Effective Date: 1st July 2025
Last Updated: 16th March 2026
Tenderly is a trading name of AH Grace Ltd, a company registered in the Isle of Man (Company Number 133190/C, incorporated 11 September 2019). Our registered office is at 32 Cronk Avenue, Onchan, Isle of Man, IM3 3DF.
We operate Tenderly (available at tenderly.im and as an installable mobile app), an online tendering and project management marketplace that connects clients with contractors, quantity surveyors, architects, and other construction professionals, primarily serving the Isle of Man.
For the purposes of data protection law, AH Grace Ltd is the data controller of the personal information you provide through this platform. If you have any questions about how we handle your personal data, please contact us at support@tenderly.im.
2.1 Account registration
When you register, we collect your full name, email address, and a password (stored as a secure hash, we never store your password in plain text). You may also provide your phone number. You select your role on the platform: client, contractor, quantity surveyor, architect, or apprentice. If you register as a contractor, quantity surveyor, or architect, we also collect your company name, company registration number, and company address.
2.2 Profile information
You may choose to provide additional information to build your public profile, including a profile photograph, a business biography or overview, specialisations, accreditations and supporting images, social media links (LinkedIn, Facebook, Instagram), your website URL, your service area, and portfolio items (images and descriptions).
2.3 Apprentice profile data
If you register as an apprentice, we collect additional information relevant to matching you with placement opportunities. This includes your age, home address, education provider, trade, apprenticeship level, year of study, and expected completion date, as well as key skills, a personal statement, and references. You may also upload a CV and cover letter. We collect your availability, preferred contract type, transportation arrangements, driving licence status, and work location preferences. We treat this information with particular care given its personal and sensitive nature.
2.4 Job postings and tender submissions
When a client posts a job, we collect the job title, description, location, deadline, work type, and any supporting documents or photographs. When a contractor submits a tender or quote, we collect pricing and financial details, proposed dates, payment terms, method statement, insurance certificate, employers' liability document, reference photographs, contact references, and any supporting terms or documents. We also store clarification messages posted on job listings.
2.5 Direct messages
We store the content of direct messages exchanged between users on the platform, including any images shared within those conversations.
2.6 Reviews
If you leave a review of another user, we store your structured rating scores and any written comment you provide.
2.7 Notification and push subscription data
We maintain a record of in-app notifications delivered to your account and a log of your email notification preferences. If you enable push notifications, we store the technical push subscription data for each device, specifically the browser push endpoint URL and the encryption keys necessary to send notifications to that device.
2.8 Subscription and billing data
If you subscribe to a paid plan, we store your Paddle customer identifier, your Paddle subscription identifier, your subscription status (for example: active, trialling, or cancelled), your plan type (monthly, quarterly, or annual), and your next billing date. We do not store your payment card number, CVV, or expiry date, all payment data is handled directly by Paddle (see section 6).
2.9 Activity data
We maintain an internal activity log recording actions taken on your account (such as posting a job, submitting a tender, or awarding a contract) together with timestamps. This is used for platform integrity and to assist with any disputes.
2.10 Technical session data
We process standard technical data as part of operating a web application, including session tokens and security tokens necessary for login and form submission. We do not log or store your IP address or browser user-agent string in your user record.
We use the information we collect to:
We do not use your personal data for advertising, profiling, or selling to third parties. We do not send unsolicited marketing emails.
We process your personal data on the following legal bases under the Isle of Man Data Protection Act 2018:
5.1 Other platform users
When you post a job, your profile information (name, company, rating, location) is visible to other authenticated users. When you submit a tender or quote, its contents are visible to the relevant client. When you leave a review, your name is associated with it. Direct messages are only visible to the sender and recipient.
5.2 Paddle — subscription billing
Subscription payments are processed by Paddle, who acts as merchant of record. When you subscribe, you complete payment through Paddle's hosted checkout. Paddle processes your payment and sends us a secure confirmation of your subscription status. We share only the minimum data necessary to link your subscription to your account (a user identifier passed in the checkout). Paddle has its own privacy policy which applies to the payment data it handles.
5.3 Google — hosting and file storage
Our platform is hosted on Google Cloud (Cloud Run for the application and Cloud SQL for the database). All files you upload, including profile images, job documents, tender documents, insurance certificates, CVs, and message images, are stored in Google Cloud Storage. Google processes this data on our behalf under a data processing agreement.
5.4 Google Gmail — email delivery
Transactional emails (including password reset emails and platform activity notifications) are sent via Google Gmail's SMTP service. Email content may pass through Google's mail infrastructure for delivery purposes.
