Tenurion

Privacy Policy

Last updated: January 2026

1. Introduction

Tenurion ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our tenders intelligence and bid operations platform (the "Service").

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

2. Data Controller

Data Controller: Tenurion
Contact Email: privacy@tenurion.com
Address: Qatar

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at the email address above.

3. Personal Data We Collect

3.1 Authentication Data

  • Email address
  • Password (hashed and encrypted)
  • OAuth provider tokens (Google, LinkedIn) - when using social login

3.2 Profile Information

  • Full name
  • Phone number (optional)
  • Avatar/profile picture URL
  • User intentions and interests (collected during onboarding)

3.3 Company and Role Data

  • Company name
  • Your role in the company
  • Company membership and permissions

3.4 Request Access Form Data

  • Name
  • Email address
  • Company name
  • Role in tender submissions
  • Country
  • Bidding challenges description

3.5 Newsletter Subscriptions

  • Email address
  • Consent timestamp and version

3.6 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Usage data and analytics
  • Session tokens and cookies

4. Purpose and Legal Basis for Processing

Purpose Legal Basis
User authentication and account management Contract performance (Article 6(1)(b) GDPR)
Providing the Service and platform functionality Contract performance (Article 6(1)(b) GDPR)
Processing access requests and lead generation Legitimate interests (Article 6(1)(f) GDPR)
Newsletter and marketing communications Consent (Article 6(1)(a) GDPR)
Security, fraud prevention, and compliance Legitimate interests (Article 6(1)(f) GDPR)
Analytics and service improvement Legitimate interests (Article 6(1)(f) GDPR)

5. Recipients of Personal Data

We may share your personal data with the following categories of recipients:

5.1 Service Providers (Data Processors)

  • Supabase - Authentication and database services (EU region)
  • Oracle Cloud Infrastructure - Database hosting (GCC region for data residency)
  • Netlify - Hosting and CDN services
  • Email service providers - For transactional and marketing emails

All service providers are bound by Data Processing Agreements (DPAs) and process data only as instructed by us.

5.2 OAuth Providers

When you use Google or LinkedIn OAuth, these providers receive authentication requests and may process your data according to their privacy policies.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA):

  • GCC Region (Qatar, Saudi Arabia, UAE): Oracle Cloud Infrastructure maintains data residency within GCC countries for compliance with local regulations.
  • EU Region: Supabase services are hosted in EU regions.
  • United States: Some service providers (e.g., Netlify) may process data in the US.

We ensure appropriate safeguards are in place for international transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all processors
  • Verification of processor compliance with GDPR

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • User accounts: Until account deletion is requested or account is inactive for 3 years
  • Session tokens: 7-30 days (depending on "Remember Me" setting)
  • Audit logs: 2 years
  • Newsletter subscriptions: Until unsubscribe request
  • Access request forms: 2 years
  • Legal obligations: As required by applicable law (e.g., tax records)

After the retention period, data is securely deleted or anonymized. You can request deletion at any time through your account settings or by contacting us.

8. Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

8.1 Right of Access (Article 15)

You can request a copy of all personal data we hold about you. Use the "Export Data" feature in your account settings or contact us at privacy@tenurion.com.

8.2 Right to Rectification (Article 16)

You can update your profile information at any time through your account settings. If you need assistance, contact us.

8.3 Right to Erasure (Article 17)

You can request deletion of your account and all associated data. Use the "Delete Account" feature in settings or contact us. Note: Some data may be retained for legal compliance (e.g., audit logs may be anonymized rather than deleted).

8.4 Right to Data Portability (Article 20)

You can receive your data in a structured, machine-readable format (JSON). Use the "Export Data" feature in your account settings.

8.5 Right to Object (Article 21)

You can object to processing based on legitimate interests. Contact us to exercise this right.

8.6 Right to Restrict Processing (Article 18)

You can request that we limit how we process your data in certain circumstances. Contact us to discuss.

8.7 Right to Withdraw Consent (Article 7)

If processing is based on consent, you can withdraw consent at any time. For newsletters, use the unsubscribe link in emails or update preferences in settings.

8.8 Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have violated your rights. For EU users, find your authority at edpb.europa.eu.

9. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or significantly affects you. Any analytics or personalization is based on aggregated, anonymized data and does not result in automated decisions.

10. Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest (database level)
  • Secure password hashing (bcrypt via Supabase)
  • HTTP-only, secure cookies with strict SameSite policies
  • CSRF protection on all forms
  • Rate limiting and brute force protection
  • Regular security audits and updates
  • Access controls and principle of least privilege

11. Cookies

We use cookies and similar technologies to provide and improve our Service. For detailed information about cookies we use, please see our Cookie Policy.

12. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (if you have an account) or by posting a notice on our website. The "Last updated" date at the top indicates when changes were made.

14. Contact Us

If you have questions, concerns, or wish to exercise your data protection rights, please contact us:

Email: privacy@tenurion.com
Subject Line: "GDPR Data Request" or "Privacy Inquiry"

We will respond to your request within 30 days as required by GDPR.