Privacy Policy

We are committed to protecting your personal data. This policy explains what we collect, how we use it, and the rights you have over your information.

Last updated: April 8, 2025 | Version 1.0 | GDPR compliant

Section 01

Overview

Procurexio Inc. ("we", "us", "our") operates the Procurexio procurement SaaS platform ("Service"). This Privacy Policy explains how we collect, use, store, and share information about you when you use our Service, and the rights you have in relation to that information.

We act as both a data controller (for account and usage data we collect directly) and a data processor (for Customer Data you upload to the platform on behalf of your organisation).

If you are a resident of the European Economic Area (EEA), United Kingdom, or other jurisdictions with equivalent data protection laws, you have additional rights described in Section 9.

Section 02

Data We Collect

We collect the following categories of personal data:

Account & profile data:

  • Full name, work email address, and password (hashed)
  • Company name, job title, and role within the platform
  • Profile photo (if provided)

Usage & activity data:

  • Log data: IP address, browser type, pages visited, timestamps
  • Feature usage patterns and interaction events
  • Audit logs of procurement actions (RFQs created, bids submitted, POs approved, etc.)

Communications data:

  • Messages sent through the platform (e.g., RFQ communications with vendors)
  • Support tickets and correspondence with our team

Device & technical data:

  • Device identifiers, operating system, and screen resolution
  • Cookie data (see Section 8)

We do not collect sensitive personal data (such as health information, racial or ethnic origin, or biometric data) through the Service.

Section 03

How We Use Data

We use personal data for the following purposes:

  • Service delivery: To create and manage your account, authenticate you, and provide platform features.
  • Communication: To send transactional emails (account creation, password reset, invitations) and service announcements.
  • Support: To respond to support requests and resolve technical issues.
  • Security: To detect, prevent, and respond to fraud, abuse, and security incidents.
  • Compliance: To meet our legal obligations and enforce our Terms of Service.
  • Product improvement: To analyse usage patterns (in aggregated, anonymised form where possible) to improve the Service.

We rely on the following legal bases under GDPR for processing:

  • Contract performance — processing necessary to deliver the Service you subscribed to.
  • Legitimate interests — security monitoring, fraud prevention, and product analytics.
  • Legal obligation — compliance with applicable laws.
  • Consent — for optional marketing communications (you may withdraw at any time).

Section 04

Data Sharing

We do not sell your personal data. We may share it in the following limited circumstances:

  • Service providers: We use vetted third-party processors (cloud hosting, email delivery, analytics) who process data only on our instructions and under contractual data protection obligations.
  • Within your organisation: Data you submit is visible to other authorised users within your company's workspace as determined by your Admin.
  • Vendors (by your choice): When you invite a vendor to respond to an RFQ, limited contact information is shared with that vendor to enable the procurement workflow.
  • Legal requirements: We may disclose data if required by law, court order, or to protect the rights, property, or safety of Procurexio, our users, or the public.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.

Section 05

Multi-Tenant Environment

Procurexio is a multi-tenant SaaS platform where multiple organisations ("Tenants") share the same underlying infrastructure while maintaining strict data isolation.

Isolation measures include:

  • All database queries are scoped to the authenticated tenant's company ID.
  • API responses never include data belonging to a different tenant.
  • Audit logs are tenant-scoped and accessible only to that tenant's Admins.
  • Role-based access control (RBAC) enforces data visibility within each workspace.

While we implement strict technical controls, the Company Admin is responsible for managing which users have access to data within their organisation's workspace.

Section 06

Data Retention

We retain personal data for as long as necessary to:

  • Maintain your account and provide the Service.
  • Comply with legal, regulatory, and contractual obligations.
  • Resolve disputes and enforce our agreements.

Specific retention periods:

  • Account data: Retained while your account is active, plus 30 days after account deletion to allow for data retrieval.
  • Audit logs: Retained for 2 years to support compliance and security investigations.
  • Billing records: Retained for 7 years as required by tax regulations.
  • Support communications: Retained for 3 years.

After the applicable retention period, data is securely deleted or anonymised.

Section 07

Security

We implement industry-standard technical and organisational measures to protect your personal data from unauthorised access, loss, or disclosure, including:

  • Encryption in transit (TLS 1.2+) and at rest for sensitive data.
  • Password hashing using bcrypt with an appropriate cost factor.
  • Role-based access controls for our internal team.
  • Regular security reviews and vulnerability assessments.
  • Audit logging of privileged access and administrative actions.

No security measure is perfect. If you believe your account has been compromised, please contact us immediately at procurexio@gmail.com.

Section 08

Cookies

We use cookies and similar technologies to operate and improve the Service. The cookies we use fall into the following categories:

  • Strictly necessary: Session cookies required for authentication and security. These cannot be disabled.
  • Functional: Cookies that remember your preferences (e.g., language, timezone) to personalise your experience.
  • Analytics: Aggregated, anonymised data about how users interact with the Service, used to improve product features.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core Service functionality.

Section 09

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at procurexio@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Section 10

International Transfers

Your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

When we transfer personal data from the EEA, UK, or Switzerland to a third country, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.

Section 11

Children's Privacy

The Service is intended for business use by adults. We do not knowingly collect personal data from individuals under the age of 16 (or the applicable minimum age in your jurisdiction). If you believe a minor has provided us with personal data, please contact us and we will promptly delete it.

Section 12

Policy Changes

We may update this Privacy Policy periodically. We will notify you of material changes by email or by displaying a prominent notice in the Service. The updated policy will include the revised "last updated" date at the top.

Continued use of the Service after the effective date of the updated policy constitutes acceptance. If you disagree with the changes, you must stop using the Service and delete your account.

Section 13

Contact & DPO

For any privacy-related queries, data subject requests, or concerns:

If you are located in the EEA or UK and have concerns about our data processing that we have not satisfactorily resolved, you have the right to contact your local supervisory authority.