Privacy Policy
1. Introduction
Welcome to Procurex.ai ("Procurex," "we," "us," or "our"). Procurex.ai is a multi-organization procurement benchmarking platform that helps procurement professionals compare spend data against market benchmarks, identify savings opportunities, and make better-informed purchasing and financing decisions.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at procurex.ai and use our platform services. Please read this policy carefully. By accessing or using Procurex.ai, you acknowledge that you have read, understood, and agree to be bound by the terms described herein.
If you do not agree with the terms of this Privacy Policy, please do not access or use the platform.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Identity data: First name, last name, and work email address.
- Authentication data: Hashed password (for email/password signups) or OAuth tokens (for Google Workspace or Microsoft single sign-on).
- Organization data: Your email domain is used to associate your account with an organization. If your domain is new to the platform, an organization record is created automatically.
2.2 Procurement Data You Upload
When you upload spend data files (CSV or XLSX), we collect the procurement line items contained in those files. This may include:
- Product or service descriptions and SKU identifiers
- Unit prices, quantities, and units of measure
- Supplier and manufacturer names
- Category classifications
Uploaded data is processed through our ingestion pipeline, which includes header mapping, row-level validation, quality scoring, and anonymization before it enters the shared benchmark pool. See Section 4 for details on how we anonymize this data.
2.3 Financing Offer Data
If you use our financing intelligence feature, you may submit details about financing offers you have received, including lender name, offer type, amount, rate or factor, term, and payback amount. This data is used to generate comparative ratings against market benchmarks.
2.4 Usage and Technical Data
We automatically collect certain information when you access the platform:
- Browser type, operating system, and device information
- IP address and approximate geographic location
- Pages visited, features used, and timestamps of activity
- Referral URLs and navigation paths
2.5 Cookies and Similar Technologies
We use cookies and similar tracking technologies as described in Section 7 of this policy.
3. How We Use Your Information
We use the information we collect for the following purposes, including, but not limited to:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Account creation and authentication | Identity, authentication, organization data | Contract performance |
| Generating procurement benchmarks and price ratings | Anonymized procurement data from uploads | Legitimate interest |
| Quality scoring and credit calculation for uploads | Upload metadata and line-item completeness | Contract performance |
| Identifying savings opportunities | Your procurement costs vs. anonymized benchmarks | Contract performance |
| Generating AI-powered briefings and recommendations | Aggregated organization-level procurement patterns | Legitimate interest |
| Financing offer comparison and rating | Financing offer details you submit | Consent |
| Platform improvement and analytics | Usage and technical data | Legitimate interest |
| Security monitoring and fraud prevention | Technical data, authentication logs | Legitimate interest |
| Compliance with legal obligations | As required by applicable law | Legal obligation |
| Research, model development, and product innovation | Anonymized and aggregated procurement data, metadata, and derived analytics | Legitimate interest |
4. Data Anonymization Practices
When you upload spend data to Procurex.ai, we retain it as part of our anonymized benchmark pool. Anonymized and aggregated data may be retained indefinitely. You may request deletion of your account and your raw uploaded data at any time by contacting privacy@procurex.ai; anonymized data already incorporated into aggregate benchmarks cannot be removed without affecting the integrity of those benchmarks for all customers.
5. Privacy Thresholds and Minimum Cohort Sizes
To prevent the possibility of re-identification through small cohorts, Procurex.ai enforces a minimum contributor threshold on all benchmark outputs:
- Minimum cohort size: Benchmark statistics for any product category are only displayed when at least 5 distinct contributing organizations have provided data in that category. This is sometimes called a "minimum cohort floor" — it ensures that no single organization's data can be inferred from the aggregate.
- Suppression behavior: If a category has fewer than 5 contributors, benchmark data for that category is suppressed entirely. Users will see a message indicating that the benchmark is unavailable due to insufficient contributors.
- Configurable threshold: The minimum cohort size is a platform-level setting that can be increased (but never decreased below 5) to provide stronger privacy guarantees as the platform grows.
These thresholds apply uniformly regardless of your organization's access level on the platform.
6. Data Sharing and Third-Party Services
We do not sell your personal information. We share information only in the following circumstances:
6.1 Service Providers
We engage third-party service providers to support platform operations, including, but not limited to the categories shown below. These providers process data on our behalf under contractual obligations that require them to protect your information:
| Provider Category | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure | Hosting, storage, and compute | All platform data (encrypted at rest and in transit) |
| AI language model providers | Generating briefings, product classification, and matching assistance | Anonymized or aggregated procurement descriptions; no organization-identifying information is sent |
| Authentication providers | Google Workspace and Microsoft single sign-on | Email address and basic profile for authentication only |
| Search APIs | Discovering manufacturer catalog sources | Manufacturer names (public information) |
6.2 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the platform before your information becomes subject to a different privacy policy.
7. Cookies and Tracking Technologies
Procurex.ai uses cookies and similar technologies to operate the platform, remember your preferences, and understand how you use our services.
7.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, session management, security (CSRF protection). These cookies are essential for the platform to function and cannot be disabled. | Session / up to 30 days |
| Functional | Remembering your preferences such as selected date ranges, table sort orders, and display settings. | Up to 1 year |
| Analytics | Understanding how users navigate the platform to improve the experience. Data is aggregated and does not identify individuals. | Up to 2 years |
7.2 Managing Cookies
When you first visit Procurex.ai, a cookie consent banner will appear allowing you to accept or customize your cookie preferences. You can change your preferences at any time through your browser settings or by using the cookie management controls on our platform.
