Legal

Privacy Policy

This policy explains what personal data BidHound collects, why we collect it, how we use and protect it, and the rights you have over it.

Last updated: 21 April 2026 · Version 1.0

01 Who we are

BidHound is a UK public tender intelligence service operated by Phil Lee trading as BidHound (“BidHound”, “we”, “us”, “our”). For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, we are the data controller of the personal information described in this policy.

Contact details:

We are not required to appoint a Data Protection Officer under UK GDPR Article 37. Data protection queries are handled directly by the BidHound team.

02 What this policy covers

This policy applies to personal data we collect when you:

  • Visit bidhound.co.uk or any subdomain we operate;
  • Create a BidHound account, start a free trial, or pay for a subscription;
  • Use the BidHound dashboard, including creating a company profile, running analyses, and providing feedback on tender scoring;
  • Receive emails from us, including digests, welcome emails, and service notifications;
  • Contact us by email or other means.

It does not cover third-party websites that we link to (including Contracts Finder, Find a Tender, and Stripe's checkout pages), which have their own privacy notices.

03 Information we collect

3.1  Information you give us

  • Account data: your name, email address, hashed password.
  • Company profile data: company name, sector, services offered, accreditations, frameworks, past contract experience, contract value preferences, and geographic coverage. This is the data BidHound scores tenders against.
  • Pipeline and feedback data: the tenders you mark as interested, dismiss, analyse, or submit, and any feedback you give on scoring accuracy.
  • Billing data: your billing name and address. We do not store card numbers. Payment is handled entirely by Stripe — card details are submitted directly to Stripe and never touch our servers.
  • Correspondence: any emails you send us.

3.2  Information we collect automatically

  • Authentication cookie: a signed JSON Web Token set after login. This is strictly necessary to keep you logged in and has no tracking function. It expires on logout or after a period of inactivity.
  • Server logs: IP address, browser user agent, pages requested, and timestamps. Retained for a short period for security, debugging, and abuse prevention.
  • Usage signals: how you interact with the dashboard (which tenders you open, how long you spend on analysis, which you dismiss) — used to improve scoring accuracy on your account only.

3.3  Information we collect from other sources

  • Companies House: if you choose to enrich your company profile, we fetch publicly available data about your registered company (address, SIC codes, incorporation date) from the Companies House API.
  • UK government tender sources: we continuously fetch tender notices from Contracts Finder, Find a Tender, and FTS Planning. These notices may contain the names and contact details of public sector officials responsible for the procurement. This is public information published by UK government and reproduced in our dashboard as part of the service.

04 Why we use your information, and our lawful basis

Under UK GDPR, we must have a lawful basis for each purpose for which we use your personal data. The table below sets out what we do and why.

What we do | Why | Lawful basis
Provide the BidHound service | Run your account, show you scored tenders, run Go/No-Go analyses, sync your pipeline | Performance of a contract (Art 6(1)(b))
Process payments | Charge your card, issue receipts, handle refunds | Performance of a contract (Art 6(1)(b)) and legal obligation for tax records (Art 6(1)(c))
Send service emails | Welcome email, daily tender digest, receipts, security alerts, DMCCA renewal reminders | Performance of a contract (Art 6(1)(b))
Improve tender scoring on your account | Learn from your thumbs-up / thumbs-down feedback so the shortlist gets sharper over time | Legitimate interests (Art 6(1)(f)) — to deliver the service you signed up for
Security, fraud prevention, troubleshooting | Rate-limit abuse, detect scraping, debug errors | Legitimate interests (Art 6(1)(f))
Product marketing to existing customers | Let you know about new features or relevant product updates | Legitimate interests + PECR soft opt-in. You can unsubscribe at any time.
Respond to your enquiries | Handle support, account, or data-rights requests | Legitimate interests (Art 6(1)(f))

Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You can object to this processing at any time (see Section 10).

05 AI and automated processing

BidHound uses artificial intelligence to classify public tenders and match them to your company profile. Specifically:

  • When a new tender is published, we send the tender's public text (title, description, CPV codes, value, deadline) to Anthropic's Claude model via its API. We do not send your full company profile in this step. Anthropic acts as a processor on our behalf and does not use the content to train its models.
  • The classification output is stored in our database. A second, non-AI step then matches each classified tender against your profile inside our own infrastructure to produce your fit score.
  • Scores are advisory. They help you decide which tenders to investigate further. You always make the final bid / no-bid decision. BidHound does not submit bids, accept offers, or take any action on your behalf.

Because scoring is advisory and you retain full control, this is not “solely automated decision-making” with legal or similarly significant effect under UK GDPR Article 22. Even so, you can ask us at any time to explain any score and we will walk you through the breakdown (capability, budget, deadline, track record).

