Privacy Policy

1. Introduction

GovBid (“we,” “us,” or “our”) operates the website https://govbid.ca and provides AI-powered government procurement intelligence services (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), applicable provincial privacy legislation, and applicable United States federal and state privacy laws.

By creating an account, subscribing to a plan, or otherwise using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree, please do not use the Service.

Our designated Privacy Officer is responsible for our compliance with this policy and applicable privacy laws. For any questions, concerns, access requests, or complaints, contact our Privacy Officer at our support email.

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Email address, full name, and company name provided during registration or Stripe checkout. When you create an account, you explicitly consent to our collection and use of this information by checking the consent checkbox.
• Payment Information: Credit card details are collected and processed directly by Stripe, Inc. We never receive, transmit, or store your full credit card number, expiration date, or CVC. We receive only a partial card number (last 4 digits), card brand, and billing address from Stripe.
• Communications: Information you provide when replying to our emails (e.g., matching refinement instructions), contacting support, or providing feedback.
• Consent Records: We record the date, time, IP address, and specific consent language you agreed to at signup. These records are maintained as required by CASL and PIPEDA.

2.2 Information We Collect Automatically

• Business Profile Data: When you subscribe, our AI automatically collects publicly available information about your company from: (a) your company's public website (homepage and about page), (b) publicly available government contract award records from CanadaBuys and SAM.gov, and (c) general business information from public web search results. This data is used solely to build your tender matching profile.
• Email Engagement Data: Email open rates, click-through data on tender links, bounce notifications, and delivery status, collected through our email delivery provider.
• Website Analytics: We collect minimal analytics data including pages visited and general traffic patterns. We do not use Google Analytics or any third-party tracking tools that share data with advertising networks.

2.3 Information from Third-Party Sources

• Government Procurement Data: Tender notices and contract award data from CanadaBuys (Government of Canada) and SAM.gov (United States Federal Government). This is publicly available government data published under open government principles.
• Payment Events: Subscription status, plan type, and billing events from Stripe, Inc.

2.4 Information We Do NOT Collect

• We do not collect social insurance numbers, tax identification numbers, or government-issued identification.
• We do not collect financial statements, banking information, or credit reports.
• We do not purchase consumer data from data brokers.
• We do not collect information about children (the Service is for businesses only).

3. How We Use Your Information

We use your personal information for the following identified purposes. Under PIPEDA, we collect and use personal information only for purposes that a reasonable person would consider appropriate in the circumstances:

• Providing the Service: Matching government tenders to your business profile, generating daily email digests, and processing your subscription payments.
• AI-Powered Profile Building: Our AI analyzes publicly available information about your company (website content, past government contract awards) to automatically build a business profile. This profile determines which tenders are relevant to you. No human reviews your profile unless you request support or a review of automated decisions.
• Tender Translation: We use AI (Anthropic's Claude API) to process government tender text and generate plain-language summaries. Your personal information (email, name, payment details) is never included in these AI requests.
• Matching Refinement: When you reply to our emails with feedback, our AI interprets your instructions and updates your matching profile.
• Transactional Communications: Sending welcome emails, billing confirmations, service notifications, and subscription management messages.
• Commercial Electronic Messages: Sending daily tender digest emails containing matched opportunities. Your explicit consent for these messages is obtained at signup as required by CASL. Every commercial email includes a functioning unsubscribe mechanism.
• Service Improvement: Analyzing aggregate, de-identified usage patterns to improve the Service. Individual subscriber data is never shared externally for this purpose.
• Legal Compliance: Complying with applicable laws, regulations, legal processes, or government requests.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to any third party. We do not share your personal information with advertisers. We share your information only with the following service providers, strictly for the purpose of operating the Service:

• Payment Processing: Stripe, Inc. (San Francisco, CA, USA) processes all payment transactions. Stripe is PCI-DSS Level 1 certified.
• Email Delivery: Resend, Inc. (USA) delivers our daily digest emails and transactional emails.
• AI Processing: Anthropic, PBC (San Francisco, CA, USA) provides AI capabilities for tender translation and profile refinement. Your email address, name, payment details, and private communications are never sent to Anthropic. Anthropic does not use our API inputs to train their models.
• Database Infrastructure: Supabase, Inc. (USA) provides our database infrastructure.
• Web Hosting: Vercel, Inc. (USA) hosts our public website. Railway Corp. (USA) hosts our backend processing services.

4.1 Data Processing Agreements

In accordance with PIPEDA's accountability principle, we maintain contractual agreements with all service providers that process personal information on our behalf. These agreements require each provider to process personal information only as instructed by us, implement appropriate security measures, notify us of any security breach, and delete or return personal information upon termination.

4.2 Cross-Border Data Transfers

Your personal information is transferred to and processed in the United States, where several of our service providers are located. We ensure appropriate protections through contractual obligations, selecting providers with recognized security certifications (SOC 2, PCI-DSS), and limiting categories of personal information transferred.

By using the Service, you acknowledge and explicitly consent to the transfer of your personal information to the United States for processing. You understand that while your information is in the United States, it may be accessible to US law enforcement and national security authorities under US law.

4.3 Other Disclosures

We may disclose your personal information without your consent only where required or permitted by law, including in response to a valid court order, to comply with breach reporting obligations, to protect rights and safety, or in connection with a merger or acquisition.

5. Consent

5.1 How We Obtain Consent

We obtain your express consent at the point of account creation through a clear checkbox mechanism that requires you to affirmatively agree to this Privacy Policy and our Terms of Service before creating an account. This consent covers:

• Collection and use of your personal information to provide the Service.
• AI-powered automated profiling of your business using publicly available information.
• Receipt of daily commercial electronic messages (tender digest emails) as defined under CASL.
• Transfer of personal information to service providers in the United States.

