Privacy Policy
Effective date:
Your Data at a Glance
A plain-English overview before the legal language. This summary is provided for convenience only. It does not replace the full Privacy Policy below. In the event of any conflict, the full Policy governs.
Where is my data stored?
All Client data — every document you upload, every proposal we produce, every file in your account — is stored on infrastructure located in the United States.
Who can see my bid documents?
Only the systems and authorized ScalaBid personnel necessary to produce your Submission Package. Your documents are not shared with other clients, not used as templates for other bids, and not made available to anyone outside the production process. We maintain strict access controls and logical separation between client accounts.
Does ScalaBid use AI to process my documents?
Yes. We use Anthropic's Claude AI services to analyze tender documents and draft proposal content. Anthropic does not use Client data to train its models. Standard Anthropic retention windows apply, as described in Section 4.4.
How long do you keep my documents?
Uploaded documents and generated proposals are retained for up to 12 months from upload or delivery. You can request deletion at any time. When you close your account, all documents are deleted within 90 days.
Do you sell my data?
No. We do not sell personal information or business data to anyone.
What if there is a security incident?
We notify affected clients promptly and provide details about what happened, what data was affected, and what we are doing about it.
Can I delete my data?
Yes. You may request deletion of any or all data associated with your account at any time by emailing legal@scalabid.com. We honor deletion requests within 30 days, subject to legal retention requirements.
Do you send marketing emails?
If you provide your email through our website or lead magnet tool, we may send you service-related communications. Every marketing email includes an unsubscribe link. One click and you are off the list.
1. Introduction
This Privacy Policy ("Policy") describes how ScalaBid ("Company," "we," "us," or "our") collects, uses, discloses, and protects information when you access our website at scalabid.com or use our services (the "Services").
ScalaBid provides done-for-you bid documentation services to U.S. general contractors and specialty trades. We understand that the documents you entrust to us — tender packages, pricing information, company qualifications — are commercially sensitive. This Policy reflects that understanding. We built our data handling practices around one principle: your bid documents are your competitive advantage, and protecting them is part of our job.
By accessing or using the Services, you acknowledge that you have read and understood this Policy.
2. Scope
This Policy applies to:
- Website visitors at scalabid.com;
- Clients and prospective clients;
- Authorized users acting on behalf of a client;
- Individuals who interact with our marketing communications or lead magnet tools.
This Policy applies to business-to-business services. We do not target consumers, and we do not knowingly collect information from individuals under the age of 16. Our services are directed exclusively to clients located in the United States.
3. Information We Collect
3.1 Information You Provide
- Account information: name, company name, job title, email address, phone number;
- Billing information: processed by our payment processor. We do not store full credit card numbers on our systems;
- Tender and proposal documents you upload in connection with the Services;
- Company profile information you choose to store (project history, certifications, key personnel, standard narratives);
- Communications with us: emails, support requests;
- Lead magnet submissions: name, email address, and form inputs submitted through our Bid Capacity Check tool.
3.2 Information Collected Automatically
When you visit our website, we automatically collect:
- IP address;
- Browser type and version;
- Device information (operating system, screen resolution);
- Pages visited, click behavior, session duration, and navigation paths;
- Referral source.
This information is collected through server logs, cookies, and the analytics tools described in Section 8.
3.3 Information from Other Sources
We may receive business contact information from third-party data providers for the purpose of B2B sales outreach. This includes publicly available business information such as company names, job titles, and business email addresses. We use this information only for direct business communications as described in Section 5.
4. How We Handle Your Bid Documents
This is the section that matters most to our clients. Here is exactly how we handle the tender documents and company information you provide.
4.1 What We Process
When you place an order, we process:
- Tender documents, invitations to bid, requests for proposals, specifications, drawings, and schedules you upload;
- Company profile information you provide during onboarding or with a specific order;
- Any addenda or supplementary materials you provide for a specific bid.
From these documents, we generate derived data including OCR text, structured data extractions, compliance analyses, draft and final proposal narratives, compliance matrices, and Client Preparation and Attachments Packages (CPAPs). Derived data is stored separately from original documents.
4.2 Where Your Data Is Stored
All Client data is stored on infrastructure located in the United States. This includes:
- All uploaded documents;
- All generated proposals and deliverables;
- All databases, file storage, and processing infrastructure.
Specifically, our infrastructure is hosted in the following US regions:
- Database and object storage: AWS US-East-2 (Ohio);
- Workflow orchestration: US-East-4;
- Compute services: US-Central-1;
- Web hosting and CDN: US-East-1;
- Analytics, CRM, payment processing, and outreach: United States.
