Privacy Policy
Effective date: 2026-06-14 · Last updated: 2026-06-14
This Privacy Policy explains how Tawrio (“Tawrio,” “we,” “us,” or “our”) collects, uses, stores, and shares information in connection with the Tawrio procurement automation platform (the “Service”). Questions? Contact us at support@tawrio.com.
1. Who we are and our role
Tawrio provides software that helps businesses (“Customers”) run procurement by sending requests for quotation (RFQs) to their suppliers, receiving and analyzing supplier responses, and managing the resulting communications and documents. Our role under data-protection law depends on the data:
- For a Customer’s account and the people who use it (names, login details, settings), we generally act as a data controller.
- For the content of communications a Customer sends to or receives from its suppliers through the Service, we act as a data processor on behalf of that Customer, who is the controller and is responsible for having a lawful basis to use the Service to process its suppliers’ information.
2. Information we collect
- Account and profile information. Name, business email, password (hashed), organization name, role, and settings.
- Communications content. The subject lines, message bodies, attachments, and metadata (sender/recipient addresses, timestamps, message identifiers, threading headers) of emails sent and received through the platform — used to deliver messages, track conversations, extract quote and pricing information, maintain negotiation history, and provide an audit trail.
- Supplier information. Communications may contain personal data about your suppliers’ staff (names, emails, phone numbers) and commercial information (prices, terms), processed on your behalf.
- Connected mailbox data. If you connect a Gmail or Outlook account, we access only what is necessary to send messages on your behalf (and, where you enable it, to read replies). See Section 9.
- Usage and technical data. Log data, device/browser information, IP address, and product usage events.
3. How and why we use information
We use information to provide and operate the Service; analyze supplier responses to extract quotes, pricing, and terms and to provide negotiation assistance and history; maintain an audit trail; authenticate users and secure the Service; provide support; and comply with legal obligations.
Legal bases (GDPR/UK GDPR). Where we act as controller we rely on performance of a contract, our legitimate interests in operating and improving the Service, your consent (where required), and compliance with legal obligations. Where we act as processor, we process on the documented instructions of the Customer.
4. Automated and AI processing
The Service uses automated systems, including third-party AI (large language model) providers, to classify incoming emails and extract structured information (such as prices, quantities, and terms) from communications. Content processed by these AI providers is used only to provide the Service to you and is not used to train their models. We do not make legally significant decisions about individuals solely by automated means without human involvement.
5. Sub-processors
We use trusted third-party service providers (“sub-processors”) to help deliver the Service, in the following categories: cloud hosting and database storage; email delivery and inbound email processing; AI processing of communications content; and email mailbox connections (only where you connect your own Gmail or Outlook account). A current list of named sub-processors is available on request and is included in our Data Processing Agreement. We require sub-processors to protect personal data under terms consistent with this Policy, and we will inform Customers of intended additions or changes so they have the opportunity to object.
6. How we share information
We do not sell personal data. We share information only with the sub-processors described above; with other users in your organization; where you direct us to (for example, sending an email to a supplier you specify); to comply with law, enforce our terms, or protect rights and safety; and in connection with a business transfer, subject to this Policy.
7. International data transfers
We may process and store information in countries other than your own. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum). Customer data is hosted in the European Union.
8. Data retention
We retain communications content and related records for as long as your account is active and as needed to provide the Service and maintain your audit trail, and thereafter as required for legal, accounting, or dispute-resolution purposes. You may delete individual conversations or records within the Service, and you may request deletion of your account data, after which we will delete or anonymize it within 30 days, except where retention is legally required.
9. Connecting a Gmail or Outlook mailbox
If you connect a Google or Microsoft mailbox, we request the minimum access needed: to send messages on your behalf and, where you enable reply tracking, to read messages related to your procurement conversations. You can disconnect a mailbox at any time in your settings, which revokes our access.
Google API Services Limited Use disclosure. Tawrio’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell it, and do not transfer or use it except to provide or improve features that are prominent in the Service, or as required for security or legal reasons.
Microsoft. Where you connect a Microsoft account, our use of data obtained through Microsoft Graph is limited to providing the features you enable, consistent with Microsoft’s terms.
10. Security
We protect information using encryption in transit (TLS) and at rest, role-based access controls, tenant isolation (so one Customer’s data is not accessible to another), and access limited to personnel who need it. No system is perfectly secure, but we use appropriate technical and organizational measures to protect your information.
11. Your rights
Depending on your location, you may have the right to access, correct, delete, or port your personal data; to object to or restrict certain processing; and to withdraw consent. EU/UK individuals may lodge a complaint with a supervisory authority. California residents have rights under the CCPA/CPRA, including to know, delete, and correct personal information, and to opt out of “sale” or “sharing” (we do not sell or share personal information as those terms are defined). To exercise your rights, contact support@tawrio.com. If you are a supplier whose information is processed through a Customer’s account, please contact that Customer (the controller); we will assist them in responding.
12. Children
The Service is not directed to individuals under 16, and we do not knowingly collect personal data from children.
13. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, where appropriate, notify you.
14. Contact
Tawrio
Email: support@tawrio.com