Privacy Policy of www.reqfit.com
This Privacy Policy describes how CASM Labs Ltd ("we", "us", or "our") collects, utilises, processes, shares, and protects personal data. This policy applies to individuals who browse our website, register a corporate account, utilise our subscriptions, or interact with our support channels.
This Application operates strictly as a Business-to-Business (B2B) service. This policy has been drafted in strict accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
This document operates alongside our Terms and Conditions and our Data Processing Agreement (DPA). In the event of any conflict regarding the handling of personal data contained within uploaded customer documents, the terms of the DPA shall prevail in accordance with Section 12.7 of our Terms and Conditions. A plain-English summary of our core compliance framework can also be viewed at our UK GDPR Statement.
1. Corporate Identity and Dedicated Inboxes
1.1 Data Controller: The legal entity responsible for the processing of your corporate account configuration, website analytics, and customer relationship records is:
- Company Name: CASM Labs Ltd (trading as "ReqFit")
- Registration: Incorporated in England and Wales under company number 17115248.
- Registered Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
- Regulatory Registration: Registered as a data controller with the UK Information Commissioner's Office (ICO) under registration number ZC111039.
1.2 Communication Infrastructure: To ensure operational separation and rapid response, we maintain two dedicated entry points for data protection matters:
- For routine data access requests, general privacy preferences, and account management queries: info@reqfit.com
- For reporting security anomalies, potential data breaches, or serving formal data protection notices: security@reqfit.com
2. Our Operational Role (Controller vs. Processor)
We process personal data under two entirely distinct operational capacities, depending on the nature of the information:
2.1 Data We Handle as a Data Controller: We act as a Data Controller for the personal data required to administer your business relationship, manage your corporate account settings, evaluate platform security logs, and execute technical support (e.g., user business email addresses, account profile settings, system logs, and browsing analytics). Payment processing is performed independently by Paddle as our Merchant of Record, acting as an independent Controller in respect of billing information (see Section 5 for detail).
2.2 Data We Handle as a Data Processor: When your corporate users upload Requests for Proposals (RFPs) or proposal files into the ReqFit platform, those commercial documents may contain unstructured personal data (such as team CVs, employee credentials, or procurement contact names). We process this information strictly as a Data Processor on your documented instructions to generate automated review reports. Our processing of this data is strictly governed by our Data Processing Agreement (DPA).
3. Categories of Personal Data We Collect
We collect and process the following categories of personal data across our digital properties:
- Account Identifiers: First name, last name, business email address, account username, corporate organisation name, and password verifiers (stored only as salted hashes produced by a memory-hard hashing function, never as plaintext passwords).
- Technical and Network Analytics: IP addresses, device identifiers, web browser specifications, operating system details, access timestamps, referral URLs, page views, session statistics, and click path data.
- Communications Metadata: Professional contact details and raw message text voluntarily submitted through our contact forms, direct support emails, or live-chat widgets.
- Commercial Relationship Metadata: Corporate transaction IDs, active subscription states, volume tiers, and billing tracking indicators.
4. Authorised Data Processors (Our Sub-processors)
To provide our cloud-first infrastructure and processing pipelines, we utilise specific third-party technical service providers. Where these vendors process personal data on our behalf, they act as Sub-processors and are bound by written contractual terms providing data protection protections no less restrictive than our own.
A. Core Service and Customer Personal Data Sub-processors
- Google Cloud Platform (Google Cloud EMEA Limited): 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland. Provides our primary application compute (stateless Cloud Run nodes), audit logging architecture, and customer relationship database platforms. All static customer account profiles and uploaded evaluation data remain resident at rest within the europe-west2 (London, UK) cloud region.
- Google Cloud Vertex AI (Google Cloud EMEA Limited): 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland. Executes transient automated analysis and generative AI model inference for our proposal review pipeline. The User acknowledges that text snippets are processed strictly in-memory and may execute across dynamic international cloud infrastructure zones outside the UK and EEA to ensure service availability. No input data is stored at rest or utilised for model training by the provider in any jurisdiction. Transfers are protected via the UK Addendum to the EU Standard Contractual Clauses and the UK Extension to the EU-US Data Privacy Framework.
