Skip to content

Privacy Policy

Last updated: 13 February 2026

1. Introduction

Gwinva Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use MyBidTeam.

Gwinva Ltd is the data controller for personal data processed through MyBidTeam. We are registered in England and Wales (Company No. 16854456) and registered with the Information Commissioner's Office (ICO Registration: ZC044445).

Registered Office: 12 East Close, Helston, TR13 8LG

2. Data We Collect

We collect the following types of data:

Account Information

  • Name and email address
  • Password (securely hashed)
  • Organisation name

Business Information (Your "Vault")

  • Company details and accreditations
  • Team member information
  • Case studies and past project details
  • Policies and certifications

Compliance Information

You may optionally provide compliance-related information to support your bid responses:

  • Insurance details (provider, policy number, cover amount, expiry date) for Public Liability, Employers' Liability, and Professional Indemnity insurance
  • Policy summaries (key commitments and review dates) for Health & Safety and GDPR/Data Protection policies

Important: We store this information to help generate compliant bid responses. We display expiry warnings as a convenience only. We are not your compliance advisor and you remain solely responsible for maintaining valid insurance and up-to-date policies. MyBidTeam does not verify, validate, or guarantee the accuracy of any compliance information you provide.

Tender and Bid Data

  • Tender documents you upload
  • Generated bid responses
  • Analysis and strategy reports

Technical Data

  • IP address and browser information
  • Device type and operating system
  • Usage data and interaction logs

3. How We Use Your Data

We use your data to:

  • Provide the MyBidTeam service, including generating bid responses
  • Store your business information in your Vault for future bids
  • Process payments
  • Send service-related communications
  • Improve our service and user experience
  • Comply with legal obligations

4. Legal Basis for Processing

We process your data on the following legal bases:

  • Contract: To provide the service you have purchased
  • Legitimate interests: To improve our service and prevent fraud
  • Legal obligation: To comply with applicable laws
  • Consent: For marketing communications (where applicable)

5. Data Sharing

We do not sell your data. We share data only with:

  • AI Service Providers: Tender content and vault data is processed by AI services (Anthropic Claude) to generate bid responses. This data is processed under strict data processing agreements.
  • Payment Processors: Stripe processes payment information. We do not store full card details.
  • Hosting Providers: Our infrastructure is hosted on secure cloud platforms (Vercel, Supabase).
  • Legal Requirements: We may disclose data if required by law or to protect our rights.

6. Data Retention

We retain your data as follows:

  • Account data: Until you close your account
  • Vault data: Until you delete it or close your account
  • Compliance data: Insurance and policy information is retained until you delete it or close your account. Snapshots of compliance data used in bid generation are retained with bid data.
  • Bid data: 7 years (for tax and legal compliance)
  • Technical logs: 90 days

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest
  • Secure authentication and access controls
  • Regular security assessments
  • Staff training on data protection

8. Your Rights

Under UK GDPR, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Restriction: Limit how we use your data
  • Portability: Receive your data in a portable format
  • Objection: Object to certain processing

To exercise these rights, contact us at hello@mybidteam.com. We will respond within one month.

9. International Transfers

Your data may be transferred to and processed in the following countries:

  • United States (Anthropic): AI content generation, covered by Standard Contractual Clauses
  • United States (Vercel): Application hosting, covered by UK-US Data Bridge
  • United States (Stripe): Payment processing, covered by Standard Contractual Clauses
  • European Union (Supabase): Database hosting, covered by UK adequacy decision

When we transfer data internationally, we ensure appropriate safeguards are in place to protect your data to the same standard required under UK GDPR.

10. Cookies

We use cookies to operate our service. For details, please see our Cookie Policy.

11. Automated Processing and AI

MyBidTeam uses artificial intelligence (specifically Anthropic's Claude) to generate draft bid responses. This AI-assisted process works by analysing:

  • Tender documents you upload
  • Business information stored in your Vault
  • Evaluation criteria extracted from tender specifications

Important: This AI processing is a tool to help you draft responses faster. It does not make binding decisions about you or your business. All generated content requires your review and approval before use, and you remain in full control of what you submit to buyers.

The AI uses pattern recognition in language models trained on publicly available text. It does not access external databases about your company or make judgments about your suitability for contracts. You can request human review of any AI-generated content by contacting us.

12. Sub-Processors

We use the following third-party processors to deliver our service:

ProviderPurposeLocation
AnthropicAI content generationUSA
StripePayment processingUSA
VercelApplication hostingUSA
SupabaseDatabase hosting & authenticationEU
ResendTransactional emailUSA

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours where required by law
  • Notify you directly without undue delay if the breach is likely to result in high risk to your rights
  • Document the breach and our response, including corrective actions taken

15. Contact and Complaints

If you have questions or concerns about this policy, contact us at:

Gwinva Ltd
12 East Close, Helston, TR13 8LG
Email: hello@mybidteam.com

Complaints Procedure

If you have a complaint about how we handle your data, please contact us first at hello@mybidteam.com. We aim to resolve all complaints within 28 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.