Privacy Policy
Last updated: 3 March 2026 — Compliant with the Protection of Personal Information Act 4 of 2013 (POPIA)
1. Introduction and Responsible Party
TenderGuard AI ("we", "us", "our") is committed to protecting the personal information of all users of our platform in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA") and the regulations promulgated thereunder. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use the TenderGuard AI platform ("the Platform").
For the purposes of POPIA, TenderGuard AI is the "responsible party" in relation to the personal information processed through this Platform. Our Information Officer can be contacted at the details provided in Section 12 below.
2. Definitions
In this Privacy Policy, unless the context indicates otherwise, the following terms have the meanings assigned to them under POPIA:
- "Personal information" means information relating to an identifiable, living, natural person or an identifiable, existing juristic person, including but not limited to name, email address, organisation name, and contact details.
- "Processing" means any operation or activity concerning personal information, including collection, receipt, recording, organisation, storage, updating, retrieval, consultation, use, dissemination, merging, restriction, degradation, erasure, or destruction.
- "Data subject" means the person to whom personal information relates, being the user of the Platform.
- "Operator" means a person who processes personal information for a responsible party in terms of a contract or mandate.
3. Personal Information We Collect
We collect and process the following categories of personal information:
| Category | Details | Purpose |
|---|---|---|
| Identity Information | Name, email address, organisation name | Account creation and authentication |
| Contact Information | Phone number, professional role | Communication and support |
| Tender Documents | Uploaded tender and bid documents | Compliance analysis services |
| Usage Data | Analysis history, platform interactions | Service improvement and audit trail |
| Technical Data | IP address, browser type, session data | Security and platform functionality |
4. Lawful Basis for Processing
We process your personal information on the following lawful grounds as provided for in Section 11 of POPIA:
- Consent (Section 11(1)(a)): You provide explicit consent when creating an account and uploading documents for analysis.
- Contractual Necessity (Section 11(1)(b)): Processing is necessary to perform the compliance analysis services you have requested.
- Legal Obligation (Section 11(1)(c)): We may process information to comply with legal obligations under South African law.
- Legitimate Interest (Section 11(1)(f)): We process certain data for legitimate business interests such as security, fraud prevention, and service improvement, provided such interests do not override your rights.
5. Data Security Measures
In compliance with Section 19 of POPIA, we implement appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information in our possession or under our control:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). This includes document uploads, analysis results, and all API communications.
- Encryption at Rest: Documents and personal information stored in our cloud infrastructure are encrypted at rest using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) ensures that only authorised users can access their own data. Administrative access is restricted to authorised personnel with multi-factor authentication.
- Session Security: Secure, HTTP-only session cookies with SameSite attributes prevent cross-site request forgery and session hijacking.
- Audit Logging: All access to and processing of personal information is logged in an immutable audit trail for accountability and incident investigation.
- Infrastructure Security: Our cloud infrastructure employs firewalls, intrusion detection systems, and regular security assessments.
- Document Isolation: Each user's documents are stored in isolated storage paths, preventing cross-user access.
6. Access Controls
We implement the following access control measures:
- Users can only access their own tenders, documents, and analysis reports.
- Authentication is required for all protected operations via a secure OAuth 2.0 flow.
- Administrative functions are restricted to authorised admin users only.
- API endpoints enforce user-level authorisation checks on every request.
- Document storage uses per-user isolation with unique file keys.
7. Consent Management
In accordance with Sections 11 and 18 of POPIA:
- Informed Consent: Before using the Platform, you are informed of the purpose for which your personal information is collected and how it will be processed.
- Voluntary Consent: Your consent is given voluntarily. You may choose not to use the Platform if you do not wish to provide the required personal information.
- Withdrawal of Consent: You may withdraw your consent at any time by contacting our Information Officer. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Document Processing Consent: By uploading documents for analysis, you explicitly consent to the processing of the information contained therein for the purpose of compliance analysis.
8. Data Subject Rights
Under POPIA, you have the following rights in relation to your personal information:
- Right of Access (Section 23): You may request confirmation of whether we hold personal information about you and request access to such information.
- Right to Correction (Section 24): You may request the correction or deletion of your personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
- Right to Deletion (Section 24): You may request the destruction or deletion of your personal information, subject to any legal retention obligations.
- Right to Object (Section 11(3)): You may object to the processing of your personal information on reasonable grounds.
- Right to Lodge a Complaint: You may lodge a complaint with the Information Regulator if you believe your rights under POPIA have been infringed.
9. Data Retention
In accordance with Section 14 of POPIA, we retain personal information only for as long as is necessary for the purpose for which it was collected, or as required by law. Specifically:
- Account information is retained for the duration of your account and for 12 months thereafter.
- Uploaded documents are retained for 90 days after analysis completion, unless you request earlier deletion.
- Analysis reports and compliance results are retained for 24 months for audit and reference purposes.
- Audit logs are retained for 36 months as required for accountability and legal compliance.
10. Third-Party Processing
We may engage third-party service providers ("operators" under POPIA) to assist in providing the Platform. These operators process personal information only on our instructions and are bound by written agreements that ensure compliance with POPIA. Our operators include cloud infrastructure providers and AI processing services, all of which maintain appropriate security measures.
11. Cross-Border Transfers
In accordance with Section 72 of POPIA, where personal information is transferred to a jurisdiction outside the Republic of South Africa, we ensure that the recipient country has adequate data protection legislation, or that the transfer is subject to a binding agreement that provides an adequate level of protection.
12. Information Officer
To exercise any of your rights under POPIA, or for any queries regarding this Privacy Policy, please contact our Information Officer. You may also lodge a complaint with the Information Regulator of South Africa:
Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Tel: 010 023 5207
Email: [email protected]
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes by posting the updated policy on the Platform with a revised "Last updated" date. Your continued use of the Platform after such changes constitutes your acceptance of the updated Privacy Policy.