Data Privacy & GDPR Policy

Governance: Data processing is executed in strict accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contact: For all enquiries regarding data management, Subject Access Requests (SARs), or deletion requests, contact the system administrator directly at dpo@diligio.co.

Legitimate Interest: Corporate email addresses are captured exclusively to fulfil requested demonstrations and manage the procurement lifecycle.

Contractual Necessity: Diligio collects and handles institutional data parameters under explicit lawful execution boundaries of contractual necessity. Any company reference library metadata, parsed questionnaire assets, or tenant workspace files uploaded onto our systems are processed exclusively to fulfil requested automated proposal intelligence outputs.

Controller/Processor Relationship: Diligio operates solely as the Data Processor for proprietary documents; the client definitively remains the Data Controller.

To monitor platform stability, improve user experience, and analyse engagement metrics, Diligio utilises minimal cookies and analytics tracking technologies.

These tracking mechanisms are implemented strictly for operational analytics and functional performance. We do not sell analytics data to third-party data brokers. Users retain the ability to manage or reject non-essential cookies via their browser settings.

Mathematical Isolation: In absolute alignment with our zero-knowledge containment principles, customer proprietary documents and organisational knowledge arrays are mathematically isolated and strictly siloed.

Encryption at Rest: All proprietary records and database volumes are secured using AES-256 bit encryption profiles across our AWS and Supabase cloud infrastructure buckets.

Encryption in Transit: All data transmission, API payloads, and edge routing telemetry are strictly encrypted in transit utilising TLS 1.2+ over HTTPS protocols.

Authorised Partners: Data may be processed outside the UK/EEA by our authorised enterprise infrastructure partners (AWS, Supabase, Vercel, Resend).

Transfer Safeguards: All international telemetry routing and cross-border transfers are safeguarded by Standard Contractual Clauses (SCCs) and robust Row-Level Security (RLS) constraints.

Diligio retains proprietary client data strictly for the duration of the active contract. Upon subscription termination or upon receiving a verified deletion request, all related organisational data, raw documents, and vector embeddings are permanently and irreversibly purged from our active databases and subsequently from all secure backups within our standard retention lifecycle (typically 30 days).

In the unlikely event of a structural data breach exposing personally identifiable information (PII) or proprietary corporate data, Diligio is committed to notifying the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the incident, in strict compliance with UK GDPR Article 33. Affected enterprise data controllers will be notified without undue delay to allow for appropriate internal mitigation.

Comprehensive Rights: Under UK GDPR protocols, authorised representatives preserve comprehensive structural rights to access, correct, restrict, object to, or mandate the definitive erasure of proprietary telemetry files linked to their enterprise identifier tokens.

Structural Execution: Access controls, user permissions, and metadata deletion parameters are fully managed natively at our database layer via robust row-level isolation logic.