BidScript Privacy Notice

This notice ("Privacy Notice") sets out how we look after your personal data when you visit our website at www.bidscript.co.uk (the "Website") or access and use our web application at app.bidscript.co.uk (together, the "Platform").

It also applies where you are a prospective or existing customer of our business, or another type of business contact (for example, a supplier or service provider).

This Privacy Notice explains:

• what information we collect about you;
• how and why we use it;
• who we share it with; and
• your legal rights in relation to your personal data.

We may update this Privacy Notice from time to time to reflect changes to our business practices or to comply with new legal requirements. You should check this page regularly for the latest version.

We are BidScript Ltd, registered in England and Wales with company number 15669402 and our registered address at Bruntwood Station House, New Stamford Road, Altrincham, Cheshire, WA14 1EP.

For all visitors to our Website and users of our Platform, we are the controller of your personal data. This means that we decide what information we collect, how it is used, and how it is protected.

If you have any questions about this Privacy Notice or about the way we handle personal data, please contact:

• Name: Henry Brogan
• Email: henry@bidscript.co.uk
• Postal address: BidScript Ltd, Bruntwood Station House, New Stamford Road, Altrincham, Cheshire, WA14 1EP

Personal data means any information that identifies, or could be used to identify, a living individual. The types of personal data we collect depend on your relationship with us and how you use our Website and Platform.

4.1 Types of personal data

We may collect, use and store the following categories of personal data:

• Identity Data: first name, last name, job title, company name, and similar identifiers.
• Contact Data: email address, telephone number(s), postal or business address.
• Technical Data: IP address, device identifiers, operating system, browser type and version, and other technical details automatically collected when you access our Website or Platform.
• Usage Data: information about how you use our Website, Platform, and services, such as page views, interactions, and navigation paths (collected through our analytics tools).
• Marketing and Communications Data: your marketing preferences and records of communications with us.

4.2 How we collect personal data

We may collect your personal data through:

• direct interactions (e.g., when you fill in forms, create an account, or communicate with us);
• automated technologies (e.g., analytics from Posthog);
• third-party integrations that support our business operations (such as HubSpot for customer relationship management and communications).

We are required to identify a lawful basis under data protection law for using your personal data. The main lawful bases we rely on are legitimate interests, consent, and performance of a contract.

5.1 Legitimate Interests

We use your personal data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes:

• improving and optimising our Website, Platform, and services;
• monitoring and enhancing security and preventing fraud or misuse;
• maintaining and developing our business operations;
• protecting our business and defending legal claims.

5.2 Performance of a Contract

We process your personal data where it is necessary to enter into or perform a contract with you, including:

• creating and managing your account on our Platform;
• delivering the services you request;
• communicating with you regarding your account or transactions.

5.3 Consent

We rely on your consent to:

• send you marketing communications by email or phone; and
• collect or use personal data where required by law or where no other lawful basis applies.

You can withdraw your consent at any time by contacting us at henry@bidscript.co.uk or support@bidscript.co.uk.

We use cookies and similar technologies only where necessary to operate and secure our Platform.

• Website: We do not use cookies on our public website for marketing, analytics, or advertising purposes.
• Web Application: We use essential cookies within our web application to maintain secure user sessions, manage authentication, and record session times. These cookies are required for the proper functioning of the Platform and cannot be disabled.

We also host analytics through PostHog to help us understand how users interact with our Platform and to improve our services. This analytics data does not rely on third-party tracking cookies and does not track users across other websites.

We may share your personal data with the following parties, strictly as necessary for business purposes:

• Our personnel: employees and authorised contractors bound by confidentiality and data protection obligations.
• Service providers: including Vercel (website hosting), Microsoft Azure (cloud infrastructure), HubSpot (CRM and communications), and other professional service providers who act as processors on our behalf and are bound by written data processing agreements. HubSpot acts solely as our data processor and does not use your information for its own purposes.
• Professional advisers: such as legal, accounting or insurance advisers.
• Potential buyers: if we consider selling or transferring parts of our business.
• Public authorities: if required to comply with a legal obligation, court order, or lawful request.

We ensure that all service providers implement appropriate technical and organisational measures to protect personal data.

We do not sell your personal data and we do not share it with third parties for their own marketing purposes.

We store and process all personal data on secure servers located within the United Kingdom and the European Economic Area (EEA). We do not transfer your data outside the UK or EEA. If you access our Website or Platform from outside these regions, your data will still be stored securely within the UK and EEA.

We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed without authorisation.

These include:

• multi-factor authentication and access controls;
• encryption of data in transit and at rest;
• network security monitoring and intrusion prevention;
• regular testing and review of our security measures;
• staff training and access management;
• incident and breach reporting procedures.

If an incident occurs that affects your personal data, we will notify you and the relevant regulator where legally required.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.

In most cases, we will delete or securely anonymise personal data within 30 days of collection or account closure, whichever is earlier, unless we are required by law to keep it for longer (for example, to comply with accounting or legal obligations).

After the retention period ends, personal data will be permanently deleted or irreversibly anonymised.

You have the following rights under data protection law in relation to your personal data:

• Access: to receive a copy of your personal data and information about how we use it.
• Correction: to have inaccurate or incomplete data corrected.
• Deletion: to request the erasure of your data where there is no lawful reason to keep it.
• Restriction: to ask us to limit how we use your data in certain circumstances.
• Objection: to object to processing based on legitimate interests or to receiving direct marketing.
• Portability: to request that we transfer your data to you or another organisation.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time.

We may need to verify your identity before responding to any request. We aim to respond within one month, although complex requests may take up to an additional two months.

To exercise any of these rights, please contact Henry Brogan at henry@bidscript.co.uk.

If you have concerns about how we handle your personal data, we encourage you to contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK data protection regulator:

• Website: www.ico.org.uk
• Telephone: 0303 123 1113

We may update this Privacy Notice from time to time.

The latest version will always be available on our Website and will include the date it was last updated.

If we make significant changes, we will notify users through the Website, Platform, or by direct communication where appropriate.