Legal

Privacy Policy

Version 2.0Effective 14 June 2026 · Last updated 14 June 2026

Data controller

DFBL Limited
The Tara Building, 11–15 Tara Street
Dublin 2, D02 RY83, Ireland

Registered in Ireland · Company no. 772000 · Lead authority: Irish Data Protection Commission

This policy explains how DFBL Limited ("DFBL", "we") processes personal data within the DFBL Procure application (the "Service"). For account-level data we act as data controller. For the procurement data your organisation uploads ("Customer Data") we act as data processor on your documented instructions, under our Data Processing Agreement.

1. Who we are

The Service is operated by DFBL Limited, a company incorporated in Ireland under company number 772000, with its registered office at The Tara Building, 11–15 Tara Street, Dublin 2, D02 RY83, Ireland. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, DFBL Limited is the data controller for account data and the data processor for Customer Data.

2. Data we process

  • Account data: name, work email, organisation, role, language preference.
  • Authentication data: bcrypt password hash, session tokens, optional two-factor recovery data.
  • Customer Data (processor role): projects, suppliers, RFPs, initiatives, contract analyses, attachments uploaded by your organisation.
  • Operational data: IP address, browser user-agent, request logs (retained 90 days).

3. Legal bases

We process personal data on the basis of: contract performance, delivering the Service (Art. 6(1)(b) GDPR); our legitimate interest in security, fraud prevention and product reliability (Art. 6(1)(f)); and your consent where explicitly requested, for example marketing emails (Art. 6(1)(a)).

4. Sub-processors

We do not sell personal data. We rely on a limited set of vetted providers, under written GDPR-compliant terms, acting only on our instructions:

  • Hostinger International Ltd. for application hosting and server logs (United Kingdom, Manchester).
  • An SMTP provider for transactional email delivery.
  • AI providers (Anthropic, Google AI, Perplexity) only for AI-driven features your organisation explicitly enables.

We may also disclose data to legal authorities under a binding court order, or to an acquirer in a merger or acquisition subject to equivalent privacy commitments. The current sub-processor list is maintained in our Data Processing Agreement (Annex 2).

5. Hosting and international transfers

The Service is hosted in the United Kingdom (Manchester) on Hostinger infrastructure. The United Kingdom benefits from a European Commission adequacy decision, so transfers of personal data from the EEA to the UK are lawful without further safeguards. Where a sub-processor is located outside the UK and the EEA (for example certain AI providers in the United States), the transfer is governed by the European Commission's Standard Contractual Clauses.

6. Data retention

  • Customer Data: retained during the subscription plus a 30-day export window, then deleted within 90 days.
  • Audit logs: 12 months minimum, then archived for up to 24 months.
  • Backups: 7-day rolling window.
  • Request logs: 90 days.

7. Your rights (GDPR / UK GDPR)

You may request, free of charge: access to your personal data; rectification of inaccurate data; erasure (subject to legal retention obligations); portability (export of your account data); restriction of, or objection to, processing; and withdrawal of consent for consent-based processing.

Send requests to privacy@dfbl-solution.com; we respond within one month. You may also lodge a complaint with the Irish Data Protection Commission (dataprotection.ie), our lead supervisory authority, the UK Information Commissioner's Office (ico.org.uk) for UK matters, or your local authority.

8. Security

TLS 1.2+ in transit, encryption at rest, role-based access control enforced server-side, two-factor authentication for administrators, daily backups, and perimeter rate limiting. Technical and organisational measures are detailed in the DPA, Annex 1.

9. Cookies

We use only essential cookies (session, CSRF protection, language preference). We set no tracking, advertising or analytics cookies, so no consent banner is required.

10. Contact and complaints

Data Protection enquiries: privacy@dfbl-solution.com. Postal: DFBL Limited, The Tara Building, 11–15 Tara Street, Dublin 2, D02 RY83, Ireland.