Most web browsers allow you to control cookies through their settings. Please note that disabling strictly necessary cookies may prevent you from using certain features of the platform.
8. Data Retention
When you upload spend data to Procurex.ai, we retain it as part of our anonymized benchmark pool. Anonymized and aggregated data may be retained indefinitely. You may request deletion of your account and your raw uploaded data at any time by contacting privacy@procurex.ai; anonymized data already incorporated into aggregate benchmarks cannot be removed without affecting the integrity of those benchmarks for all customers.
We retain your information for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.
- Account data: Retained for the duration of your active account and for a reasonable period afterward to comply with legal obligations and resolve disputes.
- Upload and contribution data: Your identifiable upload records are retained while your account is active. If your organization's account is deleted, personally identifiable organization and user records are deleted in accordance with applicable data protection laws.
- Anonymized benchmark pool data: Because anonymized data in the benchmark pool is irreversibly de-identified and cannot be linked back to any individual or organization, it is retained indefinitely to maintain the integrity and accuracy of benchmarks for all platform participants.
- Technical and usage logs: Retained for up to 90 days for security and debugging purposes, then deleted or further anonymized.
- Scrape failure logs: Retained for 90 days for operational monitoring, then purged.
9. Security Measures
We implement technical and organizational measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
- Encryption at rest: Stored data is encrypted using industry-standard encryption algorithms.
- Access controls: Role-based access controls ensure that platform personnel can only access data necessary for their function. Organization-scoped data isolation prevents cross-organization data leakage.
- Authentication security: Passwords are hashed using modern, salted hashing algorithms. OAuth integrations follow industry-standard protocols.
- Audit logging: Administrative actions, configuration changes, and data access events are logged for accountability and incident investigation.
- Input validation and sanitization: All uploaded files and user inputs are validated and sanitized to prevent injection attacks. File uploads are capped at 50 MB with format validation.
- SSRF and scraping safeguards: Our catalog data collection pipeline enforces robots.txt compliance and server-side request forgery (SSRF) protections.
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
10. Compliance Framework and Targets
Procurex.ai is building toward compliance with the following standards and regulations. The table below reflects the current status of each initiative:
| Standard / Regulation | Scope | Status |
|---|---|---|
| GDPR (General Data Protection Regulation) | Data protection for individuals in the European Economic Area | Pursuing compliance |
| CCPA (California Consumer Privacy Act) | Privacy rights for California residents | Pursuing compliance |
| SOC 2 Type II | Security, availability, and confidentiality controls | Target 2026 |
| ISO 27001 | Information security management system | Target 2026 |
| PCI DSS | Payment card data security (if applicable) | Roadmap |
Architectural Controls Currently Implemented
| Control | Description | Status |
|---|---|---|
| Minimum cohort floor | Benchmarks suppressed when fewer than 5 organizations contribute to a category | Active |
| TLS 1.3 in transit | All client-server communication encrypted via TLS 1.3 | Active |
| Encryption at rest | All stored data encrypted using industry-standard algorithms | Active |
| Irreversible data anonymization | Uploaded data is anonymized before public surfacing in aggregate benchmarks subject to the k-anonymity floor; identifying information about the source organization is never disclosed in pool-wide outputs. | Active |
| Organization-scoped data isolation | Multi-organization architecture ensures each organization's identifiable data is isolated from others | Active |
| Role-based access control | Contributor, organization administrator, and platform administrator roles with scoped permissions | Active |
| Audit logging | Administrative actions and configuration changes are recorded with timestamps and actor identity | Active |
| SSRF and robots.txt enforcement | Catalog data collection pipeline respects robots.txt and blocks server-side request forgery attempts | Active |
11. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request that we correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): You may request that we delete your personal data, subject to certain legal exceptions. As noted in Section 8, irreversibly anonymized data in the benchmark pool cannot be deleted because it is no longer personal data.
- Right to restriction of processing: You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability: You may request a machine-readable copy of the personal data you provided to us.
- Right to object: You may object to our processing of your personal data based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise any of these rights, please contact us using the information in Section 15. We will respond to your request within 30 days, as required by law.
Data Transfers
If we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.
12. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct: You may request that we correct inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise your rights, please contact us using the information in Section 15. We will verify your identity before processing your request and respond within 45 days.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers (name, email address, IP address)
- Commercial information (procurement data you upload, financing offers you submit)
- Internet or electronic network activity (usage data, browser information)
- Professional or employment-related information (work email domain, organization association)
13. Children's Privacy
Procurex.ai is a business-to-business platform designed for use by procurement professionals. We do not knowingly collect personal information from individuals under the age of 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at the address in Section 15.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Provide a prominent notice on the platform (such as a banner on the dashboard) for at least 30 days following the change.
- Send an email notification to the organization administrator for each affected organization when the changes are material.
We encourage you to review this Privacy Policy periodically. Your continued use of the platform after the effective date of any changes constitutes your acceptance of the revised policy.
15. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your information, please contact us:
- Email: privacy@procurex.ai
- Subject line: "Privacy Inquiry" or "Data Subject Request"
- Website: procurex.ai
We aim to respond to all privacy-related inquiries within 30 days. For GDPR data subject access requests, we will respond within the legally required timeframe.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.