Legal

Privacy policy

Last updated · June 2026

1. Scope

This Privacy Policy explains how TenderOS (“we”, “us”) collects, uses, discloses, and protects personal information when you visit our website or use the TenderOS platform (the “Service”). When you use the Service as part of an organisation, that organisation is the controller of the Customer Data you upload, and we act as a processor on its behalf.

2. Data we collect

  • Account data: name, work email, organisation, role, authentication tokens.
  • Customer Data: RFP documents, proposal drafts, knowledge-base files, tender metadata, comments, and any other content you upload.
  • Usage data: session timestamps, feature usage, API call counts, vision-page counts, generated-token counts.
  • Diagnostic data: error reports and traces sent to Sentry and Langfuse, scrubbed of personal identifiers where possible.

3. Why we process it

We process personal information to:

  • Provide, maintain, and improve the Service.
  • Authenticate users and enforce ABAC permissions.
  • Process payments and issue invoices.
  • Detect, investigate, and prevent fraud and abuse.
  • Send transactional emails (sign-in, ingestion completion).
  • Perform aggregated, de-identified analytics to inform our roadmap.

5. Subprocessors

We use a small number of carefully vetted subprocessors. The current list is maintained in our Data Processing Agreement and includes, at the date of this policy:

  • Amazon Web Services (AWS) — hosting, S3 storage, Bedrock LLMs.
  • Clerk — authentication and SSO.
  • Supabase / Neon — managed PostgreSQL.
  • Resend — transactional email delivery.
  • Sentry — error monitoring.
  • Langfuse — LLM trace and cost monitoring.

We will notify you of any change to the subprocessor list at least thirty (30) days before it takes effect.

6. Retention

We retain Customer Data for as long as your organisation maintains an active subscription. On termination, you have thirty (30) days to export your data. After that, all Customer Data is purged from primary storage and backups within a further thirty (30) days.

7. International transfers

The Service is hosted in the AWS region you select at onboarding. By default we host in ap-south-1 (Mumbai); other regions including eu-central-1, us-east-1, and me-central-1 are available on request. Subprocessor locations are listed in the DPA.

8. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict the processing of, or port your personal information. To exercise these rights, email privacy@tenderos.io. We will respond within thirty (30) days.

9. Security

We protect personal information with the security measures described on our security page and in our SOC 2-style control set, available under NDA.

10. Children

The Service is intended for use by professionals over 18. We do not knowingly collect personal information from children.

11. Contact

Questions about this policy can be sent to privacy@tenderos.io. Postal address is provided on request.