UK GDPR data protection statement
ReqFit is a proposal review service operated by CASM Labs Limited, a company registered in England and Wales (company number 17115248). We are registered with the UK Information Commissioner's Office under registration ZC111039 and we process personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This statement explains, in plain English, what personal data we handle, why we handle it, where it goes, how long we keep it, your rights, and how to contact us. The formal privacy notice (covering all data handling in full legal detail) is published at our Privacy Policy. This page is the readable summary that sits alongside it.
What personal data we collect
We collect three categories of data:
- Account data: the email address and password you use to sign up, plus any organisation name and verified email domain you provide.
- Document data: the request for proposal (RFP) and proposal documents you upload for review, and the requirements list we extract from the RFP.
- Service and payment data: standard service logs (IP address, browser, pages visited), and order records held on our behalf by our payment provider.
We do not buy or rent personal data from third parties.
Why we process your data (lawful basis)
We rely on the following lawful bases under UK GDPR Article 6:
- Contract for everything needed to deliver the service you signed up for: creating your account, processing your documents, generating reports, taking payment, and providing customer support.
- Legitimate interests for service security, fraud prevention, abuse detection, and product improvement based on aggregated usage patterns.
- Consent for optional marketing emails and any non-essential analytics or tracking. You can withdraw consent at any time.
- Legal obligation where we need to retain records for tax, accounting, or regulatory purposes.
How we handle your documents
This is the part that matters most for proposal review, so we are precise rather than sweeping:
- Your proposal document is analysed in memory and deleted once your report is delivered.
- The extracted requirements list from your RFP is retained against your account. This guarantees that if you re-run a review on an improved proposal, we measure it against exactly the same requirements as before. The RFP source document itself is deleted.
- Analysis intermediate files and processing artefacts are deleted with the proposal.
- We do not maintain audit logs of document content. The system processes your files and discards the content.
- Reports are kept in your account, viewable online with PDF and DOCX download available throughout, for up to 90 days. You can delete a review manually at any point within that window. After 90 days, reports are deleted automatically. We encourage you to download your reports while they are available; downloaded copies remain on your own device after our retention window ends.
- Deleting your account removes all retained data, including stored requirements lists and any reports still within their 90-day retention window.
We do not use your documents to train any AI model. Our processor terms with Google Cloud Vertex AI prohibit your content being used for that purpose.
Where your data is processed
We process data on Google Cloud Platform using Vertex AI. The default processing region is selected for performance and is governed by Google Cloud's standard terms.
International transfers outside the UK take place under the protections required by UK GDPR: adequacy decisions where they apply, and the UK International Data Transfer Agreement (or the UK Addendum to EU Standard Contractual Clauses) where they do not. If your organisation has specific data residency requirements, contact us at security@reqfit.com.
Sub-processors
Our main sub-processors are:
- Google Cloud Platform / Vertex AI: document processing
- Paddle: payment processing (Merchant of Record)
- iubenda: privacy and cookie policy hosting, consent management
- Loops: transactional and marketing email
- Crisp: live chat support
- Cloudflare: content delivery and DDoS protection
A full and current sub-processor list is available on request.
Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Access: a copy of the personal data we hold about you.
- Rectification: correction of inaccurate or incomplete data.
- Erasure: deletion of your data, often called "the right to be forgotten".
- Restriction: temporary suspension of processing while a query is resolved.
- Portability: a copy of your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests, or to direct marketing.
- Withdraw consent: withdraw any consent you previously gave, at any time.
- Automated decision-making: rights in relation to decisions made solely by automated means.
To exercise any of these rights, email security@reqfit.com. We will respond within one month, in line with UK GDPR.
Data Processing Agreement
A Data Processing Agreement (DPA) is available on request for any customer that requires one. Email security@reqfit.com and we will provide a DPA suitable for review by your procurement or legal team. We can also sign a DPA you provide, whichever is faster for your process.
How to contact us, and how to complain
For any data protection question, email security@reqfit.com or write to:
CASM Labs Limited
71-75 Shelton Street
Covent Garden
London WC2H 9JQ
If you are not satisfied with our response, you can complain to the UK Information Commissioner's Office at https://ico.org.uk/make-a-complaint/. You may also complain to the supervisory authority in your country of residence.
Last updated: 24/05/2026