Privacy Policy

Last updated: June 2026

HealthProcure Intel ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform, API, and associated services. We process personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Table of Contents

  1. What Data We Collect
  2. How We Use Your Data
  3. Data We Aggregate
  4. Third-Party Services
  5. Data Retention
  6. Your Rights Under GDPR
  7. Cookies
  8. Data Security
  9. International Transfers
  10. Children's Privacy
  11. Changes to This Policy
  12. Contact

1.What Data We Collect

We collect the following categories of personal data:

1.1 Account Information

  • Name — your full name as provided during registration.
  • Email address — used for account identification, authentication, and communication.
  • Organisation name — if provided, for business account association.

1.2 Payment Information

  • Payment card details and billing address are processed exclusively by our payment processor, Stripe, Inc. We do not store full card numbers, CVVs, or complete billing details on our servers.
  • We retain a Stripe customer identifier, subscription status, and plan tier for billing management.

1.3 API Usage Data

  • API request logs — timestamps, endpoints accessed, response codes, and request counts for rate limiting and analytics.
  • IP addresses — collected for security monitoring and abuse prevention.
  • API key identifiers — the hpi_ prefixed key hash (not the full key) associated with each request.

1.4 Technical Data

  • Browser type and version, operating system, and device information when accessing the dashboard.
  • Referral source and page interaction data.

2.How We Use Your Data

We process your personal data on the following lawful bases and for the following purposes:

Purpose Lawful Basis
Providing and maintaining the Service Performance of contract
Processing subscription payments via Stripe Performance of contract
Enforcing API rate limits and preventing abuse Legitimate interest
Usage analytics and platform improvements Legitimate interest
Service-related communications and updates Legitimate interest
Compliance with legal obligations Legal obligation

We will never sell your personal data to third parties. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

3.Data We Aggregate

The core function of HealthProcure Intel is to aggregate, normalise, and provide structured access to publicly available healthcare procurement data from government and institutional sources including TED Europa, SAM.gov, WHO, and NHS Supply Chain.

This procurement data consists of publicly published tender notices, contract awards, supplier information, and pricing data. This data does not constitute personal data within the meaning of GDPR, as it relates to institutional and governmental procurement activities, not identified or identifiable natural persons.

In the rare event that a public procurement record contains the name of an individual (e.g., a contracting officer), such data is already in the public domain and is processed on the basis of legitimate interest in providing procurement intelligence services.

4.Third-Party Services

We rely on the following third-party service providers to operate the platform. Each provider has been evaluated for GDPR compliance:

Supabase (Database and Authentication)

Supabase hosts our PostgreSQL database and manages authentication. Account data and API usage logs are stored within Supabase's infrastructure. Supabase complies with SOC 2 Type II and processes data in accordance with their Data Processing Agreement.

Stripe, Inc. (Payment Processing)

Stripe processes all subscription payments and stores payment card details. Stripe is PCI DSS Level 1 certified. We do not have direct access to your full card details. See Stripe's Privacy Policy.

Railway (Application Hosting)

Railway hosts our API server and dashboard. Server logs may include IP addresses and request metadata. Railway's infrastructure operates with encryption in transit and at rest.

5.Data Retention

We retain your personal data according to the following schedule:

  • Account data (name, email, organisation) — retained for the duration of your active account.
  • API usage logs — retained for 12 months from the date of the request for analytics and abuse detection.
  • Payment records — retained as required by applicable financial regulations (typically 7 years for tax purposes).
  • Post-termination — upon account termination or cancellation, your account data (excluding legally required records) will be permanently deleted within 90 days.

You may request earlier deletion of your data by exercising your rights under Section 6 below.

6.Your Rights Under GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this within 30 days of a verified request.

Right to Rectification

You have the right to request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure

You have the right to request deletion of your personal data, subject to any overriding legal obligations (e.g., financial record-keeping).

Right to Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller.

Right to Object

You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.

Right to Restrict

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data.

To exercise any of these rights, please contact us at privacy@healthprocureintel.com. We will respond within 30 days. If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7.Cookies

We use a minimal cookie policy. Our platform uses only strictly necessary session cookies to maintain your authenticated state when using the dashboard.

  • Session cookies — temporary cookies that expire when you close your browser. Used to maintain your login session.
  • We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
  • We do not use cookies to track your behaviour across other websites.

Because we use only strictly necessary cookies, consent is not required under the Privacy and Electronic Communications Regulations (PECR). However, you may disable cookies in your browser settings, which may affect dashboard functionality.

8.Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • Encryption in transit — all data transmitted between your client and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest — database storage is encrypted at rest via Supabase's managed infrastructure.
  • Row-Level Security (RLS) — Supabase PostgreSQL policies enforce data isolation, ensuring users can only access their own account data.
  • API key hashing — API keys are stored as cryptographic hashes; full keys are never stored in plaintext after initial generation.
  • Access controls — internal access to production data is restricted to authorised personnel on a need-to-know basis.
  • Structured logging — all system events are logged in structured JSON format with personally identifiable information redacted.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify affected users and the ICO within 72 hours of becoming aware of a qualifying data breach in accordance with GDPR requirements.

9.International Transfers

Some of our third-party service providers (Stripe and Supabase) are headquartered in the United States. When personal data is transferred outside the United Kingdom, we ensure adequate protection through one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the ICO.
  • The provider's binding corporate rules or equivalent mechanisms.
  • The provider's participation in recognised data protection frameworks.

You may request details of the specific safeguards applied to international transfers by contacting us at privacy@healthprocureintel.com.

10.Children's Privacy

The Service is a business-to-business platform designed for professional use. We do not knowingly collect personal data from individuals under the age of 18.

If we become aware that we have collected personal data from a person under the age of 18, we will take immediate steps to delete that data. If you believe that a child under 18 has provided us with personal data, please contact us at privacy@healthprocureintel.com.

11.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Send an email notification to the address associated with your account at least 30 days before the changes take effect.
  • Where required by law, seek your consent to material changes in how we process your data.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

12.Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact our Data Protection team:

HealthProcure Intel — Data Protection

Email: privacy@healthprocureintel.com

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling their helpline at 0303 123 1113.