[email protected]01707 240393
Read our Google reviewsFind us on Trustpilot

Legal

Privacy Policy

How TenderLab Ltd collects, uses and protects your personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).

Last updated: 5 June 2026

Section 01Who we are

TenderLab is a trading name of TenderLab Ltd, a private limited company registered in England and Wales under Companies House number 17184263. Our registered office is 128 City Road, London, EC1V 2NX.

TenderLab Ltd is the data controller for the personal data described in this notice under UK GDPR and the Data Protection Act 2018.

For data protection enquiries email [email protected] or write to Data Protection Lead, TenderLab Ltd, 128 City Road, London, EC1V 2NX.

Section 02Personal data we collect

We collect personal data only when you provide it or when it is necessary to deliver our services.

Contact data. When you submit the consultation form, email us, message us, call us or book a meeting, we collect your name, work email address, phone number, organisation name, job role, sector and the contents of your enquiry.

Engagement data. Once you become a client, we collect company contact details, tender specifications you share with us, draft response content, verified evidence used to populate your submission (CQC ratings, Ofsted ratings, case examples, audit data, training records), commissioner contacts you nominate and correspondence between us.

Financial data. For invoicing we hold billing contact, billing address, VAT number where applicable and bank reference details. We do not store card numbers; payment is processed by your bank or accounts payable team.

Site analytics. Anonymised page views, referring URL, device type, browser and approximate location at regional level. We do not capture personally identifying information through analytics.

Cookies and similar technologies. Strictly necessary cookies to deliver the site, and optional analytics cookies you accept via the consent banner. See Section 09.

Marketing data. If you tick the marketing checkbox on a form or subscribe to our newsletter, we hold your email address, name and the date you opted in.

Section 03Lawful basis under UK GDPR

UK GDPR Article 6 requires a lawful basis for every processing activity. The bases we rely on for each purpose are set out below.

Consent (Article 6(1)(a)). Marketing newsletter sign-up; optional analytics cookies. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

Contract (Article 6(1)(b)). Delivery of the consultancy services set out in your engagement letter, invoicing under that engagement and the steps necessary before entering the contract.

Legitimate interest (Article 6(1)(f)). Responding to a business enquiry you sent us; anonymised site analytics; contacting existing or recent clients about closely related services. We balance our interest against your rights and you can object at any time.

Legal obligation (Article 6(1)(c)). Retaining financial records under HMRC and Companies House rules; responses to lawful regulator or court requests.

Where we collect special category data (rarely; only when included in evidence you share with us for a bid), we rely on Article 9(2)(a) explicit consent and Schedule 1 of the Data Protection Act 2018.

Section 04How we use your data

We use the personal data we hold only for the purposes set out below.

  • Respond to enquiries and schedule the free 30-minute consultation.
  • Deliver tender writing, bid writing, pre-submission review, lost bid debrief, tender readiness audit, bid coaching, pipeline tracking and mobilisation support under your engagement letter.
  • Manage the day-to-day client relationship: scheduling, draft reviews, version control, evidence verification, sign-off and submission.
  • Send service updates relating to your active engagement (deadline reminders, draft review prompts, mobilisation alerts).
  • Send marketing communications where you have given consent. Every marketing email has a one-click unsubscribe link.
  • Invoice you and keep financial records as required by HMRC and the Companies Act 2006.
  • Comply with our legal obligations, including anti-money-laundering checks and responses to lawful regulator or court requests.
  • Improve our website and content through anonymised analytics.

Section 05Who we share data with

We do not sell your data and we do not share it for unrelated marketing. We share it only with the recipients below, each bound by written agreements that meet UK GDPR Article 28.

  • Hosting and CDN: Vercel Inc. (United States, with UK Data Bridge safeguards) and Cloudflare Inc.
  • Email and document storage: Google LLC (Google Workspace).
  • Accounting and bookkeeping: our accountants for statutory reporting under the Companies Act 2006 and HMRC rules.
  • Payment infrastructure: our bank and your bank or accounts payable provider for invoice settlement.
  • Professional advisors: legal, insurance and indemnity advisors on a need-to-know basis.
  • Regulators, law enforcement or courts: where we are legally compelled to disclose.
  • A successor entity: in the event of a merger, acquisition or sale of business, subject to confidentiality safeguards.

Each processor is contractually bound to process your data only on our documented instructions, maintain confidentiality, apply appropriate security measures and assist us with subject rights requests.

