Privacy Policy

Last updated: May 1, 2026.

This is a plain-English summary of what we collect, how we use it, and what you can do about it.

What we collect

Account data: name, email, company, password hash, plan.
Profile data you give us: NAICS codes, states, set-aside certifications, keywords. Used to score and surface contract matches.
Usage data: which pages you load, which contracts you save or pipeline, alert open rates. Used to improve the product.
Billing data: handled by Stripe. We never see your full card number — only a token, your name, and the billing email.

What we don't do

We don't sell your data.
We don't share your contact list with third parties.
We don't run third-party tracking pixels or ad networks.

Email and outbound communication

We send (a) alerts you've subscribed to, (b) account email about your subscription, and (c) occasional product updates. You can unsubscribe from non-essential email at any time via the link at the bottom of any message or by emailing support.

If you receive a one-to-one message from a member of our team about your business, you can reply STOP or click the unsubscribe link in the email and we'll honor it within 24 hours.

Data retention

We keep your account and profile while you're a subscriber, plus 90 days after cancellation in case you come back. Email logs are kept for 12 months. You can request full deletion at any time by emailing us.

Where your data lives

Servers in the U.S. SQLite database, encrypted backups, no offshore replication.

Sub-processors

We use the following third-party services to operate Bidedge. Each is a sub-processor and is contractually bound to protect your data:

Stripe — payment processing
Twilio — SMS alerts on Pro and above (only if you enable SMS)
Google (Gmail SMTP / Workspace) — email delivery
Cloudflare — CDN, DNS, and DDoS protection
DigitalOcean — server hosting
Anthropic — the AI model that scores opportunities and generates proposal outlines (Pro+ only)
USASpending.gov / SAM.gov / state procurement portals — public data sources we read but never write to

Your rights — global

You can:

Get a copy of everything we have about you (data portability).
Correct inaccurate data.
Delete your account and your data.
Opt out of all non-essential email.

Email [email protected] for any of the above. We respond within 5 business days.

EU / UK residents (GDPR)

If you're in the EEA or the UK, the GDPR/UK GDPR applies. The lawful bases on which we process your data are:

Contract performance — to provide the Service you signed up for.
Legitimate interests — to send transactional and product email, prevent fraud, secure the Service. You can object to this at any time.
Consent — for any marketing email beyond product notifications. Withdraw any time via the unsubscribe link.
Legal obligation — when retention is required by tax, accounting, or fraud-prevention laws.

You have the right to lodge a complaint with your local data protection authority. We do not currently have an EU representative because we do not target EU residents; if that changes we will appoint one and update this policy.

California residents (CCPA / CPRA)

California residents have specific rights under the CCPA/CPRA: the right to know what personal information we collect about you, the right to delete that information, the right to correct inaccurate information, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information for cross-context behavioral advertising. To exercise any CCPA right, email [email protected]. We won't discriminate against you for using your rights.

Data breaches

If your personal information is involved in a security incident, we'll notify affected users by email within 72 hours of confirming the incident, alongside any required regulatory notifications.

Cookies

We use one session cookie to keep you logged in. No cross-site tracking, no advertising cookies.

Children

The Service is for businesses. Not directed at children under 13.

Contact

Questions? Contact us.