LAST UPDATED AT: SEP 24, 2025
Privacy Policy
Introduction
This policy explains how ProcuHelp B.V., incorporated under Dutch law ("ProcuHelp", "we", "us"), processes personal data in connection with the ProcuHelp platform (the "Platform"), our website at www.procuhelp.com, and any portals operated by us on behalf of our customers.
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Dutch law. Our supervisory authority is the Autoriteit Persoonsgegevens, accessible at www.autoriteitpersoonsgegevens.nl.
The Platform is for business use only. It is not designed for personal or household use.
1. Who is the data controller?
ProcuHelp B.V. is the data controller when processing personal data for its own operational purposes, including managing customer accounts, billing, security, and marketing to prospects and customers.
When customers use the Platform, the customer is the data controller and ProcuHelp is the data processor, acting on the customer's documented instructions under our Data Processing Agreement (DPA). The customer is responsible for determining the legal basis for processing, notifying data subjects, and handling data subject requests relating to their own data.
Where third parties such as vendors or employees access a portal operated by ProcuHelp on a customer's behalf, the customer is the data controller for data submitted through that portal. ProcuHelp's role is limited to operating the technical infrastructure on the customer's behalf as a processor.
2. What personal data we collect and why
The table below covers processing where ProcuHelp acts as an independent controller. For processing where ProcuHelp acts as a processor on behalf of customers, the customer's own privacy policy and notices apply.
| Purpose | Data categories | Legal basis | Retention period |
|---|---|---|---|
| Providing the Platform and managing accounts | Name, email, job title, organisation, role, authentication data | Contract performance; Article 6(1)(b) GDPR | Duration of subscription plus 30 days for data export |
| Billing and financial administration | Name, organisation, billing details, invoice records | Contract performance; Legal obligation; Article 6(1)(b) and (c) GDPR | 7 years as required by Dutch tax law |
| Platform security and fraud prevention | IP addresses, login timestamps, session data, activity logs | Legitimate interests; Article 6(1)(f) GDPR | 12 months, extended up to 3 years where necessary for legal claims |
| Customer support and troubleshooting | Name, email, support correspondence, account identifiers | Contract performance; Article 6(1)(b) GDPR | 2 years from resolution |
| Responding to demo requests and enquiries | Name, email, company name, professional details | Legitimate interests; Article 6(1)(f) GDPR | 3 years from last contact |
| Marketing communications | Name, email, company name, professional role | Legitimate interests; Article 6(1)(f) GDPR | 3 years from last contact or until opt-out |
| Platform improvement and analytics | Aggregated and pseudonymised usage data | Legitimate interests; Article 6(1)(f) GDPR | Anonymised data retained indefinitely; personal data deleted within 2 years |
| Legal compliance and claims | Relevant correspondence and records | Legal obligation; Legitimate interests; Article 6(1)(c) and (f) GDPR | As required by applicable law or as necessary for legal proceedings |
Where ProcuHelp relies on legitimate interests as a legal basis, we have conducted a balancing assessment and determined that our interests do not override your rights and freedoms. You may request details of any such assessment by contacting privacy@procuhelp.com.
3. Vendor onboarding and purchase request portals
Where a customer has enabled the vendor onboarding portal or purchase request portal, third parties including vendors and employees may submit personal data through those portals.
The customer is the data controller for all data submitted through their portal. ProcuHelp processes that data as a processor on the customer's behalf. Data submitted through a portal is used solely to fulfil the purpose of that portal as configured by the customer.
Vendors and employees who have questions about how their data is used should contact the organisation whose portal they are accessing. If you cannot identify that organisation or need assistance, contact us at privacy@procuhelp.com and we will direct you to the relevant controller.
4. AI-assisted features
The Platform includes optional AI-assisted features. Where enabled by the customer, relevant data is processed by an EU-based AI provider solely to produce the requested output. This processing occurs within the European Economic Area.
Personal data processed through AI features is not used to train or improve any AI model by ProcuHelp or by our AI provider.
AI outputs involve automated analysis only. They do not constitute decisions with legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. Human review is required before any reliance on AI outputs. ProcuHelp does not make automated decisions about individuals.
AI features are optional and can be disabled in Platform settings.
5. Who receives your data
We share personal data only where necessary to deliver our services or where required by law. Recipients include:
Internal staff with a genuine need to access the data for the purposes described above
Service providers engaged to support delivery of the Platform, including infrastructure, email, payment processing, and AI processing providers, each bound by data protection agreements meeting GDPR requirements
Professional advisers including legal, financial, and insurance advisers, subject to confidentiality obligations
Competent authorities and regulators where required by applicable law
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
6. International transfers
All Customer Data is stored and processed within the European Union. Where any service provider processes data outside the EEA, such transfers are subject to appropriate safeguards in accordance with Chapter V GDPR, including standard contractual clauses approved by the European Commission or an applicable adequacy decision. Details of the safeguards applied to specific transfers are available on request.
7. Security
We maintain technical and organisational security measures proportionate to the risks associated with processing personal data, including encryption, access controls, logical isolation between customer environments, and security monitoring. Access to personal data is restricted to authorised personnel on a need-to-know basis under confidentiality obligations.
We cannot guarantee that any system is entirely free from security risks. Customers and portal users are responsible for maintaining appropriate security on their own side.
8. Your rights
Where ProcuHelp processes your personal data as a controller, you have the following rights under GDPR. To exercise any of them, contact privacy@procuhelp.com. We will respond within one month, extendable by two further months for complex requests. We may ask you to verify your identity before responding.
Right to information (Articles 13 and 14) — to know how and why your data is processed. This policy fulfils that right.
Right of access (Article 15) — to obtain confirmation of whether we hold data about you and a copy of that data.
Right to rectification (Article 16) — to have inaccurate or incomplete data corrected without undue delay.
Right to erasure (Article 17) — to request deletion where data is no longer necessary, where consent is withdrawn, or where processing is unlawful, subject to legal retention obligations.
Right to restriction (Article 18) — to request that we limit processing in certain circumstances, for example while accuracy is contested.
Right to data portability (Article 20) — to receive data you have provided to us in a structured, commonly used, machine-readable format, and to request its transfer to another controller where technically feasible.
Right to object (Article 21) — to object to processing based on legitimate interests. Where you object to direct marketing, we will stop immediately. For other processing, we will stop unless we can demonstrate compelling legitimate grounds.
Right not to be subject to solely automated decision-making (Article 22) — we do not make decisions with legal or similarly significant effects based solely on automated processing.
Right to withdraw consent (Article 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint (Article 77) — you have the right to lodge a complaint with the Autoriteit Persoonsgegevens at www.autoriteitpersoonsgegevens.nl.
Where data is held about you as a processor on behalf of a customer, requests should be directed to that customer as controller. If you need help identifying the correct controller, contact us and we will assist.
9. Cookies
We use cookies and similar technologies on our Website. For full details of the cookies we use and how to manage your preferences, see our Cookie Policy at www.procuhelp.com/cookies.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or in-app notice before they take effect. The current version is always available at www.procuhelp.com/privacy.
11. Contact
For privacy questions, requests, or complaints: Email: privacy@procuhelp.com
Security matters: security@procuhelp.com
