Legal

Privacy Policy

Effective Date: 1 July 2026  ·  Last Updated: 13 July 2026

ProcureHQ Pty Ltd (ABN 34 692 155 481) of 117 Old Pittwater Road, Brookvale NSW 2100 (“ProcureHQ”, “Company”, “we”, “us”, or “our”) is committed to protecting the privacy of personal information handled in connection with our website at procurehq.com.au (the “Website”) and the ProcureHQ Tender Evaluator platform (the “Platform”). This Privacy Policy explains how we collect, hold, use, and disclose personal information, and how you can access or correct your information or make a complaint. This Policy is prepared in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”).

1. About This Policy

1.1 This Policy applies to personal information we collect through the Website, the Platform, our customer support channels, and any other interaction you have with us, including as a visitor, prospective customer, registered user, or representative of a Customer Organisation.

1.2 This Policy should be read together with our Website Terms of Use and Digital Product Terms, which are available at procurehq.com.au.

2. Who We Are

2.1 ProcureHQ Pty Ltd (ABN 34 692 155 481) is the entity responsible for handling personal information under this Policy. Our contact details are set out in Clause 18.

3. Scope of This Policy

3.1 This Policy applies to personal information about: (a) visitors to the Website; (b) individual users who register an account on behalf of a Customer Organisation; (c) representatives of prospective or existing Customers we deal with in the course of providing the Platform; and (d) other individuals whose personal information may be contained within Tender Data uploaded by a Customer.

3.2 Where a Customer uploads Tender Data that contains personal information about a third party (for example, names of personnel included in a tender submission), the Customer is responsible for ensuring it has an appropriate basis to provide that information to us, and this Policy governs our handling of that information once received.

4. What Personal Information We Collect and Why

4.1 We collect the following categories of information:

4.1.1 Account and identity data — full name, work email address, password (stored as a hash), and, if you sign in with Google, your Google OAuth profile information (name, email, avatar). We also hold your Organisation name and your role (owner/user) within that Organisation.

4.1.2 Billing data — we hold references to your Stripe customer ID, subscription or one-off purchase ID, plan or product, and status. Your ABN (if provided), tax residency, invoice history, and card details (last 4 digits and card brand only) are collected and held by our payment processor, Stripe. We do not store full card numbers.

4.1.3 Tender Data — uploaded Requests for Tender, specifications, evaluation criteria, and draft or final submission content; text and page-level data extracted from those uploads via our self-hosted OCR; extracted criteria and criterion responses; Evaluation Output; generated PDF reports; SHA-256 fingerprints of Brief-Locked documents; and, for Premium Customers, organisational capability information and documents you choose to provide, which we use to personalise the Live Opportunities presented to your Organisation. Tender Data is treated as confidential in accordance with the Digital Product Terms.

4.1.4 Usage and product analytics — event category and name, page path and referrer, device type and user agent, a per-browser session identifier, timestamps, and associated event properties. Analytics event data does not contain the content of your uploaded documents.

4.1.5 Aggregated Benchmarking data (opt-in only) — where you opt in, we aggregate overall score, potential score, confidence rating, number of criteria evaluated, and an optional industry or client-type tag. We never include respondent names, pricing, or other tender-identifying content in Benchmarking Data.

4.1.6 Audit and operational logs — records of administrative actions, server-side error logs (which may include a user ID or request path), and platform logs generated by our infrastructure providers.

4.1.7 Cookies and local storage — an authentication session token (stored via localStorage and a cookie) and a per-browser analytics session identifier (stored via sessionStorage). See Clause 10 for further detail.

4.2 We collect this information to: operate and provide the Platform; process payments and billing; provide customer support; verify eligibility to use the Platform; improve our products; maintain security and prevent misuse (including of the per-Tender billing model); and comply with our legal obligations.

4.3 Sensitive Information. We do not intentionally collect sensitive information (as defined in the Privacy Act) and ask that you do not include sensitive information about yourself or any third party in Tender Data or other content submitted to the Platform, other than where reasonably necessary and incidental to the tender documentation itself.

4.4 Information About Third Parties. If you provide us with personal information about another individual (for example, as part of Tender Data), you must ensure you are authorised to do so and that the individual is aware of, or has consented to, the matters set out in this Policy.

