Privacy Policy

Effective: July 2025 - Last Updated: April 2026

Operated by SIA BMAP - GDPR & Multi-Country Compliant

1. Data Controller

Welcome to tendermap.com, operated by SIA BMAP ("we", "us", "our"). Your privacy matters to us. This policy explains what data we collect, how we use it, with whom we share it, and how you can exercise your rights. We comply with the EU General Data Protection Regulation (GDPR), and applicable data protection laws in Latvia, Sweden, Estonia, Lithuania, Finland, Norway, Denmark, and Germany.

2. Personal vs. Non-Personal Data

We collect both categories to deliver and improve our services.

  • Personal Data: Data that directly identifies you - name, email address, phone number, company details, VAT number, payment information.
  • Non-Personal Data: Anonymised or aggregated usage data - browser and device type, approximate location (city level), interaction logs, and platform analytics.

3. Data We Collect & Why

Data Type | Examples | Purpose
Account & Registration | Name, email, password, company info, VAT/reg. number | Account creation, identity verification, legal compliance
Listings & Payments | Listing content, feature selections, payment via Stripe | Enable listings, process payments, manage features
AI Feature Usage | Search queries, matching inputs, document uploads for AI | Deliver AI-powered search, matching & recommendations
Analytics & Usage | Pages viewed, searches, filters, session info via Google Analytics, Hotjar, Meta Pixel | Optimise platform, improve UX, serve relevant content (GDPR consent required)
Cookies & Tracking | Cookie consent (CookieYes), session logs, tags | Maintain sessions, preferences, analytics
Map & Location Data | Map markers, addresses (Google Maps / Places API), geolocation | Enable map-based search and navigation
Security & Hosting | IP address, access logs via Cloudflare and Cloudways | Site uptime, fraud prevention, DDoS protection
Supplier & Tender Data | Company profiles, tender matches, saved searches | Deliver supplier matching and tender recommendations

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to deliver our services to you - account management, payments, listings, AI features.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Platform security and fraud prevention only. Service improvement and analytics are processed under consent (see below), not legitimate interest, in line with the stricter requirements applicable in Germany, Sweden, Denmark, and other jurisdictions where we operate.
  • Consent (Art. 6(1)(a) GDPR): All analytics tools (Google Analytics, Hotjar), marketing cookies, Meta Pixel tracking, marketing communications, and service improvement based on usage data. Consent is required prior to activation of any non-essential processing. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal Obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws, tax obligations, and regulatory requirements in each country of operation.

5. How We Use Your Data

  • Essential Services: Manage accounts, process payments, enable listings and AI features, send service notifications.
  • AI Features: Your search queries, company profile data, and interaction history are used to power and improve AI-based tender search, supplier matching, and project recommendations. You may opt out of personalised AI recommendations in your account settings.
  • Communications: Service emails (registration, account updates, listing deadlines). Marketing communications are sent only with prior consent, unless otherwise expressly permitted by applicable law (e.g., soft opt-in for existing customers where allowed). We do not share your contact details with third parties for their marketing purposes. You may withdraw marketing consent at any time.
  • Analytics & Personalisation: We analyse aggregated usage data to improve service quality and deliver relevant content.
  • Security & Compliance: Protect systems, prevent fraud, and meet legal obligations in all eight countries of operation.

We do not sell your personal data. We only share data with trusted service providers under strict data processing agreements.

6. Third-Party Integrations

We integrate with the following services. Each processes data under their own privacy policies:

  • Stripe Checkout - payment processing (stripe.com/privacy)
  • Google Maps, Geolocation & Places APIs - map-based search (policies.google.com/privacy)
  • Google Analytics & Tag Manager - usage analytics (policies.google.com/privacy)
  • Hotjar - session recording and UX analysis (hotjar.com/legal/policies/privacy)
  • Meta Pixel - ad performance measurement (facebook.com/privacy/policy)
  • Cloudflare - CDN, DDoS protection, security (cloudflare.com/privacypolicy)
  • Cloudways - secure hosting infrastructure (cloudways.com/en/privacy-policy.php)
  • OpenAI / AI Providers - AI features (data processed under contractual safeguards in accordance with Art. 28 GDPR and not used beyond service provision unless explicitly stated)

We have Data Processing Agreements (DPAs) in place with all third-party processors in accordance with Article 28 GDPR. All processors are contractually bound to process data only on our documented instructions and in compliance with applicable data protection law.

7. International Data Transfers

Some of our service providers (including AI providers and analytics tools) may process data outside the European Economic Area. Where this occurs, we rely on European Commission Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection. Where required by applicable supervisory guidance, we conduct Transfer Impact Assessments (TIAs) to evaluate the level of protection afforded in the destination country prior to transfer.

