← Back

Privacy Policy

Last updated: 19 March 2026

Note: Subprocessors, retention periods, and international transfer mechanisms should be documented to match how you operate the Service. Have qualified counsel review.

1. Introduction

This Privacy Policy describes how SME PROCURE LTD (“we”, “us”, “our”) collects, uses, and shares personal information when you use SME Procure (the “Service”), including our websites, applications, and related features such as Smart Team, Smart Scope, and Smart Bid.

2. Who we are

Controller: SME PROCURE LTD, 220 Aztec West, Almondsbury, Bristol, England BS32 4SY.

Company number: 16982913 (England and Wales).

Privacy contact: privacy@sme-procure.com

SME PROCURE LTD is part of a corporate group. Our immediate parent company is RC Fornax PLC (company number 12795371). We may share personal information with other group companies where necessary for administration, security, or to provide the Service.

If we appoint a data protection officer, their contact details will be added here.

3. Information we collect

  • Account and authentication: Information from our identity provider (e.g. name, email address, user identifiers, session data) when you sign in or create an account.
  • Professional and profile data: Skills, experience, availability, certifications, role preferences, and other fields you or your organisation enter for associate, supplier, or team profiles.
  • Organisation data: Information about your employer or client organisation, invitations, and membership in workspaces.
  • Content you upload: CVs/resumes, requirement documents, project descriptions, and other files you submit to the Service.
  • Usage and technical data: IP address, browser type, device identifiers, timestamps, and diagnostic logs needed to operate and secure the Service.
  • Communications: Messages you send to us (for example support requests).

4. How we use information

We use personal information to:

  • Provide, maintain, and improve the Service;
  • Authenticate users and enforce access controls;
  • Enable procurement workflows, including building and evaluating teams, matching associates to opportunities where you have agreed or where the Service is designed to share profile data with customer organisations;
  • Process and store files you upload (such as CVs and requirement docs);
  • Detect, prevent, and address fraud, abuse, and security issues;
  • Comply with legal obligations and respond to lawful requests;
  • Communicate with you about the Service (including service-related notices), and where you have opted in, marketing [confirm scope with counsel].

5. Legal bases (EEA, UK, and similar)

Where GDPR or UK GDPR applies, we rely on:

  • Performance of a contract - to provide the Service you request;
  • Legitimate interests - for example securing the platform, improving features, and intra-organisation operations, where not overridden by your rights;
  • Consent - where we ask for it (e.g. certain cookies or optional communications);
  • Legal obligation - where the law requires processing.

6. Sharing of information

We may share personal information with:

  • Service providers who process data on our instructions to host, secure, and operate the Service (e.g. authentication, database, file storage). A current list of key subprocessors is published on our Subprocessors page.
  • Group companies, including RC Fornax PLC, where necessary for administration, security, or service delivery.
  • Customer organisations using SME Procure where necessary to provide features-for example, making associate or team profile information visible for discovery, evaluation, or project staffing when you or your organisation has chosen to participate.
  • Professional advisers where reasonably necessary.
  • Authorities when required by applicable law or to protect rights, safety, and security.

We do not sell your personal information as defined under applicable U.S. state privacy laws [confirm with counsel if you serve U.S. users].

7. International transfers

Your information may be processed in countries other than England and Wales. Where required, we use appropriate safeguards such as the UK International Data Transfer Agreement, Standard Contractual Clauses, or equivalent mechanisms, in line with UK GDPR and applicable law [document your actual transfers and tools].

8. Retention

We retain personal information only as long as necessary for the purposes described in this policy, unless a longer period is required by law. Retention depends on account status, contractual needs, and backup cycles [set specific periods internally and align this section].

Uploaded files (e.g. CVs, requirement documents) are retained according to the same principles and any organisation-specific rules enabled in the Service.

9. Security

We implement appropriate technical and organisational measures designed to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

10. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict, or object to certain processing, or to data portability, and to withdraw consent where processing is based on consent. You may lodge a complaint with a supervisory authority (in the UK, the Information Commissioner’s Office - ico.org.uk). To exercise your rights, contact us at privacy@sme-procure.com.

11. Children

The Service is not directed at individuals under 16. We do not knowingly collect personal information from children.

12. Changes

We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the “Last updated” date.