Privacy Policy — BidLibrary AI
Operated by Apexar Ltd Last updated: 2026-06-27 Version: 1.3
1. Who we are
Apexar Ltd ("Apexar", "we", "our", "us") is a private limited company registered in England and Wales.
- Company number: 17203546
- Registered office: 18 Tarrant Court, Ingleside Drive, Stevenage SG1 4RG, United Kingdom
- ICO Data Protection Fee registration:
ZC157912(verifiable at https://ico.org.uk/ESDWebPages/Search)
We operate BidLibrary AI (the "Service"), an AI-assisted bid-writing platform for UK engineering consultancies, available at https://bidlibrary.apexar.co.uk.
For data about you that we collect directly (e.g. when you visit our website or use our Service as an individual user), we are the data controller.
For personal data contained inside bid documents that you upload to the Service, your firm is the data controller and Apexar is the data processor. The processing terms are set out in our Data Processing Agreement (DPA), which forms part of the Master Services Agreement between Apexar and your firm.
This Privacy Policy explains both relationships.
2. What personal data we collect
2.1 From visitors to our website (bidlibrary.apexar.co.uk and apexar.co.uk)
- Technical data: IP address, browser type and version, device type, operating system, referring URL, pages visited, timestamps. This is collected automatically by our hosting and DNS providers (Vercel, Cloudflare) for security, fraud prevention, and basic service operation.
2.2 From individuals who contact us
- Identification data: name, email address, employer, job title.
- Communication data: the content of your message to us (e.g. via the
info@apexar.co.ukinbox or any contact form).
2.3 From individuals who become users of the Service (typically employees of our customer firms)
- Account data: name, work email address, employer, job title, password (stored as a one-way hash — we never see your password in readable form).
- Authentication data: timestamps of sign-in events, IP address at sign-in, multi-factor authentication state.
- Usage data: features used, queries submitted, documents accessed (logged to provide the Service and for security/audit).
2.4 From bid documents uploaded by customer firms (processed on the firm's behalf)
Bid and tender documents uploaded to the Service may incidentally contain personal data of:
- The customer firm's own employees (named project leads, signatories, technical authors)
- The customer firm's sub-contractors and supply chain (named individuals, contact details)
- Other project stakeholders (named end-client contacts, named approvers, etc.)
Apexar processes this personal data only on the customer firm's instructions, for the sole purpose of generating AI-assisted bid responses. We do not use this personal data for any other purpose. The full terms governing this processing are set out in the DPA.
2.5 What we do NOT collect
- Special category data (UK GDPR Art. 9): we do not knowingly collect health, racial, religious, political, biometric, genetic, sexual orientation, or trade union data. Bid documents in our domain (engineering tenders) do not typically contain such data; if they ever do, customer firms must ensure they have a lawful basis to share it under their controller obligations.
- Children's data: the Service is for business use only. Users must be 18+.
- Financial / payment card data: when card payment becomes available on the Service, all card payments will be processed by Stripe; Apexar does not see, store, or process card numbers. Until then, payment is by bank transfer and we hold no card data.
3. Why we use your personal data (purposes) and our legal basis
| Purpose | Personal data used | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Operate our website (deliver pages, prevent abuse) | Technical data (IP, browser) | Legitimate interests (running a secure website) |
| Respond to enquiries you send us | Identification + communication data | Legitimate interests (responding to enquiries) |
| Create and administer your user account | Account data | Contract performance (delivering the Service to your firm) |
| Operate the Service (process queries, return results, log usage) | Account data + usage data | Contract performance |
| Process bid documents through the AI pipeline | Personal data inside bid docs | Contract performance (on instructions of the customer firm, who is the controller) |
| Secure the Service, investigate misuse, comply with audit obligations | Authentication + usage data | Legitimate interests (security) and legal obligations |
| Comply with our legal and tax obligations (HMRC, Companies House, ICO) | Account + billing data | Legal obligation |
| Send service-related operational emails (outage notices, security alerts, invoicing) | Account data | Contract performance |
| Send optional marketing emails | Identification data | Consent (you can withdraw at any time via the unsubscribe link) |
Note on marketing emails: Apexar does not currently send marketing emails and does not maintain a marketing email list. If and when we begin to do so, every marketing email will include a one-click unsubscribe link in compliance with the UK Privacy and Electronic Communications Regulations (PECR), and your prior consent will be obtained.