- Loops (Astrodon Corporation): 9450 SW Gemini Drive, PMB 22902, Beaverton, OR 97008, USA. Manages transactional system emails, including account verification codes and report delivery notifications. Transfers are protected via the UK Addendum to the EU Standard Contractual Clauses.
- Cloudflare, Inc.: 101 Townsend Street, San Francisco, CA 94107, USA. Provides our edge network routing, Content Delivery Network (CDN) caching, and Web Application Firewall (WAF) threat mitigation. Filters incoming traffic metadata to block malicious actors and automated bots.
- Crisp IM SARL: 2 boulevard de Launay, 44100 Nantes, France. Powers the embedded customer service live-chat support widget on our web properties.
- iubenda s.r.l.: Via San Raffaele, 1, 20121 Milan, Italy. Used solely to provide our script management and cookie consent compliance banner.
B. Internal Business Operations and Relationship Tools
We utilise additional cloud tools to manage our internal operations. These systems handle business contact data of our authorised users (but never touch or process your uploaded proposal texts or bid materials):
- HubSpot, Inc. (USA): Operates as our internal Customer Relationship Management (CRM) database to track sales leads, support ticket lifecycles, and commercial account interactions. Protected via standard international transfer addenda.
- Google Workspace (Google Cloud EMEA Limited): Operates our internal corporate email infrastructure and document administration pipelines.
5. Independent Controllers — Paddle as Merchant of Record
5.1 For the avoidance of doubt, CASM Labs Ltd utilises Paddle.com Market Limited (Judd House, 18-29 Mora Street, London, EC1V 8BT, UK) as its Merchant of Record for all commercial transactions. Paddle acts as an independent Data Controller in respect of business relationship billing information, payment card data collection, payment processing operations, and regional tax compliance.
5.2 CASM Labs Ltd does not see, capture, or store payment card details. Paddle holds the canonical record of transactions, and their data processing activities are governed entirely by the Paddle Privacy Policy, accessible at https://www.paddle.com/legal/privacy.
6. Legal Bases for Account Data Processing
Under Article 6 of the UK GDPR, we process your personal account data under the following valid legal bases:
- Contractual Performance (Article 6(1)(b)): Processing is strictly required to establish your access credentials, maintain your account profile, manage your subscription thresholds, and deliver the core automated review service.
- Legitimate Interests (Article 6(1)(f)): Processing technical logs and security metadata is necessary to defend our Google Cloud infrastructure from cyber attacks, monitor capacity anomalies, and maintain platform stability.
- Legal Compliance (Article 6(1)(c)): Retaining statutory corporate records, VAT and tax records, and personal data breach records as mandated under English law.
- Consent (Article 6(1)(a)): Where you have given explicit consent via our cookie consent banner for non-essential analytical tracking, or opted in to receive optional product updates. Consent can be withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal.
7. Data Minimisation and Storage Retention Lifecycle Matrix
We enforce a strict data minimisation schedule across all asset tracks. The matrix below defines our precise retention rules, ensuring full alignment across our public terms:
| Data Asset Track | Retention Duration | Operational Handling and Expiry Rationale |
|---|---|---|
| Uploaded Source Documents | Immediate Erasure | Original proposal texts and RFP source files are instantly cleared from application runtime memory following successful generation of the review report. |
| Extracted Baseline Requirements | Lifecycle of the Corporate Account | Extracted requirements are attached to your account profile to guarantee technical consistency across sequential reviews. Retained for the duration of the account and permanently purged immediately upon Account Deletion. |
| Generated Review Reports | Ninety (90) Days | Completed reports remain securely accessible on your dashboard for exactly 90 days from creation, after which they are automatically purged. Users can delete any report manually at any time. |
| Administrative Account Profiles | Term of the Corporate Relationship | User registration identifiers, billing histories, and profile logs are maintained for the active duration of the account lifecycle and are completely and permanently cleared immediately upon explicit Account Deletion by the User. Where the customer explicitly chooses to request a manual return of personal account data rather than direct erasure upon account termination, a maximum 90-day return window applies per our Data Processing Agreement Clause 11.1. |
| Technical System Logs | Up to Four Hundred (400) Days | Diagnostic logs are retained in line with Google Cloud Logging defaults: application logs for 30 days, and administrative activity audit logs for the fixed 400-day period Google Cloud applies to that log class. |
8. Cookies and Technical Tracking Technologies
We utilise essential and analytical tracking technologies on www.reqfit.com. Essential cookies are deployed automatically to manage secure user sessions and route traffic efficiently. Non-essential cookies (such as analytics scripts) are strictly blocked by default and are only executed if an authorised user grants explicit consent via our cookie consent banner. Our complete tracker definitions, cookie lists, and dynamic consent preferences are governed by our separate Cookie Policy.
