Social Value Unlocked

Clause & Effect & TenderReady

Privacy Policy — United Kingdom

Last updated: 25 April 2026

This Privacy Policy explains how personal data is collected, used, stored and disclosed in connection with the Clause & Effect and TenderReady platforms (the Software) for users in the United Kingdom. It is issued under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By accessing or using the Software, you acknowledge this Privacy Policy. If you do not agree, please do not use the Software.


1. Who we are (Controller)

1.1 The data controller for personal data collected directly through the Software (account information, billing details, support enquiries, marketing communications) is:

James Reid

Contact: [email protected]

1.2 Where a customer organisation uploads personal data into the Software in the course of their tender response or supplier assessment activity, that customer is the data controller for that personal data and we act as data processor in accordance with our Terms and any executed Data Processing Addendum (DPA).

2. Scope

2.1 This Privacy Policy applies to personal data we collect through the Software, our website, support enquiries, billing and related services.

2.2 Third-party websites linked from the Software operate under their own privacy policies.

3. What we collect

We may collect the following categories of personal data:

3.1 Identity and contact data — name, work email address, phone number, organisation, job title.

3.2 Account and access data — username, hashed password, account status, role, login history, IP address, browser/device information, session metadata.

3.3 Billing data — billing contact, subscription tier, transaction references, invoices, VAT details. Card numbers are processed directly by our payment provider and are not stored on our servers.

3.4 Usage and technical data — feature usage, clicks, prompts, outputs generated, service logs, analytics, error logs, performance metrics, support records.

3.5 Communications data — emails, contact form submissions, support tickets, DPA correspondence, security questionnaires.

3.6 Uploaded content — documents, prompts, draft responses or other content submitted by Authorised Users while using the Software. We instruct customers not to upload personal data unless a signed DPA is in place.

4. How we collect personal data

We collect data when: an account is created; a free trial or paid subscription is started; a user logs in or interacts with the Software; an enquiry, support request or DPA is submitted; usage data is generated by interaction with the Software; or where information is shared in commercial, security or technical discussions.

We also collect information through cookies, web logs and analytics tools (see clause 11).

5. Lawful bases (UK GDPR Art. 6)

We rely on the following lawful bases:

5.1 Performance of a contract — to provide the Software, manage subscriptions, process payments, deliver support and fulfil our Terms.

5.2 Legitimate interests — to operate, secure and improve the Software, prevent fraud, manage analytics, monitor usage and enforce our Terms. We have considered whether our legitimate interests are overridden by the rights of data subjects.

5.3 Consent — for non-essential cookies, optional marketing communications and any optional analytics where consent is required. Consent can be withdrawn at any time without affecting earlier processing.

5.4 Legal obligation — to comply with tax, accounting and legal record-keeping obligations.

6. Why we use personal data

We use personal data to: (a) provide and operate the Software; (b) create and manage accounts; (c) authenticate users; (d) process payments and billing; (e) provide support; (f) maintain security and detect misuse; (g) comply with our legal and contractual obligations; (h) communicate updates, incidents, support and administrative matters; and (i) where lawful, share product news and offers.

7. Data restrictions and customer responsibilities

7.1 The Software is not intended for the submission of special category data (UK GDPR Art. 9), criminal offence data, personal data of minors, or other sensitive operational data unless a signed DPA permits otherwise.

7.2 Where customers upload personal data, they are responsible for ensuring there is a lawful basis, that all required notices and consents are in place, and that data is minimised, accurate and lawful to share.

7.3 We may suspend access where data is submitted in breach of the Terms or applicable law.

8. Sharing and recipients

We may share personal data with: (a) cloud and hosting infrastructure providers (e.g. for hosting and database services); (b) software, analytics and diagnostics providers; (c) payment processors and billing providers; (d) professional advisers, accountants and lawyers; (e) law enforcement, regulators or governmental bodies where required by law; (f) parties to a business sale, restructure or transfer; and (g) third parties acting on the customer's instructions for support or integration.

We do not sell personal data.

9. International transfers

9.1 Some processors operate outside the United Kingdom. Where we transfer personal data outside the UK, we use appropriate safeguards such as: (a) UK adequacy regulations; (b) the UK International Data Transfer Agreement (IDTA); or (c) the UK Addendum to the EU Standard Contractual Clauses, with supplementary measures where required.

9.2 A list of sub-processors and transfer mechanisms is available on request from [email protected].

10. Retention

10.1 We retain personal data only for as long as is necessary for the purposes described, including for account management, billing, support, compliance, security, dispute resolution and legal record-keeping.

10.2 Indicative retention periods:

  • Account data — for the duration of the subscription, plus 24 months after termination.
  • Billing data — 7 years (statutory accounting period).
  • Support and correspondence — up to 3 years from the last interaction.
  • Usage and analytics logs — up to 24 months in identifiable form.
  • Marketing data — until consent is withdrawn.

10.3 When data is no longer required, it is deleted, de-identified or securely destroyed. Backups may persist for short periods in line with normal technical processes.

11. Cookies and analytics

11.1 We use a small number of cookies and similar technologies to: keep users signed in; remember preferences; understand usage patterns; monitor performance; detect suspicious activity; and support billing and licensing records.

11.2 Strictly necessary cookies do not require consent. Analytics or marketing cookies are only set with consent (where required), in accordance with the Privacy and Electronic Communications Regulations (PECR).

11.3 You can control cookies through browser settings, though some functionality may be affected.

12. Security

12.1 We implement appropriate technical and organisational measures to protect personal data, including access controls, authentication, encryption in transit, monitoring, vendor due diligence and provider-level security.

12.2 No online environment is fully secure. We will notify the relevant supervisory authority and affected data subjects of any qualifying personal data breach in accordance with the UK GDPR.

13. Your rights

Subject to UK data protection law, you have the right to:

13.1 Access — request a copy of the personal data we hold about you.

13.2 Rectification — ask us to correct inaccurate or incomplete data.

13.3 Erasure — request deletion in certain circumstances (the right to be forgotten).

13.4 Restriction — ask us to restrict processing in certain circumstances.

13.5 Data portability — request a copy of your data in a structured, machine-readable format.

13.6 Objection — object to processing based on legitimate interests, including for direct marketing.

13.7 Withdraw consent — where processing is based on consent, you may withdraw it at any time.

13.8 Automated decision-making — we do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

13.9 To exercise these rights, contact [email protected]. We may need to verify your identity before responding. We will respond within one (1) month, extendable by two further months for complex requests.

14. Marketing

14.1 Service communications (account, billing, security, legal updates) are sent as part of the contract.

14.2 Marketing communications are sent only where you have consented or where we have a legitimate interest under PECR rules. You can unsubscribe at any time using the link in any email or by contacting us.

15. Children

The Software is intended for business and professional use only and is not directed to children under 18.

16. Changes to this Policy

We may update this Privacy Policy from time to time. The version published on the website applies from the date stated. We will notify material changes by email or in-product notice where reasonably practicable.

17. Complaints to the ICO

17.1 If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

17.2 The ICO can be contacted at ico.org.uk, by phone on 0303 123 1113, or by post at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

18. Contact

For all privacy enquiries, data subject requests, DPA execution and any other privacy matters, please contact us at: [email protected]


We collect limited personal data to operate the Software, manage accounts and billing, maintain security, and respond to enquiries. Do not upload personal data or sensitive business data without a signed DPA in place.

See also: Terms & Conditions