Privacy Policy
Last updated 23 June 2026
This Privacy Policy explains how Procurato.ai, operated by Benchmarked d.o.o. ("Procurato", "we", "us"), collects, uses and protects personal data when you use our website and procurement platform (the "Service"). We act as a data controller for our own business contacts and as a data processor for data you upload while using the Service.
1. Data we collect
We collect account details (name, work email, company, role), usage and device data (log files, IP address, browser type), and the procurement content you choose to upload - supplier records, tenders, offers and related documents. We do not knowingly collect special categories of personal data.
2. How we use it
We use personal data to provide and secure the Service, to run AI-assisted sourcing and offer comparison on your behalf, to communicate with you, to handle billing, and to comply with legal obligations. We do not sell personal data, and we do not use your uploaded procurement content to train third-party models.
3. Legal bases (GDPR)
We process personal data on the bases of contract performance (delivering the Service), legitimate interests (securing and improving the Service), legal obligation (tax and accounting), and consent where required (for example, for optional marketing emails); you can withdraw consent at any time.
4. Sub-processors & sharing
We share data only with vetted sub-processors that help us run the Service - cloud hosting, email delivery, error monitoring and payment processing - each bound by data-protection terms. A current list of sub-processors is available on request and forms part of our Data Processing Agreement.
5. International transfers & retention
You choose your hosting region (EU - Frankfurt, or US - Virginia). Where data leaves the EEA, we rely on Standard Contractual Clauses. We retain personal data for as long as your account is active and for the period required to meet legal obligations, after which it is deleted or anonymised.
6. Your rights
You have the right to access, correct, delete, restrict and port your personal data, and to object to certain processing. You may exercise these rights, or lodge a complaint with a supervisory authority, at any time. Contact us at privacy@procurato.ai.
Terms of Service
Last updated 23 June 2026
These Terms of Service govern your access to and use of the Procurato.ai platform provided by Benchmarked d.o.o. By creating an account or using the Service, you agree to these Terms on behalf of your organisation.
1. The Service
Procurato.ai provides software for sourcing suppliers, running tenders, comparing offers and maintaining an audit trail. We may update, improve or modify features over time. We will not materially reduce core functionality of a paid plan during your billing term without notice.
2. Accounts & acceptable use
You are responsible for safeguarding your credentials and for activity under your account. You agree not to misuse the Service, attempt to circumvent security, reverse-engineer the platform, or use it to store unlawful content or infringe the rights of others.
3. Fees & billing
Paid plans are billed monthly in advance; one-time implementation fees are invoiced at kickoff. Fees exclude applicable taxes. Plans are month-to-month with no long-term lock-in - you may cancel effective at the end of the current billing period.
4. Customer data & intellectual property
You retain all rights to the data you upload. You grant us a limited licence to process it solely to provide the Service. We retain all rights to the platform, software and trademarks. Our processing of personal data is governed by our Data Processing Agreement.
5. Warranties & liability
The Service is provided on a commercially reasonable basis. To the maximum extent permitted by law, we disclaim implied warranties, and our aggregate liability is limited to the fees paid in the twelve months preceding the claim. Nothing limits liability that cannot be excluded by law.
6. Term, termination & governing law
Either party may terminate for material breach not cured within 30 days. On termination you may export your data for 30 days, after which it is deleted. These Terms are governed by the laws of Slovenia, and the courts of Ljubljana have exclusive jurisdiction.
Security
Last updated 23 June 2026
Security is foundational to how we build and operate Procurato.ai. This page summarises the controls that protect your procurement data.
1. Infrastructure & hosting
The Service runs on hardened, ISO 27001-certified cloud infrastructure with regional isolation. You choose EU (Frankfurt) or US (Virginia) hosting. Environments are segmented, and production access is restricted to a small, audited group of engineers.
2. Encryption & access control
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We enforce role-based access control, single sign-on (SSO/SAML) on eligible plans, mandatory multi-factor authentication for staff, and the principle of least privilege.
3. Monitoring & testing
We run continuous logging and anomaly detection, automated dependency and vulnerability scanning, and independent penetration tests at least annually. Backups are encrypted and tested regularly for restorability.
4. Compliance
We maintain SOC 2 Type II and ISO 27001, and we align with the GDPR and the EU AI Act. Reports and certificates are available to customers and prospects under NDA.
5. Incident response & reporting
We maintain a documented incident-response plan and will notify affected customers without undue delay in the event of a personal-data breach. To report a security concern or vulnerability, email security@procurato.ai.
Data Processing Agreement
Last updated 23 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and Benchmarked d.o.o. ("Processor") and applies where we process personal data on your behalf under the GDPR.
1. Roles & scope
The Controller determines the purposes and means of processing; the Processor processes personal data only on documented instructions from the Controller, namely to provide the Service. The subject matter is procurement data; the duration is the term of the agreement.
2. Processor obligations
We ensure personnel are bound by confidentiality, implement appropriate technical and organisational measures, and assist the Controller in fulfilling data-subject requests and in meeting its security, breach-notification and impact-assessment obligations.
3. Sub-processors
The Controller authorises the use of sub-processors listed in our current register. We impose data-protection obligations on each sub-processor equivalent to those in this DPA and remain liable for their performance. We give notice of intended changes, allowing the Controller to object.
4. International transfers
Where processing involves a transfer of personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses together with any supplementary measures required to ensure an equivalent level of protection.
5. Security, audits & deletion
We maintain the security measures described on our Security page, make available information necessary to demonstrate compliance, and allow for audits on reasonable notice. On termination, we return or delete personal data at the Controller's choice, save where retention is required by law.
To request a counter-signed copy of this DPA, contact privacy@procurato.ai.