Data Protection

Introduction

Strategic Sourcing Consult Limited is committed to protecting the personal, business, procurement, supplier, organization, financier, contract, payment, and platform data entrusted to us.

This Data Protection Policy explains how we safeguard data across our website, procurement platform, advisory services, tender workflows, supplier onboarding, organization workspaces, subscriptions, reporting, payments, finance requests, and related services.

Our goal is to support transparent, secure, and responsible digital procurement while respecting privacy, confidentiality, and applicable data protection requirements.

Scope Of This Policy

This policy applies to data processed through:

Our public website
User accounts and dashboards
Supplier profiles
Organization profiles
Financier profiles
Tender publishing workflows
Bid submission workflows
Evaluation, award, and contract workflows
Payment and invoice workflows
Finance request workflows
Subscription and billing features
Messaging and notification systems
Reports and analytics
Document uploads and storage
Support, consulting, and administrative services

It applies to website visitors, registered users, suppliers, organizations, financiers, administrators, team members, evaluators, reviewers, approvers, consultants, and authorized representatives.

Data We Protect

We protect data including but not limited to:

Personal identification information
Account login and access information
Contact details
Supplier registration and compliance records
Organization profile and procurement records
Director and ownership information
Tender documents
Bid submissions and bid attachments
Technical and financial proposals
Evaluation records
Award and contract records
Invoices, receipts, and payment records
Finance request records
Subscription and billing records
Uploaded files and supporting documents
Audit logs and activity records
Messaging and notification records
Reports and analytics generated through the platform

Data Protection Principles

We process data lawfully, fairly, and transparently for legitimate business, procurement, platform, legal, contractual, security, or user-requested purposes.

We use data only for the purposes for which it was collected, including account management, procurement workflows, document review, compliance, reporting, billing, support, security, and service improvement.

We aim to collect only the data necessary to provide services, comply with obligations, manage procurement workflows, and protect the platform.

Users are expected to provide accurate and up-to-date information. Where information changes, users should update their profiles, documents, and records promptly.

We retain data only as long as necessary for platform services, legal obligations, procurement audit trails, dispute resolution, security monitoring, accounting, and compliance purposes.

We use reasonable technical and organizational measures to protect data against unauthorized access, alteration, loss, misuse, disclosure, or destruction.

Role-Based Access Control

The platform uses role-based access to help ensure users access only the data required for their role.

Access may be controlled by user role, account type, subscription plan, team permissions, department assignment, tender ownership, bid participation, verification status, and administrative approval.

Users must not attempt to access data, accounts, documents, workflows, or systems that they are not authorized to use.

Supplier
Organization
Financier
Admin
Team member
Evaluator
Reviewer
Approver
Read-only user
Approval-only user

Supplier Data Protection

Supplier data may include company profiles, directors, compliance documents, bids, pricing, contracts, invoices, payment requests, and finance records.

We protect supplier data by limiting access to authorized supplier users and relevant platform workflows, restricting bid information to the supplier, relevant organization, evaluators, and authorized administrators, supporting document review statuses, maintaining records of submissions and approvals, and applying upload restrictions and storage controls.

Suppliers are responsible for ensuring uploaded documents are valid, accurate, lawful, and current.

Organization Data Protection

Organization data may include procurement teams, tender drafts, published tenders, evaluation records, awards, contracts, invoices, payment approvals, reports, and internal workflow records.

We protect organization data by restricting access to authorized organization users and assigned team members, supporting workflow permissions for drafting, reviewing, approving, and publishing, maintaining audit records, protecting confidential procurement and evaluation information, and limiting public visibility to information approved for publication.

Organizations remain responsible for their procurement decisions, access assignments, and compliance with applicable laws and internal policies.

Tender And Bid Data Protection

Tender and bid data can be sensitive and commercially confidential.

We apply safeguards so tender drafts remain restricted until published or approved, suppliers can access their own bid submissions and version history, organizations can access bids submitted to their tenders, evaluators access only assigned evaluation records, bid withdrawals and version changes are recorded, and public users only see public tender or award information.

Users must treat bid prices, technical proposals, financial proposals, evaluations, and award decisions as confidential unless officially published.

Document Upload Protection

Documents uploaded to the platform may include sensitive business, legal, financial, or procurement information.

To protect uploaded files, we may apply file type restrictions, file size limits, secure storage paths, access authorization checks, download permission checks, review and approval workflows, version tracking where applicable, malware or virus scanning where available, and activity logging.

