Legal

Privacy Policy

Last updated · 23 May 2026

This Privacy Policy explains how GBB Components Pty Ltd (“TenderOpp”, “we”) collects, uses, discloses, and protects personal information when you use the TenderOpp Service. It is designed to comply with the Privacy Act 1988 (Cth) including the Australian Privacy Principles (APPs), and serves as a GDPR Article 13/14 information notice for users in the European Economic Area and the United Kingdom.

1. Who we are

TenderOpp is operated by GBB Components Pty Ltd, an Australian proprietary limited company. Where this policy refers to a “data controller” or “APP entity” for GDPR/Privacy Act purposes, that means GBB Components Pty Ltd.

2. What information we collect

From you directly

  • Account info: name, email, profile photo, OAuth provider identifier (Google or Microsoft).
  • Company profile: company name, sectors, capability tags, ideal-tender description, geographic focus, deal value band, past tender summaries.
  • Customer Content: documents you upload (past tenders, capability statements, certifications, brand assets), notes, draft submissions, recorded outcomes.
  • Billing data: name and billing address (held by Stripe; we receive a token, not your card details).

Automatically

  • Usage data: pages viewed, actions taken, agent runs, timestamps. Used for product improvement and security.
  • Technical data: IP address, user agent, browser language, request timing.
  • Cookies: only those strictly necessary for authentication and session management. We do not use advertising or cross-site tracking cookies.

From third parties

  • Public procurement portals: we ingest tender notices from government and multilateral sources (SAM.gov, Find a Tender, TED Europa, AusTender, World Bank, and ~25 others). These contain information about buyers, not about you.
  • Your website (if you opt in to website analysis during onboarding): we fetch and process your public site to suggest capability tags.

3. How we use it (purposes)

  • To provide and operate the Service.
  • To run AI agents (fit scoring, qualification, drafting) on your behalf.
  • To send transactional emails (sign-in links, invitations, digests, alerts).
  • To process payments and manage subscriptions.
  • To improve the Service, including aggregated, anonymised analytics.
  • To enforce these Terms and protect against abuse.
  • To comply with legal obligations.

4. Lawful basis (GDPR / UK GDPR)

For users in the EEA/UK, the lawful bases we rely on under Article 6 of the GDPR are:

  • Contract: to provide the Service you have signed up for (Art. 6(1)(b)).
  • Legitimate interests: product improvement, security, fraud prevention (Art. 6(1)(f)).
  • Legal obligation: tax records, responding to lawful requests (Art. 6(1)(c)).
  • Consent: where we ask for it explicitly (e.g., website analysis at onboarding) (Art. 6(1)(a)).

5. Sub-processors

We use the following sub-processors to deliver the Service. All have contractual confidentiality and security obligations:

Sub-processor | Purpose | Location of processing
Google Cloud Platform | Application hosting, database, file storage | United States (us-central1)
Anthropic, PBC | Claude LLM inference (no training on your prompts) | United States
OpenAI, L.L.C. | Text embeddings for retrieval (only when configured) | United States
Stripe, Inc. | Payment processing | United States / EU (region-pinned where required)
Twilio SendGrid, Inc. | Transactional email delivery | United States
Sentry (Functional Software, Inc.) | Error monitoring and observability | United States

For transfers of personal data outside the EEA/UK or Australia, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum, as applicable. Enterprise customers can request our Data Processing Agreement at /dpa.

6. Where we store your data

TenderOpp’s primary database and document storage run in Google Cloud’s us-central1 region (Council Bluffs, Iowa, USA). Daily backups are encrypted at rest. Point-in-time recovery is enabled for the database.

EU-based customers who require EU-region storage as a contractual condition should contact us at privacy@tenderopp.com — we can deploy a dedicated EU-region instance under our Enterprise plan.

7. Retention

  • Customer Content: retained for as long as your subscription is active, plus a 30-day grace period after termination during which you can export.
  • Agent run logs and audit events: 24 months from creation.
  • Billing records: 7 years (Australian Taxation Office requirement).
  • Account info: while your account exists, plus 30 days after deletion.

8. Your rights

Under the Privacy Act 1988 and the GDPR/UK GDPR (as applicable), you have the right to:

  • Access the personal information we hold about you.
  • Correct it if it’s inaccurate.
  • Request deletion (subject to legal retention obligations).
  • Export it in a portable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent (where consent is the lawful basis).
  • Lodge a complaint with a supervisory authority (the OAIC in Australia).

To exercise any of these rights, email privacy@tenderopp.com. We will respond within 30 days.

9. How we protect your data

  • All data in transit is encrypted with TLS 1.2+.
  • Data at rest is encrypted using Google-managed encryption keys.
  • Access to production systems is restricted to authorised engineers with multi-factor authentication and audit logging.
  • We follow the principle of least privilege; service accounts have narrowly-scoped IAM permissions.
  • We monitor for security incidents and will notify affected users without undue delay (and within 72 hours where required by GDPR Article 33) in the event of a personal data breach likely to result in a risk to your rights and freedoms.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal information from children.

11. Changes

We will post updates to this Policy on this page. For material changes affecting how we process personal data, we will give 30 days’ notice by email.

12. Contact

Privacy questions: privacy@tenderopp.com
Postal: GBB Components Pty Ltd, Australia (full address provided on request)
EU Representative (where required by GDPR Art. 27): contact us to be appointed.