Privacy Policy
Effective 17 May 2026 · v1.0
This Privacy Policy explains how Tender Surrender (“we”, “us”, “our”) collects, uses, stores, and shares information when you use tendersurrender.ai(the “Service”). Tender Surrender is operated as a sole proprietorship by Atharva Deshpande (the “Proprietor”).
Contact: tech@atharvad.me · Registered address: [TODO: insert legal address before public launch]. Grievance Officer details are at the end of this document.
1. Information we collect
1.1 Account information
- Email address (used for sign-in and notifications).
- Name and organisation name, if you provide them in your profile or tender bundles.
- Authentication tokens issued by our identity provider (Supabase Auth).
1.2 Tender content you upload
- Tender PDFs, BOQs, Excel sheets, and any other documents you upload for processing.
- Parsed text and embeddings derived from those documents.
- Questions you ask the in-app chat and answers it returns.
- Manual edits, confidence overrides, and field-level annotations you create on extractions.
1.3 Technical information
- IP address, browser, operating system, device type, and request timestamps.
- Application logs, errors, and performance traces (via Sentry).
- Server-side metrics on parsing duration, embedding cost, and LLM token usage.
We do not use third-party advertising trackers, analytics fingerprinters, or cross-site tracking pixels.
2. How we use information
- Operate the Service — parse, embed, search, and extract structured insights from your tender bundles, and let you chat with them.
- Authenticate and authorise — verify who you are and limit data access to your organisation.
- Improve reliability — debug errors, monitor performance, and reduce failure rates. Logs include identifiers and may include small text snippets for debugging.
- Communicate — send transactional emails (sign-in links, password resets, billing notices). We do not send marketing email without your separate opt-in.
- Comply with law — respond to lawful requests, enforce our Terms, and protect users.
We do not sell your data, and we do not use your tender content to train our models or any third-party model. Anthropic and Voyage AI, our LLM and embedding providers, are contractually prohibited from training on API inputs you send through them.
3. Subprocessors
We rely on a small set of subprocessors to deliver the Service. Each receives only the data needed to perform its function.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | United States (AWS us-east) |
| Railway Corp. | API and worker compute | Singapore (Metal region) |
| Vercel Inc. | Frontend hosting and edge delivery | Global (edge), US (build) |
| Anthropic, PBC | Large language model (Claude) for extraction and chat | United States |
| Voyage AI | Document embeddings for semantic search | United States |
| Functional Software, Inc. (Sentry) | Error monitoring | United States / European Union |
| Cloudflare, Inc. | DNS and transit security (where applicable) | Global |
The current subprocessor list is also published in our Data Processing Addendum. We will provide reasonable advance notice through the Service or by email before adding a new subprocessor that handles personal data.
4. Cross-border transfers
Because our subprocessors are located outside India, your data may be transferred to and processed in the United States, the European Union, and Singapore. We rely on contractual safeguards (data processing agreements, standard contractual clauses where applicable) and the legitimate-business-purpose basis under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) for these transfers.
5. Retention
- Tender content: retained while your account is active. You can delete files and tenders at any time from the app, and we will delete them from primary storage within 30 days.
- Account data: retained while your account is active and for up to 90 days after account closure, then deleted or fully anonymised.
- Logs: retained for up to 90 days for security and debugging, after which they are rotated out.
- Backups: Supabase point-in-time recovery snapshots may retain copies for up to 14 days after deletion before being overwritten.
6. Your rights under the DPDP Act
If you are a Data Principal under the DPDP Act, you have the right to:
- Access a summary of personal data we process about you.
- Correct, complete, update, or erase your personal data.
- Nominate another individual to exercise your rights.
- Withdraw your consent at any time (we will then stop further processing based on that consent).
- File a grievance with us in the first instance, and escalate to the Data Protection Board of India if unresolved.
To exercise any of these rights, email tech@atharvad.mewith the subject line “DPDP Request”. We aim to respond within 14 days.
7. Security
- All data in transit is encrypted with TLS 1.2 or higher.
- Database storage at rest is encrypted with AES-256 (managed by Supabase / AWS KMS).
- Row-level security enforces strict per-organisation data isolation.
- Authentication is provided by Supabase Auth; we do not store plaintext passwords.
- Production secrets are managed via Railway and Vercel environment variables and are never committed to source.
No system is perfectly secure. If you believe you have discovered a vulnerability, please report it to tech@atharvad.me rather than disclosing it publicly.
8. Cookies and similar technologies
We use a small number of strictly necessary cookies and localStorage items to keep you signed in and remember UI preferences. We do not use advertising or cross-site tracking cookies.
9. Children
The Service is intended for use by adults working on commercial tenders. We do not knowingly collect data from anyone under 18 years of age. If you believe a minor has provided us data, please contact us so we can remove it.
10. Changes to this policy
We may update this policy from time to time. We will post the new version on this page and update the effective date above. Material changes will be notified to active users by email.
11. Grievance Officer
In accordance with the DPDP Act and IT Rules:
- Name: Atharva Deshpande
- Email: tech@atharvad.me
- Address: [TODO: insert legal address before public launch]