5.2 Withdrawing Consent

You may withdraw your consent at any time by:

• Unsubscribing from commercial emails using the unsubscribe link in any email (takes effect within 10 business days as required by CASL).
• Cancelling your subscription through the Stripe billing portal or by contacting us.
• Requesting deletion of your account and all associated data by emailing our support email.

5.3 Implied Consent for Service-Related Communications

By maintaining an active subscription, you provide implied consent to receive transactional and service-related messages (billing confirmations, service disruption notices, security alerts). These are not commercial electronic messages under CASL.

6. Outbound Communications and CASL Compliance

In addition to serving subscribers, GovBid may contact businesses that have recently been awarded government contracts to inform them about our Service. This outreach is conducted in compliance with CASL and applicable telecommunications regulations.

6.1 Email Outreach

We contact businesses at their publicly listed business email addresses only. Every outreach email clearly identifies GovBid as the sender, includes our mailing address, and contains a functioning unsubscribe mechanism. Our legal basis for initial contact is the B2B implied consent provision under CASL Section 10(9)(b).

6.2 Telephone Outreach

If we conduct telephone outreach, we comply with the CRTC Unsolicited Telecommunications Rules and the National Do Not Call List (DNCL) requirements. For US-based contacts, we comply with the Telephone Consumer Protection Act (TCPA) and applicable FCC regulations.

6.3 Opting Out of Outreach

If you receive an outreach communication and do not wish to be contacted again, you may click the unsubscribe link, reply with “stop” or “unsubscribe,” request removal during a phone call, or email our support email.

7. Data Retention

• Active Account Data: Retained for the duration of your subscription.
• Post-Cancellation: Account information and business profile are permanently deleted within 90 days of subscription cancellation.
• Payment Records: Billing history retained for up to 7 years as required by Canadian and US tax regulations. Full payment card data is held only by Stripe.
• Email Reply History: Replies containing matching refinement instructions are retained for 12 months, then permanently deleted.
• Consent Records: Records of consent are retained for 3 years after the last commercial electronic message sent, as required by CASL.
• Outreach Suppression List: Email addresses of individuals who have opted out are retained indefinitely to prevent future contact.
• Tender Data: Government tender data is retained for up to 6 months after the tender closing date, then deleted.
• Breach Records: Records of any privacy breaches are retained for 24 months as required by PIPEDA.

8. Data Security

• All data in transit is encrypted using TLS 1.2 or higher.
• Database storage is encrypted at rest using AES-256 encryption.
• Database access requires authenticated, role-based credentials. No direct public database access is permitted.
• Payment processing is handled entirely by Stripe (PCI-DSS Level 1 certified). We never process or store full card numbers.
• API keys, secrets, and credentials are stored in encrypted environment variables. They are never committed to source code repositories.
• Access to personal information is limited to personnel who require it to operate the Service.

No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security against all threats.

9. Data Breach Notification

In the event of a security breach involving personal information that creates a real risk of significant harm, we will report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA Section 10.1, notify affected individuals directly describing the nature of the breach and steps being taken, and maintain a record of every breach for 24 months.

For US-based users, we will comply with applicable state breach notification laws.

10. Automated Decision-Making and AI

• Automated Profile Building: AI analyzes your company's publicly available web presence and government contract history to generate a business profile. This is generated automatically with no human involvement. You can modify your profile at any time by replying to any GovBid email.
• Automated Tender Matching: A scoring algorithm compares your profile against tenders using industry overlap (40%), location match (20%), contract value alignment (15%), business size compatibility (10%), and keyword relevance (15%). Tenders scoring 40+ are included in your daily digest.
• AI Tender Translation: Government tender text is processed through Anthropic's Claude API. No personal information is included in these requests.
• AI Reply Interpretation: Your email replies are processed through AI to update your matching profile.
• Right to Human Review: You have the right to request human review of any automated decision. Contact our support email and we will respond within 30 days.

11. Your Privacy Rights

11.1 Rights Under PIPEDA (Canadian Residents)

• Right to Access: Request a copy of all personal information we hold about you. We will respond within 30 days.
• Right to Correction: Request correction of inaccurate or incomplete personal information.
• Right to Withdraw Consent: Withdraw consent for collection, use, or disclosure at any time.
• Right to Challenge Compliance: Challenge our compliance by contacting our Privacy Officer.
• Right to Complain: File a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca, 1-800-282-1376).

11.2 Rights Under US Privacy Laws

• Right to Know: What personal information we collect, use, and disclose.
• Right to Delete: Request deletion of your personal information.
• Right to Opt Out of Sale: We do not sell personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Correct: Request correction of inaccurate personal information.

To exercise any right, email our support email with your request. We will respond within 30 days.

12. Cookies and Tracking Technologies

• Essential Cookies: Session cookies required for the website to function. These are strictly necessary and do not require consent.
• No Advertising Cookies: We do not use retargeting pixels, advertising trackers, or cross-site tracking technologies.
• No Third-Party Tracking: We do not allow third parties to place cookies or tracking technologies on our website.

13. Web Scraping and Public Data Collection

To build your business profile, our automated systems access publicly available web pages. We access only publicly available web pages that do not require authentication, respect robots.txt directives, do not bypass CAPTCHAs or access controls, and do not scrape personal social media profiles. The information collected is limited to business-related content and is used solely to build your tender matching profile.

14. Children's Privacy

The Service is intended exclusively for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. For material changes, we will notify you by email at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you may cancel your subscription before the effective date.

16. Accessibility

We are committed to making our Service and this Privacy Policy accessible to people with disabilities. If you have difficulty accessing any part of this policy, please contact us at our support email and we will provide the information in an alternative format.