Privacy Policy
GovBid Inc.
Effective Date: February 21, 2026
1. Introduction
GovBid Inc., a British Columbia corporation (“GovBid,” “we,” “us,” or “our”), operates the website https://govbid.ca and provides AI-powered government procurement intelligence services (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), applicable provincial privacy legislation, and applicable United States federal and state privacy laws, including but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), and the Oregon Consumer Privacy Act (OCPA).
By creating an account, subscribing to a plan, or otherwise using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree, please do not use the Service.
Our designated Privacy Officer is responsible for our compliance with this policy and applicable privacy laws. For any questions, concerns, access requests, or complaints, contact our Privacy Officer at support@govbid.ca.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Email address, full name, and company name provided during registration. When you create an account, you explicitly consent to our collection and use of this information by checking the consent checkbox.
- Communications: Information you provide when replying to our emails (e.g., matching refinement instructions), contacting support, or providing feedback.
- Consent Records: We record the date, time, IP address, and specific consent language you agreed to at signup. These records are maintained as required by CASL and PIPEDA.
2.2 Information We Collect Automatically
- Business Profile Data: When you subscribe, our AI automatically collects publicly available information about your company from: (a) your company's public website (homepage and about page), (b) publicly available government contract award records from official procurement sources, and (c) general business information from public web search results. This data is used solely to build your tender matching profile.
- Email Engagement Data: Email open rates, click-through data on tender links, bounce notifications, and delivery status, collected through our email delivery provider.
- Website Analytics: We collect minimal analytics data including pages visited and general traffic patterns. We do not use Google Analytics or any third-party tracking tools that share data with advertising networks.
2.3 Information from Third-Party Sources
- Government Procurement Data: Tender notices and contract award data from CanadaBuys (Government of Canada) and SAM.gov (United States Federal Government). This is publicly available government data published under open government principles.
2.4 Information We Do NOT Collect
- We do not collect social insurance numbers, tax identification numbers, or government-issued identification.
- We do not collect financial statements, banking information, or credit reports.
- We do not purchase consumer data from data brokers.
- We do not collect information about children (the Service is for businesses only).
3. How We Use Your Information
We use your personal information for the following identified purposes. Under PIPEDA, we collect and use personal information only for purposes that a reasonable person would consider appropriate in the circumstances:
- Providing the Service: Matching government tenders to your business profile, generating daily email digests, and processing your subscription payments.
- AI-Powered Profile Building: Our AI analyzes publicly available information about your company (website content, past government contract awards) to automatically build a business profile. This profile determines which tenders are relevant to you. No human reviews your profile unless you request support or a review of automated decisions.
- Tender Translation: We use AI (Anthropic's Claude API) to process government tender text and generate plain-language summaries. Your personal information (email, name, payment details) is never included in these AI requests.
- Matching Refinement: When you reply to our emails with feedback, our AI interprets your instructions and updates your matching profile.
- Transactional Communications: Sending welcome emails, billing confirmations, service notifications, and subscription management messages.
- Commercial Electronic Messages: Sending daily tender digest emails containing matched opportunities. Your explicit consent for these messages is obtained at signup as required by CASL. Every commercial email includes a functioning unsubscribe mechanism.
- Service Improvement: Analyzing aggregate, de-identified usage patterns to improve the Service. Individual subscriber data is never shared externally for this purpose.
- Legal Compliance: Complying with applicable laws, regulations, legal processes, or government requests.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to any third party. We do not share your personal information with advertisers. We share your information only with the following service providers, strictly for the purpose of operating the Service:
- Email Delivery: Resend, Inc. (USA) delivers our daily digest emails and transactional emails.
- AI Processing: Anthropic, PBC (San Francisco, CA, USA) provides AI capabilities for tender translation and profile refinement. Your email address, name, payment details, and private communications are never sent to Anthropic. Anthropic does not use our API inputs to train their models.
- Database Infrastructure: Supabase, Inc. (USA) provides our database infrastructure.
- Web Hosting: Vercel, Inc. (USA) hosts our public website. Railway Corp. (USA) hosts our backend processing services.
