Privacy policy
How we collect, use and protect your personal information
1. About this Privacy Policy
JRC Software Pty Ltd ("JRC", "we", "us", "our") operates TenderAssist, an AI-powered tender response platform for Australian suppliers to government and commercial buyers. We are committed to protecting the privacy of individuals whose personal information we handle, in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This Privacy Policy explains how we collect, hold, use and disclose personal information when you visit the TenderAssist website, register for an account, use the TenderAssist service, or otherwise interact with us.
By using TenderAssist, you agree that we may collect, use and disclose your personal information in accordance with this Privacy Policy and our Terms of Service.
2. About JRC Software Pty Ltd
JRC Software Pty Ltd is an Australian company. TenderAssist is one of JRC's products. The entity responsible for managing personal information collected through TenderAssist is:
- JRC Software Pty Ltd
- ABN: 98 625 944 354
- Registered office: 27/120 Collins St Melbourne VIC 3000
- Contact: privacy@tenderassist.com.au
3. Personal information we collect
We collect personal information that is reasonably necessary for the functions and activities of TenderAssist. The categories of personal information we typically collect are set out below.
3.1 Account and profile information
When you register for a TenderAssist account or are invited to an existing customer's workspace, we collect:
- Full name
- Business email address
- Business phone number (optional)
- Role or job title
- The name, ABN, and business address of your employer or the organisation you represent
- Authentication credentials (handled by our authentication provider)
3.2 Tender content and organisational information
In the course of using TenderAssist to prepare tender responses, you may upload or enter information that includes personal information about:
- Your organisation's staff (names, qualifications, experience, CV content)
- Your organisation's directors, shareholders or beneficial owners
- Past customer references or case study participants
- Subcontractors or partner organisations
We treat this content as confidential to the customer organisation and handle it in accordance with Part 7 (Customer Content) of our Terms of Service.
3.3 Integration data
If you authorise TenderAssist to connect to a third-party platform such as VendorPanel, we receive data from that platform on your behalf, which may include:
- Your supplier profile (business attributes, categories, regions of service)
- Tender invitations addressed to your organisation
- Tender documents, attachments and associated metadata
- Draft response content you have previously entered into the third-party platform
- Submission status and outcomes where available
Our access to third-party platforms is limited to the scopes you authorise at the time of connection and is revocable by you at any time.
3.4 Usage and technical data
When you use TenderAssist, we automatically collect:
- IP address and approximate location derived from it
- Device type, operating system and browser
- Pages and features accessed, and time spent on them
- Search queries and prompts submitted to the service
- Errors and diagnostic information
3.5 Payment information
Subscription payments are processed by our payment provider. We do not store full credit card or bank account numbers. We receive and retain:
- Transaction references
- Masked card details (last four digits, brand, expiry)
- Billing name and address
- Invoice and tax information
3.6 Marketing and communications
If you subscribe to marketing communications or contact us through our website, we collect the contact details and message content you provide. Marketing communications are sent in accordance with the Spam Act 2003 (Cth) and always include an unsubscribe mechanism.
4. How we collect personal information
We collect personal information:
- Directly from you when you register, use TenderAssist, contact us, or complete forms
- Automatically when you interact with the service (usage and technical data)
- From third-party platforms you have authorised at the scopes you approve
- From publicly available sources, such as the Supplier Portal, AusTender, ASIC, or ABR searches, where relevant to tender preparation
- From your colleagues, where they invite you to a workspace or refer you to us
Where it is unreasonable or impracticable to collect personal information directly from the individual (for example, where your colleagues provide a staff profile for a tender response), we take reasonable steps to notify the relevant individual of our collection and this Privacy Policy.
5. Why we collect, hold, use and disclose personal information
We use personal information for the following purposes:
- To provide, operate and maintain the TenderAssist service
- To draft, edit, and export tender response documents using our AI tools
- To connect to authorised third-party platforms and synchronise relevant data
- To authenticate users and secure accounts
- To process subscription payments and manage billing
- To provide customer support
- To improve the service, including improving prompts, drafting quality, and feature design, in accordance with Part 7 (Customer Content) of our Terms of Service
- To send transactional communications about your account and the service
- To send marketing communications where you have opted in, with a clear unsubscribe mechanism on every message
- To comply with our legal, regulatory and audit obligations
- To detect, prevent and respond to fraud, misuse and security incidents
6. Disclosure to third parties
We disclose personal information to third parties only where it is necessary for the purposes set out in this Privacy Policy, where required or authorised by law, or with your consent.
6.1 Subprocessors and service providers
We use a number of trusted service providers to operate TenderAssist. These providers handle personal information under contractual obligations that require them to protect personal information and to use it only for the purposes we specify. Our current subprocessors include:
- Amazon Web Services (cloud infrastructure, ap-southeast-2 / Sydney region)
- Anthropic, PBC (AI model provider for the Claude API used in drafting)
- Our authentication provider (user identity and session management)
- Our payment provider (subscription payment processing)
- Our email delivery provider (transactional and optional marketing email)
- Our error-monitoring and observability providers (service reliability)
An up-to-date list of subprocessors is available on request at privacy@tenderassist.com.au.
