Privacy Policy

Last Updated: March 30, 2026
Effective Date: March 30, 2026

1. Introduction

RFP.ai ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This policy applies to all users of RFP.ai and is designed to support compliance with:

General Data Protection Regulation (GDPR) - EU 2016/679
California Consumer Privacy Act (CCPA)
Other applicable data protection laws

Key Commitment: Your data is NEVER used to train our AI models.

2. Data Controller

The data controller responsible for your personal data is:

Dutchcode B.V.
Trading as RFP.ai
Litserstraat 20
5275 BV Den Dungen
The Netherlands

Contact:

Email: [email protected]
Data protection contact: [email protected]
Website: https://rfp.ai

3. Information We Collect

3.1 Information You Provide Directly

Account Information:

Full name
Email address
Password (encrypted)
Organization name
Job title (optional)

Payment Information:

Billing address
Payment method details (processed securely through Stripe)
Note: We do NOT store full credit card numbers

Content Data:

Documents and files you upload
RFP questions and responses
Templates and content library items
Comments and annotations
Project information

Profile Data:

Profile photo (optional)
Preferences and settings
Notification preferences

Communications:

Support tickets and messages
Feedback and survey responses
Email correspondence

3.2 Automatically Collected Information

Usage Data:

Features and pages accessed
Time spent in the application
Actions taken (uploads, generations, exports)
Search queries within the Service
Performance and error data

Device and Technical Information:

IP address (anonymized where possible)
Browser type and version
Operating system
Device identifiers
Screen resolution
Referral URLs

Log Data:

Access timestamps
API requests and responses
Error logs and diagnostics
Performance metrics

Cookies and Similar Technologies:

Session cookies (essential)
Authentication tokens
Preference cookies
Analytics cookies (with consent)

4. How We Use Your Information

4.1 Service Delivery

Provide the Service: Process documents, generate responses, manage projects
AI Processing: Generate content using AI (NO training on your data)
Account Management: Authentication, access control, user profiles
Collaboration: Enable team features and workflow management
Storage: Securely store your documents and generated content

4.2 Business Operations

Billing and Payments: Process subscriptions, generate invoices, manage payments
Customer Support: Respond to inquiries, troubleshoot issues, provide assistance
Communications: Send service updates, security alerts, important notices (transactional emails)
Analytics: Understand usage patterns, improve features, optimize performance
Research and Development: Develop new features and improve existing ones

4.3 Security and Compliance

Security: Detect fraud, prevent abuse, protect against security threats
Compliance: Meet legal obligations, enforce Terms of Service
Auditing: Maintain logs for security and compliance purposes
Incident Response: Investigate and respond to security incidents

4.4 Marketing (With Consent)

Product updates and new features (opt-in)
Educational content and best practices (opt-in)
Survey requests (opt-in)

You can opt out of marketing communications at any time.

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your data based on:

Contract (Art. 6(1)(b)):

Processing necessary to provide the Service you've subscribed to
Account management and authentication
Billing and payment processing

Legitimate Interest (Art. 6(1)(f)):

Service improvement and optimization
Fraud prevention and security
Anonymous analytics
Business operations

Consent (Art. 6(1)(a)):

Marketing communications
Optional features
Non-essential cookies

You can withdraw consent at any time.

Legal Obligation (Art. 6(1)(c)):

Compliance with EU and national laws
Tax and accounting requirements
Response to legal requests

6. Data Sharing and Disclosure

We do NOT sell your personal data.

6.1 Service Providers (Sub-processors)

We share data with trusted third parties who help us provide the Service:

Mistral AI:

Purpose: AI model inference for response generation
Data: Document content, questions, context (API calls only)
Processing: API-based inference subject to contractual restrictions
Training: Your data is NEVER used for training

Cloudflare:

Purpose: Infrastructure, hosting, CDN, database, file storage
Data: All application data
Processing: Primary application storage hosted in the EU, with related services potentially involving broader network operations
Security: ISO 27001, SOC 2 Type II certified

Stripe:

Purpose: Payment processing and subscription management
Data: Billing information, payment methods
Processing: EU entity with possible global operations subject to applicable safeguards
Security: PCI DSS Level 1, SOC 2 Type II certified

Resend:

Purpose: Transactional email delivery
Data: Email addresses, email content
Processing: EU-oriented routing where available, with safeguards where applicable

Sentry:

Purpose: Error tracking and performance monitoring
Data: Error logs, anonymized user IDs
Processing: EU-oriented configuration where available, with safeguards where applicable
Security: SOC 2 Type II certified

See our Sub-processor List for complete details and safeguards.

