthew Macleod, a sole trader based in England. We act as a "data controller" under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 for personal data described in this policy. You can reach us at [email protected].

1. What we collect

When you sign up, we collect:

  • Account info — your name, business name, email address, and a one-paragraph description of what your business does.
  • Service configuration — the sources you've chosen to scan, the regions you operate in, and any preferences you set.
  • Billing info — handled by Stripe. We don't store card numbers; we only see metadata Stripe sends back (customer ID, subscription status, plan).
  • Service activity — when digests were sent to you, which tenders have been included, and basic delivery / error logs.

We do not knowingly collect data from anyone under 18, and the Service is not intended for personal (non-business) use.

2. Why we use it

  • To run the Service — pull notices from public tender sources, score them against your business description, and email you the digest.
  • To handle your subscription — set up your account, manage billing through Stripe, send transactional emails (welcome, trial expiry, receipts).
  • To respond to your support requests.
  • To improve the Service — we use anonymous, aggregated usage data to understand what's working.

3. Our legal basis

Under the UK GDPR, we rely on:

  • Contract (Art 6(1)(b)) — to provide the Service you signed up for.
  • Legitimate interests (Art 6(1)(f)) — to keep the Service secure, prevent abuse, and improve it. We have weighed these interests against your rights and consider them proportionate.
  • Consent (Art 6(1)(a)) — for any optional marketing communications. You can withdraw consent at any time.

4. Who we share it with

We use a small number of trusted third-party processors to run the Service. Each is bound by a Data Processing Agreement and processes data on our instructions:

  • Stripe Payments Europe — billing and subscription management (data may be transferred to the EU and US under Standard Contractual Clauses).
  • Anthropic — AI processing. Your business description and the public tender notices we're scoring are sent to Anthropic's Claude API for relevance scoring. Anthropic does not use this data to train its models.
  • Resend — email delivery.
  • Cloudflare — website hosting, DNS, and DDoS protection for mytenderbox.com.
  • Fly.io — application hosting in London (the database and API run on a single machine in the LHR region).

We do not sell your data, ever. We may disclose data if required by law, court order, or to protect rights, property, or safety.

5. International transfers

Where data is transferred outside the UK, we rely on the UK's adequacy regulations or Standard Contractual Clauses with appropriate supplementary measures, as required by Articles 44–49 of the UK GDPR.

6. How long we keep it

  • Active accounts — for as long as your subscription is active.
  • Cancelled accounts — we retain billing records for 6 years to meet UK tax obligations. We delete personal preferences and business descriptions within 30 days of cancellation unless you ask us to do so sooner.
  • Abandoned signups — if you start signup but don't add a card, your record is automatically deleted after 24 hours.

7. Your rights

Under the UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data deleted (subject to our legal retention obligations)
  • Restrict or object to processing
  • Data portability — receive your data in a structured, common format
  • Withdraw consent where we relied on consent
  • Complain to the UK Information Commissioner's Office at ico.org.uk

To exercise any of these, email [email protected]. We'll respond within one month.

8. Cookies

We use only strictly-necessary cookies and sessionStorage to make signup work (e.g. so your progress survives a tab reload). We do not use analytics, advertising, or tracking cookies. There is no cookie banner because we don't need consent for strictly-necessary cookies under PECR.

9. Security

We use HTTPS everywhere, encrypted volumes for our database, and access controls on all admin endpoints. No system is perfect — if we discover a breach affecting your data, we'll notify you and the ICO as required by Article 33 of the UK GDPR.

10. Changes

We'll update this policy from time to time. The "last updated" date at the top of this page reflects the most recent change. If a change materially affects how we use your data, we'll email you in advance.

11. Contact

Questions, requests, or complaints: [email protected]