Privacy Policy

Last updated: April 2026

Who we are

Biddexis is operated by Novidex Technologies S.R.L., a Romanian limited liability company headquartered in Bucharest, Romania. We are the data controller for personal data processed through the Biddexis application.

Contact: privacy@biddexis.com

What data we collect

  • Account data: email, name, hashed password, account creation date
  • Company profile data: company name, sectors, past projects, team members, certifications — provided by you
  • Tender content: documents you upload, extracted requirements, AI-generated responses, your edits
  • Usage data: tenders processed, responses generated, plan and subscription status
  • Technical data: session tokens, IP address, browser type, used only for security and operational purposes

Why we process it

  • Service delivery (contractual basis, GDPR Art. 6(1)(b)): to provide the Biddexis service you signed up for
  • Account management (contractual basis): authentication, billing, support
  • Service improvement (legitimate interest, GDPR Art. 6(1)(f)): aggregate, anonymized usage analysis
  • Legal compliance (Art. 6(1)(c)): tax records, e-Factura, GDPR audit logs

We do not sell your data. We do not use your data for advertising. We do not train AI models on your data.

Where your data is stored

All your data is stored in EU data centers. We use:

  • Supabase (EU region, Frankfurt): primary database, authentication, file storage
  • Vercel (EU edge regions): application hosting
  • Anthropic (US, with EU-US DPF safeguards): AI processing — your tender content is sent to Anthropic's API for response generation, then deleted from their systems per their data retention policy
  • Stripe (EU operations): payment processing — we never store card details

We have signed Data Processing Agreements (DPAs) with all processors. International transfers to the US (Anthropic) rely on the EU-US Data Privacy Framework adequacy decision.

How long we keep your data

  • Active accounts: retained while your account is active
  • Deleted accounts: removed within 30 days of deletion request, except where retention is legally required
  • Billing and tax records: retained for 10 years per Romanian fiscal law
  • Backups: rolling 30-day backups, encrypted at rest

Your rights under GDPR

You have the right to:

  • Access (Art. 15): request a copy of your data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): delete your account and data — available self-service in your profile settings
  • Portability (Art. 20): receive your data in a structured format
  • Restriction (Art. 18): limit processing of your data
  • Objection (Art. 21): object to processing based on legitimate interest
  • Lodge a complaint: with ANSPDCP (the Romanian data protection authority) or your local DPA

To exercise any of these rights, email privacy@biddexis.com. We respond within 30 days.

Security

We use industry-standard security measures: encryption in transit (TLS 1.3), encryption at rest, Row-Level Security on all database tables, hashed passwords, and audit logging. Access to production systems is limited to authorized personnel.

AI processing

For details on how we use AI and what data flows through our AI systems, see our AI Transparency disclosure.

Changes to this policy

We may update this policy. Material changes will be communicated by email and via a banner in the application. The "Last updated" date at the top reflects the most recent version.

Contact

Questions about privacy or to exercise your rights: privacy@biddexis.com

Romanian DPA: ANSPDCP — dataprotection.ro