We do not carry out automated decision-making with legal or similarly significant effects on you (UK GDPR Art. 22). The Service generates AI-assisted bid content for human review and adaptation; it does not make automated decisions about you as an individual.
4. How long we keep your personal data (retention)
| Category | Retention period | Why |
|---|---|---|
| Visitor server logs (IP, browser, request timestamps) | 90 days | Security and abuse investigation window |
| Enquiry correspondence (emails to info@apexar.co.uk) | 24 months from last contact, then archived to cold storage and reviewed annually | Sales pipeline + legitimate-interest balance |
| User account data (while customer firm contract is active) | For the duration of the customer firm's subscription, plus the 60-day export grace window after cancellation (see §4.1) | Contract performance |
| Customer firm's uploaded bid documents + derived AI outputs + Voyage embeddings + RAG index entries | For the duration of the subscription, plus the 60-day export grace window (see §4.1) | Contract performance — minimal-necessary retention |
| Billing records (invoices, payment confirmations) | 7 years from end of accounting year | Legal obligation (UK tax law — HMRC requires 6 years for limited companies, we hold an extra year for safety) |
| Marketing consent and unsubscribe records | Indefinitely | Legal obligation (PECR — to honour opt-outs) |
4.1 Post-cancellation grace and deletion (the 60-day window)
When a customer firm cancels its subscription:
- The firm has 60 days from the cancellation effective date to export its bid documents, AI outputs, and any other content it wishes to retain. To request a bulk export, email
info@apexar.co.uk; Apexar will deliver your Customer Content (source documents in their original format plus a structured JSON export of AI Outputs, queries, citations, and RFP analyses) within 14 days of the request. - At the end of the 60-day window, Apexar permanently deletes:
- The firm's account data
- All uploaded bid documents
- All AI outputs generated from those documents
- All Voyage embeddings derived from the documents
- All RAG (retrieval-augmented generation) index entries pointing at the documents
- Billing records and invoices are retained for 7 years per §4 above, irrespective of cancellation.
4.2 Right-to-erasure requests during a live subscription (UK GDPR Art. 17)
If you ask us to delete your personal data while your firm's subscription is live, we will honour the request to the extent compatible with the contract. For data inside bid documents (where your firm is the controller), we will pass the request to your firm and act on their instructions per the DPA. For your own account data, we will delete it within 30 days of your request unless we are legally required to retain it.
5. Who we share your personal data with (sub-processors and recipients)
We use the following third parties to deliver the Service. Each is bound by data-protection contractual terms (either UK GDPR Art. 28 processor terms, or — where the recipient acts as a separate controller — appropriate data-sharing terms).
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database hosting (Postgres) + object storage | Project hosted in eu-west-2 (London); company headquartered in the United States | Apexar's Supabase project is in London. Supabase Inc. (US) is bound by UK IDTA / EU SCCs for any incidental access from the US. |
| Anthropic PBC | Large language model (Claude) — generates AI bid responses | United States | UK IDTA / EU SCCs in place. Anthropic does not use customer content to train its models (per Anthropic's commercial terms). |
| Voyage AI, Inc. | Embeddings model — converts bid text into vector representations | United States | UK IDTA / EU SCCs in place. Voyage does not use customer content to train its models. |
| Vercel, Inc. | Web hosting for the bidlibrary.apexar.co.uk application | Edge servers globally; account home in the United States | UK IDTA / EU SCCs in place. |
| Cloudflare, Inc. | DNS, CDN, web application firewall for apexar.co.uk | United Kingdom (incidental US) | UK IDTA / EU SCCs in place. |
| Google Ireland Limited (Google Workspace) | Business email infrastructure (info@apexar.co.uk) | European Union (Ireland), with EU/US transfers governed by adequacy + SCCs | EU/US Data Privacy Framework + SCCs. |
| GitHub, Inc. (Microsoft) | Encrypted weekly database backups (snapshots stored in a private Apexar repository) | United States | All snapshots are GPG-encrypted before upload; GitHub cannot read the content. UK IDTA / EU SCCs in place. |
Planned future sub-processor: We expect to add Stripe Payments UK Ltd (United Kingdom) and Stripe, Inc. (United States) as a sub-processor for card payment processing when card payment becomes available on the Service. Stripe is PCI-DSS Level 1 compliant and acts as an independent data controller for fraud prevention. We will update this Privacy Policy and notify existing users at least 14 days in advance of card payment going live.
We do not sell your personal data. We do not share it with advertising networks or data brokers.
