Who we are
TenderPulse is a procurement software company registered in Dhaka, Bangladesh. We build tools that help Bangladesh contractors win more e-GP tenders — specifically, our AI-powered bid copilot, eligibility scoring engine, and document management vault.
Under data-protection law, TenderPulse is the data controller: the entity that decides why and how your personal data is processed. Our sub-processors (our cloud provider, Anthropic, etc.) are processors — they act only on our documented instructions. We remain responsible for their conduct toward your data. (Digital Security Act 2018 §29; BD Data Protection Act 2023 (draft) §14; GDPR Art. 6(1)(b).)
Our designated contact for all privacy matters is our Data Protection Officer (DPO), reachable at help@tenderpulse.com.bd. For urgent matters — suspected breach, ongoing unauthorised access — use the same address with subject line “PRIVACY URGENT”; we acknowledge within 24 hours. General support questions go to help@tenderpulse.com.bd. Postal address: TenderPulse, c/o Public Pulse Agency, Banani, Dhaka 1213, Bangladesh. For service of formal legal notices, use this address with subject line “LEGAL — FOR THE ATTENTION OF THE DPO” and copy help@tenderpulse.com.bd on the same day.
This policy applies to every person who creates a TenderPulse account, visits our website at tenderpulse.com.bd, or otherwise sends data to our systems. It does not apply to third parties whose data appears inside documents you upload — those relationships are covered by our Data Processing Addendum.
We write this policy the way we would want our own suppliers to write theirs: plain language, concrete commitments, every legal citation visible. If something is unclear, the duty to clarify falls on us — not you. Contact the DPO and we will respond within five business days.
The data we collect
We collect the minimum data needed to make the product work. GDPR Art. 5(1)(c) (the data minimisation principle) is a hard constraint we design against, not a compliance checkbox. Every field in our database was added because a real product function required it; we have removed fields that turned out to be unused.
2.1 Account credentials
Your name, email address, mobile number, and a bcrypt password hash. We never store your plaintext password. Login session metadata — IP address, user-agent string, and timestamps — is kept for 30 days to detect unauthorised access and to show you “recent sessions” in settings. Lawful basis: contract performance.
2.2 Company profile
Trade name, legal name, RJSC registration, TIN, BIN, VAT registration, trade licence, e-GP user ID, registered and mailing address, and contact person names and roles. Also: authorised capital, paid-up capital, employee count, business categories, work specialisations, and geographic coverage. We use this to compute your eligibility score against tender ITB requirements and to auto-populate Form Tech-1 and related submission forms. Lawful basis: contract performance.
2.3 Financial data (sensitive)
Audited turnover, net profit, net worth, current assets and liabilities for the last three to five fiscal years. Bank account names, numbers, branches, and routing codes. Credit facilities, bonding limits, overdraft limits, bid-security facilities, and term-loan facilities including issuing bank and expiry dates. Bank account numbers are stored encrypted in the database (AES-256 via managed-key service) and are never returned in full by any API response — only the last four digits appear in the UI. Lawful basis: contract performance.
2.4 Key personnel records (sensitive)
Authorised signatory, engineers, finance personnel — name, designation, qualification, years of experience, email, phone, and optionally a National ID number. You are responsible for obtaining each person’s consent before adding them. NID numbers are stored encrypted and shown only as the last four digits in the interface. Lawful basis: contract performance and your instructions as the data controller for these individuals.
2.5 Document vault
Trade licence PDF, TIN/BIN/VAT certificates, e-GP registration letter, audited financials, bank solvency certificates, Project Completion Certificates, CV files, equipment documents, and authorisation letters. Each file is stored in encrypted object storage under your company ID prefix with server-side encryption (SSE-KMS). Download URLs are signed and expire after 60 seconds.
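As an added illustration (not TenderPulse's own code), here are the two checks that sections 2.3 to 2.5 describe: reducing bank account and NID values to their last four characters at the API boundary, and download URLs that are bound to one object under one company prefix and stop working after 60 seconds. In production the signed URLs come from the storage provider's presigning API; this stand-alone version uses an HMAC-SHA256 key (assumed to be held in a secrets manager), a caller-supplied clock, and constructed sample values, so the properties a reviewer should look for are visible: the expiry is part of the signed message, tampering with either the path or the expiry fails the signature, and the comparison is constant-time.

```python
"""Added illustration of two controls from sections 2.3-2.5: masking of
sensitive identifiers at the API boundary and short-lived signed download
URLs. Not TenderPulse code. Assumptions: an HMAC-SHA256 signing key held in
a secrets manager, a 60-second TTL, and a caller-supplied clock for tests."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Fields that never leave the service in full (bank account numbers, NIDs).
MASK_FIELDS = {"bank_account_number", "nid_number"}
DOWNLOAD_TTL_SECONDS = 60


def mask_record(record: dict) -> dict:
    """Copy of an API record with sensitive identifiers reduced to their last
    four characters. Runs at serialisation time so a forgotten column filter
    upstream cannot leak a full value."""
    masked = {}
    for key, value in record.items():
        if key in MASK_FIELDS and value is not None:
            text = str(value)
            masked[key] = "*" * max(len(text) - 4, 0) + text[-4:]
        else:
            masked[key] = value
    return masked


def _signature(key: bytes, path: str, expires: int) -> str:
    # Bind the MAC to the tenant-prefixed object path and the expiry time.
    return hmac.new(key, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()


def sign_download_url(base: str, company_id: str, object_key: str, key: bytes,
                      now=None, ttl: int = DOWNLOAD_TTL_SECONDS) -> str:
    """Issue a URL for one object under one company prefix, valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    full = f"{base}/{company_id}/{object_key}"
    sig = _signature(key, urlsplit(full).path, expires)
    return f"{full}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_download_url(url: str, key: bytes, now=None):
    """Return (ok, reason). Rejects malformed, expired and tampered URLs; the
    signature compare is constant-time."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    if now > expires:
        return False, "expired"
    if not hmac.compare_digest(_signature(key, parts.path, expires), sig):
        return False, "bad-signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input; not real customer data.
    key = b"constructed-signing-key"
    print(mask_record({"bank_account_number": "1234567890123", "branch": "Banani"}))
    url = sign_download_url("https://files.example", "C123", "trade-licence.pdf",
                            key, now=1_700_000_000)
    print(verify_download_url(url, key, now=1_700_000_030))   # (True, 'ok')
    print(verify_download_url(url, key, now=1_700_000_061))   # (False, 'expired')
```

Two caveats worth stating. The short TTL limits the damage of a leaked link, not of a compromised account: anyone who can ask for a fresh URL gets one. And masking must happen at the serialisation boundary, as above, not in the UI; an API that returns the full value and trusts the front end to hide it has not masked anything.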
2.6 Tender uploads and AI conversations
ZIP archives you upload from e-GP (containing ToR, BoQ, ITB, GCC, SCC, technical specifications, drawings, and addenda), plus the copilot chat history for each tender. Your prompts and the extracted tender content are sent to Anthropic's models through our cloud provider's managed AI inference platform. The inference layer processes the request and discards the input; Anthropic does not retain your data or use it to train models, and we do not use your data to train any model either.
2.7 Payment metadata
Plan slug, BDT amount, VAT amount, transaction reference, EPS merchant and transaction IDs, and paid-at timestamp. We do not see, store, or process your card number, CVV, expiry date, OTP, or banking PIN. The Bangladesh Bank-licensed EPS Bangladesh Limited gateway captures payment credentials directly and returns only the transaction outcome to us.
2.8 Usage analytics
Our request-log service records request paths, response codes, latency, and user IDs for operational diagnostics (90-day retention). Google Analytics 4 runs on customer-facing pages via Google Tag Manager, configured with Consent Mode v2: advertising and personalisation signals are denied by default, we transmit only a hashed user identifier, and we rely on GA4's built-in IP handling (GA4 does not log or store IP addresses). We do not run Facebook Pixel, Mixpanel, session-replay tools, or any advertising cookie. The admin subdomain manage.tenderpulse.com.bd excludes analytics entirely. See the Cookie Policy for the full inventory and opt-out instructions.
Lawful basis (BD + GDPR)
Every processing activity at TenderPulse has a documented lawful basis. We rely on four grounds and four grounds only. (Digital Security Act 2018 §29; GDPR Art. 6(1)(a), 6(1)(b), 6(1)(c) and 6(1)(f).)
3.1 Contract performance — Art. 6(1)(b)
The majority of our processing — running your account, computing eligibility scores, powering the AI copilot, sending transactional emails, and processing payments — is necessary to fulfil the contract between you and TenderPulse. Without processing this data we cannot operate the product. This basis applies from the moment you create an account and ends 30 days after you delete it (the grace period explained in §7).
3.2 Legal obligation — Art. 6(1)(c)
Invoice and payment records must be retained for seven years under the Income Tax Ordinance 1984 and the VAT and Supplementary Duty Act 2012. We cannot delete these records early even on your request, but we pseudonymise them — retaining only the financial figures and transaction IDs, not your name or email — after your account closes. We hold no other data under this basis.
3.3 Consent — Art. 6(1)(a)
Optional activities — marketing emails about new features, product updates, and sector events — require your explicit opt-in. Consent is captured through a separate checkbox during onboarding; it is not a condition of service. You can withdraw consent at any time from account settings or by emailing the DPO, and your account continues unaffected. We record a timestamped log of every consent grant and withdrawal.
3.4 Legitimate interests — Art. 6(1)(f)
We invoke legitimate interests only for a narrow set of security-related processing: detecting and blocking fraudulent logins, maintaining our admin audit log, and investigating abuse reports. These activities are proportionate (security is a fundamental interest), subject to access controls, and time-limited. We do not invoke legitimate interests as a basis for any commercial activity, third-party sharing, or marketing-adjacent processing.
Your 9 rights
Bangladesh law and our GDPR-aligned practice together give you nine distinct rights over your data (GDPR Art. 15–22). All nine are self-service where possible; for anything that requires human review we respond within 30 calendar days.
Right 1 · Access (Art. 15)
You can request a complete export of every byte we hold on you — account data, company profile, uploaded documents, AI conversation history, payment records, and audit logs. Self-service export is available at /settings/data in JSON format plus the original PDFs. Alternatively email the DPO and we will deliver within 30 days.
Right 2 · Rectification (Art. 16)
Correct inaccurate profile, personnel, or financial data directly from your dashboard. If a field is locked (e.g. because an active tender depends on it), contact support and we will apply the correction within five business days.
Right 3 · Erasure (Art. 17)
Delete your account and all associated data from /settings/data. Hard deletion completes within 30 days. After deletion only tax-law-required invoice records survive, in pseudonymised form (financial figures and transaction IDs only — no name, email, or company identifiers).
Right 4 · Restriction (Art. 18)
If you dispute the accuracy of data we hold, or if you object to processing under Art. 21, you can ask us to restrict processing while the question is investigated. During restriction we store your data but do not actively process it — your copilot sessions and eligibility scores will pause.
Right 5 · Portability (Art. 20)
Receive your data in a structured, machine-readable format — JSON for structured data and the original PDFs for uploaded documents. You can request this at any time and transfer it to any other service. No vendor lock-in.
Right 6 · Object (Art. 21)
Object to any processing we perform under legitimate interests (Art. 6(1)(f)). We will stop that specific processing unless we can demonstrate compelling legitimate grounds that override your interests — and given that we use legitimate interests only for security, in practice objection will almost always succeed.
Right 7 · Withdraw consent (Art. 7(3))
Withdraw marketing consent at any time, with immediate effect. Your account continues unaffected. You can also withdraw consent for any other consent-based processing. Note that the processing we perform under contract performance (§3.1) is not based on consent, so there is no consent to withdraw; the way to end it is to delete your account (Right 3), after which we can no longer provide the service.
Right 8 · Automated decisions (Art. 22)
We do not make decisions with legal or similarly significant effects based solely on automated processing. Our eligibility score is informational — it suggests which tenders you may qualify for but does not prevent you from bidding, does not affect your subscription, and does not create any legal consequence for you.
Right 9 · Complaint
If we fail to resolve a privacy concern to your satisfaction, you may file a complaint with the Bangladesh Data Protection Authority once constituted under the draft Personal Data Protection Act 2023, or lodge a report under the Digital Security Act 2018. You may also initiate arbitration or court proceedings as described in §12. (GDPR Art. 77; BD Data Protection Act 2023 (draft) §22; Digital Security Act 2018 §43.)
Sub-processors
A sub-processor is a company that processes your data on our behalf and under our documented instructions (GDPR Art. 28(2) and 28(4)). We have signed data-processing agreements with every sub-processor listed here. We do not permit sub-processors to use your data for their own purposes.
Complete sub-processor list

Cloud provider (primary infrastructure sub-processor): Compute (Lambda), storage (S3, RDS Postgres), email (SES), key management (KMS), CloudWatch logging, and AI inference (via its managed AI inference platform). Holds ISO/IEC 27001 and SOC 2 Type II certifications, which we review annually.

Anthropic: LLM inference for AI copilot responses and bid extraction (Claude model family). Your prompts and tender content are processed within the approved Asia-Pacific region and discarded immediately after inference. Anthropic does not retain inputs or use them for model training. Data does not leave the approved Asia-Pacific region.

EPS Bangladesh Limited: Payment processing for cards, mobile wallets, and internet banking. Bangladesh Bank-licensed gateway. EPS captures payment credentials directly in its PCI-DSS compliant environment; we receive only the transaction outcome. No card data, CVV, PIN, or OTP ever reaches TenderPulse systems.

Resend: Transactional email in local development and staging environments only. Production email (OTPs, invoices, deadline alerts) is sent via the cloud provider's transactional email service from the approved region. No production user data flows through Resend.

Google Analytics 4: Aggregate usage analytics on customer-facing pages only (not the admin subdomain). Page views, session duration, feature events, and a hashed user ID. Configured with Consent Mode v2; advertising and personalisation features are disabled. IP anonymisation is enabled at collection. No advertising data is shared with Google’s ad networks.
International transfers
All operational data at TenderPulse is stored and processed in our approved Asia-Pacific region. This region was chosen specifically for its proximity to Bangladesh (low latency), the maturity of the cloud provider's compliance certifications there, and the absence of data-sovereignty restrictions that would complicate processing for Bangladesh-resident users.
AI inference via managed AI inference platform runs entirely within the approved Asia-Pacific region. Your prompts and tender content do not leave the approved region. The inference layer enforces regional containment at the infrastructure level — this is not merely a contractual promise but a technical boundary enforced by the cloud provider.
The only data that ever moves outside the approved region is development- and staging-environment OTP emails sent via Resend (EU/US infrastructure). No production user data — no account data, financial data, tender uploads, or conversation history — transits Resend. In production all email is delivered via transactional email service from the approved region.
Google Analytics 4 data (aggregate usage metrics, hashed user IDs) may be processed on Google’s global infrastructure per Google’s standard analytics data terms. This data is aggregated and pseudonymised (a hashed user ID still singles out one user, so it is personal data rather than anonymous data); it does not include your name, company name, TIN, BIN, tender content, or financial figures. You can opt out entirely via the Google Analytics opt-out add-on.
Retention
We define a specific retention period for each data category. We do not retain data “just in case” — every retention window is tied to a concrete operational, contractual, or legal purpose. When that purpose expires, the data is deleted automatically.
Security
Security is not a feature we added after launch; it is a design constraint baked into every layer of the architecture. Our controls are aligned with ISO/IEC 27001, and our primary cloud sub-processor holds SOC 2 Type II, which we review annually.
Encryption at rest and in flight
All data stored in our systems (S3 objects, RDS database rows, and the data keys themselves, which are wrapped by the managed-key service) is encrypted at rest using AES-256-GCM under keys held in that managed-key service. All data in transit uses TLS 1.3, with HSTS preloaded on the apex domain. Bank account numbers and National ID numbers are additionally encrypted at the application layer (column-level AES-256, under a key held outside the database) before being stored, so even a full database dump would not expose them in plaintext.
Credential security
Passwords are stored as industry-standard bcrypt hashes (adaptive work factor reviewed against current OWASP guidance). We never store plaintext passwords or reversibly encrypted passwords. OTP codes for sign-up and password reset are stored hashed with a short expiry window; the plaintext is never written to any log. Failed login attempts trigger progressive rate-limiting and account lockout.
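The three controls in the paragraph above, as an added example that is not TenderPulse's own code: a password hash that records its cost so it can be upgraded on the next successful login (the "adaptive work factor"), a hashed single-use OTP with a short expiry, and per-account progressive delay followed by lockout. Assumptions: scrypt from Python's standard library stands in for the bcrypt the page names (the upgrade-on-login logic is the same for either), the OTP window is five minutes, and the failure counter lives in memory, where a real deployment would use a shared store so that retries cannot be spread across instances.

```python
"""Added illustration of the 'Credential security' paragraph: password
hashing with a cost that is upgraded on login, hashed single-use OTPs with a
short expiry, and progressive lockout. Not TenderPulse code. Assumptions:
scrypt (in Python's standard library) stands in for the bcrypt the page
names, a 5-minute OTP window, and an in-memory failure counter that a real
deployment would keep in a shared store."""
import hashlib
import hmac
import os
import secrets
import time

SCRYPT_TARGET_N = 2 ** 14      # current cost target; raise it as hardware improves
OTP_TTL_SECONDS = 300
LOCKOUT_AFTER = 5              # failures before the account needs an unlock flow


def hash_password(password: str, n: int = SCRYPT_TARGET_N) -> str:
    """Salted scrypt hash with the cost recorded alongside it."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return f"scrypt${n}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str):
    """Return (ok, needs_rehash): needs_rehash is True when the stored cost is
    below the current target, so the caller can re-hash after a successful login."""
    _algo, n, salt_hex, digest_hex = stored.split("$")
    n = int(n)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=n, r=8, p=1, dklen=32)
    ok = hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    return ok, ok and n < SCRYPT_TARGET_N


def issue_otp(server_secret: bytes, now=None):
    """Return (code, record). Only the record is stored; the code goes to the
    delivery channel and must never be written to a log. Keying the hash with a
    server secret stops offline guessing of a 6-digit code from a leaked table."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    salt = os.urandom(8)
    record = {
        "salt": salt,
        "mac": hmac.new(server_secret, salt + code.encode(), hashlib.sha256).digest(),
        "expires": now + OTP_TTL_SECONDS,
        "used": False,
    }
    return code, record


def verify_otp(server_secret: bytes, record: dict, code: str, now=None) -> bool:
    """Single use, expiry enforced, constant-time compare."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    mac = hmac.new(server_secret, record["salt"] + code.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, record["mac"]):
        return False
    record["used"] = True
    return True


class LoginThrottle:
    """Per-account progressive delay (1, 2, 4, 8 s ...) after each failure,
    then a hard lockout once LOCKOUT_AFTER failures accumulate."""

    def __init__(self):
        self.failures = {}   # account -> (failure_count, time_of_last_failure)

    def check(self, account: str, now: float):
        """Return (allowed, wait_seconds); wait_seconds is None when locked out."""
        count, last = self.failures.get(account, (0, 0.0))
        if count >= LOCKOUT_AFTER:
            return False, None
        delay = 0 if count == 0 else 2 ** (count - 1)
        remaining = last + delay - now
        return (True, 0) if remaining <= 0 else (False, remaining)

    def record_failure(self, account: str, now: float):
        count, _ = self.failures.get(account, (0, 0.0))
        self.failures[account] = (count + 1, now)

    def record_success(self, account: str):
        self.failures.pop(account, None)
```

The point of the `needs_rehash` flag is that a cost parameter chosen years ago cannot be raised retroactively without the plaintext; the only moment the server has it is a successful login, so that is where the upgrade happens. For the OTP, a 6-digit code is only safe because the online guess rate is throttled and the code dies on first use; the keyed hash protects against an attacker who has read the table, not one who can submit guesses.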
Access control
TenderPulse enforces strict per-tenant row-level isolation: your data is scoped to your company ID and no other tenant can access it. TenderPulse staff engineers cannot read user data in the normal course of work. Accessing a user’s data for debugging requires an audited “break-glass” approval recorded in the admin audit log, with a stated purpose and a time-limited access window. You can request a copy of all admin audit log entries relating to your account at any time by emailing the DPO.
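An added example of the model the paragraph above describes, not TenderPulse's own code: every read goes through a repository that binds the company ID as a query parameter, and a staff read is only possible while a purpose-bound, second-person-approved break-glass grant for that specific tenant is active, with every attempt (allowed or denied) written to the audit table a user can later request. Assumptions: SQLite stands in for the RDS Postgres the page names, the two tenants and their personnel rows are constructed, and the caller supplies the clock. In Postgres the database-enforced complement to this application-layer pattern is row-level security policies keyed on a per-connection tenant setting, which this example does not show.

```python
"""Added illustration of the access-control model in the 'Access control'
paragraph: tenant-scoped queries plus an audited, time-limited break-glass
path for staff. Not TenderPulse code. Assumptions: SQLite stands in for the
Postgres database, grants need a second-person approver, and the caller
supplies the clock so tests are deterministic."""
import sqlite3

SCHEMA = """
CREATE TABLE company (id TEXT PRIMARY KEY, trade_name TEXT NOT NULL);
CREATE TABLE key_person (
    id INTEGER PRIMARY KEY,
    company_id TEXT NOT NULL REFERENCES company(id),
    name TEXT NOT NULL,
    designation TEXT NOT NULL
);
CREATE TABLE break_glass (
    id INTEGER PRIMARY KEY, staff_id TEXT NOT NULL, company_id TEXT NOT NULL,
    purpose TEXT NOT NULL, approved_by TEXT NOT NULL,
    granted_at REAL NOT NULL, expires_at REAL NOT NULL
);
CREATE TABLE admin_audit (
    id INTEGER PRIMARY KEY, staff_id TEXT NOT NULL, company_id TEXT NOT NULL,
    action TEXT NOT NULL, grant_id INTEGER, at REAL NOT NULL
);
"""


class TenantRepo:
    """Every query takes company_id and binds it as a parameter; there is no
    method that can read across tenants."""

    def __init__(self, conn):
        self.conn = conn

    def key_personnel(self, company_id):
        rows = self.conn.execute(
            "SELECT name, designation FROM key_person WHERE company_id = ? ORDER BY id",
            (company_id,)).fetchall()
        return [tuple(r) for r in rows]


class StaffAccess:
    """Staff reach tenant data only through an active, purpose-bound grant for
    that tenant; every attempt, allowed or denied, lands in admin_audit."""

    def __init__(self, conn):
        self.conn = conn
        self.repo = TenantRepo(conn)

    def grant(self, staff_id, company_id, purpose, approved_by, now, window_seconds=3600):
        if not purpose.strip():
            raise ValueError("a stated purpose is required")
        if approved_by == staff_id:
            raise ValueError("break-glass cannot be self-approved")
        cur = self.conn.execute(
            "INSERT INTO break_glass (staff_id, company_id, purpose, approved_by, granted_at, expires_at) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (staff_id, company_id, purpose, approved_by, now, now + window_seconds))
        return cur.lastrowid

    def _active_grant(self, staff_id, company_id, now):
        row = self.conn.execute(
            "SELECT id FROM break_glass WHERE staff_id = ? AND company_id = ? "
            "AND granted_at <= ? AND expires_at > ? ORDER BY id DESC LIMIT 1",
            (staff_id, company_id, now, now)).fetchone()
        return None if row is None else row[0]

    def _audit(self, staff_id, company_id, action, grant_id, now):
        self.conn.execute(
            "INSERT INTO admin_audit (staff_id, company_id, action, grant_id, at) VALUES (?, ?, ?, ?, ?)",
            (staff_id, company_id, action, grant_id, now))

    def read_key_personnel(self, staff_id, company_id, now):
        grant_id = self._active_grant(staff_id, company_id, now)
        if grant_id is None:
            self._audit(staff_id, company_id, "read_key_personnel:denied", None, now)
            raise PermissionError("no active break-glass grant for this tenant")
        self._audit(staff_id, company_id, "read_key_personnel", grant_id, now)
        return self.repo.key_personnel(company_id)

    def audit_for_company(self, company_id):
        """What a user receives when they ask the DPO for their audit entries."""
        return self.conn.execute(
            "SELECT staff_id, action, grant_id, at FROM admin_audit WHERE company_id = ? ORDER BY id",
            (company_id,)).fetchall()


def build_demo():
    """In-memory database with two constructed tenants (not real companies)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO company VALUES (?, ?)",
                     [("C100", "Meghna Builders"), ("C200", "Padma Infra")])
    conn.executemany("INSERT INTO key_person (company_id, name, designation) VALUES (?, ?, ?)",
                     [("C100", "A. Rahman", "Authorised signatory"), ("C200", "S. Akter", "Engineer")])
    return conn
```

The two things to check in a real implementation are that the grant is bound to one tenant (a grant for C100 must not open C200, as the example enforces) and that the denied attempts are logged too, since a pattern of denials against one account is itself a signal the user is entitled to see.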
Vulnerability disclosure
If you discover a security vulnerability in TenderPulse systems, please report it to help@tenderpulse.com.bd. We acknowledge within 24 hours and aim to resolve critical vulnerabilities within 72 hours. We do not pursue legal action against good-faith security researchers.
Children's data
TenderPulse is a B2B software tool designed for and sold to professional procurement contractors and their companies. It is not intended for, designed for, or marketed to children. Our minimum account age is 18 years, consistent with the legal capacity to enter a commercial contract under Bangladesh law.
We do not knowingly collect personal data from anyone under 18. Our registration form requires attestation that the user is an authorised representative of a registered business entity — which implies legal adulthood. We do not offer a “under 18” account pathway.
If you become aware that a minor has registered an account on TenderPulse — whether through misrepresentation during registration or any other means — please notify us immediately at help@tenderpulse.com.bd. We will suspend and delete the account within 48 hours of confirmation, and delete all associated data within 30 days, without retaining any tax-law records (since no valid commercial contract existed).
If you are a parent or guardian and believe your child has inadvertently submitted personal data through our platform — for example, if they were added as a “key personnel” contact by a family-run business — you may request deletion of that specific record by emailing the DPO. We will process the request within 30 days at no charge.
Breach response
A “breach” is any confirmed unauthorised access to, disclosure of, alteration of, or destruction of personal data held by TenderPulse. Our breach response protocol has four stages.
Stage 1 — Contain
On detection of a suspected breach, the on-call engineer immediately isolates the affected system, revokes any leaked credentials, and triggers our incident response runbook. Containment takes priority over everything else.
Stage 2 — Notify you
We notify affected users directly by email within 72 hours of confirming a breach (GDPR Art. 33 and 34; Digital Security Act 2018 §29). The notification will include: what data was affected, when the breach occurred, what we know about how it happened, what we have done to contain it, the likely risk to you, and the specific steps you can take to protect yourself (e.g. change your password, watch for phishing). We will not send a vague “we take security seriously” non-disclosure.
Stage 3 — Regulatory notification
Where legally required (once the Bangladesh Data Protection Authority is constituted and operational), we will notify the regulator within 72 hours of confirming a breach involving personal data. We will maintain documentation of all breach events regardless of whether regulatory notification is triggered — this documentation is available to affected users on request.
Stage 4 — Remediate and learn
After containment and notification, we conduct a root-cause analysis and implement preventive controls. We do not repeat the same failure mode twice without documented mitigation.
Disputes
We aim to resolve all privacy complaints internally before any formal dispute process is needed. If you have a concern about how we have handled your data, email help@tenderpulse.com.bd with a description of the issue. We will respond within five business days with either a resolution or a clear explanation of why we cannot action the request.
If internal resolution fails, you may escalate to formal mediation. Both parties select a mutually agreed mediator from a list provided by the Bangladesh International Arbitration Centre (BIAC) within 14 days of the escalation request. Mediation costs are shared equally unless the mediator finds that one party acted in bad faith, in which case costs fall entirely on the bad-faith party. We will not use superior resources to outlast a legitimate privacy dispute.
This policy and any dispute arising under it are governed by the laws of Bangladesh (Contract Act 1872 §28). The courts of Bangladesh have non-exclusive jurisdiction over all disputes that cannot be resolved through mediation.
Nothing in this section restricts your right to file a complaint with the Bangladesh Data Protection Authority (once constituted) or to make a report under the Digital Security Act 2018, independently of any mediation or court proceedings.
Version history
We keep a public version history so you can see exactly what changed and when. “Material change” means any amendment that affects your rights, our obligations, the sub-processor list, or the categories of data we collect. Material changes trigger a version bump, an email to all registered users, an in-app banner, and a re-consent prompt on next login.
Prior versions of this policy are available on request by emailing the DPO. We retain all prior versions for a minimum of five years. If you accepted a prior version and want to know exactly what you agreed to, we can send you the exact render at the time of your consent.
Contact our Data Protection Officer
TenderPulse’s designated Data Protection Officer (DPO) is the first point of contact for all privacy matters — rights requests, concerns about our data handling, consent withdrawals, subject access requests, and general questions about this policy.
Response timelines
All privacy emails receive an automated acknowledgement within 4 hours confirming receipt and the date by which you will receive a substantive response. Substantive responses are delivered within 30 calendar days for complex requests and within 5 business days for straightforward requests (e.g. consent withdrawal, simple data corrections). We will never leave a privacy email unanswered.
What to include in your request
To help us process your request efficiently: include your account email address, a brief description of the data or processing you are concerned about, and what you would like us to do (delete, correct, export, restrict, etc.). You do not need to cite specific legal articles — plain language is fine. If we need additional information to verify your identity or process your request, we will ask once and clearly.
Self-service options
Many rights can be exercised without contacting the DPO at all. From /settings/data you can: export all your data as JSON, delete your account and associated data, view the current consent versions you have accepted, withdraw marketing opt-in, and download your invoice history. We invest in self-service so you are never dependent on us being available to exercise your rights.
See also: Terms of Service · EULA · Cookie Policy · Data Processing Addendum · Trust Center