Privacy Policy
- Version: 1.0
- Effective date: 2026-05-01
- Last updated: 2026-04-20
- Applicable law: Republic of Korea Personal Information Protection Act (PIPA); GDPR for EU-resident users
Preamble
The operator of BidSealed ("Operator") handles Members' personal information carefully, in compliance with the Republic of Korea Personal Information Protection Act (개인정보 보호법, "PIPA"), the Act on the Consumer Protection in Electronic Commerce, and — where applicable — the General Data Protection Regulation (GDPR) for Members residing in the European Economic Area.
This Privacy Policy describes what information BidSealed collects, how it is used, how long it is retained, and the rights Members have regarding their data.
This Policy should be read together with the Terms of Service (see 05_terms_of_service.md).
1 — What information BidSealed collects
1.1 Information collected at signup
| Field | Purpose | Required |
|---|---|---|
| Corporate email address | Authentication, communication, domain verification | ✅ |
| Company name | Display after 1:1 Reveal | ✅ |
| Display name (representative's name or handle) | User identification within the Service | ✅ |
| Role (Buyer / Vendor / Both) | UI adaptation, notification routing | ✅ |
| Country code | Auto-detected from email domain; user confirms/adjusts | ✅ |
| Preferred language | UI locale, notification language | Auto-set, user-adjustable |
1.2 Information collected automatically
- IP address at time of access (for security, rate limiting, and abuse prevention)
- Browser user-agent string (for compatibility and analytics, aggregated only)
- Session cookies (for authentication state)
- Aggregate usage metrics via Plausible Analytics (does not track individuals; no cookies)
1.3 Information generated through Service use
- RFPs posted (title, specifications, body text, category, deadline, attached files if any)
- Sealed Bids submitted (price, terms, proposal body, attached files if any)
- Award decisions and audit logs (who awarded, when, to whom)
- Messages sent via Service-triggered email notifications
1.4 What BidSealed does not collect
- ❌ Physical address (home or business)
- ❌ Phone number (unless volunteered post-1:1 Reveal by the Member)
- ❌ Government-issued ID numbers
- ❌ Financial account information, credit card numbers
- ❌ Health, biometric, or political/religious data
- ❌ Individual tracking cookies (Plausible is cookie-free)
- ❌ Social media profiles or external account links
2 — How BidSealed uses information
Information is used only for the following purposes:
2.1 Service operation
- Authenticating Members
- Facilitating RFP posting, Sealed Bid submission, and award decisions
- Enforcing platform rules (blocking free-domain signups, detecting abuse)
- Routing notifications to the correct Member in the correct language
2.2 Service improvement
- Aggregate analysis of usage patterns (no individual identification)
- Error diagnostics via Sentry (IP and user-agent may appear in error reports; Sentry retains for 90 days)
- Feature prioritization based on aggregate demand signals
2.3 Legal compliance
- Response to lawful requests from government authorities
- Dispute resolution assistance when necessary
- Required record retention under applicable law
2.4 What BidSealed does not do with information
- ❌ Sell or rent Member data to third parties. Ever.
- ❌ Use Sealed Bid content (before 1:1 Reveal) for any purpose beyond delivering it to the Buyer
- ❌ Share Buyer identity with Vendors before an award decision
- ❌ Profile Members for advertising
- ❌ Train AI models on private Sealed Bid content
3 — How long information is retained
| Category | Retention period | Rationale |
|---|---|---|
| Member profile | Until withdrawal + 30 days | Grace period in case of accidental withdrawal |
| RFPs and associated Sealed Bids | 3 years after RFP closure | Audit, dispute resolution, analytical continuity |
| Award records | 5 years after award | Legal retention requirements for commercial records |
| Notification delivery logs (Resend) | 90 days | Debugging and delivery confirmation |
| Session/access logs | 6 months | Security incident investigation |
| Error reports (Sentry) | 90 days | Automatic expiration by Sentry retention policy |
| Analytics (Plausible, aggregate only) | Indefinite (no personal data) | Historical trend analysis |
Upon withdrawal:
- Profile data is deleted within 30 days
- Attached files are deleted within 30 days
- RFPs and Sealed Bids posted before withdrawal remain in the system (displayed as "Withdrawn Member") for record integrity, for the retention period above
- Audit logs associated with the Member are pseudonymized (user ID remains, other identifiers removed)
4 — How information is shared
4.1 Between Members (within the Service)
- Before award: Buyers see all Sealed Bids on their RFP (RLS enforced). Vendors see only the bid count of other responses.
- After award (1:1 Reveal): Awarded Vendor and Buyer see each other's full business contact information. Non-awarded Vendors learn only that they were not selected; they do not learn the awarded Vendor's identity, pricing, or conditions.
- Split Awards: Awarded Vendors in a split award do not see each other's existence, identity, pricing, or conditions.
