Privacy Policy
Last updated: 20 April 2026
1. Who we are
Govpie is operated by Covalet Ltd, a company registered in England & Wales under company number 15869880. We are the data controller for personal data collected through govpie.com and related services.
Contact: [email protected]
2. What we collect and why
We only collect what we need to run the service. Here is every category of personal data we hold, why we hold it, and the lawful basis under UK GDPR.
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address | Sign in (one-time code), service-critical emails | Contract (UK GDPR Art. 6(1)(b)) |
| Company identifier (Companies House number, Charity Commission number, or trading name + trade + postcode for sole traders) | Match your business to relevant tenders | Contract |
| Website URL and/or capability description you submit | Automated enrichment: read public information about your business to pre-fill your profile | Contract |
| Digest email opt-in metadata (IP, user-agent, opt-in copy version, timestamp) | Evidence of consent for marketing/digest emails (PECR audit requirement) | Legal obligation (PECR) and legitimate interests |
| Product analytics (page views, feature events) via PostHog | Understand how the product is used, prioritise improvements | Consent (UK GDPR Art. 6(1)(a) + PECR) — only after you accept via the cookie banner |
| Email engagement events (opened, clicked, bounced, complained) | Maintain email deliverability and suppress bad addresses | Legitimate interests |
| Free-text feedback, tender ratings, capability notes you enter | Improve matching accuracy for you and the product overall | Contract |
We do not collect special-category data. Govpie is a B2B service and is not intended for anyone under 18.
3. What we do not do
- We do not sell personal data to anyone.
- We do not run advertising cookies or share data with ad networks.
- We do not profile individuals for automated decisions that produce legal effects.
4. Public-register data
Govpie reads from Companies House, the Charity Commission register, UK government procurement portals (Find a Tender, Contracts Finder), and publicly available web pages you point us to. This information is aggregated with the personal data above to produce eligibility matches and fit scores. Public-register data about businesses (companies, charities) is not personal data under UK GDPR; we only treat it as such where it relates to an identifiable sole trader.
5. Who processes your data for us
We use the following subprocessors. Each is bound by a data processing agreement and UK/EEA or adequacy-protected transfer mechanism.
- Supabase — database, authentication (EU region)
- Resend — transactional and digest email delivery
- PostHog — product analytics (EU-hosted, eu.posthog.com)
- UpCloud — VPS hosting for application servers (UK, London region)
- Anthropic — language-model analysis for tender fit breakdowns (prompts are processed, not used to train public models)
- Companies House API, Charity Commission API, Find a Tender, Contracts Finder — UK public-register lookups
Where a subprocessor is outside the UK/EEA, transfers are covered by the UK International Data Transfer Addendum or equivalent approved mechanism.
6. How long we keep data
- Account data: for as long as your account exists. Delete your account at /profile and all your personal data is removed within 30 days.
- Email consent audit records: retained for 3 years after unsubscribe, then deleted. This is the PECR audit trail we are required to keep.
- Product analytics (if you accepted): 12 months rolling.
- Backups: up to 30 days, then overwritten.
7. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data.
- Correct inaccurate data.
- Delete your data (right to erasure).
- Restrict or object to certain processing.
- Data portability for data you provided under contract or consent.
- Withdraw consent at any time, for processing based on consent.
Most requests are served by deleting your account at /profile. For anything else, email [email protected]. We respond within one calendar month.
8. Cookies and similar technologies
We use a single strictly-necessary cookie to keep you signed in (Supabase session). Analytics (PostHog) only runs after you accept the cookie banner. You can change your choice at any time by clearing your browser storage for this site.
9. Complaints
If you think we have mishandled your data, please tell us first at [email protected] so we can fix it. You also have the right to complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint.
10. Changes to this policy
If we make material changes we will update the date at the top and, where appropriate, notify you by email. The current version is always the one published on this page.