BidScript Privacy Notice

This notice ("Privacy Notice") sets out how we look after your personal data when you visit our website at www.bidscript.co.uk (the "Website") or access and use our web application at app.bidscript.co.uk (together, the "Platform").

It also applies where you are a prospective or existing customer of our business, or another type of business contact (for example, a supplier or service provider).

This Privacy Notice explains:

• what information we collect about you;
• how and why we use it;
• who we share it with; and
• your legal rights in relation to your personal data.

Note for Platform users: If you access the BidScript platform as an authorised user under a contract between BidScript and your employer or organisation, some of the personal data processed within the platform (such as content you upload and work within) is processed by BidScript on behalf of your organisation. In that context, your organisation is the Data Controller and BidScript acts as a Data Processor under a Data Processing Agreement. For further information about how your data is handled within the platform, please contact your organisation's administrator or email us at support@bidscript.co.uk.

We may update this Privacy Notice from time to time to reflect changes to our business practices or to comply with new legal requirements. You should check this page regularly for the latest version.

We are BidScript Ltd, registered in England and Wales with company number 15669402 and our registered address at Bruntwood Station House, New Stamford Road, Altrincham, Cheshire, WA14 1EP.

For visitors to our website (including prospective or existing customers): we are the controller of your personal data. This means that we decide what information we collect, how it is used, and how it is protected.

For existing customers of the BidScript platform, we are the Processor.

If you have any questions about this Privacy Notice or about the way we handle personal data, please contact:

• Name: Henry Brogan
• Email: henry@bidscript.co.uk
• Postal address: BidScript Ltd, Bruntwood Station House, New Stamford Road, Altrincham, Cheshire, WA14 1EP

Personal data means any information that identifies, or could be used to identify, a living individual. The types of personal data we collect depend on your relationship with us and how you use our Website and Platform.

4.1 Types of personal data

We may collect, use and store the following categories of personal data:

• Identity Data: first name, last name, job title, company name, and similar identifiers.
• Contact Data: email address, telephone number(s), postal or business address.
• Technical Data: IP address, device identifiers, operating system, browser type and version, and other technical details automatically collected when you access our Website or Platform.
• Usage Data: information about how you use our Website, Platform, and services, such as page views, interactions, and navigation paths (collected through our self-hosted analytics tools).
• Marketing and Communications Data: your marketing preferences, records of communications with us, and information about how you found us (for example, via a search engine, paid advert, or referral link).
• Scheduling Data: name, email address, and appointment details collected when you book a call or meeting with us.

4.2 How we collect personal data

We may collect your personal data through:

• direct interactions (e.g., when you fill in forms, create an account, or communicate with us);
• automated technologies (e.g., analytics from our self-hosted PostHog instance);
• scheduling tools (e.g., when you book a call via Calendly, we may also record campaign or referral parameters — known as UTM parameters — to understand how you found us);
• third-party integrations that support our business operations (such as HubSpot for customer relationship management and communications).

We are required to identify a lawful basis under data protection law for using your personal data. The main lawful bases we rely on are legitimate interests, consent, and performance of a contract.

5.1 Legitimate Interests

We use your personal data where it is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes:

• improving and optimising our Website, Platform, and services;
• monitoring and enhancing security and preventing fraud or misuse;
• maintaining and developing our business operations;
• understanding how visitors find us and which marketing activities are effective (including via UTM/campaign tracking at the point of scheduling a call);
• protecting our business and defending legal claims.

5.2 Performance of a Contract

We process your personal data where it is necessary to enter into or perform a contract with you, including:

• creating and managing your account on our Platform;
• delivering the services you request;
• communicating with you regarding your account or transactions.

5.3 Consent

We rely on your consent to:

• send you marketing communications by email or phone; and
• collect or use personal data where required by law or where no other lawful basis applies.

You can withdraw your consent at any time by contacting us at henry@bidscript.co.uk or support@bidscript.co.uk.