We do not store Client document content on infrastructure located outside the United States.
4.3 Personnel Access from Outside the United States
Authorized ScalaBid personnel may access Client data from locations outside the United States, including from the United Arab Emirates, for the purpose of producing deliverables and operating the Services. All such access is:
- Subject to the same role-based access controls, authentication requirements, and security monitoring described in Section 9;
- Limited to authorized personnel under written confidentiality obligations;
- Logged and auditable;
- Performed using secured access methods with encryption in transit;
- Not authorized for any purpose other than delivery of the Services to the specific Client whose data is being accessed.
Personnel access from outside the United States does not constitute a transfer of Client data outside the United States for storage purposes. Client data continues to reside on US-based infrastructure regardless of the personnel access location.
4.4 Who Can Access Your Documents
Access to your documents is restricted to:
- Production systems that process your documents to generate deliverables;
- Authorized ScalaBid personnel directly involved in producing your Submission Package, regardless of personnel location;
- Authorized service providers necessary to deliver the Services (described in Section 6).
Your documents are logically separated from other clients' data. We maintain unique identifiers per client, per tender, and per revision. Full document text is not stored in workflow orchestration systems — only processing metadata (status, timestamps, identifiers) passes through those systems.
4.5 AI Processing
We use Anthropic's Claude AI services (via Anthropic's API platform) to analyze tender documents and generate proposal content. Our commitments regarding AI processing:
- AI processing providers process your document content solely to deliver model outputs to ScalaBid for the purpose of generating your Submission Package;
- Anthropic does not use Client inputs or outputs to train its models under its published commercial terms applicable to ScalaBid's account tier;
- Anthropic retains API request and response data for up to thirty (30) days for trust-and-safety and abuse-prevention purposes, after which it is automatically deleted in accordance with Anthropic's published retention policies;
- ScalaBid does not currently maintain a Zero Data Retention (ZDR) agreement with its AI processing providers;
- All AI processing infrastructure operated by ScalaBid's AI providers for ScalaBid's account is located in the United States.
We review our AI provider terms periodically and will update this Policy if material changes occur. We do not use your documents to train any AI model, and we do not authorize our service providers to do so.
4.6 How Long We Keep Your Documents
| Data Type | Retention Period | What Triggers Deletion |
|---|---|---|
| Uploaded documents (tender files, specs, drawings) | 12 months from upload | Automated scheduled deletion |
| Generated deliverables (proposals, CPAPs, matrices) | 12 months from delivery | Automated scheduled deletion |
| OCR text and structured extractions | Same as parent document | Deleted with parent document |
| Processing metadata (workflow records) | 24 months | Automated archival and deletion |
| System and application logs | 30 days | Automated log rotation |
| Lead magnet submissions | 24 months from submission | Automated scheduled deletion |
| AI provider request/response data | Up to 30 days (per provider terms) | Automated provider-side deletion |
| Billing and legal records | As required by applicable law | Manual review |
You may request early deletion of any or all data associated with your account at any time (see Section 10).
4.7 What Happens When You Close Your Account
Upon account closure:
- Portal access is revoked immediately;
- All active processing workflows are cancelled;
- Within 90 days: all stored documents and generated artifacts are permanently deleted;
- A deletion confirmation email is sent to the account administrator;
- Minimal operational metadata may be retained where required for legal or billing purposes.
5. How We Use Your Information
We use the information we collect for the following purposes:
- Producing and delivering your Submission Packages;
- Managing your account and subscriptions;
- Processing payments;
- Communicating with you about active orders, revisions, and your account;
- Generating and delivering lead magnet reports (Bid Capacity Check);
- Sending marketing communications, including service announcements, nurture emails, and newsletters (see Section 5.1);
- Improving our services, internal operations, and production quality;
- Understanding how visitors use our website so we can improve it;
- Preventing fraud, abuse, and unauthorized access;
- Meeting legal and regulatory obligations.
5.1 Marketing Communications
If you provide your email address through our website — including the Bid Capacity Check tool, account registration, or a contact form — we may send you marketing communications about ScalaBid services.
You may unsubscribe from marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting legal@scalabid.com. Unsubscribing from marketing emails does not affect transactional communications related to active orders or your account.
All marketing emails include the postal address required under the CAN-SPAM Act:
ScalaBid
800 N King Street, Suite 304-1426
Wilmington, DE 19801
United States
We do not sell your personal information or business data. We do not share your email address with other companies for their own marketing purposes.
