Privacy Policy
Last updated: 27 April 2026 · Version 1.0
This Privacy Policy explains how RWJ Consulting Ltd trading as BidID ("BidID", "we", "us", "our"), a company registered in England and Wales under company number 16973221 and registered with the Information Commissioner's Office under registration number ZC132899, collects, uses, stores, and protects personal data in connection with the BidID referral triage platform ("the Service").
This policy applies to all users of the BidID platform. It should be read in conjunction with our Data Processing Agreement where BidID processes personal data on behalf of a care provider organisation.
1. Who We Are
2. What Data We Collect and Why
2.1 Account Data (Data Controller)
When you create a BidID account, we collect and process the following data for which we act as Data Controller:
- Email address — used for authentication, password reset, and service notifications;
- Organisation name — used to scope your account and referral data;
- Role within your organisation (admin or member);
- Login timestamps and session data;
- Usage events (features accessed, scans performed) for product improvement.
Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR) and our legitimate interests in providing and improving the Service (Article 6(1)(f) UK GDPR).
2.2 Referral Data (Data Processor)
When you use BidID to scan and import referrals, we process personal data about individuals who are the subject of those referrals. For this processing, BidID acts as a Data Processor on behalf of your organisation (the Data Controller).
The personal data we process includes:
- Abbreviated name or initial of the individual being referred (e.g. "John S.");
- Age band and gender;
- Care needs, diagnoses, and clinical information extracted from referral documents;
- Funding information and proposed weekly rate;
- Geographic location and referring local authority;
- Hashed (non-reversible SHA-256) values of full names and email addresses for duplicate detection only.
Full names, NHS numbers, addresses, and other directly identifying information are not stored.
3. Special Category Data
Referral data routinely contains Special Category Data within the meaning of Article 9 UK GDPR, including health data, mental health diagnoses, learning disabilities, and other medical information. We process this data on the basis of:
- Article 9(2)(h) UK GDPR — processing necessary for the provision of health or social care;
- Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018 — health or social care purposes.
4. How We Use AI Processing
BidID uses artificial intelligence provided by Anthropic, Inc. (via the Claude API) to extract structured data from referral text and score referrals against configured criteria. The following applies:
- Email and portal content identified as likely referrals is transmitted to Anthropic's API for extraction and scoring only.
- A two-stage client-side pre-screening process filters automated notifications and emails lacking care referral keywords before any content is transmitted — filtered content never leaves your browser.
- Keyword-based screening is heuristic and not exhaustive — occasional false positives may occur where non-referral emails contain care sector terminology. Users should apply the extension only to email views filtered to known referral sources to minimise this risk.
- Anthropic does not retain this data beyond processing each individual request.
- No personal data is used to train AI models without explicit consent.
- The AI does not make autonomous decisions — all scoring is subject to human review.
- Transfers to Anthropic's US-based servers are covered by Standard Contractual Clauses.
5. Data Retention
- Account data: retained for the duration of your account and 90 days following closure;
- Referral data: retained for 24 months from import, then automatically deleted;
- Usage logs: retained for 12 months;
- Backup data: retained for up to 30 days on a rolling basis.
You may request deletion of your data at any time by contacting hello@bidid.co.uk.
6. Where Your Data is Stored
- Supabase (database) — hosted in EU (Ireland);
- Vercel (application hosting) — hosted in EU (Frankfurt);
- Anthropic (AI processing, transient) — US-based, Standard Contractual Clauses in place;
- Resend (email delivery) — US-based, Standard Contractual Clauses in place.
7. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (Article 15);
- Rectification of inaccurate data (Article 16);
- Erasure of your data in certain circumstances (Article 17);
- Restriction of processing (Article 18);
- Data portability (Article 20);
- Object to processing (Article 21).
To exercise any of these rights, contact hello@bidid.co.uk. We will respond within one calendar month.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or by telephone on 0303 123 1113.
8. Security
- TLS 1.2+ encryption for all data in transit;
- AES-256 encryption for data at rest;
- Role-based access controls and row-level security;
- Logical data isolation between customer organisations;
- Regular review of sub-processor security practices.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 30 days before they take effect. The current version is always available at bidid.co.uk/privacy.
10. Contact
BidID is a trading name of RWJ Consulting Ltd. Registered in England and Wales. Company No. 16973221.
Registered office: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE.