Privacy Notice
This notice tells you what personal information Tenderset collects, why we collect it, who we share it with, how long we keep it, and what rights you have under the Protection of Personal Information Act 4 of 2013 (POPIA).
Who we are
Tenderset is a tender-preparation consultancy operating in South Africa, based in KwaZulu-Natal. We prepare bid packs, compliance memos, and submission documents for South African SMEs bidding on public-sector tenders.
We are the responsible party under POPIA for personal information collected through this website and through our engagement process.
What personal information we collect
We collect only what we need to deliver the service. Depending on the engagement tier, this can include:
- Contact details — name, email address, phone number, business address.
- Business documents — company registration (CIPC), BBBEE certificate, CIDB grading certificate, tax clearance certificate, banking confirmation.
- Financial documents — annual financial statements (AFS), pricing schedules, bank statements where required by the RFP.
- Identity documents — director/owner ID copies as required for FICA compliance and SBD form completion.
- RFP content — tender documents, specifications, and any supporting material you share with us during the engagement.
We do not collect health information, criminal records, or religious / political affiliation. We do not run advertising campaigns and have no interest in profiling your behaviour as a visitor.
Why we collect it
We process your personal information for three purposes:
- Service delivery — preparing your tender documents, compliance memos, pricing schedules, and submission packs per the Statement of Work you sign.
- Regulatory compliance — FICA onboarding (source-of-funds verification), SARS requirements, and any disclosure obligations required by the specific RFP.
- Engagement administration — invoicing, scheduling, communication, and conflict-of-interest checks before accepting a new engagement.
The legal basis for processing
Under POPIA, every processing activity must have a lawful ground. Ours are:
- Performance of contract — most processing is necessary to deliver the service you engaged us to provide.
- Legitimate interest — conflict-of-interest checks and engagement administration, where those interests don't override your rights.
- Legal obligation — FICA onboarding and any document-retention requirements imposed by law.
- Consent — for any processing not covered above, we ask for your written consent in the Data Processing Addendum attached to the Statement of Work.
Who we share your information with
We use a small number of third-party processors to operate the service. Each one is necessary. We do not sell your data. We do not share it between clients.
- Anthropic — AI-assisted document processing (bid content only; no personal identity data). Anthropic does not use customer data submitted via the API to train its models. We document this assurance in writing in the DPA.
- Microsoft 365 — file storage, email, and document collaboration. Your client folder is restricted-access, not shared with other clients.
- Cal.com — the booking system used to schedule your discovery call. Processes your name and email address to confirm the appointment.
- Resend — transactional email delivery (SOW links, invoice delivery, deletion confirmations). Processes your email address only.
- Web3Forms — handles submissions from the contact form on this site. Processes the name, email, and message you enter into the form.
- Cloudflare Web Analytics — privacy-friendly, cookieless traffic statistics. No personal data is collected. We see aggregate page counts, not individual visitor identities.
We do not share your information with procurement panels, other bidders, or any party outside the above list without your explicit written consent.
How long we keep it
We keep your personal information only as long as we need it.
- Personal data (IDs, contact details, banking confirmation) — deleted within 30 days of engagement end. You receive a written deletion confirmation.
- Standing-pack documents — remain yours at all times. On request, we delete our copies immediately. On engagement end, they are deleted within the same 30-day window unless you instruct otherwise.
- Invoices and financial records — retained for 5 years as required by SARS. These records contain your business name and banking reference but are held separately from engagement documents.
Your rights as a data subject
Under POPIA, you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correct — ask us to update or correct inaccurate personal information.
- Delete — request deletion of your personal information, subject to any legal retention obligations.
- Object — object to specific processing activities, including any processing based on legitimate interest.
- Lodge a complaint — if you believe we have not handled your personal information correctly, you can complain to the Information Regulator (details below).
How to exercise your rights
Send a written request to our Information Officer at:
Include your name, the nature of your request, and enough detail to identify your records. We will respond within 30 days. There is no charge for a first access request per calendar year.
International transfers
Some of our third-party processors — Anthropic, Microsoft, and Cal.com — may store or process data outside South Africa. Where this occurs, we rely on standard contractual clauses or adequacy decisions as permitted under POPIA Section 72, and we document this in the engagement-specific Data Processing Addendum.
Microsoft 365 can be configured to store data in South Africa (Azure South Africa North). We use this configuration where available.
How we protect your information
We take reasonable technical and organisational measures to protect personal information. In practice, this means:
- All data in transit is encrypted via TLS.
- Operator devices use full-disk encryption (BitLocker on Windows).
- Each client's documents are stored in a dedicated, restricted-access folder. No cross-client access.
- We do not sell your data to any third party.
- We do not use your documents to train AI models. The Anthropic API does not use API-submitted data for model training.
In the event of a breach that is likely to affect your rights, we will notify you and the Information Regulator within the timeframe required by POPIA Section 22.
Lodging a complaint
If you are not satisfied with how we have handled your personal information, you may lodge a complaint with the South African Information Regulator at inforegulator.org.za.