Privacy Policy for BidSonar
Last Updated: 18/05/2026
This policy explains what data BidSonar (operated by Hypership Ltd) collects, why, who it's shared with, and what you can do about it. It is written in plain English and covers our obligations under UK GDPR and the Data Protection Act 2018.
1. Who we are
BidSonar is operated by Hypership Ltd, a company registered in Northern Ireland (company number NI736697) with its registered office at Aisling House, 50 Stranmillis Embankment, Belfast, BT9 5FL, United Kingdom. Hypership Ltd is the data controller for personal data collected through BidSonar. You can reach us at human@hypership.tech.
2. What we collect
Account data
- Email address — provided when you sign up via our authentication provider (Clerk).
- Session metadata — managed by Clerk, used to keep you signed in.
Profile data
- Business description — the text you provide during onboarding so we can match opportunities to your business.
- Onboarding conversation — the chat transcript from the onboarding flow, retained so we can refine your profile later.
- Extracted attributes — industries, locations, and capabilities our AI infers from your description.
- Embedding vector — a numerical representation of your business description used for similarity matching. It is not human-readable.
- Match history — which opportunities have been matched to you, their scores, and whether you've viewed them.
- Notification preferences — frequency (instant, daily, weekly) and on/off toggle.
Technical data
- Server logs — IP address, browser type, timestamps, and pages visited, collected automatically by our hosting provider (Vercel) for security and operational purposes.
- sonar_consent cookie — records your analytics consent decision. See our Cookie Policy.
- Analytics — only if you accept the analytics cookie. Vercel Web Analytics provides aggregate, anonymised traffic metrics. No advertising trackers, no cross-site fingerprinting.
3. How we use your data
- Provide the service — match public-sector opportunities to your business profile.
- Send the digest — if you've enabled email notifications, send instant, daily, or weekly digests.
- Operate the platform — security, fraud prevention, debugging, performance monitoring.
- Improve the product — aggregate analytics on how the site is used. Personal data is not used to train any AI model.
4. Legal basis
- Contract — providing the matching service you signed up for.
- Legitimate interest — operating the platform safely and securely; understanding aggregate usage to improve the product.
- Consent — analytics cookies; marketing communications if we ever introduce them (we currently do not).
5. Who we share data with
We do not sell personal data. We share only with the service providers needed to run the platform:
- Clerk (authentication) — your email and session metadata.
- Vercel (hosting + analytics) — server logs; aggregate analytics only with consent.
- Supabase (database) — your profile and match history, encrypted at rest.
- OpenAI (embeddings) — your business description is sent to compute the embedding vector. OpenAI does not use API data for model training under their default terms.
- Anthropic (matching and classification) — onboarding conversations and opportunity text are sent for AI processing. Anthropic does not use API data for model training under their default terms.
- Resend (transactional email) — your email address and digest content if you've opted in.
Some of these processors are based in the United States. International transfers are covered by Standard Contractual Clauses or equivalent safeguards as required by UK GDPR.
6. Retention
We keep your data for as long as your account is active. When you delete your account (see Section 8), all profile data, match history, and onboarding conversations are removed immediately from the live database.
Database backups (point-in-time recovery) are retained by our hosting provider for up to 7 days, after which deleted rows are purged in the normal rotation.
Server logs are retained by Vercel according to their standard log retention (typically 1–3 days for hobby/pro plans).
7. Security
We use industry-standard measures: encrypted transport (HTTPS), encrypted database at rest, row-level security on all user-scoped tables, scoped API tokens, and authentication via a dedicated provider rather than custom credential handling. No security is perfect; we will notify affected users and the ICO within 72 hours of becoming aware of a personal data breach.
8. Your rights
You have the following rights, exercisable from Settings or by email:
- Access — see what we hold. Settings → "Download your data" produces a JSON export.
- Rectification — correct inaccurate data via Settings, or contact us if it's something the UI doesn't cover.
- Erasure — delete your account immediately via Settings → "Delete account".
- Portability — the same JSON export above is a portable copy.
- Restriction and objection — limit how we process your data, or object to processing based on legitimate interests. Email us.
- Withdraw consent — clear the sonar_consent cookie to switch off analytics; uncheck email notifications in Settings.
- Complain — to the Information Commissioner's Office (the UK supervisory authority) or your local data protection authority.
9. Children
BidSonar is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Updates to this policy
We may revise this policy as the product changes. The "Last Updated" date at the top reflects the most recent revision. Material changes will be highlighted on the site or notified by email where appropriate.
11. Contact
Data controller: Hypership Ltd, Aisling House, 50 Stranmillis Embankment, Belfast, BT9 5FL, United Kingdom. Company number NI736697. Email human@hypership.tech.