9. Technical Security Measures and Infrastructure Defense
We maintain comprehensive technical and organisational security controls to protect all data under our control. All connections to our platform are encrypted in transit with TLS 1.3 (or later), and all customer databases and storage buckets within our Google Cloud Platform environment are encrypted at rest with AES-256 using the platform's managed encryption keys. We enforce hardware separation, multi-factor authentication (MFA, including passkeys) for all director credentials, and continuous vulnerability patch management. Full technical security specifications are detailed within Schedule 2 of our formal Data Processing Agreement.
10. Account Data Breach Commitments
In the event of a personal data breach affecting your administrative account information (such as a credential compromise or configuration exposure), we will notify affected users without undue delay and in any event within forty-eight (48) hours of becoming aware of the incident. Unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, we will also notify the Information Commissioner's Office (ICO) within seventy-two (72) hours of becoming aware of it, in accordance with Article 33 UK GDPR. For data breaches affecting unstructured personal data contained within files uploaded by users as Data Controllers, our notification windows and mitigation workflows are governed strictly by Clause 6 of our Data Processing Agreement.
11. Statutory Privacy Rights and Request Procedures
11.1 Your Statutory Privacy Rights: In accordance with Chapter III of the UK GDPR and Article 77, individuals whose personal data we control maintain the following statutory privacy rights:
- The Right to be Informed: To be told transparently how we use your data (as set out in this policy).
- The Right of Access: To request confirmation of processing and obtain a copy of your personal data.
- The Right to Rectification: To require the prompt correction of inaccurate or incomplete information.
- The Right to Erasure ("To Be Forgotten"): To require deletion of data where the contractual or legal basis for retaining it has lapsed.
- The Right to Restrict Processing: To demand that we pause data processing, restricting our actions purely to safe storage.
- The Right to Data Portability: To obtain and transfer your digital records to an alternative software provider.
- The Right to Object: To challenge processing activities driven by our legitimate interests or direct marketing.
- Rights in relation to Automated Decision-Making: Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects for you.
- The Right to Complain: To lodge a formal regulatory dispute with the Information Commissioner's Office (ICO).
11.2 Formal Verification and Response Procedures: To exercise any of your statutory rights, submit a clear request to the inbox designated in Section 1.2: info@reqfit.com for data access requests and privacy preferences, or security@reqfit.com for formal data protection notices. To protect your corporate information from fraudulent interception, we enforce a strict verification process and will not release records until identity is proven. In accordance with UK GDPR requirements:
- All legitimate statutory data requests are processed entirely free of charge.
- We will provide our formal response, along with any requested data extractions, within one (1) calendar month of receiving a verified request.
- If a request is found to be manifestly unfounded, repetitive, or excessive, we reserve the right to either charge a reasonable administrative fee or formally refuse to act on the request, providing clear legal reasons for our decision.
12. General Provisions and Version Control
12.1 Age Restrictions: Our Application and Services are designed strictly for business procurement operations and are not intended for individuals under eighteen (18) years of age. We do not knowingly collect or parse personal data from minors.
12.2 Notice of Amendments: We reserve the right to modify this Privacy Policy at any time. For material amendments that alter user data rights, processing legal bases, or third-party listings, we will provide a minimum of thirty (30) days' prior notice via direct email or a prominent dashboard alert. For non-material administrative formatting updates, a notice window of seven (7) days shall apply. Continued use of the platform after updates go live signifies your acceptance of the revised terms.
12.3 Archived Versions: Previous iterations of this document are permanently archived for version control and remain available to corporate users upon written request sent to security@reqfit.com.
Last updated: 24 May 2026. Contact: info@reqfit.com for general inquiries, security@reqfit.com for legal notices and data protection matters.