Privacy Policy
Effective date: 17 April 2026 · Last updated: 17 April 2026
What you should know
- We collect what we need to run your account and generate proposals — nothing more.
- We do not sell your data. We do not use your briefs or proposals to train third-party AI models.
- Your briefs are sent to OpenAI to generate drafts. They are processed under OpenAI’s API data policy.
- You can export or delete your data at any time by emailing us.
- We use a minimal set of analytics and do not set advertising cookies.
This summary is for readability and is not a substitute for the full policy below.
1. Who we are
bidraft (“bidraft”, “we”, “us” or “our”) operates the bidraft proposal drafting platform and the website at bidraft.app. This Privacy Policy describes how we collect, use, store, and disclose personal data when you use our Service.
For data-protection purposes, we act as the controller of personal data we collect about you as a user, and as a processor for the proposal content and client data you submit to the Service.
2. Information we collect
We collect the following categories of information:
- Account data — your name, email address, and securely hashed password, provided when you sign up.
- Profile preferences — country, currency, and locale settings you configure in the app.
- Workspace data — workspace names, logos, members, and roles.
- Proposal content — briefs you submit and AI-generated proposal sections you create, edit, or save.
- Usage data — counts of AI generations, timestamps, model names, and token usage used to enforce plan limits and bill fairly.
- Technical data — IP address, user-agent, and server logs used for security, diagnostics, and abuse prevention.
- Support communications — emails or messages you send us.
We do not knowingly collect special-category personal data (such as health or biometric data) and ask that you do not submit such data to the Service.
3. How we use information
- To create and maintain your account and workspaces.
- To process your briefs through our AI provider and return proposal drafts.
- To meter usage and enforce plan limits and billing entitlements.
- To send transactional messages (for example, workspace invitations and password resets).
- To detect, investigate, and prevent abuse, fraud, and security incidents.
- To comply with legal obligations.
- To improve the Service using aggregated, de-identified usage patterns — never by reading your proposals.
4. Legal bases for processing
Where the GDPR or a similar regime applies, we rely on the following legal bases: (a) performance of our contract with you to deliver the Service you requested; (b) our legitimate interests in keeping the Service secure, preventing abuse, and improving product quality; (c) compliance with legal obligations; and (d) your consent where we request it (for example, for non-essential analytics).
5. AI processing
When you request a proposal draft or section regeneration, the relevant brief input is transmitted to OpenAI’s API and processed in accordance with OpenAI’s API data usage policies. As of the effective date of this policy, OpenAI does not use API inputs or outputs to train its foundation models by default. We do not send more data to OpenAI than is needed to produce the output you requested.
6. Sub-processors & service providers
We rely on a small number of infrastructure providers to run the Service. They only process personal data on our instructions and under appropriate data-protection terms.
- Supabase — authentication, Postgres database, and secure storage. Supabase Privacy Policy.
- Vercel — application hosting, edge delivery, and serverless functions. Vercel Privacy Policy.
- OpenAI — large-language-model inference used to generate proposal drafts. See link above.
We will update this list before we onboard new sub-processors that have material access to personal data.
7. Cookies & analytics
We use only the cookies necessary to run the Service, including authentication cookies set by Supabase to keep you signed in. We do not use advertising cookies or cross-site trackers. If we later add product analytics, we will use privacy-respecting, cookieless or first-party tooling and update this policy before enabling it.
8. Sharing & disclosure
We do not sell personal data. We share personal data only with (i) the sub-processors listed above, to run the Service; (ii) professional advisers under confidentiality obligations; (iii) competent authorities where required by law, court order, or to protect our rights, users, or the public; and (iv) in the event of a merger, acquisition, or sale of assets, in which case we will ensure any successor honours this policy.
9. International transfers
Our sub-processors may process data in data-centres outside your country of residence, including in the United States and the European Union. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and equivalent mechanisms to protect your data in transit and at rest.
10. Retention
We retain account and proposal data for as long as your account is active. When you delete a proposal, it is removed from our live database. When you close your account, we will delete or anonymise your personal data within 30 days, except where we must retain specific records to comply with legal, accounting, or security obligations. Backup copies are rotated and overwritten on a rolling schedule.
11. Security
We apply technical and organisational measures appropriate to the risk, including TLS encryption in transit, Postgres row-level-security policies that restrict data access to authorised users, server-side authentication checks on every AI request, principle-of-least-privilege credentials, and segregated production secrets. No system is perfectly secure, and we cannot guarantee absolute security.
12. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct data that is inaccurate or incomplete.
- Delete your account and associated personal data.
- Obtain a portable copy of the data you provided.
- Object to or restrict certain processing activities, including processing based on legitimate interests.
- Withdraw any consent you previously gave, without affecting the lawfulness of prior processing.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email support@bidraft.app. We may need to verify your identity before fulfilling your request.
13. Children
The Service is intended for use by professionals and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and, where changes are material, notify you by email or an in-app notice. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
15. Contact
Questions, requests, or privacy-related concerns? Contact us at support@bidraft.app.