4.1 Data Processing Agreements
In accordance with PIPEDA's accountability principle, we maintain contractual agreements with all service providers that process personal information on our behalf. These agreements require each provider to process personal information only as instructed by us, implement appropriate security measures, notify us of any security breach, and delete or return personal information upon termination.
4.2 Cross-Border Data Transfers
Your personal information is transferred to and processed in the United States, where several of our service providers are located. We ensure appropriate protections through contractual obligations, by selecting providers with recognized security certifications (SOC 2, PCI-DSS), and by limiting the categories of personal information transferred.
By using the Service, you acknowledge and explicitly consent to the transfer of your personal information to the United States for processing. You understand that while your information is in the United States, it may be accessible to US law enforcement and national security authorities under US law.
4.3 Sub-Processor Changes
We will update this Privacy Policy to reflect any new service providers added to the list in Section 4. If we add a new sub-processor that materially changes how your personal information is processed, we will notify you by email at least 14 days before the change takes effect.
4.4 Other Disclosures
We may disclose your personal information without your consent only where required or permitted by law, including in response to a valid court order, to comply with breach reporting obligations, to protect rights and safety, or in connection with a merger, acquisition, or sale of all or substantially all of GovBid Inc.'s assets.
5. Consent
5.1 How We Obtain Consent
We obtain your express consent at the point of account creation through a clear checkbox mechanism that requires you to affirmatively agree to this Privacy Policy and our Terms of Service before creating an account. This consent covers:
- Collection and use of your personal information to provide the Service.
- AI-powered automated profiling of your business using publicly available information.
- Receipt of daily commercial electronic messages (tender digest emails) as defined under CASL.
- Transfer of personal information to service providers in the United States.
5.2 Withdrawing Consent
You may withdraw your consent at any time by:
- Unsubscribing from commercial emails using the unsubscribe link in any email (takes effect within 10 business days as required by CASL).
- Replying “unsubscribe” to any alert email.
- Requesting deletion of your account and all associated data by emailing support@govbid.ca.
5.3 Implied Consent for Service-Related Communications
By maintaining an active subscription, you provide implied consent to receive transactional and service-related messages (billing confirmations, service disruption notices, security alerts). These are not commercial electronic messages under CASL.
6. Outbound Communications and CASL Compliance
In addition to serving subscribers, GovBid may contact businesses that have recently been awarded government contracts to inform them about our Service. This outreach is conducted in compliance with CASL, CAN-SPAM (for US recipients), and applicable telecommunications regulations.
6.1 Email Outreach
We contact businesses at their publicly listed business email addresses only. We do not send outreach to personal email addresses. Every outreach email clearly identifies GovBid as the sender, includes our mailing address, and contains a functioning unsubscribe mechanism. Our legal basis for initial contact to Canadian businesses is the B2B implied consent provision under CASL Section 10(9)(b). For US-based businesses, we comply with the CAN-SPAM Act, including accurate header information, clear identification as an advertisement, a valid physical postal address, and prompt opt-out processing.
6.2 Telephone Outreach
If we conduct telephone outreach, we comply with the CRTC Unsolicited Telecommunications Rules and the National Do Not Call List (DNCL) requirements. For US-based contacts, we comply with the Telephone Consumer Protection Act (TCPA) and applicable FCC regulations.
6.3 Opting Out of Outreach
If you receive an outreach communication and do not wish to be contacted again, you may click the unsubscribe link, reply with “stop” or “unsubscribe,” request removal during a phone call, or email support@govbid.ca. We maintain a permanent suppression list and process all opt-out requests within 10 business days.
7. Data Retention
- Active Account Data: Retained for the duration of your subscription.
- Post-Cancellation: Account information and business profile are permanently deleted within 90 days of subscription cancellation.
- Email Reply History: Replies containing matching refinement instructions are retained for 12 months, then permanently deleted.
- Consent Records: Records of consent are retained for 3 years after the last commercial electronic message sent, as required by CASL.
- Outreach Suppression List: Email addresses of individuals who have opted out are retained indefinitely to prevent future contact.
- Tender Data: Government tender data is retained for up to 6 months after the tender closing date, then deleted.
- Breach Records: Records of any privacy breaches are retained for 24 months as required by PIPEDA.
8. Data Security
- All data in transit is encrypted using TLS 1.2 or higher.