6. Service Providers
We use trusted third-party service providers to operate our business and deliver the Services. These providers fall into the following categories:
| Category | Purpose | What They Access |
|---|---|---|
| Cloud infrastructure and hosting | Website hosting, application hosting, compute resources | Website data, application data as needed for hosting |
| Database and storage providers | Secure storage of documents, metadata, and account data | Documents, metadata, account information |
| AI processing providers | Document analysis and proposal content generation | Document content (under provider commercial terms; no training use) |
| Workflow orchestration | Coordinating document processing steps | Processing metadata only (no full document text) |
| Payment processor | Processing subscription and one-time payments | Billing information, transaction data |
| Email delivery providers | Transactional emails (order confirmations, PDF delivery) | Email addresses, delivery metadata |
| Email outreach providers | B2B sales communications and marketing emails | Business email addresses, company names |
| CRM provider | Sales pipeline and customer relationship management | Contact information, communication history |
| Analytics providers | Website usage analytics and product improvement | IP addresses, device info, browsing behavior |
All service providers are:
- Bound by contractual data protection obligations;
- Authorized to use data only as necessary to provide services to us;
- Selected based on their security practices, data handling commitments, and US data processing capabilities.
Detailed subprocessor list: Active clients may request a complete list of named service providers, including their specific functions and data processing locations, by contacting legal@scalabid.com. This list is provided under the confidentiality terms of the client's agreement and is updated as providers change. We notify active clients of material changes to service providers at least 14 days in advance.
7. Legal Basis
7.1 US State Privacy Laws
For residents of states with comprehensive privacy laws (including California, Virginia, Colorado, Connecticut, and others as enacted):
- We process personal information for the business and commercial purposes described in Section 5;
- We do not sell personal information as defined under applicable state privacy laws;
- We do not use sensitive personal information for purposes beyond those permitted by applicable law;
- We do not engage in profiling that produces legal or similarly significant effects.
California (CCPA/CPRA): ScalaBid's Services are directed to businesses, not consumers. To the extent the CCPA applies to personal information we process, California residents may exercise the rights described in Section 10. The CCPA B2B exemption applies to the majority of information we process in connection with client engagements.
7.2 General Legal Basis
We process information based on:
- Performance of a contract: processing necessary to deliver Services you have purchased;
- Legitimate business interests: service improvement, fraud prevention, B2B marketing, and business development;
- Legal obligation: processing required to comply with applicable laws;
- Consent: where specifically required by applicable law, such as for certain marketing communications.
8. Cookies and Analytics
8.1 Cookies
We use cookies for the following purposes:
- Strictly necessary: required for the website to function (session management, security tokens);
- Analytics: used to understand how visitors interact with our website;
- Functionality: used to remember your preferences.
You may control cookies through your browser settings. Disabling non-essential cookies may affect certain website features.
8.2 Analytics
We use analytics tools to understand how visitors use our website so we can improve the experience. These tools may collect IP addresses, device information, pages visited, and session behavior. We use analytics data in aggregate. We do not use analytics tools to personally identify individual visitors for marketing purposes.
8.3 Do Not Track
Some browsers send a "Do Not Track" signal. There is no industry-wide standard for responding to this signal. We do not currently alter our data collection practices based on DNT signals, but we respect the opt-out mechanisms provided by our analytics tools.
9. Data Security
We take the security of your data seriously. Our safeguards include:
- Role-based access controls and least-privilege access model;
- Encryption in transit (TLS) for all data communications;
- Encryption at rest where supported by our infrastructure providers;
- Logical separation of document content from processing metadata;
- Unique workflow identifiers per client, per tender, and per revision;
- Operational logging and monitoring (excluding full document text in logs);
- Restricted access to production environments;
- Authentication and authorization mechanisms for all system access;
- Confidentiality obligations binding all personnel with access to Client data, regardless of access location.
No system is completely secure. We cannot guarantee absolute security, but we design and operate our systems to protect your data as if our business depends on it — because it does.
9.1 Incident Response
In the event of a confirmed security incident affecting Client data:
- We notify affected clients promptly, and within 72 hours of confirming the incident where feasible;
- We provide details regarding the nature of the incident, what data was affected, and what steps we are taking;
- We cooperate with affected clients in remediation efforts;
- We maintain records of all security incidents for audit purposes.
10. Your Rights
Depending on your state of residence, you may have the following rights regarding your personal information:
- Right to know: what personal information we collect and how we use it;
- Right to access: request a copy of personal information we hold about you;
- Right to correction: request correction of inaccurate information;
- Right to deletion: request deletion of your personal information, subject to legal retention requirements;
- Right to opt out: opt out of the sale or sharing of personal information (we do not sell personal information, but you may exercise this right if applicable);
- Right to non-discrimination: we will not discriminate against you for exercising your privacy rights.
