Privacy Policy

How we handle your information.

Last updated: 18 April 2026

1. Who we are

10der (“we”, “us”, “the Platform”) operates a tender-management platform for South African institutions and contractors, accessible at https://10der.co.za. We are the responsible party under the Protection of Personal Information Act, 2013 (POPIA) for the personal information we process in the course of delivering our services.

2. What we collect

From institutions (typically procurement officers, CFOs, and IT directors): name, work email, employer name, role, and any information you enter when publishing a tender (including the content of tender documents you upload).

From contractors: name, company name, company registration number, contact details, the contents of compliance documents you upload to your document vault (including CIPC certificates, B-BBEE certificates, tax clearance letters, bank statements, director IDs, and similar), and the applications you submit on tenders.

From visitors to the Platform who request a demo: name, work email, organisation, role, the volume of tenders you publish, and any free-text notes you include.

We do not collect browsing analytics (no tracking pixels, no Google Analytics, no ad-tech), nor do we embed third-party tracking scripts in the Platform.

3. Why we collect it

We process your personal information only to deliver the Platform. Specifically:

  • To create and maintain your user account.
  • To verify contractor compliance documents against the tender's requirements (AI analysis).
  • To rank contractor applications according to the institution's published evaluation criteria (PPPFA or custom).
  • To process tender-related payments via PayFast, our payment provider.
  • To communicate with you about your use of the Platform (including notifications of tender deadlines, application updates, and administrative messages).

The lawful basis for each of these processing purposes is one or more of (a) your consent, given at account registration; (b) performance of our contract with you; or (c) our legitimate interest in operating the Platform securely and effectively.

4. Where and how we store it

All Platform data is stored in Google Cloud Platform, in the europe-west4 region (Eemshaven, Netherlands). This includes Firestore, Firebase Storage, and Firebase Auth records. We chose a European region because the Google Cloud Africa-South region does not yet support the Firebase products we rely on; we intend to migrate when it does.

Encryption: all data is encrypted in transit (TLS 1.3) and at rest (Google Cloud default encryption — AES-256 with Google-managed keys).

Access controls: a user's data is accessible only to themselves, the institution they interact with (where relevant to a tender), and a small number of 10der platform administrators for support and operational purposes. Every access decision is enforced server-side by Firebase Security Rules and API route guards.

5. Who we share it with (sub-processors)

We use the following sub-processors to deliver the Platform. Each is bound by its own privacy and data-protection terms:

  • Google Cloud Platform (Alphabet Inc.): Hosting, authentication, database, storage. Data-processing addendum executed by default through GCP terms.
  • Anthropic PBC: AI analysis of tender documents and contractor compliance documents. Data-processing addendum signed (see §6).
  • PayFast (Pty) Ltd: Payment processing for contractor application fees. South African PCI-compliant payment gateway.
  • domains.co.za: DNS hosting and email relay for the 10der.co.za domain.

We do not sell your personal information. We do not share it with any other third party except where required by law or with your explicit consent.

6. Cross-border data transfer

Because our hosting is in the European Union and Anthropic operates from the United States, some of your personal information will be processed outside of South Africa. This transfer is lawful under POPIA §72 because (a) it is necessary for performance of the contract between you and us, and (b) our sub-processors are subject to contractual data-protection obligations that provide an adequate level of protection.

Institutional customers sign a separate Data Processing Agreement with us that names these sub-processors and covers their specific processing purposes.

7. How long we keep it

  • Active account data (user records, tenders, applications) is retained for as long as your account is active.
  • On account closure, we delete your personal information within 30 days, with narrow exceptions where we are required to retain records for legal, accounting, or audit purposes (in which case we retain only the minimum required data, for the minimum required period).
  • Tender documents uploaded by institutions are retained with the tender record and deleted when the tender record is deleted.
  • Demo booking requests are retained for 12 months after initial contact unless the requester becomes a customer (in which case their data transitions to the active-account retention above).
  • System logs (containing no submitter PII) are retained for 30 days (Google Cloud Logging default).

8. Your rights under POPIA

You have the right to:

  • Know what personal information we hold about you, and request a copy of it.
  • Correct any inaccurate information.
  • Request deletion of your information, subject to our legal retention obligations.
  • Object to specific processing activities.
  • Withdraw your consent where processing is consent-based.
  • Lodge a complaint with the Information Regulator (South Africa) if you believe we have handled your information unlawfully.

To exercise any of these rights, email privacy@10der.co.za with a description of your request. We will respond within 30 days.

9. Security incidents

If we become aware of a breach that is reasonably likely to result in harm to you, we will notify you as soon as practicable — and in any case within 72 hours of becoming aware, as required by POPIA §22. We will also notify the Information Regulator within the same window for breaches that meet the statutory threshold.

To report a suspected security issue with the Platform, email security@10der.co.za.

10. Our Information Officer

Our Information Officer is responsible for compliance with POPIA. You can reach them at privacy@10der.co.za.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified via email to active users at least 14 days before they take effect. The date at the top of this page indicates when the current version was published.

12. Contact

For general questions about this policy, email hello@10der.co.za. For privacy-specific questions or to exercise your rights under POPIA, email privacy@10der.co.za.

This is a first-draft policy published while the product is in early-customer stage. We are engaging a South African privacy lawyer to review before we begin onboarding at scale. The most recent reviewed version will always be the one at this URL.