← Back

Privacy Policy

Last updated: April 30, 2026

Draft — pending legal review. This document describes how we intend to handle your data. The final, binding policy is being reviewed by counsel and may differ in places marked “to be confirmed.” For the binding version, email privacy@dalysystems.ai.

This policy explains what data BidWrite (operated by dalysystems.ai) collects, why we collect it, how we use it, and what rights you have over it. If anything here is unclear, email privacy@dalysystems.ai and we’ll explain.

1. Who this policy applies to

This policy covers people who visit our marketing site, sign up for a BidWrite account, use the product as a guest, or contact us. If you’re using BidWrite because your employer set up a workspace, your employer is the “controller” of the proposal content you create — we are the “processor.”

2. What we collect

From you directly

  • Account info: name, email, profile photo, and the OAuth provider you used to sign in (Google, GitHub, Apple, or email).
  • Workspace info: company name, sector, role.
  • Content you create or upload: RFP source documents, your drafted responses, knowledge-base snippets, offerings, and any text you type into the editor. This is the most sensitive data we hold.
  • Billing info: handled by Stripe. We never see your full card number — Stripe gives us a token plus a billing email.
  • Support correspondence: messages you send us.

Automatically

  • Usage telemetry: pages visited, actions taken (e.g. “ran reviewer agent on RFP X”), errors encountered. Used to fix bugs and decide what to build next.
  • Device + connection info: IP address, browser, OS — captured with each request, retained for security and abuse prevention.
  • Cookies: a session cookie to keep you logged in. We do not set advertising cookies. If we add analytics later, we’ll update this policy and surface a consent banner.

3. How we use your data

  • To run the product (drafting, reviewing, searching the knowledge base).
  • To call third-party AI providers (Anthropic Claude, Google Gemini) on your behalf. The text you give us — including RFP source content — is sent to these providers as part of generating responses. They process it under their own privacy terms and do not train their public models on it under our enterprise agreements.
  • To bill you, via Stripe, and to recognise revenue.
  • To send transactional email (welcome, password reset, payment receipts, security alerts). We do not send marketing email without explicit opt-in.
  • To investigate abuse, fraud, or security incidents.
  • To meet legal obligations (e.g. responding to a valid subpoena, complying with tax law).

4. Who we share data with

We share data with the following categories of vendors, only as needed:

  • AI providers — Anthropic, Google. Receive prompt content including your RFP text and draft output.
  • Infrastructure — Replit (hosting), Neon (database), Trigger.dev (background job queue), Sentry (error tracking).
  • Billing — Stripe.
  • Email — Resend.

We do not sell your personal information, and we do not share it with advertising networks.

5. Where your data lives

Primary storage is in the United States. AI providers may process prompt content in other regions including the United States and the European Union. The exact storage region is to be confirmed by counsel before public launch — email privacy@dalysystems.ai if you need it for a procurement questionnaire. By using BidWrite you consent to this cross-border transfer.

6. How long we keep it

  • Account + workspace + content: for as long as your account is active. Deleted within 30 days of account deletion (see Section 8).
  • Audit logs: minimum 12 months, longer for billing or security investigations.
  • Backups: rolling 30 days via Neon’s point-in-time recovery.

7. How we protect it

  • TLS for all traffic in transit.
  • Encrypted at rest by our database and storage providers.
  • Workspace-scoped access — users in one workspace cannot read another workspace’s data.
  • We log every privileged action (creating an RFP, running an agent, exporting data) for incident response.

8. Your rights

Regardless of where you live, you can:

  • Access — download your data via Settings → Export.
  • Correct — edit any field in the product, or email us for things you can’t edit yourself.
  • Delete — close your account in Settings → Delete account. We remove your content within 30 days; backups age out within another 30.
  • Opt out of marketing email — we don’t send any by default; if we ever do, every message will have an unsubscribe link.

If you’re in the EU / UK / EEA (GDPR)

You have additional rights under GDPR: object to processing, restrict processing, request portability, and lodge a complaint with your local supervisory authority. Our lawful bases are: contract performance (running the product you paid for), legitimate interests (security, fraud prevention, improving the product), consent (where you’ve explicitly opted in), and legal obligations (tax, compliance).

If you’re in California (CCPA / CPRA)

You have the right to know what we’ve collected, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined in the CCPA. You can exercise these rights via Settings → Export and Settings → Delete account, or by emailing privacy@dalysystems.ai.

9. Children

BidWrite is a B2B product and not directed to children under 16. We do not knowingly collect data from children. If you believe we have, email privacy@dalysystems.ai and we’ll delete it.

10. Changes to this policy

If we change this policy in a material way, we’ll email registered users and surface a notice in the product before the change takes effect.

11. Contact

Privacy questions or rights requests: privacy@dalysystems.ai.
Postal address available on request via the contact email above (required for GDPR requests; will be published here once counsel signs off).
Governing law: to be confirmed by counsel.