Privacy Policy

Government Contracts Hub ("we", "us", "our") operates the Government Contracts Hub platform (the "Service"), a procurement-intelligence tool that indexes publicly available government tender notices across Canada, the United States, and the United Kingdom.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Service, and what rights you have in respect of that information.

Contact: Governmentcontractshub.Contact@gmail.com

2.1 Account information

• Name and email address (provided at registration)
• Password (stored as a salted bcrypt hash — we never see your plaintext password)
• Company name and industry classification (NAICS/UNSPSC codes you enter in your profile)
• Subscription and billing information (handled by Stripe; we store only a Stripe customer ID)

2.2 Usage data

• Pages visited, features used, search queries, and tenders viewed
• Log data: IP address, browser type, device type, timestamp, referring URL
• Error and crash reports

2.3 Communications

• Emails you send to us (e.g., support requests)
• Email engagement data (open/click tracking on transactional emails, where technically feasible)

2.4 Cookies and similar technologies

We use session cookies (strictly necessary for authentication) and analytics cookies (to understand aggregate usage patterns). We do not use advertising or cross-site tracking cookies. You can control cookies in your browser settings; blocking session cookies will prevent you from logging in.

2.5 Information we do NOT collect

• Payment card numbers (processed exclusively by Stripe)
• Government identification documents
• Sensitive personal data as defined under GDPR Article 9

We process your personal data to:

• Provide the Service — create and manage your account, deliver tender matches, send deadline alerts, process payments (legal basis: contract performance)
• Improve the Service — analyse usage patterns, debug errors, and develop new features (legal basis: legitimate interests)
• Communicate with you — transactional emails (account confirmation, password reset, invoices) and, with your separate consent, marketing communications about new features or offers (legal basis: consent for marketing; contract for transactional)
• Ensure security and prevent fraud — detect and investigate suspicious activity (legal basis: legitimate interests)
• Comply with law — respond to lawful requests from government authorities (legal basis: legal obligation)

We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human review.

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

4.1 Service providers (data processors)

• Railway (US) — cloud hosting and compute for the web application. Data may be processed on servers in the United States.
• Supabase (US) — managed PostgreSQL database. Data is encrypted at rest and in transit.
• Stripe (US) — payment processing. Stripe processes payment card data under their own PCI-DSS certification.
• Google (Gmail SMTP) (US) — transactional email delivery. Emails pass through Google's servers to reach you.

Each sub-processor is bound by data processing agreements and standard contractual clauses (where applicable) that restrict them to processing data only as instructed.

4.2 Legal requirements

We may disclose your information if required to do so by law, court order, or regulatory authority, or if we believe disclosure is necessary to protect the rights, property, or safety of our users or the public.

4.3 Business transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to a successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

Our infrastructure is primarily located in the United States. If you are located in Canada, the UK, or the EEA, your personal data is transferred to the US under standard contractual clauses or equivalent safeguards approved by the relevant authority (Office of the Privacy Commissioner of Canada; UK ICO; European Commission).

By using the Service, you acknowledge that your data may be processed in countries outside your own, which may have different data protection standards.

• Account data: retained for the duration of your account plus 24 months after closure, then permanently deleted or anonymised.
• Billing records: retained for 7 years to comply with financial-record-keeping obligations.
• Access and error logs: retained for 90 days on a rolling basis.
• Marketing consent records: retained for 3 years from last interaction (required under CASL).

You may request earlier deletion of your account data at any time (see Section 8).

We implement commercially reasonable technical and organisational measures to protect your personal data, including:

• TLS encryption for all data in transit
• AES-256 encryption for data at rest (via Supabase)
• bcrypt hashing for passwords (no plaintext storage)
• Role-based access controls limiting data access to personnel who need it
• Regular dependency updates and vulnerability scanning

No method of transmission over the internet or electronic storage is 100% secure. If you believe your account has been compromised, contact us immediately at Governmentcontractshub.Contact@gmail.com.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

All users

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Deletion: request deletion of your account and associated personal data (subject to legal retention obligations).
• Withdraw consent: withdraw consent to marketing communications at any time.

UK and EEA users (UK GDPR / GDPR)

• Portability: receive your data in a structured, machine-readable format.
• Restriction: request that we restrict processing of your data.
• Objection: object to processing based on legitimate interests.
• Supervisory authority: lodge a complaint with the UK ICO (ico.org.uk) or your local EU data protection authority.

Canadian users (PIPEDA / Quebec Law 25)

• Access and correction rights as above.
• Right to withdraw consent, subject to legal or contractual restrictions.
• Right to complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the Commission d'accès à l'information du Québec.

California residents (CCPA / CPRA)

• Right to know what personal information is collected about you.
• Right to delete personal information (with exceptions).
• Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information.
• Right to non-discrimination for exercising your privacy rights.

To exercise any of these rights, email us at Governmentcontractshub.Contact@gmail.com with the subject line "Privacy Request". We will respond within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing the request.

The Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at Governmentcontractshub.Contact@gmail.com.

The Service may contain links to third-party government portals and external websites. This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party sites you visit.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or via a prominent notice in the Service at least 14 days before the changes take effect.

The updated policy will be effective as of the stated effective date. Your continued use of the Service after that date constitutes acceptance of the updated policy.

For privacy inquiries, data subject requests, or complaints:

For unresolved privacy complaints, Canadian residents may also contact the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec. UK residents may contact the Information Commissioner's Office.