10.1 How to Exercise Your Rights
To exercise any of these rights, contact us at legal@scalabid.com. We may require verification of your identity before fulfilling requests. We will respond to verified requests within 30 days. If we need additional time, we will notify you within the initial 30-day period.
10.2 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority and your identity before processing the request.
10.3 Data Deletion Requests
You may request deletion of:
- Specific tenders and associated documents;
- Company profile documents;
- Lead magnet submissions;
- All data associated with your account.
Upon verified request, documents and generated artifacts are permanently deleted from storage. Associated structured outputs are deleted. Certain minimal records may be retained where required for legal or billing purposes (such as transaction records required by tax law).
11. Use of Anonymized Data
We may use anonymized and aggregated data derived from service operations for internal analytics, quality improvement, and process optimization. Anonymized data does not identify you, your company, or any individual, and is not subject to this Policy's restrictions on personal information.
For the avoidance of doubt: we do not use your bid documents, company information, or deliverables as templates, examples, training data, marketing examples, or sales demonstrations for other clients' work, ever.
12. Your Responsibilities
- You are responsible for ensuring that you have the legal right to upload and process the documents you submit to our platform;
- If documents you upload contain personal information of third parties (such as names or contact details of individuals appearing in tender documents), you are responsible for having the appropriate basis to share that information with us;
- You are responsible for the accuracy of company information you provide for use in deliverables.
13. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites.
14. Children's Privacy
Our Services are not directed to individuals under 16. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 16, we will delete it promptly.
15. Changes to This Policy
We may update this Policy from time to time. Changes become effective upon posting the revised version at scalabid.com/privacy-policy with an updated effective date. For active clients, material changes are communicated by email at least 14 days before taking effect. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
16. Operating Entity and Contact
ScalaBid is a professional services brand operated by VIIXI FZC, a company registered under the Sharjah Publishing City Free Zone, United Arab Emirates. All Client data processing is governed by this Policy and the Data Processing Addendum below, regardless of the operating entity's place of incorporation.
For privacy questions, data requests, or concerns:
- Email: legal@scalabid.com
- US mailing address (correspondence only): 800 N King Street, Suite 304-1426, Wilmington, DE 19801, United States
We aim to respond to all privacy inquiries within five (5) business days.
Data Processing Addendum
Forming part of the Privacy Policy at scalabid.com/privacy-policy
DPA 1. Parties and Scope
This Data Processing Addendum ("DPA") forms part of the Terms of Service and Privacy Policy between:
- Data Owner: The Client
- Service Provider: ScalaBid (operated by VIIXI FZC)
This DPA governs how ScalaBid processes data on behalf of the Client in connection with the Services. The Privacy Policy and Terms of Service apply to this DPA. In the event of conflict between this DPA and the Terms of Service on data processing matters, this DPA prevails.
DPA 2. ScalaBid's Obligations
ScalaBid shall:
- Process Client data only as necessary to perform the Services described in the Terms of Service and Privacy Policy, or as required by applicable law;
- Ensure that personnel authorized to process Client data are subject to confidentiality obligations, regardless of personnel access location;
- Implement appropriate technical and organizational security measures as described in Section 9 of the Privacy Policy and the Security Measures appendix to this DPA;
- Engage service providers only in accordance with DPA Section 4 below;
- Assist the Client in responding to data subject or individual rights requests, to the extent reasonably possible;
- Notify the Client promptly of any confirmed security incident affecting Client data, in accordance with the incident response commitments in the Privacy Policy;
- Upon termination of the Services, delete Client data in accordance with the retention and deletion schedule in the Privacy Policy, or earlier upon Client request;
- Make information reasonably necessary to demonstrate compliance with this DPA available to the Client upon request, subject to confidentiality obligations.
DPA 3. Client's Obligations
The Client shall:
- Ensure that it has a valid legal basis for sharing data with ScalaBid under applicable law;
- Provide only such data as is necessary for ScalaBid to perform the Services;
- Notify individuals whose personal information appears in uploaded documents about the processing described in the Privacy Policy, where required by applicable law.
DPA 4. Service Providers (Subprocessors)
The Client provides general authorization for ScalaBid to engage the categories of service providers described in Section 6 of the Privacy Policy.
ScalaBid shall:
- Enter into written agreements with each service provider imposing data protection obligations consistent with this DPA, or rely on the service provider's published commercial terms where such terms provide equivalent protections;
- Remain responsible for the acts and omissions of its service providers to the extent required by applicable law;
- Notify active clients by email at least 14 days before engaging a new service provider category or making material changes to an existing provider arrangement.
