Privacy Policy

1. Who We Are

Bidready ("Bidready", "we", "our") operates the Bidready.ca platform and is the controller of personal information collected through the Service. You can reach our privacy contact at hello@bidready.ca.

Bidready is available worldwide. This Privacy Policy is written with Canadian federal privacy law (PIPEDA), the EU and UK General Data Protection Regulations (GDPR and UK GDPR), and the California Consumer Privacy Act as amended by the CPRA in mind. Where local law grants you stronger rights, those rights apply.

2. Information We Collect

We collect the following categories of personal information:

• Account information: name, work email address, company name, role, password hash, and authentication metadata.
• Company and proposal content: documents, tender materials, company profile, project history, and draft responses you upload or generate in the Service.
• Usage and device data: log records, IP address, user agent, timestamps, pages visited, actions performed, and error telemetry used to operate and secure the Service.
• Communications: support requests, feedback, and correspondence with our team.
• Cookies and similar technologies: strictly necessary cookies for authentication and security. We do not use advertising or cross-site tracking cookies.

We do not knowingly collect personal information from children. The Service is intended for business use by adults.

3. How We Use Information

We use personal information to:

• Provide, operate, secure, and support the Service.
• Generate AI-assisted drafts and workflow outputs based on your inputs.
• Authenticate users and enforce access controls between organizations.
• Detect, investigate, and prevent fraud, abuse, and security incidents.
• Communicate with you about service updates, security notices, and support.
• Improve reliability, performance, and accuracy of the Service.
• Comply with legal obligations and enforce our Terms.

Under GDPR, our legal bases for processing are: performance of a contract with you (Art. 6(1)(b)), our legitimate interests in operating and securing the Service (Art. 6(1)(f)), compliance with legal obligations (Art. 6(1)(c)), and where required, your consent (Art. 6(1)(a)).

4. AI Processing and Subscriber Content

Documents and prompts you submit are processed by AI model providers acting as our sub-processors solely to generate outputs for your organization. We do not sell your Subscriber Content and we do not allow sub-processors to use it to train their general models. Subscriber Content is isolated per organization; no other subscriber can view, access, or download it.

5. When We Share Information

We share personal information only with:

• Service providers and sub-processors who operate infrastructure, hosting, email delivery, analytics, authentication, and AI model inference on our behalf, under contractual confidentiality and data protection obligations.
• Professional advisors such as legal, accounting, and audit providers where strictly necessary.
• Successors in the event of a merger, acquisition, or sale of assets, subject to continued protection of your information.
• Authorities when required by law, court order, or to defend our legal rights and the safety of users.

We do not sell personal information and we do not share it for cross-context behavioural advertising.

6. Data Location and International Transfers

Your account data, company profile, uploaded documents, and proposal content are hosted in Canada, in the Amazon Web Services Canada (Central) region (ca-central-1), via our database and storage provider, Supabase.

Some processing necessarily occurs outside Canada. In particular, AI drafting and extraction are performed by Anthropic (our AI sub-processor), which may process the content you submit to those features in the United States. Email delivery, error monitoring, and application hosting may also involve providers that operate in the United States or other jurisdictions. Where personal data is transferred outside Canada, it remains subject to this Privacy Policy, and we require our sub-processors to provide a comparable level of protection through contractual safeguards. Where data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

A current list of sub-processors and a data processing addendum (DPA) are available on request by writing to hello@bidready.ca.

7. Retention

We retain personal information for as long as your account is active and for a reasonable period thereafter to meet legal, tax, accounting, and legitimate business requirements. Subscriber Content is retained while your organization has an active subscription. On termination, we will delete or anonymize Subscriber Content within a reasonable period, subject to legal retention obligations and backup rotation schedules.

8. Security

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the information we handle. These include encryption in transit, access controls based on least privilege, tenant isolation, audit logging, and routine vulnerability management. No method of electronic storage or transmission is completely secure; we cannot guarantee absolute security. If we become aware of a security incident affecting your personal information, we will notify you and relevant regulators as required by law.

9. Your Rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete your personal information, subject to legal exceptions.
• Restrict or object to certain processing.
• Port your data to another service in a commonly used format.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection authority (for example, the Office of the Privacy Commissioner of Canada, a supervisory authority in the EEA or UK, or the California Privacy Protection Agency).

Under CCPA/CPRA, California residents also have the right to know, to delete, to correct, to opt-out of the sale or sharing of personal information (Bidready does not sell or share as defined by CCPA/CPRA), and to limit the use of sensitive personal information. We will not discriminate against you for exercising these rights.

To exercise your rights, contact hello@bidready.ca. We may need to verify your identity before responding. We will respond within the timeframes required by applicable law.

10. Cookies

We use strictly necessary cookies to keep you signed in and to protect the Service against abuse. We do not set third-party advertising or cross-site tracking cookies. If and when we introduce non-essential cookies (for example, for product analytics), we will ask for your consent first where required.

11. Automated Decisions

Bidready generates drafts and recommendations using AI, but it does not make automated decisions that produce legal or similarly significant effects about individuals. The subscriber always reviews, validates, and approves outputs before any submission or decision.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be signalled by updating the "Last updated" date and, where appropriate, by additional notice. Your continued use of the Service after an update takes effect means you accept the revised Policy.

13. Contact

Questions, requests, or complaints about privacy at Bidready can be sent to hello@bidready.ca.