Users must not upload harmful files, unauthorized documents, forged documents, or documents that violate another party's rights.

Payment, Billing, And Finance Data Protection

Payment and finance data may include invoices, receipts, transaction references, finance requests, repayments, approvals, disbursements, and billing records.

We protect this data by restricting access to authorized users and relevant workflow participants, using transaction references and billing records for reconciliation, limiting exposure of sensitive payment information, supporting audit trails for approvals and corrections, and working with payment or financial service providers where necessary.

We do not intentionally store full card details unless handled through a secure and compliant payment provider.

Data Sharing Controls

We share data only where necessary to provide the platform, support procurement workflows, meet legal obligations, or respond to authorized requests.

Data may be shared with authorized account users, supplier teams, organization procurement teams, assigned evaluators or approvers, financiers involved in finance requests, platform administrators, payment and billing providers, hosting, email, storage, security, analytics, or technical service providers, legal and professional advisers, and government or regulatory authorities where required.

We do not sell personal data.

Publicly Visible Data

Some data may become public where users choose to publish it or where platform workflows require publication.

This may include public tender notices, tender deadlines, tender summaries, procuring organization names, public organization profiles, public supplier profiles where enabled, public award notices, and public archive information.

Users should not submit confidential information into public fields.

Security Measures

We use reasonable technical and organizational security measures, which may include password-protected accounts, authentication middleware, role and permission checks, secure file validation, server-side validation, session controls, activity logging, audit trails, backup practices, access restrictions, error monitoring, rate limiting where applicable, file access authorization, and administrative review workflows.

Security is a shared responsibility. Users must protect their passwords, devices, email accounts, and access permissions.

Data Retention

We retain data for as long as necessary to provide services, maintain procurement records, support audit trails, meet tax, accounting, legal, regulatory, and contractual obligations, resolve disputes, investigate misuse or security incidents, enforce terms and policies, and support reporting and analytics.

Certain procurement records, including tender, bid, award, contract, payment, finance, and compliance records, may be retained after account closure where necessary.

Data Subject Rights

Depending on applicable law, individuals may request to:

Access their personal data
Correct inaccurate data
Update account information
Request deletion of certain data
Restrict certain processing
Object to certain processing
Request portability of certain data
Withdraw consent where applicable

Some requests may be limited where data must be retained for procurement, legal, audit, contractual, compliance, dispute resolution, or security reasons.

Data Breach Response

If we become aware of a data breach or security incident affecting protected data, we will take reasonable steps to investigate the incident, contain and reduce potential harm, restore affected systems where needed, assess the type and sensitivity of affected data, notify affected users or authorities where required by law, and improve safeguards to reduce future risk.

Users should report suspected unauthorized access, suspicious activity, or compromised accounts immediately.

User Responsibilities

Users are responsible for:

Keeping login credentials confidential
Using strong passwords
Logging out from shared devices
Assigning team permissions carefully
Uploading accurate and lawful documents
Avoiding public upload of confidential information
Reporting unauthorized access
Updating expired or incorrect documents
Ensuring their organization complies with applicable data protection and procurement laws

Third-Party Processors

We may use third-party service providers for hosting, email delivery, storage, analytics, payment processing, security monitoring, communication tools, maps, and support.

Where third parties process data on our behalf, we aim to work with providers that apply appropriate security and confidentiality measures.

Third-party services may also have their own terms and privacy policies.

Cross-Border Data Processing

Because the platform may serve users across Africa and beyond, data may be accessed, stored, or processed using infrastructure or service providers located in different jurisdictions.

Where cross-border processing is required, we aim to apply reasonable safeguards consistent with applicable legal requirements.

Training And Governance

We promote responsible data handling through:

Internal access controls
Administrative review practices
Document approval workflows
Security-focused development practices
User permissions
Audit records
Policy updates
Staff and administrator awareness

Changes To This Data Protection Policy

We may update this Data Protection Policy from time to time to reflect changes in law, technology, platform features, business operations, or security practices.

When updates are made, we may notify users through the website, platform, email, or account notices.

Contact Us

For questions about this Data Protection Policy or data protection requests, contact Strategic Sourcing Consult Limited at Plot 2702, Block 244, Nyangweso Road, Muyenga, Kampala, Uganda.

Email: [email protected]

Phone: +256 759 000 847 or +256 752 432 111

Designed for secure digital procurement, controlled access, and responsible information handling.