Legal

Privacy Policy

We built Bidnexis for African businesses. Your data belongs to you — here is exactly how we handle it, in plain terms.

Last updated: March 2025
Effective: 1 March 2025
Jurisdiction: Republic of Kenya
A note before we start: Most privacy policies are written by lawyers, for lawyers. We wrote this one for you — the procurement officer checking tenders at 8 p.m., the supplier uploading documents, the administrator managing a team account. We will tell you what we collect, why we collect it, and what we will never do with it.
01

Who We Are

Bidnexis is a procurement intelligence platform serving Republic of Kenya and the broader African market. We help businesses discover, track, and bid on public and private tenders. When this policy says "Bidnexis," "we," "us," or "our," it means the company operating this platform.

We are the data controller for all personal information collected through this website and our associated services.

02

What Information We Collect

We only ask for what we actually need. Here is what that looks like in practice:

  • Account details — your name, email address, phone number, and the password you create (we store a hashed version, never the actual text).
  • Business profile — company name, registration number, sector, country of operation, and any documents you upload as part of supplier qualification or bid preparation.
  • Subscription and payment data — your chosen plan, billing cycle, and payment confirmation records. We do not store raw card numbers; payments are processed by Flutterwave and M-Pesa, which have their own compliance frameworks.
  • Platform activity — tenders you view, save, or bid on; searches you run; documents your team generates through our AI tools.
  • Technical data — IP address, browser type, device information, and usage timestamps. This helps us diagnose problems and secure the platform.
Uploaded documents: When you upload compliance documents for verification, those files are processed by our AI and then deleted from temporary storage. We retain only the verification outcome (pass/fail/confidence level) linked to your account — not the document itself.
03

How We Use Your Data

Everything we do with your information has a specific purpose:

  • To create and manage your account and keep it secure.
  • To show you tenders relevant to your country, sector, and saved preferences.
  • To power our AI features — bid suggestions, document checks, tender summaries — using the data you provide in real time. We do not train AI models on your private documents.
  • To send you tender alerts and notifications you have opted into.
  • To process subscription payments and issue receipts.
  • To respond when you contact our support team.
  • To maintain platform security and investigate misuse.
  • To improve the platform based on aggregated, anonymised usage patterns.
About our AI tools (VERA): VERA, our bid intelligence assistant, processes tender documents and your draft responses to generate suggestions. This processing happens in real time — your content is sent to an AI API (currently Google Gemini) and the response is returned to you. We do not store your AI conversations in a way that links them to your identity beyond basic session logging for security purposes.
04

Who Sees Your Data

We do not sell your personal information. Full stop. We share it only in these limited situations:

  • Service providers — companies that help us run the platform: our cloud hosting provider, email delivery service (for alerts and verification emails), and payment processors. All are bound by data processing agreements.
  • AI processing — content you submit to VERA is processed through the Google Gemini API. Google processes this data under their own API terms. We recommend not submitting genuinely confidential proprietary information through AI tools on any platform.
  • Legal requirements — if a Kenyan court or regulatory authority compels disclosure, we will comply and notify you where legally permitted to do so.
  • Business transfer — if Bidnexis is acquired or merged, user data would transfer to the new entity under equivalent privacy protections.

We do not share your information with advertisers, data brokers, or any third party for commercial profiling.

05

How Long We Keep It

We keep your account data for as long as your account exists, plus a 90-day grace period after deletion (in case of an accidental deletion request). Payment records are kept for 7 years as required by Kenyan tax regulations. Technical logs are purged after 12 months.

If you ask us to delete your account, we will remove all personal data within 30 days, except where retention is legally required.

06

Your Rights

Under Kenya's Data Protection Act, 2019, you have the following rights:

Access

Request a copy of all personal data we hold about you.

Correction

Ask us to fix inaccurate or outdated information.

Deletion

Request that we erase your personal data ("right to be forgotten").

Objection

Object to certain types of processing, including marketing emails.

Portability

Receive your data in a structured, machine-readable format.

Restriction

Request that we limit how we use your data while a dispute is resolved.

To exercise any of these rights, email us at [email protected]. We will respond within 14 working days.

07

Security Measures

We take reasonable steps to protect your data: HTTPS encryption on all pages, hashed password storage, rate limiting on login attempts, and session-based access controls. Administrative access to the database requires multi-factor authentication.

No system is perfectly secure, and we cannot guarantee that a breach will never occur. If one does, we will notify affected users within the timeframe required by law and take immediate steps to contain it.

08

Cookies

We use cookies to keep you logged in, remember your preferences, and understand how the platform is being used. We do not use cookies to track you across other websites or serve you ads elsewhere on the internet.

For a detailed breakdown of every cookie we set and why, read our Cookie Policy.

09

Changes to This Policy

When we update this policy in a meaningful way — adding a new data type, changing a sharing arrangement — we will send an email notification to all registered users at least 14 days before the change takes effect. Minor clarifications or formatting updates will be noted with a revised date at the top.

If you disagree with a change, you may delete your account before it takes effect.

Have a question about your data?

Our team is based in Nairobi. If something in this policy is unclear or you need to make a data request, reach out directly — a real person will respond.

Chat with VERA