- Database storage is encrypted at rest using AES-256 encryption.
- Database access requires authenticated, role-based credentials. No direct public database access is permitted.
- API keys, secrets, and credentials are stored in encrypted environment variables. They are never committed to source code repositories.
- Access to personal information is limited to personnel who require it to operate the Service.
No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security against all threats.
9. Data Breach Notification
In the event of a security breach involving personal information that creates a real risk of significant harm, we will: (a) report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA Section 10.1, (b) notify affected individuals directly, describing the nature of the breach and the steps being taken, and (c) maintain a record of every breach for 24 months.
For US-based users, we will comply with applicable state breach notification laws, including but not limited to the California Civil Code §1798.82, and other state-specific notification requirements.
10. Automated Decision-Making and AI
- Automated Profile Building: AI analyzes your company's publicly available web presence and government contract history to generate a business profile. This is generated automatically with no human involvement. You can modify your profile at any time by replying to any GovBid email.
- Automated Tender Matching: A scoring algorithm compares your profile against tenders using industry overlap (40%), location match (20%), contract value alignment (15%), business size compatibility (10%), and keyword relevance (15%). Tenders scoring 40+ are included in your daily digest.
- AI Tender Translation: Government tender text is processed through Anthropic's Claude API. No personal information is included in these requests.
- AI Reply Interpretation: Your email replies are processed through AI to update your matching profile.
- Right to Human Review: You have the right to request human review of any automated decision. Contact support@govbid.ca and we will respond within 30 days.
11. Your Privacy Rights
11.1 Rights Under PIPEDA (Canadian Residents)
- Right to Access: Request a copy of all personal information we hold about you. We will respond within 30 days.
- Right to Correction: Request correction of inaccurate or incomplete personal information.
- Right to Withdraw Consent: Withdraw consent for collection, use, or disclosure at any time.
- Right to Challenge Compliance: Challenge our compliance by contacting our Privacy Officer.
- Right to Complain: File a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca, 1-800-282-1376).
11.2 Rights Under US State Privacy Laws
If you are a resident of California, Virginia, Colorado, Connecticut, Texas, Oregon, or another US state with applicable privacy legislation, you have the following rights to the extent provided by your state's law:
- Right to Know: What categories and specific pieces of personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Opt Out of Sale or Sharing: We do not sell or share (as defined under CCPA/CPRA) your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under CCPA/CPRA.
To exercise any right, email support@govbid.ca with your request. We will verify your identity and respond within 30 days (or 45 days for California residents, with a possible 45-day extension upon notice). If you are a California resident, you may designate an authorized agent to make requests on your behalf.
11.3 Do Not Track Signals
Our website does not respond to “Do Not Track” browser signals because we do not engage in cross-site tracking. We do not track you across third-party websites.
12. Cookies and Tracking Technologies
- Essential Cookies: Session cookies required for the website to function (authentication, session management). These are strictly necessary and do not require consent.
- Cookie Banner: Our website displays a cookie consent banner informing visitors of our cookie practices.
- No Advertising Cookies: We do not use retargeting pixels, advertising trackers, or cross-site tracking technologies.
- No Third-Party Tracking: We do not allow third parties to place cookies or tracking technologies on our website.
13. Web Scraping and Public Data Collection
To build your business profile, our automated systems access publicly available web pages. We access only pages that do not require authentication. We respect robots.txt directives, do not bypass CAPTCHAs or access controls, and do not scrape personal social media profiles. The information collected is limited to business-related content and is used solely to build your tender matching profile.
14. Children's Privacy
The Service is intended exclusively for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected personal information from a child under 18, we will delete that information promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or changes to our service providers. For material changes, we will notify you by email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you may cancel your subscription before the effective date.
16. Accessibility
We are committed to making our Service and this Privacy Policy accessible to people with disabilities. If you have difficulty accessing any part of this policy, please contact us at support@govbid.ca and we will provide the information in an alternative format.
17. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to file a complaint:
GovBid Inc. — Privacy Officer
Email: support@govbid.ca
Vancouver, BC, Canada
Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Telephone: 1-800-282-1376
30 Victoria Street, Gatineau, Quebec K1A 1H3