Confidential Subprocessor List
A complete list of named service providers, including their specific functions, data categories processed, and processing locations, is available to active clients upon request to legal@scalabid.com. This list is provided under the confidentiality terms of the Client's agreement and may not be disclosed to third parties without ScalaBid's prior written consent.
If the Client objects to a new service provider on reasonable grounds, the Client must notify ScalaBid in writing within 14 days. The parties will work in good faith to resolve the objection. If no resolution is reached, the Client may terminate the affected Services without penalty.
DPA 5. Security Measures
ScalaBid implements the following safeguards:
Access Controls
- Role-based access controls (RBAC) and least-privilege model;
- Restricted production environment access;
- Authentication and authorization mechanisms;
- Confidentiality obligations binding all personnel with data access, regardless of geographic location.
Data Segregation
- Logical separation of client data;
- Document content isolated from workflow metadata;
- Unique workflow identifiers per client, tender, and revision.
Encryption
- Encryption in transit (TLS);
- Encryption at rest where supported by infrastructure providers.
Monitoring
- Operational logging (excluding full document text);
- Error tracking and incident monitoring;
- Limited log retention (30 days).
Processing Integrity
- Deterministic workflow orchestration;
- Idempotency enforcement;
- Cancellation controls on active workflows.
Deletion Controls
- Client-requested deletion capability;
- Automated retention-based deletion;
- Artifact tracking for controlled removal.
DPA 6. Data Location and Personnel Access
Data storage: All Client data is stored on infrastructure located in the United States. Infrastructure components include database services (AWS US-East-2), secure object storage (AWS US-East-2), workflow orchestration services (US-East-4), compute services (US-Central-1), web hosting and CDN (US-East-1), and AI processing services (United States). ScalaBid does not intentionally transfer Client document content to storage infrastructure outside of the United States.
Personnel access: Authorized ScalaBid personnel may access Client data from locations outside the United States, including from the United Arab Emirates, for the purpose of producing deliverables and operating the Services. All such access is subject to the same security controls described in DPA Section 5 and Privacy Policy Section 9. Personnel access does not constitute a transfer of Client data for storage purposes.
DPA 7. Incident Response
In the event of a confirmed security incident affecting Client data:
- ScalaBid notifies the Client promptly, and within 72 hours of confirmation where feasible;
- ScalaBid provides available details regarding the nature of the incident, the data affected, and mitigation steps taken;
- ScalaBid cooperates with the Client in reasonable remediation efforts;
- ScalaBid maintains records of all security incidents for audit purposes.
DPA 8. Return and Deletion of Data
Upon termination of the Agreement or upon verified Client request:
- Client documents and generated artifacts are deleted within the retention periods described in the Privacy Policy, or earlier upon request;
- Minimal operational metadata may be retained where required for legal or billing purposes;
- Written confirmation of deletion is available upon request.
Upon account closure, the deletion timeline described in Section 4.7 of the Privacy Policy applies.
DPA 9. Audit
The Client may request information regarding ScalaBid's compliance with this DPA. ScalaBid may satisfy such requests by providing relevant certifications, security documentation, or compliance reports. If these are insufficient, the Client may request an audit subject to:
- At least 30 days' written notice;
- Conduct during normal business hours without unreasonable interference;
- Confidentiality obligations on all auditors;
- Cost borne by the Client unless the audit reveals material non-compliance.
DPA 10. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. This DPA does not create liability beyond what is provided in the Terms of Service.
DPA 11. Term
This DPA remains in effect for the duration of the Agreement. Data processing obligations survive termination until all Client data has been deleted or returned in accordance with this DPA and the Privacy Policy.
DPA 12. Frameworks Not Covered
This DPA and the Services are not currently designed to meet any of the following frameworks. The Client shall not represent to any third party that ScalaBid maintains compliance with any of these frameworks:
- FedRAMP (any baseline);
- ITAR (International Traffic in Arms Regulations);
- EAR (Export Administration Regulations);
- CMMC (Cybersecurity Maturity Model Certification);
- CJIS (Criminal Justice Information Services Security Policy);
- HIPAA (Health Insurance Portability and Accountability Act);
- PCI-DSS (Payment Card Industry Data Security Standard);
- NIST 800-171 / 800-53;
- Federal Acquisition Regulation (FAR) / DFARS data handling requirements;
- State-level "mini-FAR" frameworks;
- Classified data handling requirements;
- Any other government-specific or industry-specific security framework not expressly identified in writing as applicable.
Any such requirements must be agreed separately in writing.
For questions about this Privacy Policy or Data Processing Addendum, contact legal@scalabid.com. See also our Terms of Service.