This notice covers GovBidAI as offered by IT Custom Solution LLC ("ITC", "we"). It applies whether you reach us via trygovbidai.com, the GovBidAI app, our public API, or the free tools we publish.
01 What we collect
Three buckets: account data (name, work email, role, company), product usage (the queries you run, the saved opportunities, the captures you start), and technical metadata (IP, user agent, request timestamps) required for security and abuse-prevention.
We do not collect: government clearance numbers; personally-identifying information about anyone other than our account holders; biometric data; or any data category protected by GDPR Art. 9 (sensitive personal data) unless a customer voluntarily uploads it as part of their own work.
02 Why we collect it
To deliver the product (run searches, save your captures), to keep it secure (rate-limit, detect abuse), to bill you (the parts of account data Stripe needs), and to improve it (aggregate, de-identified usage analytics). We do not sell data. We do not use customer data to train third-party AI models.
03 Who we share it with
Eight named subprocessors: Supabase (database, auth, storage), Railway (application hosting), Cloudflare (CDN, DNS, edge functions), Stripe (billing), Anthropic (LLM inference for product features), SendGrid (transactional email), PostHog (product analytics), and Sentry (error monitoring). Each is contractually bound to the privacy standards we offer you. Full list, purposes, and regions are in the Trust center subprocessor table. We notify customers 30 days before adding a new subprocessor.
04 Where it lives
Customer data is stored in the United States. Our database, hosting, edge, and analytics subprocessors all operate in US regions. EU and dedicated regional tenancy are on the roadmap; we will notify customers when they are generally available. Backups co-locate with primary.
05 How long we keep it
Account data: for the lifetime of the account + 90 days. Product data: for the lifetime of the account + 30 days (extended to 7 years for audit log records on Enterprise plans, contractually). Technical metadata: 90 days. We honor deletion requests within 30 days of receipt.
06 Your rights
Under GDPR (EU/UK), CCPA (California), and equivalent state laws (CO, CT, VA, UT, others as enacted), you have the right to:
- Access: request a copy of your personal data we hold
- Correction: fix inaccurate data we hold
- Deletion: request erasure of your data (subject to retention obligations)
- Portability: receive your data in a machine-readable format
- Object: to specific kinds of processing (marketing, profiling)
- Withdraw consent: without affecting prior lawful processing
Exercise any right via your account settings → "Privacy controls", or email privacy@trygovbidai.com. We respond within 30 days.
07 International transfers
For data leaving the EU/UK, we rely on Standard Contractual Clauses (SCC, 2021/914 Annex). Our pre-signed DPA includes Module Two SCCs and the UK Addendum. EU representative on file: per Art. 27 GDPR, contactable via the DPA.
08 Changes & contact
We will notify customers in-app and by email 30 days before any material change to this notice. Past versions are archived and available on request. For all privacy questions: privacy@trygovbidai.com.