Scope of GDPR application
Applicability of the GDPR
TenderPulse is a Bangladesh-incorporated business serving Bangladesh contractors. The GDPR applies to us where we process personal data of individuals in the EEA (e.g. an EU-resident director of a Bangladesh-registered firm we serve) or offer services to people in the EEA (GDPR Art. 3(2)).
Even where the GDPR does not formally apply, we treat its standards as our baseline. Our Privacy Policy is GDPR-aligned by design. This page documents the specific Article-level compliance posture for organisations that need to verify it before contracting.
Lawful basis (Art. 6)
Legal basis
We rely on four lawful bases under GDPR Art. 6:
- Contract performance — Art. 6(1)(b) — for account creation, billing, product delivery, and customer support. Customers cannot use the product without us processing this data.
- Legal obligation — Art. 6(1)(c) — for tax records (NBR 7-year retention), AML/sanctions screening, and government request handling under Bangladesh law (DSA 2018, ICT Act 2006).
- Consent — Art. 6(1)(a) — for marketing emails, GA4 analytics, and any future feature where consent is the primary basis. Consent is captured via our onboarding consent gate and is fully withdrawable.
- Legitimate interest — Art. 6(1)(f) — for security monitoring (login anomaly detection, fraud prevention), product analytics needed for capacity planning, and internal audit. We have completed legitimate-interest assessments documenting the necessity and proportionality balance for each use.
Data subject rights (Art. 15-22)
The full enumeration of data subject rights, with mechanism for each, is in our Privacy Policy §4. The summary mapping:
- Art. 15 — Right of access: machine-readable data export from billing settings; full audit log entries on request to the DPO
- Art. 16 — Right to rectification: inline edit in account settings; DPO-handled for fields you cannot self-edit (e.g. corrected legal name on invoices)
- Art. 17 — Right to erasure: account deletion from billing settings triggers a 30-day grace window followed by full deletion; legal-obligation retention (tax, AML) is exempted as permitted by Art. 17(3)(b)/(e)
- Art. 18 — Right to restriction: account settings “suspend processing” toggle pauses non-essential processing while preserving the data
- Art. 20 — Right to portability: structured, machine-readable export covering account, profile, tender history, AI drafts, audit log
- Art. 21 — Right to object: marketing opt-out in one click; legitimate-interest objections handled by the DPO with a reasoned response within 30 days
- Art. 22 — Automated decision making: we do not make legal-effect decisions on automated processing alone (eligibility scores are advisory, not binding)
Response time for any rights request: 30 calendar days, with a one-time 60-day extension available for complex requests under Art. 12(3) (GDPR Art. 12). No fees are charged for any rights request, ever, regardless of frequency.
International transfers (Chapter V)
International transfers
Where personal data is transferred from the EEA to TenderPulse systems in Bangladesh / our hosting region, we rely on the European Commission’s Standard Contractual Clauses (SCCs) Module 2 (controller-to-processor), executed bilaterally between the customer (as controller) and TenderPulse (as processor) (GDPR Art. 46).
Where personal data is transferred from the UK, we use the UK International Data Transfer Addendum (IDTA) to extend the SCCs to UK-originating data. For onward transfers from TenderPulse to its sub-processors outside the EEA (Anthropic for inference, Twilio for SMS, etc.), we have flow-down SCCs in our sub-processor contracts.
Transfer Impact Assessment (TIA): under GDPR Schrems II jurisprudence we maintain a TIA documenting the specific risks of each transfer route and the supplementary measures we have put in place (encryption, access controls, transparency-report-driven challenge of government access requests). Enterprise customers can request the TIA under NDA.
Processor obligations (Art. 28)
Our responsibilities as a processor
For B2B customers handling personal data through TenderPulse (e.g. supplier contact details processed during bid evaluation), we are a processor and the customer is the controller. Our Data Processing Addendum covers the full Art. 28 obligation set (GDPR Art. 28(3)):
- Processing only on documented controller instructions, with an obligation to inform the controller if those instructions infringe applicable law
- Confidentiality commitments from all processing personnel
- Security measures meeting Art. 32 — documented in our Security & Infrastructure page
- Sub-processor authorisation (general, with 14-day notice and right to object) — see /trust/sub-processors
- Assistance with data subject rights requests
- Breach notification to controllers within 24 hours of awareness
- DPIA assistance and sub-processor audit cooperation
- End-of-contract data return or deletion
DPO and EU representative
DPO and EU representative
Our designated Data Protection Officer is reachable at help@tenderpulse.com.bd. The DPO is empowered to receive rights requests, breach reports, and supervisory-authority correspondence; the DPO reports independently to the founders, and their decisions on compliance matters cannot be overridden by commercial considerations (GDPR Art. 37).
Under Art. 27 GDPR, controllers and processors offering goods or services to EEA data subjects in a way that triggers Art. 3(2) are required to designate an EU representative. Our current customer base is overwhelmingly Bangladesh-resident, and we do not currently meet the threshold criteria for mandatory designation. Where this changes — for example, if we take on EEA-resident enterprise customers at material scale — we will appoint an EU representative and publish their contact details on this page within 30 days.
Cooperation with audits and DPIAs
Audits and DPIAs
For B2B controllers conducting their own DPIAs covering TenderPulse as a sub-processor, we provide on request: our security overview document, our SOC-aligned controls description, our pen test summary report (redacted), our sub-processor register, our breach notification SLA, and our transfer-impact assessment (GDPR Art. 35).
We will execute customer-issued DPAs that meet the Art. 28 requirements without unreasonable delay. Our default DPA at /dpa is GDPR-compliant and may be used as-is for most B2B engagements.