We use cookies and similar technologies only where necessary to operate and secure our Platform.

• Website: We do not use cookies on our public website for marketing, analytics, or advertising purposes.
• Web Application: We use essential cookies within our web application to maintain secure user sessions, manage authentication, and record session times. These cookies are required for the proper functioning of the Platform and cannot be disabled.

We also operate self-hosted analytics through PostHog to help us understand how users interact with our Platform and to improve our services. This analytics data does not rely on third-party tracking cookies and does not track users across other websites.

We may share your personal data with the following parties, strictly as necessary for business purposes:

• Our personnel: employees and authorised contractors bound by confidentiality and data protection obligations.
• Service providers: the following companies act as processors on our behalf and are bound by written data processing agreements:
  • Microsoft Azure (Microsoft Corporation, US/EEA) — cloud infrastructure, data storage, and AI-assisted processing. Data is stored within the UK and EEA. International transfers where applicable are governed by EU Standard Contractual Clauses.
  • Vercel Inc. (US) — website hosting and content delivery. Processes IP addresses and traffic metadata as part of serving our Website. Transfers to the US are governed by EU Standard Contractual Clauses.
  • HubSpot Inc. (US) — CRM and marketing communications. Processes name, email address, company name, and engagement data from website forms and email interactions. HubSpot acts solely as our data processor and does not use your information for its own purposes. Transfers to the US are governed by EU Standard Contractual Clauses.
  • Calendly Inc. (US) — appointment scheduling. Processes name, email address, and scheduling data when you book a call with us. Transfers to the US are governed by EU Standard Contractual Clauses.
• Professional advisers: such as legal, accounting, or insurance advisers, bound by duties of confidentiality.
• Potential buyers: if we consider selling or transferring parts of our business, in which case we would take steps to protect your data.
• Public authorities: if required to comply with a legal obligation, court order, or lawful request.

We do not sell your personal data and we do not share it with third parties for their own marketing purposes.

We store and process personal data on secure servers located within the United Kingdom and the European Economic Area (EEA). Some of our service providers (including HubSpot, Calendly, and Vercel) are based in the United States. Where personal data is transferred outside the UK or EEA, we ensure that appropriate safeguards are in place, including EU Standard Contractual Clauses approved by the European Commission and equivalent mechanisms recognised under UK data protection law.

We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed without authorisation.

These include:

• multi-factor authentication and access controls;
• encryption of data in transit and at rest;
• network security monitoring and intrusion prevention;
• regular testing and review of our security measures;
• staff training and access management;
• incident and breach reporting procedures.

If an incident occurs that affects your personal data, we will notify you and the relevant regulator where legally required.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.

In most cases, we will delete or securely anonymise personal data within 30 days of the end of our relationship with you or account closure, unless we are required by law to keep it for longer (for example, to comply with accounting or legal obligations).

After the retention period ends, personal data will be permanently deleted or irreversibly anonymised.

You have the following rights under data protection law in relation to your personal data:

• Access: to receive a copy of your personal data and information about how we use it.
• Correction: to have inaccurate or incomplete data corrected.
• Deletion: to request the erasure of your data where there is no lawful reason to keep it.
• Restriction: to ask us to limit how we use your data in certain circumstances.
• Objection: to object to processing based on legitimate interests or to receiving direct marketing.
• Portability: to request that we transfer your data to you or another organisation.
• Withdraw consent: where processing is based on consent, you may withdraw it at any time.

We may need to verify your identity before responding to any request. We aim to respond within one month, although complex requests may take up to an additional two months.

To exercise any of these rights, please contact Henry Brogan at henry@bidscript.co.uk.

If you have concerns about how we handle your personal data, we encourage you to contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK data protection regulator:

• Website: www.ico.org.uk
• Telephone: 0303 123 1113

We may update this Privacy Notice from time to time.

The latest version will always be available on our Website and will include the date it was last updated.

If we make significant changes, we will notify users through the Website, Platform, or by direct communication where appropriate.