Section 06International transfers

Our infrastructure providers may transfer or store data outside the UK, primarily in the European Economic Area and the United States.

Where data leaves the UK we rely on the following safeguards under UK GDPR Chapter V.

  • The UK's adequacy regulations for transfers to the EEA and other approved third countries.
  • The UK-US Data Bridge for transfers to participating US recipients certified under the UK extension to the EU-US Data Privacy Framework.
  • The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum for other recipients.

You can request a copy of the relevant safeguards by emailing the Data Protection Lead.

Section 07Data retention

We retain personal data only as long as we need it.

Consultation enquiries. 24 months from the date of last contact, then deleted, unless you become a client.

Active client files. Duration of the engagement plus 7 years for HMRC, contractual record-keeping and limitation period purposes. Tender drafts are archived at this point, not deleted, in case of re-bids.

Marketing subscriber data. Until you unsubscribe, with an annual review to remove inactive subscribers (no engagement in 24 months).

Financial records. 7 years from the end of the relevant accounting period under the Companies Act 2006 and HMRC rules.

Site analytics. Anonymised aggregates only; retained at most 26 months.

Section 08Your rights

UK GDPR Articles 15 to 22 give you the following rights over your personal data.

  • Right of access (Article 15) - a copy of the data we hold about you.
  • Right to rectification (Article 16) - correction of inaccurate or incomplete data.
  • Right to erasure (Article 17) - "right to be forgotten" where the legal grounds apply.
  • Right to restriction (Article 18) - while we investigate an accuracy or lawfulness concern.
  • Right to data portability (Article 20) - for data you provided under consent or contract, in a structured, machine-readable format.
  • Right to object (Article 21) - to processing based on legitimate interest, including profiling, and an absolute right to object to direct marketing.
  • Rights relating to automated decision-making (Article 22) - we do not make automated decisions that produce legal or similarly significant effects about you.
  • Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email [email protected]. We respond within one calendar month as required by UK GDPR Article 12. Complex or multiple requests may be extended by two further months; if so, we will tell you within the first month.

Section 09Cookies and PECR consent

The Privacy and Electronic Communications Regulations 2003 (PECR) govern cookies and electronic marketing. This site uses two categories of cookie.

Strictly necessary cookies. Required to deliver the page, remember your consent choices and protect against fraud. PECR Regulation 6(4) does not require consent for these.

Optional analytics cookies. Set only when you accept the optional category in the consent banner. We use privacy-respecting analytics that aggregate visitor behaviour. You can decline at any time, change your mind via the banner or block cookies in your browser settings.

We do not use third-party advertising cookies, behavioural advertising cookies or cross-site tracking pixels.

Marketing emails are sent only with prior consent (PECR Regulation 22) or to existing customers about closely related services with a one-click unsubscribe (the "soft opt-in").

Section 10Children's data

Our services are sold to businesses operating in UK health and social care. The site and our forms are not directed at children and we do not knowingly collect personal data from anyone under 18. If you believe we hold data about a child, contact us and we will delete it without delay.

Section 11Security measures

We apply technical and organisational measures appropriate to the risk under UK GDPR Article 32.

  • Encrypted in transit (TLS 1.2 or higher) and at rest across our hosting and document storage.
  • Multi-factor authentication on all staff accounts and on infrastructure consoles.
  • Role-based access controls on shared drives and case files.
  • Confidentiality clauses in every employment, contractor and processor agreement.
  • Documented incident response procedure including notification to the ICO within 72 hours of becoming aware of a notifiable personal data breach (UK GDPR Article 33).
  • Annual review of access rights, retention and processor due diligence.

Section 12Changes to this notice

We review this notice at least annually and update it when our processing changes. The "Last updated" date at the top of the page records the most recent change. Material changes are communicated by email to active clients and by a banner on the site.

Section 13Complaints and the ICO

If you are unhappy with how we have handled your personal data, contact the Data Protection Lead first so we can put it right.

You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority for data protection.

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone 0303 123 1113. Online ico.org.uk/make-a-complaint.

Section 14Contact the Data Protection Lead

Email [email protected] or write to Data Protection Lead, TenderLab Ltd, 128 City Road, London, EC1V 2NX.

TenderLab Ltd. Companies House 17184263. Registered office: 128 City Road, London, EC1V 2NX. See also our Terms of Service and Contact page.