VeriTender is operated by EM Consulting, a German limited liability company. This policy explains what personal data we collect, why, on what legal basis, who can access it, how long we keep it, and your rights under the General Data Protection Regulation (Regulation (EU) 2016/679).
The data controller for personal data processed in connection with veritender.com is:
Data Protection Officer. A DPO has not been formally appointed; the company's size falls below the mandatory threshold defined in GDPR Article 37. Founder Elshan Musayev serves as primary contact for data subject requests and supervisory authority correspondence.
Tender notices, contract awards, bidder corporate identities, document metadata. Sourced from official portals — TED EU (Tenders Electronic Daily), ProZorro (Ukraine), national procurement systems in our 22 covered jurisdictions, and equivalent statutory publication channels. Under GDPR this is not personal data: it concerns legal entities, public officials acting in their official capacity, and acts of public administration. We document it here for transparency.
Name, business email, organisation, role, password hash. Collected when a customer subscribes to a Pilot, Cloud, On-Premises, or Advisory engagement. Billing details (company name, billing address, VAT ID, payment instrument metadata) are processed in addition.
Emails sent to briefing@, hello@, support@; chat or direct-message content if you initiate contact via LinkedIn or Cal.com; meeting transcripts where you have given consent at the start of the call.
IP address, user agent, page interactions — collected via server logs and Cache-Control headers. We do not run third-party analytics on veritender.com as of this policy's date (29 May 2026). If analytics are added in future, this policy will be updated and an ePrivacy-compliant consent management platform will be presented before any non-essential storage is set.
Every processing operation rests on a lawful basis as required by GDPR Article 6.
| Processing activity | Legal basis |
|---|---|
| Public-record procurement data | Art. 6(1)(f) — legitimate interest (procurement transparency in the public interest) |
| Customer account & billing data | Art. 6(1)(b) — contract performance |
| Communications (briefings, support, sales) | Art. 6(1)(f) — legitimate interest (responding to legitimate enquiries) |
| Server logs & abuse prevention | Art. 6(1)(f) — legitimate interest (security, debugging, abuse prevention) |
Where a processing activity rests on legitimate interest, a balancing test under Art. 6(1)(f) has been documented internally. You may object at any time on grounds relating to your particular situation under Art. 21.
We engage a small number of subprocessors strictly necessary to operate the service. Each is bound by a Data Processing Agreement under GDPR Art. 28 and, where applicable, the European Commission's Standard Contractual Clauses.
| Subprocessor | Purpose & safeguard |
|---|---|
| Hetzner Online GmbH (Germany) | Application hosting and database. EU-resident infrastructure; no third-country transfer. |
| Anthropic, PBC (USA) | Model inference for translation and rationale generation. EU SCC 2021/914 Module 2 (controller-to-processor). |
| Resend, Inc. (USA) | Transactional email delivery. EU SCC 2021/914 Module 2. |
| ImprovMX (USA, when configured) | Email forwarding for custom domain addresses. EU SCC 2021/914 Module 2. |
We do not sell personal data to anyone. Subprocessors are limited to processing on documented instructions and may not use customer data for their own purposes.
Anthropic and Resend process data in the United States. Transfers occur under European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2 — controller-to-processor). We do not rely on the EU-US Data Privacy Framework as primary legal basis, although we have monitored its adequacy status since adoption in July 2023.
A Transfer Impact Assessment is maintained internally per the European Data Protection Board's Recommendations 01/2020 and is available to institutional customers under NDA.
You have the following rights under the GDPR with respect to personal data we process about you.
How to exercise these rights. Email consulting@elshanmusayev.com with the subject line "GDPR data subject request — [right]". We respond within 30 days (extendable by a further 60 days per Art. 12(3) for complex or numerous requests, with notification of the delay within the initial period).
As of 29 May 2026, veritender.com sets no cookies of its own. All fonts are self-hosted on our origin (veritender.com/fonts/) — no third-party font CDN, no transit to external servers, no technical cookies from font loading.
When analytics are added in future, we will deploy a GDPR- and ePrivacy-compliant consent management platform (CMP) and update this policy before any non-essential storage is set on your device.
TLS 1.3 in transit. AES-256 at rest. Application hosted by Hetzner Online GmbH in Germany. ISO 27001 currently in audit (target Q4 2026); Statement of Applicability available to institutional buyers under NDA. Full security posture is documented on the Trust section of the homepage.
VeriTender is a business-to-business service. We do not knowingly collect data from anyone under 16 years of age (GDPR Art. 8(1) baseline; some Member States set a lower digital-consent age). If you believe such data has been inadvertently collected, please contact us immediately and we will delete it.
This policy was last updated on 29 May 2026 (launch). Material changes will be communicated via a prominent notice on veritender.com and to active customers via email at least 30 days before they take effect. Editorial corrections (typography, broken links) will be made without notice.
Write to us. We answer privacy enquiries personally, in plain language, within 30 days.
consulting@elshanmusayev.com →