6.2 Integration partners
Where you authorise TenderAssist to connect to a third-party platform, we exchange the data necessary to provide the integration. Data sent to a third-party platform is handled by that platform in accordance with its own privacy policy and terms. You should review those documents separately.
6.3 Professional advisers, auditors and acquirers
We may disclose personal information to our professional advisers (such as lawyers, accountants, and insurers) under obligations of confidentiality, to auditors engaged to review our compliance, or to a prospective purchaser or investor in connection with a corporate transaction (in which case the recipient will be bound by equivalent confidentiality and privacy obligations).
6.4 Legal and regulatory disclosures
We may disclose personal information where we are required or authorised to do so by law, including in response to a court order, subpoena, regulatory investigation, or other lawful request by an Australian or overseas authority.
7. Cross-border disclosure
TenderAssist's primary data storage infrastructure is located in Australia (Amazon Web Services ap-southeast-2, Sydney region). However, some of our service providers are located outside Australia or may process data outside Australia:
- Anthropic, PBC (United States) processes prompts and returns AI-generated responses as part of the drafting engine
- JRC Software's development and support team in Sri Lanka may access the service for engineering, support and incident response purposes, under contractual confidentiality obligations and access controls
- Other service providers may process data in the United States, United Kingdom, European Union or elsewhere
Before disclosing personal information overseas we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles, including by entering into written agreements that impose obligations consistent with the APPs.
8. Automated decision-making
Transparency on AI-assisted processes
TenderAssist uses artificial intelligence (specifically the Anthropic Claude large language model) to assist you in drafting tender responses. This disclosure is provided in accordance with the Australian Privacy Act 1988 (Cth) and the anticipated Privacy and Other Legislation Amendment Act reforms (expected to come into effect in late 2026), which will require regulated entities to be transparent about substantially automated decisions that affect individuals. We are adopting this disclosure proactively.
8.1 Decisions that may involve automation
TenderAssist uses automated processes for the following activities:
- Parsing tender documents and extracting evaluation criteria
- Matching tender requirements to your organisation's content library
- Scoring draft responses against extracted evaluation criteria
- Prioritising tender opportunities in your dashboard
- Generating draft response text for your review
8.2 Categories of personal information used
The personal information used in these automated processes is limited to the content you provide (such as staff profiles, CVs, capability statements, past-project descriptions) and the tender content received from integrated platforms.
8.3 Human review
Final decisions about whether to submit a tender response, and the content submitted, are always made by you. TenderAssist drafts and recommendations are intended as a starting point for human review. You can request additional information about how an automated process affected an output that relates to you, and you can request that an output be reviewed by a human member of our team, by contacting privacy@tenderassist.com.au.
9. Security of personal information
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure. Our security measures include:
- Encryption of data in transit using Transport Layer Security (TLS)
- Encryption of data at rest using AES-256 with keys managed in AWS KMS
- Role-based access controls and multi-factor authentication for staff and administrator accounts
- Tenant isolation: your data is logically separated from other customers' data
- Per-tenant data residency pinning for Australian customers (AWS ap-southeast-2)
- Regular vulnerability scanning, penetration testing and secure development practices
- Immutable audit logs of access to personal information
- Incident response procedures aligned with the Notifiable Data Breaches scheme
In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme.
10. Retention of personal information
We retain personal information only for as long as is necessary for the purposes set out in this Privacy Policy, or as required by law. Indicative retention periods:
- Account and profile information: retained while your account is active, plus 12 months after closure (unless you request earlier deletion)
- Tender content and organisational information: retained while your account is active and for 12 months after closure, subject to legal holds
- Billing and financial records: retained for seven (7) years in accordance with Australian tax law
- Audit logs of access to integrated platforms (such as VendorPanel): retained for seven (7) years to align with Commonwealth procurement audit expectations
- Usage and technical data: retained for up to 24 months for service improvement and security
Where personal information is no longer needed, we take reasonable steps to destroy or de-identify it.
11. Your rights
11.1 Access
You have the right to request access to the personal information we hold about you. We will respond to access requests within a reasonable period (usually within 30 days) and will provide the information unless an exception under the Privacy Act applies.
11.2 Correction
You have the right to request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading. Where we agree that correction is required, we will make the correction promptly and without charge.
11.3 Deletion and account closure
You can close your account at any time. On closure we will delete or de-identify personal information within the retention periods set out in section 10, subject to our legal obligations to retain certain records.
11.4 Complaints
If you believe we have handled your personal information in a way that does not comply with the Privacy Act or this Privacy Policy, you can make a complaint by emailing privacy@tenderassist.com.au. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
If you are not satisfied with our response, you can refer your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
13. Children's privacy
TenderAssist is a business-to-business service intended for users aged 18 or over. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take reasonable steps to delete it.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The current version will always be available at tenderassist.com.au/privacy. Where changes are material, we will notify you by email (to the address associated with your account) or by prominent notice within the service at least 30 days before the change takes effect.
15. Contact us
If you have questions, concerns, or requests about this Privacy Policy or our handling of personal information, please contact:
- Email: privacy@tenderassist.com.au