Privacy Policy
Last updated: June 2026
ICO Registration: ZC123196
1. Who we are
PSIP is operated by BN Solutions ("we", "us", "our"), registered in Scotland (SC318654). We operate psip.co.uk, a UK public sector tender intelligence platform.
We are the data controller for personal information collected through psip.co.uk. We are registered with the Information Commissioner's Office (ICO).
Contact us about data protection matters: psip.co.uk/contact
2. What personal data we collect
Account data
Name, email address, company name, billing country. Collected when you register or update your profile.
Business profile data
Business description, sectors, and keywords you provide. Used to configure tender alerts and AI relevance scoring.
Payment data
Billing information is collected and processed directly by Stripe. We store only a Stripe customer reference — we never see or store card numbers, CVVs, or bank account details.
Usage and technical data
Pages visited, searches performed, features used, IP address, browser type, and error logs. Used to operate and improve the service.
Communication data
Alert preferences, email open and click data (via Resend), and any feedback or support messages you send us.
Integration credentials
Slack and Microsoft Teams webhook URLs if you configure notification integrations. Stored encrypted in Supabase Vault.
3. How we use your data and our lawful basis
| Activity | Lawful basis | Detail |
|---|---|---|
| Providing the PSIP service (account, search, alerts) | Contract | Necessary to perform the service you signed up for |
| Processing subscription payments via Stripe | Contract | Necessary to fulfil your subscription |
| Sending tender alert emails you have configured | Contract | Core service delivery |
| AI relevance scoring using your business profile | Contract | Your profile is sent to Anthropic API to generate scores — see section 5 |
| AI Procurement Analyst (answering your questions over public tender data) | Contract | Your question is sent to OpenAI (search) and Anthropic (answer) — see section 5a |
| Improving platform features and fixing bugs | Legitimate interests | We have a legitimate interest in improving the service for all users |
| Error monitoring and performance logging via Sentry | Legitimate interests | Necessary to detect and fix technical problems |
| Sending onboarding and service update emails | Contract / Legitimate interests | Service emails during trial and subscription |
| Sending marketing communications | Consent | Only where you have opted in — you can unsubscribe at any time |
| Retaining financial records | Legal obligation | UK tax law requires retention of financial records for 6 years |
| Responding to data subject requests | Legal obligation | UK GDPR requires us to respond to access, deletion and other rights requests |
4. Data processors and third-party services
We use the following third-party services to operate PSIP. Each is a data processor acting on our instructions. We have reviewed each service's data processing terms and, where required, have data processing agreements in place.
Supabase
Privacy policy ↗Database, authentication, and encrypted secret storage
Vercel
Privacy policy ↗Website hosting and serverless functions
Stripe
Privacy policy ↗Payment processing and subscription management
Resend
Privacy policy ↗Transactional and alert email delivery
Ahrefs Analytics
Privacy policy ↗Website analytics — pages visited, traffic sources, usage patterns on psip.co.uk
OpenAI
Privacy policy ↗AI Procurement Analyst — when you use the analyst, the question text you enter is sent to the OpenAI API to convert it into a search vector for retrieving relevant tenders
Anthropic
Privacy policy ↗AI relevance scoring (your business description and tender titles) and the AI Procurement Analyst (your analyst question, recent conversation history and retrieved public tender context) are sent to the Anthropic API to generate scores and answers
Sentry
Privacy policy ↗Error monitoring and performance tracking. Technical error data including stack traces and request context may be captured.
Companies House API
Privacy policy ↗Supplier company enrichment — we query the Companies House public API to identify supplier organisations named in contract award notices
We do not sell your personal data to any third party. We do not permit any processor to use your data for their own purposes.
5. Public sector tender data
PSIP aggregates tender and contract data from UK government procurement portals. This data is published under the Open Government Licence v3.0 and is not personal data in the ordinary sense — it relates to contracting authorities and procurement activities rather than private individuals.
Where contract award notices include supplier names (which may be sole traders or partnerships where the name identifies an individual), we process this data under legitimate interests to provide our market intelligence service, consistent with the original publication purpose.
5a. AI Procurement Analyst
If you use our AI Procurement Analyst, we process the questions you type, the answers generated, and usage metadata (such as the number of requests and the AI model used). We use this to provide the feature, maintain your conversation history so you can continue your work, and prevent abuse. Our lawful basis is performance of our contract with you.
The analyst answers using only published public tender data and cites the notices it relies on. It is an information tool — it does not make any decision that produces legal or similarly significant effects about you. Answers are AI-generated and may be incomplete or inaccurate; you should verify before relying on them.
To deliver this feature your question is sent to OpenAI (to convert it into a search vector) and Anthropic (to generate the answer), under the safeguards described in sections 4 and 10. These providers are contractually prohibited from using your data to train their models.
Please do not enter personal data about other people, or confidential third-party information, into the analyst.
6. Data retention
| Data type | Retention period |
|---|---|
| Account and profile data | Duration of account, plus 30 days after deletion request |
| Saved searches and alert settings | Duration of account, plus 30 days after deletion request |
| Financial and billing records | 6 years from end of financial year (legal obligation) |
| Email delivery logs | 90 days |
| Error and performance logs (Sentry) | 30 days (free tier retention) |
| API request logs | 90 days |
| AI Analyst conversations (questions and answers) | Up to 12 months from last activity, then automatically deleted |
| AI usage records (request counts, no question content) | 12 months from the request, then automatically deleted |
| Trial feedback and churn data | 2 years (aggregate analysis only after 6 months) |
| Support correspondence | 2 years from last contact |
7. Your rights under UK GDPR
You have the following rights regarding your personal data:
How to exercise your rights
Email us via psip.co.uk/contact. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are unhappy with how we handle your request, you have the right to complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint
8. Cookies
We use the following cookies on psip.co.uk:
Essential cookies
Authentication session cookies (set by Supabase Auth). Required for you to log in and use the service. Cannot be disabled.
Analytics cookies
We use Ahrefs Analytics to understand how visitors use psip.co.uk. This is a privacy-focused analytics tool operated by Ahrefs Pte. Ltd. It may set cookies or use similar tracking technologies. Data collected includes pages visited, referral sources, and general usage patterns. No personally identifiable information is shared with Ahrefs. You can opt out via your browser's cookie controls. See Ahrefs' privacy policy ↗.
9. Security
We implement appropriate technical and organisational measures to protect your data:
- ✓All data in transit is encrypted using TLS 1.2 or above
- ✓Database data is encrypted at rest
- ✓Passwords are hashed and never stored in plain text
- ✓Integration credentials (Slack, Teams webhooks) are stored in encrypted Vault storage
- ✓Row-level security enforces data isolation between user accounts
- ✓Production access is restricted to authorised personnel only
- ✓Error monitoring is in place to detect and respond to security incidents
10. International transfers
Some of our processors operate outside the UK. Where personal data is transferred outside the UK, we ensure an appropriate transfer mechanism is in place:
- →Adequacy decisions — transfers to countries the UK has deemed adequate (EU/EEA member states)
- →EU-US Data Privacy Framework — for US processors certified under this framework (Stripe, Vercel)
- →Standard Contractual Clauses (SCCs) — UK-approved SCCs for transfers to Anthropic, Resend, and Sentry
11. Children
PSIP is a business-to-business service. We do not knowingly collect data from or market to individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this privacy policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.
Questions or requests?
Contact us via psip.co.uk/contact. For data subject requests, please include "Data Request" in your subject line and we will respond within 30 days.