4.5 Anonymity and Pseudonymity. Where practicable and lawful, you may interact with us anonymously or using a pseudonym, for example when making a general enquiry through the Website. This is not practicable for registered use of the Platform, which requires identification.

5. How We Collect Personal Information

5.1 We collect personal information: (a) directly from you, when you create an account, upload Tender Data, contact support, or complete a form on the Website; (b) via Google OAuth, if you choose to sign in with Google; (c) via Stripe, in connection with billing and payment; (d) via cookies and similar technologies, as described in Clause 10; and (e) from our own systems, in the form of usage and audit data generated by your use of the Platform.

6. How We Use Personal Information

6.1 We use personal information to: operate and provide the Platform, including generating AI-Assisted Evaluations from your Tender Data; process billing and manage your Subscription; provide customer support and respond to enquiries; maintain the security and integrity of the Platform, including enforcement of the per-Tender billing model; personalise the Live Opportunities presented to Premium Customers, using organisational capability information they choose to provide; develop and improve our products, using de-identified or aggregated data where practicable; comply with our legal and regulatory obligations; and, where you have opted in or as otherwise permitted by law, send you service or marketing communications.

6.2 AI Processing Statement. Your Tender Data is processed by artificial intelligence models, including large language models accessed via the Lovable AI Gateway (Anthropic’s Claude), to generate Evaluation Output. Document text extraction (OCR) is performed using a self-hosted Tesseract instance running within our Cloudflare Worker; no third-party OCR vendor receives your uploaded documents. Your Tender Data is not used to train the Company’s own AI models or any third-party AI model.

7. Disclosure of Personal Information

7.1 We disclose personal information to the following categories of third-party service providers (subprocessors), each engaged to help us provide the Platform:

SubprocessorPurposeData categoryRegion
Supabase Inc.Database, authentication, and storageAll categories described in Clause 4Hosted in Australia (ap-southeast-2, Sydney)
Cloudflare, Inc. (Workers)Server-side compute and request handling, including self-hosted OCRRequest metadata; documents processed transiently within the WorkerGlobal edge network
Lovable (AI Gateway and hosting)Application hosting and AI model routingPrompts and model responses (including extracted Tender Data used for evaluation)United States / European Union
Anthropic (Claude, via the Lovable AI Gateway)AI inference for scoring and extractionPrompt content comprising extracted RFT and submission textUnited States
Stripe Payments Australia Pty LtdBilling, tax calculation, and invoicingPayment and tax identity informationAustralia and other jurisdictions in which Stripe operates
Google Australia Pty LtdOAuth sign-in onlyEmail address and profile informationGlobal
ResendTransactional email deliveryEmail address and message contentUnited States

7.2 Some of these subprocessors may change over time. We will keep this Clause 7 current and, where required, will update this Policy to reflect any material change in subprocessors.

7.3 We do not sell personal information. We otherwise disclose personal information only: to our related bodies corporate and professional advisers on a confidential basis; to a purchaser or prospective purchaser in connection with a sale, merger, or restructure of our business; where required or authorised by law, including to a law enforcement or regulatory body; or with your consent.

8. Cross-Border Disclosure (Australian Privacy Principle 8)

8.1 As set out in the subprocessor table at Clause 7.1, our AI-inference and application-hosting subprocessors may process personal information, including extracted Tender Data, outside Australia, including in the United States and the European Union. Our database and storage infrastructure is hosted in Australia.

8.2 Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information, including by relying on contractual protections, the recipient’s own privacy and security commitments, and, where applicable, the recipient’s participation in recognised data protection frameworks. By using the Platform, you acknowledge that this cross-border handling of your information is necessary for the AI-Assisted Evaluation and hosting functionality of the Platform.

9. Direct Marketing and Communications

9.1 We may send you service-related communications necessary for the operation of your Subscription (for example, billing notices or renewal reminders), which are not marketing communications and cannot be opted out of while you hold an active account.

9.2 Where you have consented, or as otherwise permitted under the Spam Act 2003 (Cth), we may send you marketing communications about our products and services. You can opt out at any time using the unsubscribe link in any marketing communication or by contacting us using the details in Clause 18.

