BidScribe

Privacy Policy

Last updated: February 2025

1. Controller

Christian Gerloff
Brahmsstraße 7, 33775 Versmold, Germany
Email: christian.gerloff.it@gmail.com

2. Overview

BidScribe is a SaaS tool for AI-powered proposal response generation. We process personal data only to the extent necessary to provide our service or where you have given consent.

3. Legal Basis

  • Art. 6(1)(b) GDPR — Performance of contract (account, service usage)
  • Art. 6(1)(f) GDPR — Legitimate interest (security, analytics)
  • Art. 6(1)(a) GDPR — Consent (where given)

4. Hosting — Vercel

Our website and application are hosted by Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). When you access our service, server log data is automatically collected (IP address, timestamp, URL, user agent). Legal basis: Art. 6(1)(f) GDPR.

Vercel is certified under the EU-U.S. Data Privacy Framework.

5. Authentication — Supabase Auth

We use Supabase (Supabase Inc., USA) for registration and login. The following data is processed:

  • Email address and password hash (email login)
  • Google profile data (name, email, profile picture) when using Google OAuth
  • Session tokens, timestamps, IP address

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

6. Database & File Storage — Supabase

Your uploaded documents (e.g., RFP files, knowledge base entries) and usage data are stored in Supabase (PostgreSQL database and object storage). Data is stored in the EU region (Frankfurt) where configured.

Legal basis: Art. 6(1)(b) GDPR.

7. AI Processing — Google Gemini API

To generate proposal answers, we transmit text content (your inputs and relevant knowledge base excerpts) to the Google Gemini API (Google LLC, USA).

  • No personal data is intentionally transmitted; however, documents may contain such data.
  • Data sent via the API is not used to train models (per API terms of service).
  • Data transfer is encrypted (TLS).

Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

8. Payment Processing — Stripe

Payments are processed by Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA). Stripe receives:

  • Name, email address
  • Payment details (credit card, SEPA, etc.)
  • Billing address

Stripe is an independent controller for payment data. See Stripe Privacy Policy.

Legal basis: Art. 6(1)(b) GDPR.

9. Cookies

We use only strictly necessary cookies (session cookies for authentication). No tracking or marketing cookies are used.

10. Your Rights

You have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)

Please direct your requests to: christian.gerloff.it@gmail.com

You also have the right to lodge a complaint with a supervisory authority, in particular the State Commissioner for Data Protection and Freedom of Information NRW.

11. International Data Transfers

Some of our service providers (Vercel, Google, Stripe) are based in the USA. Data transfers are based on:

  • EU-U.S. Data Privacy Framework (Art. 45 GDPR)
  • Standard Contractual Clauses (Art. 46(2)(c) GDPR)

12. Data Retention

Personal data is deleted once the purpose of processing no longer applies and no legal retention obligations exist (e.g., tax retention: 10 years).

When you delete your account, your data will be removed within 30 days, unless legal retention requirements apply.

13. Changes

We reserve the right to update this privacy policy to reflect changes in legal requirements or our service. The current version is always available on this page.