Privacy Policy

Last updated: 1 April 2026

This Privacy Policy describes how Disqovr ("we", "our", or "us") collects, uses, and shares information about you when you use our services, including our website at disqovr.com and our software platform (collectively, the "Services"). We are committed to handling your personal data responsibly and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Disqovr is a software-as-a-service platform for structured vendor evaluation. The data controller for your personal data is Disqovr Ltd, a company registered in England and Wales. If you have questions about this policy or our data practices, contact us at privacy@disqovr.com.

2. Data we collect

We collect the following categories of personal data:

  • Account data: Name, email address, and password when you create an account.
  • Workspace and project data: Information you enter into the platform, including project names, vendor details, evaluation scores, survey responses, RFI answers, and notes.
  • Usage data: Log data including IP address, browser type, pages visited, and actions taken within the platform, collected automatically when you use our Services.
  • Payment data: Billing address and payment method details, handled by our payment processor (Stripe). We do not store full card numbers.
  • Communications: Any correspondence you send to us, including support requests and contact form submissions.
  • Stakeholder and vendor data: Email addresses and responses from stakeholders and vendors you invite to participate in evaluations. Our platform notices inform these parties of how their data is used.

3. How we use your data

We use your personal data to:

  • Provide and operate the Services
  • Process transactions and manage subscriptions
  • Send service-related communications (account notifications, security alerts)
  • Respond to support requests and communications
  • Improve the Services through aggregate usage analysis
  • Comply with legal obligations
  • Detect and prevent fraud and security incidents

We do not use your project or evaluation data for training machine learning models, for advertising purposes, or for any purpose beyond operating the Services.

4. Legal basis for processing

Under UK GDPR, we process your personal data on the following lawful bases: (a) contract — processing necessary to perform our agreement with you to provide the Services; (b) legitimate interests — improving our Services and detecting security threats, where these interests are not overridden by your rights; (c) legal obligation — where we are required to process data by applicable law; (d) consent — for optional communications such as marketing emails, where we have sought your consent.

5. Data sharing and disclosure

We share personal data only in the following circumstances:

  • Service providers: We use Supabase (database hosting), Resend (transactional email), and Stripe (payments). These providers process data only on our instructions.
  • Within your workspace: Data you create is visible to other members of your workspace with appropriate permissions.
  • Legal requirements: Where required by law, court order, or regulation.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections.

We do not sell personal data to third parties.

6. Data retention

We retain your data for as long as your account is active and for a period of 90 days following account deletion, to allow for recovery requests. Certain data may be retained longer where required by law (for example, financial records required under the Companies Act). Anonymised, aggregated data (such as community vendor scores) may be retained indefinitely as it cannot be linked to you.

7. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectification of inaccurate or incomplete data
  • Erasure ("right to be forgotten") in certain circumstances
  • Restriction of processing in certain circumstances
  • Data portability — receive your data in a machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email privacy@disqovr.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include TLS encryption in transit, AES-256 encryption at rest, role-based access control, and regular security reviews. For more information, see our Security page.

9. Cookies

We use strictly necessary cookies to maintain your session and authentication state. We do not use advertising or tracking cookies. We use minimal, privacy-respecting analytics (no third-party advertising pixels).

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify workspace administrators by email and update the "Last updated" date at the top of this page. Continued use of the Services after the effective date of the updated policy constitutes acceptance of the changes.

11. Contact

For questions about this policy or your personal data, contact us at privacy@disqovr.com or through our contact form.