5.5 Browser push notification services
Push notifications are delivered through your browser's built-in push messaging infrastructure. Depending on your browser, notification payloads may pass through Google (Chrome/Android), Apple (Safari), or Mozilla (Firefox) servers. This is standard behaviour for web push notifications and is not within our direct control.
5.6 Content delivery networks
Our pages load user interface resources (stylesheet and icon libraries) from third-party CDNs (Tailwind CSS CDN and Cloudflare/jsDelivr for Font Awesome). Your browser makes requests to those CDN providers as part of loading our pages. These requests are not associated with your account data but may involve your IP address being visible to the CDN provider as part of standard network routing.
5.7 Platform administrators
Members of the Tenderly team with administrator access can view account information, activity logs, and platform content as necessary to manage the platform, investigate reported content, and provide user support. Administrator access is restricted to authorised personnel only.
We do not sell your personal data to any third party.
Subscription fees are charged through Paddle, who acts as merchant of record for all transactions. When you subscribe, you complete payment through a Paddle-hosted checkout form. Tenderly's servers never receive or process your payment card number, CVV, or expiry date.
Paddle sends us a secure webhook notification confirming your subscription status. We store only your Paddle customer ID, subscription ID, subscription status, plan type, and next billing date. For questions about payment processing, refunds processed through Paddle, or billing disputes, Paddle's privacy policy and terms also apply.
Files you upload to the platform, including job images, tender documents, insurance certificates, CVs, portfolio photographs, and message images, are stored in Google Cloud Storage under the tenderly-uploads bucket. Uploaded files are assigned randomised filenames to reduce the risk of unauthorised access. However, file storage URLs are not access-controlled at the application level. You should not upload documents containing sensitive personal information beyond what is reasonably necessary for the tendering or application process.
Files associated with your account are deleted when you delete your account.
If you grant notification permission through your browser, we store a push subscription record containing your browser's push endpoint URL and encryption keys. This record is stored per device and per browser and is used solely to deliver notifications about your platform activity. You can withdraw permission at any time through your browser or device settings. When push notifications can no longer be delivered to a device (for example because you have cleared browser data or uninstalled the app), the subscription record is automatically removed from our system.
We retain your personal data for as long as your account is active and for a minimum of 12 months following account deletion or last activity, except where a longer retention period is required by law or is necessary to protect our legitimate interests.
Some content, such as reviews posted about you by other users, may remain visible on the platform after your account is deleted, as it forms part of the public reputation record of the reviewed party. Where such content identifies you, we will handle any removal requests in accordance with applicable data protection law.
After the applicable retention period, personal data is securely deleted or anonymised.
Your data may be processed outside the Isle of Man by the third-party services listed in section 5 (including Google and Paddle, whose infrastructure operates globally). Where this occurs, we ensure that appropriate safeguards are in place in accordance with applicable Isle of Man data protection law, including the use of standard contractual clauses or equivalent mechanisms where required.
Under the Isle of Man Data Protection Act 2018, you have the right to:
Our account settings currently provide a basic data export (name, email, role, account ID). If you require a more complete copy of your data, please contact us directly at support@tenderly.im and we will respond within 30 days.
Please refer to our separate Cookie Policy for full details of what we store in your browser, including cookies, local storage, and service worker caching.
We implement appropriate technical and organisational security measures, including bcrypt password hashing, CSRF protection on all forms and API requests, HMAC-SHA256 signature validation on payment webhooks, and HTTPS enforcement. No system is completely secure. If you have a security concern, please contact us at support@tenderly.im.
This platform is intended for professional and business use. You must be at least 18 years of age to register, except that individuals aged 16 or over may register as an apprentice for the purposes of the platform's apprenticeship placement features. We do not knowingly collect personal data from anyone under the age of 16.
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices. Where changes are material, we will notify registered users through the platform. The date at the top of this page shows when it was last updated. Continued use of the platform after notification constitutes acceptance of the updated policy.
This Privacy Policy is governed by the laws of the Isle of Man. Any disputes shall be subject to the exclusive jurisdiction of the Isle of Man courts.
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal information, please contact us:
Tenderly
Email: support@tenderly.im
Tenderly is a trading name of AH Grace Ltd
Registered in the Isle of Man, Company Number 133190/C
Registered Office: 32 Cronk Avenue, Onchan, Isle of Man, IM3 3DF
Isle of Man Information Commissioner: www.inforights.im
Install the Tenderly app
Faster access, works like a native app
Add Tenderly to your Home Screen
Tap ⇧ Share then Add to Home Screen
This feature is available on the Pro plan.