Privacy Policy
Last updated: 2026-03-08
1. Scope
This Privacy Policy explains how Hawtar collects, uses, stores, and protects personal data when you use our platform, including sign-in with social providers such as Google, Facebook, Apple, and GitHub.
2. Account, Identity, and Social Sign-In Data
We process account and identity data that you provide directly and, when you choose social sign-in, identity data returned by your selected provider. Depending on your use of the service, this may include:
- Account and profile data such as your name, email address, phone number, avatar, organisation membership, and role assignments.
- Provider account identifiers, provider name, and profile name.
- Email address supplied by the provider and the provider email-verification signal when available.
- Profile avatar URL and basic provider metadata when needed to complete sign-in or account linking.
- Connection and usage timestamps such as linked time, last login time, and last used time.
- A one-way hash or equivalent protected representation of provider token data where needed for integrity and security checks; we do not retain provider access tokens in plaintext in our social identity records.
For first-time social sign-in, we require an email from the provider to create or safely link an account. If a provider does not return a usable email, sign-in can be blocked until a safe identity match is available.
3. Operational, Publication, and Support Data
- Operational data such as tenders viewed, saved searches, workflows, submissions, compliance actions, generated document activity, and other platform interactions.
- Files, document metadata, questionnaire answers, product records, and related entity content submitted through the platform.
- Support, onboarding, and contact-form data such as messages, attachments, and follow-up history shared with our teams.
- Vendor publication data such as product, showroom, quotation, or other business content that the relevant party has submitted and approved for publication through platform workflows.
Commerce and Billing Data
- Commerce records such as orders, subscriptions, entitlements, report purchases, invoices, confirmations, payment references, and related commercial metadata.
- Checkout evidence such as terms version, pre-contract disclosure version, recurring-consent text, immediate-access evidence text, any applicable waiver text, buyer type, buyer country, resolved buyer classification, and associated timestamps.
- Seller identity and tax-status snapshots, including merchant legal name, address, internal tax references, VAT registration status, and buyer tax or country data where relevant.
4. Technical, Security, and Anti-Abuse Data
- Technical data such as IP address, device and browser details, language, session metadata, and sign-in context.
- Request and activity data such as request path, method, response status, workflow actions, audit entries, and operational diagnostics needed for security, troubleshooting, and compliance.
- First-party form-integrity and abuse-prevention signals such as hidden anti-automation fields, encrypted timing tokens, request context, guarded mutation method names, and submission-frequency metadata.
- Rate-limit, bot-detection, and abuse-prevention events related to actions such as create, save, register, reset, upload, import, send, or other protected mutations.
For standard browser form protection, Hawtar currently uses first-party anti-abuse controls operated within the application instead of a third-party CAPTCHA challenge provider.
4. Why We Process Data
- To authenticate users and operate account sign-in, account linking, and profile-connected account features.
- To secure accounts, prevent abuse, and enforce sign-in safeguards.
- To operate core procurement intelligence, workflow, and support services.
- To improve reliability, platform safety, and service performance.
- To send required service notices and security notifications.
- To display vendor-approved product/showroom and quotation information to intended audiences.
- To display vendor-approved public business content to intended audiences through platform publication workflows.
Commerce Classification, Tax, and Legal Evidence
For paid and zero-price commerce flows, Hawtar processes buyer classification, buyer-country evidence, merchant tax-status data, and disclosure, immediate-access, or any applicable waiver evidence to determine whether checkout, invoicing, and access can proceed lawfully.
An organization purchase is not automatically treated as B2B. Business treatment requires validated business evidence or explicit finance approval.
If buyer jurisdiction or seller VAT registration status is unresolved, Hawtar can place checkout or invoice issuance on compliance hold rather than proceeding on an assumed tax outcome.
5. Google API and OAuth Commitments
For Google sign-in, we request only the identity access needed for authentication and account management. We do not use Google user data for advertising, and we do not sell personal data.
If and when Google API Services user data is accessed, our use and transfer of that data will comply with the Google API Services User Data Policy, including Limited Use requirements.
7. AI and Optional Assisted Features
Certain Hawtar features use AI to assist with analysis, drafting, or conversational support. Where required, AI processing is optional and subject to a separate consent flow.
When you use these features, relevant prompt and response data may be sent to OpenAI for processing. AI conversation data is retained for a limited period under our retention schedule, and current application retention for AI conversations is 90 days unless a stricter operational rule applies.
Do not submit passwords, secrets, or unnecessary sensitive personal information into AI conversations. AI outputs can be useful but still require human review and verification.
6. Vendor Data Boundaries
We do not use vendor-provided data as open public marketing data unless that data has been explicitly approved by the vendor for publication in platform workflows (for example, product/showroom and quotation-facing materials). Internal or non-public submissions are processed only for service operation, security, compliance, and support.
7. Legal Bases
We process personal data based on contractual necessity, legitimate interests, legal obligations, and consent where required.
8. Sharing
We do not sell personal data. We may share data with vetted processors and infrastructure providers only to operate the service, including cloud hosting and storage, identity and OAuth providers, email delivery providers, payment processors, and AI providers where you have enabled the relevant feature.
We may also disclose data to regulators, courts, or other authorities when legally required, or where necessary to investigate fraud, abuse, security incidents, or violations of our platform rules.
10. Retention and Deletion
We keep data only as long as needed for business, security, contractual, and legal purposes. Retention windows vary by data type and regulatory obligations.
If you disconnect a social provider from your account, the corresponding linked social identity record is removed from your profile, except where limited records must be retained for legal, fraud-prevention, or security audit obligations.
Commercial, tax, consent, disclosure, immediate-access, and any applicable waiver evidence for Premium subscriptions and Tender Match Report purchases are retained by evidence class and legal obligation. Financial and tax records are retained longer than ordinary operational logs, and legal holds override ordinary deletion or anonymization schedules.
When you request account deletion, access credentials and contact channels are removed or anonymized, while official workflow and audit records may retain actor labels where legally required to preserve process integrity, legal defensibility, and accountability.
11. Your Rights and Choices
Depending on applicable law, you may request access, correction, deletion, restriction, portability, or objection to processing. You may also request account closure.
You may also manage connected social providers from your profile settings, and you can revoke provider access from your Google, Facebook, Apple, or GitHub account settings at any time.
For account deletion instructions and retention disclosures, see the Account Deletion page.
13. Automated Security Decisions
We use automated security controls to temporarily reject, delay, throttle, or require resubmission of requests that appear abusive, scripted, unsafe, or inconsistent with normal platform use. This helps protect accounts, workflows, and the broader service from fraud and operational abuse.
These controls are used for security and service integrity. They are not used as the sole basis for decisions producing legal or similarly significant effects about you.
Global Standardization and Assurance
Hawtar applies a unified global privacy and security baseline across platform workflows, with controls and legal disclosures maintained as a coordinated standard rather than isolated policies.
- Security and privacy controls are continuously validated through automated test suites and operational audits before release.
- Retention, consent, AI transparency, and data-subject rights are governed by documented runbooks and enforced implementation contracts.
- Legacy behavior that conflicts with current compliance controls is re-baselined to the latest documented standards.
This Privacy Policy and our Terms of Service are maintained as synchronized customer-facing legal disclosures and are updated together when compliance posture changes.
For global privacy and compliance inquiries, contact dpo@hawtar.com.
12. Contact
For privacy requests, contact us through the Contact page, or reach our data protection contact at the address above when your request is specifically privacy- or compliance-related.