4.2 With service providers (sub-processors)
BidSealed uses the following sub-processors, each under strict data processing agreements:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Supabase Inc. (USA) | Database, authentication | All structured data |
| Vercel Inc. (USA) | Hosting, edge CDN | Request-level logs (IP, user-agent) |
| Resend (USA) | Email delivery | Recipient email, message content |
| Sentry (USA) | Error tracking | Error stack traces, IP, user-agent |
| Plausible (EU) | Privacy-respecting analytics | Aggregated only, no personal data |
Each sub-processor is SOC 2 Type II certified or equivalent. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
4.3 With law enforcement
BidSealed discloses information to law enforcement only in response to valid legal process (court order, subpoena, or equivalent). BidSealed will notify the affected Member prior to disclosure when lawful to do so.
4.4 Cross-border data transfer
Because sub-processors are based primarily in the United States, Member data is transferred outside of the Member's country of residence.
- Korean Members consent to transfer of their data to the United States and other countries where sub-processors operate, as required to provide the Service. Standard contractual clauses apply where GDPR-equivalent protections are not otherwise in place.
- EU Members: BidSealed relies on Standard Contractual Clauses (SCCs) as the transfer mechanism for data transferred outside the EEA.
5 — Member rights
All Members have the following rights regarding their personal information:
5.1 Right of access
Members may request a copy of all personal information BidSealed holds about them. Response time: within 30 days.
5.2 Right of correction
Members may correct their own profile directly in the Service. For fields not editable via UI, Members may email the Operator.
5.3 Right of deletion (withdrawal)
Members may withdraw membership at any time, triggering deletion per §3 above.
5.4 Right of portability
Members may request a machine-readable export (JSON format) of their own RFPs, Sealed Bids, and profile. Response time: within 30 days.
5.5 Right to object
Members may object to specific processing activities. Where the activity is essential to providing the Service, withdrawal may be the only way to cease processing.
5.6 Right to complain
Members may lodge a complaint with the supervisory authority (Korea: 개인정보보호위원회; EU: local data protection authority).
5.7 How to exercise rights
Email the Operator at the privacy contact address listed at the bottom of this document. Include:
- Your registered email address
- The nature of your request
- Any supporting details
BidSealed verifies identity (typically via email confirmation) before acting on requests.
6 — Security measures
BidSealed implements the following technical and organizational measures:
Technical
- Transport encryption: TLS 1.2+ for all connections
- At-rest encryption: AES-256 for database contents (Supabase-managed)
- Authentication: Passwordless (email OTP + magic link), reducing credential exposure risk
- Row-Level Security: Database-enforced access control; Sealed Bid integrity is technical, not just policy
- Minimum privilege: Service role keys are used only in server-side code, never exposed to clients
- Rate limiting: Brute-force and automated abuse prevention
- Vulnerability scanning: Dependencies updated regularly; security advisories monitored
Organizational
- Access control: Operator access to production data is logged and limited to debugging necessity
- Incident response: Defined playbook for breach detection, containment, and notification (see 05_ops/incident_playbook.md)
- Breach notification: Affected Members are notified within 72 hours of confirmed breach, as required by law
- Retention discipline: Automated deletion at the retention periods listed in §3
7 — Cookies and tracking
BidSealed uses the minimum cookies required for service functionality:
Necessary cookies (cannot be disabled)
- Session cookie: Authentication state
- CSRF token: Cross-site request forgery protection
- Locale cookie: Remembers user's chosen language
Analytics (opt-out possible)
- Plausible Analytics: Cookie-free, privacy-respecting. No user tracking. Aggregated statistics only.
BidSealed does not use third-party advertising cookies, tracking pixels from ad networks, or social media embed cookies.
8 — Children's data
BidSealed is a B2B service and does not intentionally collect data from individuals under 19 years old. Members must be authorized employees or representatives of registered businesses. If BidSealed becomes aware that a minor has registered, the account will be immediately removed and any data deleted.
9 — Changes to this Policy
BidSealed will notify Members of material changes via:
- In-Service announcement
- Email to the Member's verified address
Material changes take effect at least 30 days after notification. Continued use after the effective date constitutes acceptance.
Minor clarifications (typo corrections, formatting changes) may be made without notification.
10 — Contact information
For privacy-related inquiries, requests, or complaints:
- Privacy contact: privacy@bidsealed.com
- Data Protection Officer (EEA Members): To be designated before EEA expansion
- Response time: Within 30 days of receipt
For the purposes of PIPA, the Operator serves as the personal information manager (개인정보 처리자) and takes overall responsibility for personal information handling.
Revision log
- v1.0 (2026-04-20): Initial Privacy Policy. Covers PIPA compliance for Korea, GDPR readiness for EU expansion.