ProofWorks Limited
Privacy Policy
Last updated: 4 May 2026
This policy explains how ProofWorks Limited (“we”, “us”, “ProofWorks”) handles personal data when you visit bidengine.co, sign up for a free trial, or use the BidEngine platform.
We are the data controller for personal data we collect about visitors to our website and people who register for our services. For data you upload into BidEngine as part of running your bid pipeline (your evidence library, tender questions, draft answers), your organisation is the data controller and we act as a data processor on your behalf. See “BidEngine platform data” below.
1. Who we are
ProofWorks Limited, a company registered in England and Wales (company number 16940700), with registered office at 63 Archer Drive, Derby, DE3 0FS.
For data protection enquiries, contact us at privacy@bidengine.co.
2. What personal data we collect
We collect personal data in three contexts:
Website visitors
- Standard server logs (IP address, browser type, referring URL, pages viewed)
- Cookies and similar technologies for essential site function and basic analytics
Free trial signups, account holders, and prospects we contact
- Name, work email address, company name, job title
- Authentication identifiers managed by Clerk (our identity provider)
- Billing details handled by Stripe (we do not store payment card numbers)
- Communications you send us
- For prospects: business contact details obtained from publicly available B2B sources for the purpose of business outreach
BidEngine platform data
When your organisation uses BidEngine, you upload material to populate your evidence library and tender responses. This may include personal data such as named contacts, project staff, signatories on case studies, and quotations attributed to individuals. We process this data only on your instructions, in accordance with the Data Processing Agreement that forms part of your service contract.
3. How we use your personal data and our lawful basis
| Purpose | Lawful basis |
|---|---|
| Providing the BidEngine service to your organisation | Performance of contract |
| Authenticating and securing your account | Performance of contract; legitimate interests (security) |
| Processing payments via Stripe | Performance of contract; legal obligation (financial records) |
| Sending service messages (e.g. trial expiry, security alerts) | Performance of contract; legitimate interests |
| Marketing emails to existing customers about related services | Legitimate interests (soft opt-in under PECR), with opt-out in every message |
| B2B outreach to prospects whose details we obtain from public business sources | Legitimate interests (we have completed a Legitimate Interests Assessment); recipients can opt out at any time |
| Responding to your enquiries and complaints | Legitimate interests; legal obligation |
| Improving the platform, including aggregated and anonymised usage analytics | Legitimate interests |
| Complying with legal, regulatory, and accounting obligations | Legal obligation |
4. AI processing
BidEngine uses large language models from established AI providers to generate, score, and improve tender responses. When your team writes a question or runs a scoring pass, the relevant content is sent to the provider solely to produce the response shown to you. We do not use customer data to train any AI model, and our agreements with these providers prohibit them from training on your data either. Each customer’s evidence library is logically isolated; data from one customer is never used in another customer’s drafts. The specific providers and contractual terms are listed in our sub-processor disclosure, and a detailed named list is available to customers and qualified prospects on request.
5. Who we share your personal data with
We share personal data only with the sub-processors listed at bidengine.co/sub-processors. We do not sell personal data and we do not share it with any party outside that list except where compelled by law.
6. International transfers
Some of our sub-processors are based outside the UK, including in the United States. Where personal data is transferred outside the UK, we rely on the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate technical and organisational safeguards.
The full list of sub-processors and their data residency is published at bidengine.co/sub-processors.
7. How long we keep your data
- Account data: for as long as your account is active. After cancellation, we delete or anonymise within 90 days, except where we are required to retain records for legal or accounting purposes (typically 6 years for invoice records).
- BidEngine platform data: retained for the term of your contract. On termination, we delete within 30 days unless you request earlier deletion or instruct us to extend retention.
- Marketing prospects: we hold details for outreach for up to 12 months, then refresh or delete. If you opt out, we keep the minimum data needed to honour your opt-out.
- Server logs: 90 days.
8. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased (subject to lawful retention requirements)
- Restrict or object to certain processing
- Receive your data in a portable format
- Withdraw consent at any time, where consent is the lawful basis
To exercise any of these rights, email privacy@bidengine.co. We will respond within one month.
9. Complaints
If you are unhappy with how we handle your personal data, please contact us first so we can try to resolve it. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.
10. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. Material changes will be notified to active customers by email.
11. Cookies
We use a small number of cookies that are strictly necessary for authentication and site security, plus basic analytics to understand which pages are read. We do not use advertising cookies or third-party tracking pixels.