10. Cookies and Analytics

10.1 We currently use first-party analytics only. We do not currently set third-party marketing or advertising cookies.

10.2 The following is stored client-side in your browser: an authentication session token (localStorage and a cookie, used to keep you signed in) and a per-browser analytics session identifier (sessionStorage, used to associate usage events within a browsing session). Analytics event data is described further in Clause 4.1.4.

10.3 We do not currently display a cookie consent banner, as we do not set non-essential third-party cookies. If we introduce third-party analytics or marketing tools that set additional cookies in the future, we will update this Policy and implement a cookie banner or equivalent consent mechanism as appropriate.

11. Data Security

11.1 We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, including:

11.1.1 encryption of data in transit using TLS across our hosting and database infrastructure;

11.1.2 encryption of data at rest (AES-256), managed by our database provider;

11.1.3 database-level row-level security scoped to each Organisation, with privilege-escalation-resistant helper functions and a service-role credential held only in our server environment;

11.1.4 authentication controls including a configurable password policy and leaked-password protection;

11.1.5 automated daily backups; and

11.1.6 audit logging of administrative actions. Further detail about our current security controls, hosting arrangements, and subprocessors is published on our Security & Trust page at procurehq.com.au/security.

11.2 No method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security. If we become aware of a data breach likely to result in serious harm (an eligible data breach under the Notifiable Data Breaches scheme), we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with our obligations under the Privacy Act.

12. Data Retention

12.1 We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, or as required by law, in accordance with the following schedule:

12.1.1 Account and identity data — retained while your account remains active.

12.1.2 Tender Data and Evaluation Output — retained for the life of your account, and deleted on written request or account termination as described in the Digital Product Terms.

12.1.3 Billing records — retained for seven (7) years to meet Australian Taxation Office record-keeping requirements.

12.1.4 Usage and product analytics events — retained on a rolling basis for up to twenty-four (24) months.

12.1.5 Audit logs — retained for up to twenty-four (24) months.

12.2 You may request deletion of your account and associated personal information at any time by emailing privacy@procurehq.com.au. Some information, including billing and audit records, may be retained beyond that request where we are legally required to do so.

13. Access to and Correction of Personal Information

13.1 Under APP 12, you may request access to the personal information we hold about you. Under APP 13, you may request correction of that information if you believe it is inaccurate, out of date, incomplete, irrelevant, or misleading.

13.2 To make an access or correction request, contact us using the details in Clause 18. We will respond within a reasonable period, and in any event within thirty (30) days.

13.3 We may need to verify your identity before providing access to, or correcting, personal information, and there are limited circumstances in which we may refuse a request, in which case we will provide reasons in accordance with the APPs.

13.4 We do not charge a fee for making an access or correction request, although we may charge a reasonable fee for giving access to information where permitted under the APPs.

14. Privacy Complaints

14.1 If you have a concern or complaint about how we have handled your personal information, please contact us using the details in Clause 18, including sufficient detail for us to investigate. We will acknowledge your complaint and aim to resolve it within thirty (30) days.

14.2 If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

15. Notifiable Data Breaches

15.1 We maintain a data breach response process consistent with the Notifiable Data Breaches (NDB) scheme under the Privacy Act. Where we determine that an eligible data breach has occurred, we will notify affected individuals and the OAIC as soon as practicable in accordance with our obligations under the scheme.

16. Children’s Privacy

16.1 The Platform is a business-to-business service intended for use by individuals aged 18 years or older acting on behalf of a business. It is not directed at, and we do not knowingly collect personal information from, children under the age of 18.

17. Changes to This Privacy Policy

17.1 We may update this Policy from time to time to reflect changes in our practices or legal obligations. The current version will always be available at procurehq.com.au, together with its effective date.

17.2 Where a change is material, we will notify existing Customers by email in addition to publishing the updated Policy in-app and on the Website.

18. Contact Us

18.1 For privacy enquiries, access or correction requests, or complaints, please contact us at privacy@procurehq.com.au, or using the details below:

Organisation: ProcureHQ Pty Ltd (ABN 34 692 155 481)
Email: privacy@procurehq.com.au
Registered Address: 117 Old Pittwater Road, Brookvale NSW 2100, Australia
Website: procurehq.com.au
OAIC (Privacy): www.oaic.gov.au | 1300 363 992