Privacy Policy
Last updated: April 2026
ICO Registration: ZC123196
1. Who we are
PSIP is operated by BN Solutions ("we", "us", "our"), registered in Scotland (SC318654). We operate psip.co.uk, a UK public sector tender intelligence platform.
We are the data controller for personal information collected through psip.co.uk. We are registered with the Information Commissioner's Office (ICO).
Contact us about data protection matters: psip.co.uk/contact
2. What personal data we collect
Account data
Name, email address, company name, billing country. Collected when you register or update your profile.
Business profile data
Business description, sectors, and keywords you provide. Used to configure tender alerts and AI relevance scoring.
Payment data
Billing information is collected and processed directly by Stripe. We store only a Stripe customer reference — we never see or store card numbers, CVVs, or bank account details.
Usage and technical data
Pages visited, searches performed, features used, IP address, browser type, and error logs. Used to operate and improve the service.
Communication data
Alert preferences, email open and click data (via Resend), and any feedback or support messages you send us.
Integration credentials
Slack and Microsoft Teams webhook URLs if you configure notification integrations. Stored encrypted in Supabase Vault.
3. How we use your data and our lawful basis
| Activity | Lawful basis | Detail |
|---|---|---|
| Providing the PSIP service (account, search, alerts) | Contract | Necessary to perform the service you signed up for |
| Processing subscription payments via Stripe | Contract | Necessary to fulfil your subscription |
| Sending tender alert emails you have configured | Contract | Core service delivery |
| AI relevance scoring using your business profile | Contract | Your profile is sent to the Anthropic API to generate scores — see section 5 |
| Improving platform features and fixing bugs | Legitimate interests | We have a legitimate interest in improving the service for all users |
| Error monitoring and performance logging via Sentry | Legitimate interests | Necessary to detect and fix technical problems |
| Sending onboarding and service update emails | Contract / Legitimate interests | Service emails during trial and subscription |
| Sending marketing communications | Consent | Only where you have opted in — you can unsubscribe at any time |
| Retaining financial records | Legal obligation | UK tax law requires retention of financial records for 6 years |
| Responding to data subject requests | Legal obligation | UK GDPR requires us to respond to access, deletion and other rights requests |
4. Data processors and third-party services
We use the following third-party services to operate PSIP. Each is a data processor acting on our instructions. We have reviewed each service's data processing terms and, where required, have data processing agreements in place.
Supabase
Database, authentication, and encrypted secret storage
Vercel
Website hosting and serverless functions
Stripe
Payment processing and subscription management
Resend
Transactional and alert email delivery
Ahrefs Analytics
Website analytics — pages visited, traffic sources, usage patterns on psip.co.uk
Anthropic
AI relevance scoring — your business description and tender titles are sent to the Anthropic API to generate relevance scores
Sentry
Error monitoring and performance tracking. Technical error data including stack traces and request context may be captured.
Companies House API
Supplier company enrichment — we query the Companies House public API to identify supplier organisations named in contract award notices
We do not sell your personal data to any third party. We do not permit any processor to use your data for their own purposes.
5. Public sector tender data
PSIP aggregates tender and contract data from UK government procurement portals. This data is published under the Open Government Licence v3.0 and is not personal data in the ordinary sense — it relates to contracting authorities and procurement activities rather than private individuals.
Where contract award notices include supplier names (which may be sole traders or partnerships where the name identifies an individual), we process this data under legitimate interests to provide our market intelligence service, consistent with the original publication purpose.
6. Data retention
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of account, plus 30 days after deletion request |
| Saved searches and alert settings | Duration of account, plus 30 days after deletion request |
| Financial and billing records | 6 years from end of financial year (legal obligation) |
| Email delivery logs | 90 days |
| Error and performance logs (Sentry) | 30 days (free tier retention) |
| API request logs | 90 days |
| Trial feedback and churn data | 2 years (aggregate analysis only after 6 months) |
| Support correspondence | 2 years from last contact |
7. Your rights under UK GDPR
You have the following rights regarding your personal data:
How to exercise your rights
Email us via psip.co.uk/contact. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are unhappy with how we handle your request, you have the right to complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint
8. Cookies
We use the following cookies on psip.co.uk:
Essential cookies
Authentication session cookies (set by Supabase Auth). Required for you to log in and use the service. Cannot be disabled.
Analytics cookies
We use Ahrefs Analytics to understand how visitors use psip.co.uk. This is a privacy-focused analytics tool operated by Ahrefs Pte. Ltd. It may set cookies or use similar tracking technologies. Data collected includes pages visited, referral sources, and general usage patterns. No personally identifiable information is shared with Ahrefs. You can opt out via your browser's cookie controls. See Ahrefs' privacy policy.
9. Security
We implement appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted using TLS 1.2 or above
- Database data is encrypted at rest
- Passwords are hashed and never stored in plain text
- Integration credentials (Slack, Teams webhooks) are stored in encrypted Vault storage
- Row-level security enforces data isolation between user accounts
- Production access is restricted to authorised personnel only
- Error monitoring is in place to detect and respond to security incidents
10. International transfers
Some of our processors operate outside the UK. Where personal data is transferred outside the UK, we ensure an appropriate transfer mechanism is in place:
- Adequacy decisions — transfers to countries the UK has deemed adequate (EU/EEA member states)
- EU-US Data Privacy Framework — for US processors certified under this framework (Stripe, Vercel)
- Standard Contractual Clauses (SCCs) — UK-approved SCCs for transfers to Anthropic, Resend, and Sentry
11. Children
PSIP is a business-to-business service. We do not knowingly collect data from or market to individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this privacy policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.
Questions or requests?
Contact us via psip.co.uk/contact. For data subject requests, please include "Data Request" in your subject line and we will respond within 30 days.