Legal
Privacy Policy
Version 2.0Effective 14 June 2026 · Last updated 14 June 2026
Data controller
DFBL LimitedThe Tara Building, 11–15 Tara Street
Dublin 2, D02 RY83, Ireland
Registered in Ireland · Company no. 772000 · Lead authority: Irish Data Protection Commission
This policy explains how DFBL Limited ("DFBL", "we") processes personal data within the DFBL Procure application (the "Service"). For account-level data we act as data controller. For the procurement data your organisation uploads ("Customer Data") we act as data processor on your documented instructions, under our Data Processing Agreement.
1. Who we are
The Service is operated by DFBL Limited, a company incorporated in Ireland under company number 772000, with its registered office at The Tara Building, 11–15 Tara Street, Dublin 2, D02 RY83, Ireland. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, DFBL Limited is the data controller for account data and the data processor for Customer Data.
2. Data we process
- Account data: name, work email, organisation, role, language preference.
- Authentication data: bcrypt password hash, session tokens, optional two-factor recovery data.
- Customer Data (processor role): projects, suppliers, RFPs, initiatives, contract analyses, attachments uploaded by your organisation.
- Operational data: IP address, browser user-agent, request logs (retained 90 days).
3. Legal bases
We process personal data on the basis of: contract performance, delivering the Service (Art. 6(1)(b) GDPR); our legitimate interest in security, fraud prevention and product reliability (Art. 6(1)(f)); and your consent where explicitly requested, for example marketing emails (Art. 6(1)(a)).
5. Hosting and international transfers
The Service is hosted in the United Kingdom (Manchester) on Hostinger infrastructure. The United Kingdom benefits from a European Commission adequacy decision, so transfers of personal data from the EEA to the UK are lawful without further safeguards. Where a sub-processor is located outside the UK and the EEA (for example certain AI providers in the United States), the transfer is governed by the European Commission's Standard Contractual Clauses.
6. Data retention
- Customer Data: retained during the subscription plus a 30-day export window, then deleted within 90 days.
- Audit logs: 12 months minimum, then archived for up to 24 months.
- Backups: 7-day rolling window.
- Request logs: 90 days.
7. Your rights (GDPR / UK GDPR)
You may request, free of charge: access to your personal data; rectification of inaccurate data; erasure (subject to legal retention obligations); portability (export of your account data); restriction of, or objection to, processing; and withdrawal of consent for consent-based processing.
Send requests to privacy@dfbl-solution.com; we respond within one month. You may also lodge a complaint with the Irish Data Protection Commission (dataprotection.ie), our lead supervisory authority, the UK Information Commissioner's Office (ico.org.uk) for UK matters, or your local authority.
8. Security
TLS 1.2+ in transit, encryption at rest, role-based access control enforced server-side, two-factor authentication for administrators, daily backups, and perimeter rate limiting. Technical and organisational measures are detailed in the DPA, Annex 1.
10. Contact and complaints
Data Protection enquiries: privacy@dfbl-solution.com. Postal: DFBL Limited, The Tara Building, 11–15 Tara Street, Dublin 2, D02 RY83, Ireland.