Legal · Last updated 13 July 2026
Privacy policy
This policy explains what data TenderFitcollects, why, and how it's handled. We're a POPIA-conscious South African business — the short version is that we collect what we need to run the Service, we don't sell it, and you can ask for it back or for it to be deleted at any time.
1. Information we collect
1.1 Account data
When you sign up we collect your email, name, and (via Clerk) your hashed password. Organization membership and role. We use this to authenticate you and to bill you.
1.2 Company profile data
Whatever you enter into your company profile — capabilities, credentials, region, industry. This is used solely to score tenders for you. It is not shared or sold.
1.3 Usage data
Basic analytics: pages visited, actions taken, IP address, browser user-agent. Used to keep the Service reliable and to catch abuse.
1.4 Billing data
Handled by Paystack. We store a subscription reference; we do not store card numbers or CVCs.
2. How we use it
- Score tenders against your company profile.
- Send account, security, and billing emails.
- Send product emails and daily digests (opt-out any time).
- Investigate abuse, fraud, or policy violations.
- Comply with legal obligations.
3. Who we share it with
Only the processors we need to run the Service:
- Clerk — authentication and identity.
- Neon — Postgres database hosting.
- Paystack — payment processing.
- Voyage AI + Google Gemini — text embeddings and brief generation. Only tender content and company profile text is sent; no PII beyond the profile you supplied.
- Resend — outbound transactional email.
We do not sell data to advertisers. We do not use tracking cookies for cross-site profiling.
4. Where it lives
Data is stored in Neon Postgres and (encrypted) backups. Servers are hosted regionally where feasible; some processors are US-based. Cross-border transfers happen under standard contractual clauses and POPIA section 72.
5. How long we keep it
Account and profile data: for the life of your account plus 90 days after deletion (grace window for account restoration). Billing records: 5 years, per SARS retention rules. Usage logs: 12 months.
6. Your rights under POPIA
You can, at any time:
- Ask to see the data we hold about you.
- Ask us to correct it.
- Ask us to delete it (subject to legal retention).
- Object to processing or withdraw consent.
- Lodge a complaint with the Information Regulator (inforegulator.org.za).
Email hello@tenderfit.co.za to exercise any of these rights. We aim to respond within 14 days.
7. Cookies
We use first-party cookies for essential session state (Clerk auth, your theme preference). We do not use third-party advertising or cross-site tracking cookies.
8. Security
Transport is encrypted (TLS). Passwords are hashed by Clerk with bcrypt-family algorithms. Databases are encrypted at rest. Access to production data is limited to a small named team, audit-logged, and revoked on employment change.
9. Children
The Service is not directed at anyone under 18 and we do not knowingly collect data from children.
10. Changes
Material changes are announced by email or in-app banner at least 14 days before they take effect.
Contact
Information Officer: hello@tenderfit.co.za.