Privacy Policy
This Privacy Policy explains how ProcureLens UK Limited ("ProcureLens", "we", "us") collects, uses, shares and protects personal data when you use the ProcureLens UK platform, our website and related services (the "Service"). It is written to comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
1. Who is the data controller?
For personal data we collect about visitors to our website and individual account holders, ProcureLens UK Limited is the data controller. For personal data uploaded by a buyer organisation into their workspace (e.g., colleague contact details, supplier contacts, evaluation comments), the buyer organisation is the controller and ProcureLens acts as the data processor. Our processing obligations are governed by the Data Processing Addendum.
Contact: privacy@procurelens.co.uk. Postal address: ProcureLens UK Limited, London, United Kingdom.
2. Personal data we collect
2.1 Account data
Name, work email, organisation, role, hashed password (when not using single sign-on), authentication metadata.
2.2 Workspace data
Content you upload or create inside the platform: supplier shortlists, scoring inputs, comments, attachments, engagement records, weighting configurations. This may contain personal data about your colleagues or about supplier contacts.
2.3 Usage and device data
IP address, user-agent, pages visited, timestamps, error logs. Used to operate, secure and improve the Service.
2.4 Public-source data
Information about UK supplier organisations drawn from Companies House and other public registers. Where this incidentally includes personal data of directors, our lawful basis is legitimate interest (operating a procurement intelligence service).
2.5 We do not collect
Special category data, payment card numbers (handled by our PCI-DSS-compliant payment processor, not by us), or biometric data.
3. Lawful bases
We rely on the following lawful bases under UK GDPR Article 6:
- Contract (Art. 6(1)(b)) — to deliver the Service you or your organisation has signed up for.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud, improve the product and operate a procurement intelligence platform on public-source data. A balancing test is documented for each activity.
- Legal obligation (Art. 6(1)(c)) — to comply with UK tax, accounting and law-enforcement obligations.
- Consent (Art. 6(1)(a)) — for non-essential cookies and optional marketing communications. You can withdraw consent at any time.
4. How we use personal data
To operate the Service; authenticate users; secure accounts; bill the buyer organisation; provide customer support; improve and develop new features; communicate service updates; and comply with law.
We do not sell personal data. We do not use personal data for cross-site advertising. We do not train third-party generative AI models on customer workspace content.
5. Sharing and sub-processors
We use a small set of vetted sub-processors to deliver the Service: cloud hosting and database (UK / EEA region), authentication infrastructure, transactional email and payment processing. A current list of sub-processors, their location and purpose is maintained in the Data Processing Addendum and updated when changes occur.
We may disclose personal data to law enforcement where legally compelled. We will challenge overbroad requests and, where permitted, notify the affected customer.
6. International transfers
Customer workspace data is stored in the UK and/or EEA. Where a sub-processor necessarily transfers data outside the UK / EEA, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision, with supplementary measures where required.
7. Retention
Account data: for the life of the account plus 30 days after closure (to allow restore on accidental cancellation). Workspace data: under the buyer organisation's instruction; deleted within 30 days of contract termination unless legally required otherwise. Usage logs: 12 months. Billing records: 7 years (UK tax law).
8. Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent where processing is based on consent. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk). Email privacy@procurelens.co.uk to exercise any right. We respond within one month.
9. Security
Encryption in transit (TLS 1.2+) and at rest; role-based access controls; principle of least privilege internally; audited admin access; secrets segregated from application code; vulnerability monitoring; incident response runbook with regulator-notification targets aligned to the 72-hour UK GDPR breach window.
10. Children
The Service is a B2B procurement platform and is not directed at individuals under 18. We do not knowingly collect personal data about children.
11. Changes
We will post material changes to this policy on this page and, where appropriate, notify account holders by email. Continued use of the Service after the effective date constitutes acceptance.