06 Cookies and similar technologies

BidHound uses one cookie: a strictly necessary authentication cookie that keeps you logged in. It is covered by the “strictly necessary” exemption in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) and does not require consent.

We do not use advertising cookies, analytics cookies, tracking pixels, or any similar technologies today. If we add any in the future, we will update this policy and add a consent banner before we set them.

07 Who we share your information with

We share personal data only with the service providers (“processors”) that we need to run BidHound. Each of these processors is bound by a data processing agreement that restricts how they can use your data.

Processor | Purpose | Location
Hetzner Online GmbH | Hosting of application, database, and files | Finland (EEA)
Anthropic, PBC | AI classification of public tender text (your profile data is not sent to this step) | United States
Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing, subscription billing, invoicing | Ireland and United States
Wildbit LLC (Postmark) | Transactional and digest email delivery | United States

For the authoritative current sub-processor list — including full transfer mechanisms, certifications, and onward sub-processors — see our Sub-Processors page.

We also use the following UK government APIs as public data sources. We do not send them any personal data about you; we only fetch public tender and company information from them.

  • Contracts Finder (Crown Commercial Service)
  • Find a Tender (Crown Commercial Service)
  • Companies House (when you run profile enrichment)

We will share your information with others only where required by law — for example, in response to a valid court order, HMRC enquiry, or ICO investigation — and only to the extent legally required.

We do not sell personal data. We do not share it between customer accounts. We do not allow our AI provider to use your data to train its models.

08 International data transfers

Our primary data storage is in the European Economic Area (EEA). Some of our processors (notably Anthropic, Stripe, and Postmark) are based in the United States. When your personal data is transferred outside the UK, we rely on one of the following safeguards required by UK GDPR:

  • An adequacy decision made by the UK government (for example, transfers to the EEA are covered by the UK's recognition of EU adequacy, so no additional safeguards are required);
  • The UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”) for US processors certified under that framework;
  • The ICO's International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, where no adequacy mechanism applies.

You can request a copy of the specific safeguard used for a particular transfer by emailing us.

09 How long we keep your data

Category | Retention
Account, profile, pipeline, feedback data | For as long as your account is active, and 30 days after you close it (in case you change your mind), after which it is permanently deleted.
Billing and invoice records | 7 years from the date of the transaction (UK tax law requires this).
Email correspondence | Up to 3 years, then archived or deleted.
Server logs | Up to 30 days, then deleted.
Stripe customer records | Retained by Stripe per their retention policy, separate from our own systems.

You can ask us to delete your data earlier — see Section 10.

10 Your rights

Under UK GDPR, you have the following rights over your personal data. You can exercise any of these by emailing phil@bidhound.co.uk. We will respond within one calendar month.

  • Right of access — ask for a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — ask us to delete your data. We will do so unless we are legally required to keep it (e.g., tax records).
  • Right to restrict processing — ask us to pause processing your data while a dispute or correction is resolved.
  • Right to data portability — ask for a copy of your data in a machine-readable format (we provide JSON export on request).
  • Right to object — object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
  • Rights related to automated decision-making — as explained in Section 5, our scoring is advisory. If you want a human explanation of any score, just ask.

We will not charge a fee unless your request is manifestly unfounded or excessive. We may ask you to verify your identity before we release any personal data.

11 How to complain

If you're not happy with how we handle your data, please contact us first at phil@bidhound.co.uk. We take complaints seriously and will try to resolve any issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

12 How we protect your data

We take the security of your data seriously. Measures we use include:

  • Encryption in transit: all traffic between you and BidHound uses TLS 1.2 or higher (HTTPS).
  • Authentication: passwords are never stored in plaintext. We use industry-standard one-way hashing (bcrypt) with per-user salt.
  • Access control: production servers are reachable only via key-based SSH from a small number of authorised devices. Your data is scoped to your account and is never readable by other customer accounts.
  • Rate limiting and abuse detection: multi-tier rate limits on authentication and API endpoints.
  • Security headers: Content Security Policy, HSTS, X-Content-Type-Options, and related defences on every page.
  • Payment isolation: card data is handled entirely by Stripe; we never see or store it.
  • Backups: the database is backed up regularly. Backups are encrypted and deleted on a rolling schedule.

No system is perfectly secure. If we ever become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you directly.

13 Children

BidHound is a business tool. It is not intended for, and we do not knowingly collect personal data from, anyone under the age of 18. If you believe we have inadvertently collected data about a child, please email us and we will delete it.

14 Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page tells you when it was last revised. If we make material changes, we will notify you by email before they take effect and give you the chance to close your account if you disagree.

15 Contact

For any privacy question or to exercise any of your rights, email phil@bidhound.co.uk. Include “Privacy” in the subject line and we'll prioritise it.

See also

Our Terms of Service describe the legal agreement between you and BidHound.