6.2 Legal Requirements

We may disclose information when required by:

Law enforcement or government requests
Court orders or legal processes
Protection of our rights, property, or safety
Investigation of fraud or security incidents
Compliance with applicable laws

6.3 Business Transfers

In the event of:

Merger or acquisition
Sale of assets
Bankruptcy or reorganization

Your information may be transferred to the successor entity. We will notify you and ensure equivalent protection.

6.4 With Your Consent

We may share data for other purposes with your explicit consent.

7. AI and Data Training

7.1 Strict No-Training Policy

Your data is NEVER used to train AI models. This includes:

Documents you upload
Questions you ask
Responses we generate
Any content in your account

7.2 How AI Processing Works

All AI processing uses on-demand API calls
Data is sent temporarily to Mistral AI for inference
Our AI-provider agreements are designed to prohibit retention or training on customer content except as needed to deliver the service
Results are returned and stored only in your account
No learning or model improvement from your data

7.3 Contractual Guarantees

Our agreements with AI providers prohibit training on customer data
API-based access is designed to minimize unnecessary data persistence
We review providers and controls periodically as part of our privacy and security process

8. Data Storage and Security

8.1 Storage Location

Primary Hosting Region: European Union

Data Residency:

Core application storage is primarily hosted in the EU
Some service providers may process limited categories of data outside the EEA
Where international transfers occur, we rely on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms
Compliance measures are described in this Privacy Policy, our DPA, and our sub-processor documentation

Key Service Providers:

Mistral AI - AI processing
Cloudflare - Infrastructure
Resend - Email delivery
Sentry - Error monitoring
Stripe - Payments

8.2 Security Measures

Encryption:

In transit: TLS 1.3 (Transport Layer Security)
At rest: AES-256 encryption
Passwords: Bcrypt hashing with salt

Access Controls:

Multi-tenant isolation by organization ID
Role-based access control (RBAC)
OAuth 2.0 and session-based authentication
Additional authentication controls may be introduced over time
Regular access reviews

Monitoring and Response:

Logging and alerting for reliability and security events
Incident response procedures
Periodic security reviews and remediation work

Backups and Recovery:

Automated daily backups
Encrypted backup storage
Disaster recovery and restoration procedures

Organizational Security:

Employee background checks
Security awareness training
Confidentiality agreements
Principle of least privilege
Secure development practices

8.3 Data Retention

Active Accounts:

Data retained while your subscription is active
Indefinite retention as long as account exists

After Cancellation:

Grace period: 30 days for data export
After 30 days: Permanent deletion from production systems
Backups: May persist up to 90 days for disaster recovery

Legal Retention:

Billing records: 7 years (tax compliance)
Security logs: 1 year
Legal hold: Retained as required by law

User-Requested Deletion:

Immediate deletion available upon request
Subject to legal requirements
Certification provided upon request

9. Your Rights Under GDPR

9.1 Access Rights

Right to Access (Art. 15):

Request a copy of your personal data
Receive data in structured, machine-readable format
Response time: 30 days

9.2 Correction and Deletion

Right to Rectification (Art. 16):

Correct inaccurate or incomplete data
Update information via account settings or support

Right to Erasure ("Right to be Forgotten") (Art. 17):

Request deletion of your data
Exceptions: Legal obligations, legitimate interests, established claims

9.3 Control Over Processing

Right to Restriction (Art. 18):

Limit how we process your data
Available while disputes are resolved

Right to Object (Art. 21):

Object to processing based on legitimate interests
Object to direct marketing (honored immediately)

Right to Data Portability (Art. 20):

Export your data in JSON, CSV, DOCX, or PDF format
Transfer data to another service

Right to Withdraw Consent (Art. 7(3)):

Withdraw consent for marketing or optional features
Does not affect lawfulness of prior processing

9.4 How to Exercise Your Rights

Methods:

Email: [email protected]
Support ticket: Submit a formal request
We may provide self-service tools for certain requests inside the product

Verification:

We may request identity verification before fulfilling requests
Response time: 30 days (may extend to 60 days for complex requests)

No Fee:

Rights requests are free
May charge reasonable fee for manifestly unfounded or excessive requests

10. Cookies and Tracking Technologies

10.1 Types of Cookies

Essential Cookies (Required):

Session authentication
Security tokens
Load balancing
Cannot be disabled without affecting functionality

Functional Cookies:

User preferences
Language selection
UI settings

Analytics Cookies (With Consent):

Usage statistics (anonymized)
Performance monitoring
Feature usage tracking

We do NOT use:

Third-party advertising cookies
Cross-site tracking
Social media tracking

10.2 Cookie Control

Browser Settings:

Configure cookie preferences in your browser
Clear cookies at any time
Note: Disabling essential cookies may break functionality

Opt-Out:

You can control cookies through your browser settings
Where we use non-essential cookies, we will request consent where required by law

10.3 Cookie Lifespan

Session cookies: Expire when you close the browser
Persistent cookies: 30 days to 1 year maximum
Authentication tokens: 7 days (refresh)

11. International Data Transfers

11.1 Transfer Mechanisms

Some of our providers may process limited categories of data in countries outside the EEA. Where that happens, we use lawful transfer mechanisms and appropriate safeguards, including:

Standard Contractual Clauses (SCCs):

European Commission-approved clauses
Contractual data protection guarantees
Binding obligations on data recipients

Adequacy Decisions:

Countries deemed adequate by EU Commission
Currently: Switzerland, UK (post-Brexit adequacy)

11.2 Additional Safeguards

Encryption in transit and at rest
Contractual obligations exceeding local law requirements
Data minimization and anonymization where possible
Regular compliance audits

11.3 Your Rights

Right to be informed of transfers
Right to object to transfers
Right to receive information on safeguards

12. Children's Privacy

Age Restriction: Our Service is NOT intended for users under 16 years of age.

No Knowing Collection:

We do not knowingly collect data from children
Parental consent required for users under 18 (where applicable)

If You Believe We Have Child Data:

Contact us immediately at [email protected]
We will investigate and delete the data promptly

13. California Privacy Rights (CCPA)

13.1 Rights for California Residents

Right to Know:

Categories of personal information collected
Sources of personal information
Business purpose for collection
Categories of third parties we share with

Right to Delete:

Request deletion of your personal information
Subject to legal exceptions

Right to Opt-Out:

We do NOT sell personal information
No opt-out necessary

Right to Non-Discrimination:

We will not discriminate for exercising CCPA rights

13.2 How to Exercise CCPA Rights

Email: [email protected]
Subject: "California Privacy Rights Request"

We will verify your identity and respond within 45 days.

14. Third-Party Links and Integrations

External Links:

Our Service may contain links to third-party websites
We are not responsible for their privacy practices
Review their privacy policies before use

Integrations:

OAuth login providers (Google, Microsoft)
Their privacy policies apply to authentication data
We receive only basic profile information (name, email)

15. Data Breach Notification

15.1 Our Obligations

In case of a personal data breach:

Notify supervisory authority within 72 hours (GDPR Art. 33)
Notify affected users without undue delay (GDPR Art. 34)
Provide details of breach, consequences, and mitigation

15.2 What We Notify

Nature of the breach
Categories and volume of affected data
Likely consequences
Measures taken or proposed
Contact point for more information

16. Changes to This Privacy Policy

16.1 Updates

We may update this Privacy Policy to reflect:

Changes in laws or regulations
New features or services
Feedback from users or regulators
Best practice updates

16.2 Notification

Material Changes:

30 days advance notice via email
In-app notification
Prominent notice on website

Minor Changes:

Updated "Last Updated" date
Continued use constitutes acceptance

16.3 Version History

Previous versions available upon request.

17. Supervisory Authority

17.1 Right to Lodge a Complaint

If you believe we have violated your data protection rights:

EU Residents:

Contact your local data protection authority
List available at: https://edpb.europa.eu/about-edpb/board/members_en

Netherlands (Our Location): Autoriteit Persoonsgegevens
P.O. Box 93374
2509 AJ The Hague
The Netherlands
Website: https://autoriteitpersoonsgegevens.nl

UK Residents: Information Commissioner's Office (ICO)
Website: https://ico.org.uk

17.2 Our Commitment

We take complaints seriously and will:

Investigate promptly
Cooperate with authorities
Implement corrective measures

18. Contact Information

18.1 Privacy Inquiries

General Privacy Questions:
Email: [email protected]

Data Protection Contact:
Email: [email protected]

Support:
Email: [email protected]

18.2 Postal Address

Dutchcode B.V. - Privacy Team
Litserstraat 20
5275 BV Den Dungen
The Netherlands

18.3 Response Time

Privacy requests: Within 30 days
Data subject rights: Within 30 days (may extend to 60 days)
Security incidents: Immediate (where required by law)

This Privacy Policy is effective as of the date stated above and applies to all users of RFP.ai. By using our Service, you acknowledge that you have read and understood this policy.

Last Reviewed: March 30, 2026
Version: 2.1