Privacy Policy

Last updated: March 16, 2026

1. Introduction

RFPvault ("we", "us", "our") is a B2B software-as-a-service platform for RFP response automation. This Privacy Policy explains how we collect, use, and protect your data in accordance with the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218).

2. Data Controller

RFPvault (registered in Sweden)
Contact: privacy@rfpvault.io

3. Data We Collect

Account Data

  • Name, email address, organization name
  • Hashed password (never stored in plain text)
  • Role and department (if provided)

Service Data

  • Uploaded documents (RFPs, product documentation)
  • Extracted question-answer pairs and knowledge base entries
  • AI-generated responses and confidence scores
  • Project metadata (names, dates, outcomes)

Technical Data

  • IP address, browser type (from server logs)
  • Session cookies (strictly necessary, login only)
  • Audit log entries (actions performed, timestamps)

4. Legal Basis for Processing

  • Contractual necessity (Art. 6(1)(b) GDPR) — to provide the RFPvault service as agreed
  • Legitimate interest (Art. 6(1)(f) GDPR) — security logging, fraud prevention, service improvement

5. How We Use Your Data

  • Providing and operating the RFPvault platform
  • Processing uploaded documents and generating AI-assisted responses
  • Sending transactional emails (password resets, team invitations, notifications)
  • Security monitoring and audit logging
  • Service improvement and usage analytics (aggregated, non-personal)

6. Third-Party Processors

We use the following sub-processors to deliver the service:

  • Hetzner Online GmbH (Helsinki, Finland) — cloud infrastructure and data hosting
  • Anthropic (USA) — AI language model for response generation
  • Voyage AI (USA) — text embeddings and semantic search
  • Exa AI (USA) — web search for response enhancement
  • Postmark / ActiveCampaign (USA) — transactional email delivery
  • Google LLC (USA) — OAuth authentication ("Sign in with Google")
  • Cloudflare (USA) — CDN, DDoS protection, and DNS
  • Paddle.com Market Limited (UK) — payment processing, subscription billing, invoicing, and sales tax compliance (Merchant of Record)

Where data is transferred outside the EU/EEA, appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

7. Data Retention

  • Account data: retained while your account is active, deleted within 30 days of account closure
  • Uploaded source files (PDFs, documents): automatically deleted 7 days after processing
  • Knowledge base entries: retained until you delete them or close your account
  • Audit logs: retained for 12 months, then automatically purged
  • Server logs: retained for 90 days

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, secure password storage using industry-standard hashing algorithms, protection against common web vulnerabilities, rate limiting, and strict tenant data isolation between organizations.

9. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Receive your data in a structured format (data portability)
  • Object to processing based on legitimate interest

To exercise any of these rights, submit a request through our Support page. We will respond within one calendar month as required under GDPR Article 12.

10. Cookies

RFPvault uses only a single strictly necessary session cookie to maintain your login session. We do not use analytics, advertising, or tracking cookies. No cookie consent is required for strictly necessary cookies under the ePrivacy Directive.

11. Supervisory Authority

You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or with the supervisory authority in your country of residence if different from Sweden.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. The "last updated" date at the top reflects the most recent revision.