8. Consent & Cookies

We use CookieYes to manage your cookie consent in compliance with GDPR and applicable national cookie laws (including Germany’s TTDSG, Sweden’s LSEK, and Finland’s Act on Electronic Communications Services). Non-essential cookies are disabled by default and are only activated after you provide explicit consent via our cookie consent panel. No analytics, marketing, or tracking cookies are loaded prior to your consent.

Cookie categories:

  • Essential Cookies: Required for the Platform to function. Cannot be disabled.
  • Analytics Cookies: Google Analytics, Hotjar - require consent.
  • Marketing Cookies: Meta Pixel - require consent.
  • Preference Cookies: Saved filters, language, session state.

You can withdraw or modify consent at any time via our cookie panel.

9. Data Retention & Security

  • Account Data: Retained while your account is active and for up to 7 years after closure for legal and tax compliance purposes.
  • Active and Completed Listings: Retained for as long as necessary for platform functionality and the purposes for which they were submitted. You may request deletion of listing data at any time, subject to applicable legal retention obligations. We will review and minimise retained listing data periodically in accordance with the data minimisation principle under Art. 5(1)(e) GDPR.
  • Listing Drafts: Automatically deleted after 6 months if not published.
  • Orders & Invoices: Retained for the duration required by applicable tax and accounting law (typically 7-10 years depending on jurisdiction).
  • AI Query Logs: Retained for up to 12 months to improve AI feature performance, then anonymised or deleted.
  • Security Measures: SSL/TLS encryption in transit; encrypted storage at rest; DDoS and firewall protection (Cloudflare); PCI DSS-compliant payments (Stripe); access controls and regular security audits.

10. Your Rights (GDPR & National Law)

Under GDPR and applicable national laws, you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure ('Right to be Forgotten'): Request deletion of your data, subject to legal retention obligations.
  • Restriction: Request we limit processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Object: Object to processing based on legitimate interests or for direct marketing.
  • Withdraw Consent: Withdraw any previously given consent at any time.
  • Complaint: Lodge a complaint with your national supervisory authority.

To exercise any of these rights, contact: [email protected]

11. National Supervisory Authorities

You may contact the data protection authority in your country:

  • Latvia: Datu valsts inspekcija (dvi.gov.lv)
  • Sweden: Integritetsskyddsmyndigheten / IMY (imy.se)
  • Estonia: Andmekaitse Inspektsioon (aki.ee)
  • Lithuania: Valstybinė duomenų apsaugos inspekcija (vdai.lrv.lt)
  • Finland: Tietosuojavaltuutetun toimisto (tietosuoja.fi)
  • Norway: Datatilsynet (datatilsynet.no)
  • Denmark: Datatilsynet (datatilsynet.dk)
  • Germany: Federal Commissioner for Data Protection (bfdi.bund.de) or relevant state authority

12. Automated Processing & AI Transparency

  • Automated processing and profiling: Certain features of the Platform involve automated processing of your data, including profiling, to deliver personalised tender recommendations, supplier matches, and AI-powered search results. This processing analyses your company profile, search behaviour, and interaction history to produce ranked or filtered outputs.
  • No solely automated decisions with legal effect (Art. 22 GDPR): TenderMap does not make decisions that produce legal effects or similarly significant consequences for you based solely on automated processing. All AI-generated outputs (recommendations, matches, rankings) are informational tools intended to support human decision-making, not replace it. You retain full control over your commercial decisions.
  • Opt-out of personalised AI recommendations: You may opt out of personalised AI-based recommendations at any time via your account settings. Opting out does not affect your access to core platform features.

13. Data Controller Clarification

SIA BMAP acts as the sole data controller for all personal data processed through the TenderMap platform, across all eight jurisdictions in which the platform operates (Latvia, Sweden, Estonia, Lithuania, Finland, Norway, Denmark, and Germany). There are no joint controllers. Where we engage third-party processors, they act solely on our instructions under binding Data Processing Agreements as required by Article 28 GDPR.

14. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay in accordance with Article 34 GDPR. Breach notifications will describe the nature of the breach, the categories of data affected, likely consequences, and the measures taken or proposed to address it.

15. Children

The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware that a child's data has been collected, we will delete it promptly.

16. Policy Changes

We may update this Privacy Policy from time to time. Material changes will be highlighted on the Platform or communicated via email with at least 14 days' notice before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

17. Contact Us

SIA BMAP has concluded on 28.07.2025 Agreement No.: 9.2- 17-L-2025/1514 with the Investment and Development Agency of Latvia for receiving support within the framework of the measure “Support for Process Digitalization”, financed by the Recovery Fund.

© Copyright 2026 TenderMap
