Privacy Policy

1. Scope and Definitions

This Privacy Policy applies to information we collect about users of the Service, including organization owners, administrators, and team members. It does not apply to any third-party services that may be integrated with the Service; those services are governed by their own privacy policies.

1.1 Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Customer Content" means all data, documents, text, files, and other content that you or your organization upload, create, or store within the Service, including RFP documents, questions, answers, templates, and knowledge base entries.
• "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
• "Data Controller" means the entity that determines the purposes and means of processing personal data. BidGenie is the data controller for personal data collected through the Service.
• "Data Processor" means an entity that processes personal data on behalf of a data controller. Third-party service providers acting on our behalf are data processors.

2. Information We Collect

2.1 Information You Provide to Us

We collect information you provide directly to us, including:

• Account and profile information: name, email address, password, organization name, role, and related details.
• Customer Content: RFP documents, questions, responses, templates, and other materials you upload or create within the Service.
• Communication information: information contained in support requests, feedback, or other communications with us.
• Billing information: subscription details and limited payment information (handled primarily by our payment processors).

2.2 Information We Collect Automatically

When you use the Service, we automatically collect certain information, including:

• Usage data: pages viewed, actions taken, features used, time spent, and other interaction data.
• Device and log data: IP address, browser type, operating system, device identifiers, referring URLs, and timestamps.
• Cookies and similar technologies: we use cookies, local storage, and similar technologies to remember your preferences, keep you signed in, and understand how the Service is used.

2.3 Information from Third Parties

We may receive information about you from third-party services, including:

• Authentication providers: When you sign in using OAuth providers (Google, GitHub, LinkedIn), we receive your email address, name, and profile picture (if available) from the provider.
• Payment processors: Our payment processor (Dodo Payments/Stripe) provides us with subscription status, billing information, and transaction history.
• Integration partners: If you connect third-party services (such as Google Drive), we may receive information about your account and usage of those services, subject to your authorization and the third party's privacy policy.

3. How We Use Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service.
• To create and manage user and organization accounts.
• To process subscriptions, payments, and billing.
• To secure the Service, prevent fraud, and enforce our Terms of Service.
• To respond to inquiries, provide support, and communicate with you.
• To analyze usage, improve the Service, and develop new features, including AI-powered capabilities.
• To comply with legal obligations and protect our legal rights.

4. AI Features and Data Processing

BidGenie uses artificial intelligence and machine learning technologies to provide core features of the Service, including automated answer generation, document analysis, and content recommendations.

4.1 AI Service Providers

We use the following AI service providers:

• OpenAI: We use OpenAI's API services, including:
  • Embedding Models: text-embedding-3-small for converting text to vector embeddings for similarity search
  • Language Models: GPT-4 and GPT-4o-mini for generating answers and analyzing RFP documents
• Anthropic (Claude): We may use Claude 3 models as an alternative or complementary AI service for answer generation.

4.2 Data Sent to AI Providers

When you use AI features, the following data may be transmitted to our AI providers:

• RFP Questions: The text of questions extracted from RFP documents
• Answer Library Content: Relevant excerpts from your organization's answer library used as context for generating responses
• Generated Answers: Draft answers created by the AI for your review
• Organization Context: Limited organizational information (e.g., company name) used to personalize responses

4.3 AI Provider Data Use Policies

We have entered into data processing agreements with our AI providers that include the following protections:

• No Training on Your Data: Our agreements prohibit AI providers from using your Customer Content to train or improve their general-purpose models. Your data is used solely to generate responses for your account.
• Data Retention: AI providers retain your data only for the duration necessary to process your requests and for limited periods required for security and compliance purposes, as specified in our agreements.
• Security Standards: AI providers are contractually required to maintain industry-standard security measures and comply with applicable data protection laws.
• Sub-processors: AI providers may use sub-processors, but only those that meet equivalent data protection standards.

4.4 Your Responsibilities

You are responsible for ensuring that Customer Content you provide to AI features:

• Does not contain sensitive personal data (e.g., Social Security numbers, health records) unless you have appropriate legal basis and safeguards
• Complies with your own contractual and regulatory obligations
• Does not violate any third-party rights (e.g., intellectual property, confidentiality)
• Is appropriate for processing by third-party AI services

4.5 Vector Embeddings and Similarity Search

We generate vector embeddings of your answer library content and RFP questions using OpenAI's embedding models. These embeddings are stored in our database (hosted by Supabase) to enable semantic similarity search. Embeddings are mathematical representations of text and do not contain readable personal data, but they are derived from your content and are associated with your organization.

5. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:

• Contractual necessity: to provide and operate the Service and perform our obligations under our agreement with you or your organization.
• Legitimate interests: to secure and improve the Service, prevent abuse, and protect our legal rights, provided that our interests are not overridden by your fundamental rights and freedoms.
• Consent: where required by law, for example for certain types of cookies or marketing communications.
• Legal obligation: to comply with applicable laws and regulations.

6. How We Share Information

We may share information as follows:

• Within your organization: account and usage information may be visible to organization owners and administrators, in accordance with your organization's settings.
• Service providers: with cloud hosting providers, payment processors, analytics tools, email providers, and AI model providers that assist us in operating the Service.
• Professional advisors: with lawyers, auditors, and other professional advisors where necessary for the purposes of our business.
• Business transfers: in connection with a merger, acquisition, corporate reorganization, or sale of all or part of our business.
• Legal and safety: where we believe disclosure is reasonably necessary to comply with law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of BidGenie, our users, or the public.

6.1 Third-Party Service Providers

We use the following categories of third-party service providers to operate the Service:

• Cloud Infrastructure & Hosting:
  • Supabase: Database hosting, authentication, file storage, and vector search services. Data is stored in the United States and European Union regions.
  • Vercel: Application hosting and content delivery network (CDN). Data may be processed in multiple global regions.
• Payment Processing:
  • Dodo Payments / Stripe: Payment processing, subscription management, and invoicing. Payment card data is handled directly by Stripe and never stored by BidGenie.
• AI & Machine Learning:
  • OpenAI: Text embeddings and language model services for answer generation.
  • Anthropic: Claude language models for answer generation (when used).
• Monitoring & Analytics:
  • Sentry: Error tracking and performance monitoring.
  • Vercel Analytics: Web vitals and user experience metrics.
  • OpenTelemetry / Honeycomb: Distributed tracing and observability.
• Authentication Providers:
  • Google OAuth: For users who choose to sign in with Google.
  • GitHub OAuth: For users who choose to sign in with GitHub.
  • LinkedIn OAuth: For users who choose to sign in with LinkedIn.
• Optional Integrations:
  • Google Drive: For users who choose to export documents to Google Drive.

All third-party service providers are contractually required to:

• Process personal data only for the purposes specified in our agreements
• Implement appropriate technical and organizational security measures
• Comply with applicable data protection laws
• Not use personal data for their own purposes without authorization

Important: We do not sell your personal data. We do not share personal data with third parties for their own direct marketing purposes without your consent.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

7.1 Account Data

• Active accounts: Retained for the duration of your account and subscription
• Deleted accounts: Account data is deleted within 30 days of account deletion, except where retention is required by law
• Billing records: Retained for 7 years from the date of the last transaction to comply with tax and accounting requirements

7.2 Customer Content

• RFP documents and answers: Retained until you delete them or until your account is deleted
• Answer library entries: Retained until you delete them or until your account is deleted
• Vector embeddings: Deleted when the associated content is deleted

7.3 Usage and Analytics Data

• Usage logs: Retained for 12 months for security and troubleshooting purposes
• Performance metrics: Retained for 24 months for service improvement
• Error logs: Retained for 90 days unless required for ongoing investigation

7.4 Deletion Requests

Upon your request to delete your personal data, we will:

• Delete or anonymize your personal data within 30 days, subject to legal retention requirements
• Delete Customer Content associated with your account
• Retain only data required by law (e.g., billing records for tax compliance)
• Provide confirmation of deletion upon completion

8. Data Security

We implement comprehensive technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our security measures include:

8.1 Technical Security Measures

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest: Sensitive data stored in our databases is encrypted at rest
• Authentication: Multi-factor authentication (MFA) available for user accounts
• Access controls: Role-based access control (RBAC) and Row-Level Security (RLS) policies enforce data isolation
• Network security: Firewalls, intrusion detection, and DDoS protection
• Secure development: Regular security audits, code reviews, and dependency scanning

8.2 Organizational Security Measures

• Employee training: Regular security awareness training for all personnel
• Access management: Principle of least privilege for employee access to systems and data
• Incident response: Documented procedures for detecting, responding to, and reporting security incidents
• Vendor management: Security assessments of third-party service providers
• Business continuity: Regular backups and disaster recovery procedures

8.3 Security Certifications and Compliance

Our service providers maintain the following certifications and compliance standards:

• Supabase: SOC 2 Type II, GDPR compliant, HIPAA eligible
• Vercel: SOC 2 Type II, ISO 27001, GDPR compliant
• Stripe: PCI DSS Level 1 certified, SOC 2 Type II, GDPR compliant

8.4 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

• Notify affected users and relevant supervisory authorities within 72 hours, where required by law
• Provide clear information about the nature of the breach and steps we are taking to address it
• Recommend actions you can take to protect yourself
• Maintain records of all data breaches as required by law

Important: While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data and will promptly notify you of any security incidents that may affect you.

9. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal data:

9.1 How to Exercise Your Rights

To exercise any of these rights, please:

• Contact us at privacy@bidgenie.com
• Include your name, email address, and a clear description of the right you wish to exercise
• We may need to verify your identity before processing your request
• We will respond to your request within 30 days (or as required by applicable law)

9.2 Right to Lodge a Complaint

If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately. You can find your local authority at edpb.europa.eu.

10. Cookies and Similar Technologies

We use cookies and similar technologies (such as local storage and session storage) to provide and improve the Service. Cookies are small text files stored on your device when you visit our website.

10.1 Types of Cookies We Use

10.2 Cookie Duration

• Session cookies: Deleted when you close your browser
• Persistent cookies: Remain on your device for a set period (typically 30-365 days) or until you delete them

10.3 Managing Cookies

You can control cookies through:

• Browser settings: Most browsers allow you to refuse or delete cookies. However, disabling strictly necessary cookies may prevent the Service from functioning properly.
• Cookie banner: When you first visit the Service, you can choose which non-essential cookies to accept.
• Account settings: You can update your cookie preferences in your account settings at any time.

For more information about managing cookies, visit www.allaboutcookies.org.

11. International Data Transfers

BidGenie may process and store information in countries outside your country of residence, which may have data protection laws that are different from those of your country. We take steps to ensure that your personal data receives adequate protection regardless of where it is processed.

11.1 Data Transfer Locations

Your data may be transferred to and processed in the following regions:

• United States: Primary hosting location for our databases and application servers
• European Union: Alternative hosting region available for EU customers
• Global CDN: Content delivery network nodes worldwide for faster access

11.2 Transfer Safeguards

For transfers from the EEA, UK, or Switzerland to countries without adequate data protection laws, we implement the following safeguards:

• Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses with all third-party processors
• Data Processing Agreements (DPAs): All service providers are bound by DPAs that include GDPR-compliant terms
• Adequacy Decisions: Where possible, we use service providers in countries with adequacy decisions from the European Commission
• Technical Safeguards: Encryption and access controls protect data in transit and at rest

11.3 Your Rights Regarding Transfers

If you are located in the EEA, UK, or Switzerland, you have the right to:

• Request information about the countries where your data is processed
• Request a copy of the safeguards we have in place for international transfers
• Object to specific transfers if you believe adequate safeguards are not in place

12. Children's Privacy

The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information where required by law.

13. Additional Rights for California Residents

If you are a resident of California, you have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"):

13.1 CCPA/CPRA Rights

• Right to Know: You can request disclosure of:
  • The categories of personal information we collect
  • The categories of sources from which we collect personal information
  • The business or commercial purposes for collecting or selling personal information
  • The categories of third parties with whom we share personal information
  • The specific pieces of personal information we hold about you
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, fraud prevention)
• Right to Correct: You can request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell personal information as defined under the CCPA. We do not share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: You can request that we limit the use of sensitive personal information to what is necessary to provide the Service
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

13.2 Categories of Personal Information We Collect

In the past 12 months, we have collected the following categories of personal information:

• Identifiers: Name, email address, IP address, device identifiers
• Commercial Information: Subscription details, payment history, usage data
• Internet Activity: Browsing history, interaction data, cookies
• Professional Information: Organization name, job title, role
• Customer Content: RFP documents, questions, answers, templates

13.3 How to Exercise Your California Privacy Rights

To exercise your California privacy rights:

• Email us at privacy@bidgenie.com with the subject line "California Privacy Request"
• Include your name, email address, and specify which right(s) you wish to exercise
• We may need to verify your identity by requesting additional information
• We will respond within 45 days (or as required by law)
• You may designate an authorized agent to make requests on your behalf

Important: We do not sell personal information as that term is defined under the CCPA. We do not knowingly sell or share personal information of consumers under 16 years of age.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in legal, technical, or business developments. When we update the policy, we will revise the "Last updated" date at the top of this page and, where appropriate, provide additional notice (such as a banner in the application).

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

15.1 Data Protection Officer (DPO)

If you are located in the EEA or UK and wish to contact our Data Protection Officer, please email dpo@bidgenie.com or use the general privacy email above with "DPO" in the subject line.