We may share your personal data with law enforcement, courts, or regulators if we are legally required to (e.g. a court order, an ICO statutory notice). Where we are legally permitted to do so, we will notify you before complying.
6. International transfers
Several of our sub-processors are based outside the United Kingdom (primarily the United States). The UK Government has not granted an adequacy decision for the United States as a whole. We rely on:
- The UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, or
- The EU Standard Contractual Clauses (SCCs) with UK addenda, or
- The UK Extension to the EU-US Data Privacy Framework where the recipient is certified.
We do not transfer personal data to any country listed by the UK Government as inadequate without these or equivalent safeguards.
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you (a "subject access request" or SAR).
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — ask us to delete your personal data in the circumstances set out in UK GDPR Art. 17.
- Right to restrict processing — ask us to pause processing while we resolve a dispute about accuracy or lawfulness.
- Right to data portability — receive your personal data in a structured, commonly used, machine-readable format.
- Right to object — object to processing that is based on our legitimate interests (we will stop unless we have overriding legitimate grounds, or unless we need to continue for legal claims).
- Right to withdraw consent — where our processing is based on your consent, you can withdraw it at any time.
- Right not to be subject to solely automated decisions with legal or similarly significant effects (we do not currently make such decisions).
To exercise any of these rights, email info@apexar.co.uk. We will respond within one month. There is no fee for exercising these rights unless your request is manifestly unfounded or excessive.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have mishandled your personal data:
- Web: https://ico.org.uk/make-a-complaint/
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the chance to address any concerns first — please contact us before going to the ICO.
8. Cookies and similar technologies
We use only strictly necessary cookies on bidlibrary.apexar.co.uk and apexar.co.uk. These are required to operate the website and the Service securely:
- Session cookies — to keep you signed in to the Service.
- Security cookies — to detect abuse and prevent cross-site request forgery (CSRF) attacks.
- Load balancing cookies — used by Cloudflare and Vercel to route your requests efficiently.
We do not use analytics cookies, advertising cookies, or any non-essential tracking. Under the UK Privacy and Electronic Communications Regulations (PECR) we are not required to obtain consent for strictly necessary cookies, so the site does not show a cookie consent banner.
If we ever add analytics or other non-essential cookies in future, we will update this Privacy Policy and add a consent mechanism in compliance with PECR.
9. Security
We take the security of your personal data seriously. Our current measures include:
- Encryption in transit: all traffic to and from our services uses TLS 1.2 or above.
- Encryption at rest: databases, backups, and object storage are encrypted at rest by our hosting providers (Supabase, Vercel) and additionally GPG-encrypted in the case of our weekly off-site backup snapshots.
- Access control: Apexar personnel access production systems via individually-authenticated accounts with multi-factor authentication enforced. No shared accounts.
- Logging: authentication events (sign-ins, password changes, MFA factor changes) are recorded by our Supabase backend; database modifications are captured in PostgreSQL write-ahead logs and retained per Supabase platform defaults.
- Vulnerability management: we monitor security advisories for our dependencies and patch promptly. We do not currently run a formal penetration test programme; we will introduce this when revenue justifies it.
- Business continuity: documented business continuity plan, weekly off-site encrypted backups, documented restore procedure with the first end-to-end rehearsal scheduled for Q3 2026 and a quarterly cadence thereafter. Manual restore RTO ~4 hours.
Breach notification: if Apexar suffers a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals where the risk is high, as required by UK GDPR Art. 33–34.
10. Children
The Service is not intended for use by children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us so we can delete it.
11. Changes to this Privacy Policy
We will update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes (e.g. adding a new sub-processor, changing retention periods, expanding the data we collect), we will:
- Notify existing users by email to the address associated with their account, at least 14 days before the change takes effect.
- Post a notice on bidlibrary.apexar.co.uk for at least 30 days.
For non-material changes (e.g. clarifications, correcting typos, updating contact details), we will update this page without separate notice.
12. How to contact us
- General data-protection enquiries, SARs, deletion requests, complaints:
info@apexar.co.uk - Postal address: Apexar Ltd, 18 Tarrant Court, Ingleside Drive, Stevenage SG1 4RG, United Kingdom
- Data Protection enquiries: Apexar Ltd is not legally required to appoint a Data Protection Officer; data-protection enquiries should be sent to
info@apexar.co.uk.
We aim to respond to all data-protection enquiries within one month, and to acknowledge receipt within 5 working days.