Privacy Policy
Last updated: April 25, 2026
BidPilot ("we", "us") respects your privacy. This Policy explains what we collect, how we use it, who we share it with, and the rights you have. It applies to our website, web app, and Chrome extension (the "Service").
1. Data we collect
You give us
- Account data: name, email, password (hashed), plan.
- Profile data: skills, bio, past wins, writing samples you provide to improve proposal quality.
- Job and proposal content: job descriptions you analyze, drafts and final proposals you generate, win/loss tags.
- Billing data: handled by Stripe. We store only the customer ID, plan, and last four digits of the card; we never see the full card number.
- Support communication: messages you send us.
We collect automatically
- Usage and device: pages visited, feature usage, browser, OS, IP address.
- Cookies / local storage: session tokens, preferences. We do not use third-party advertising cookies.
- Anti-abuse signals: Cloudflare Turnstile risk score for signup and login.
2. How we use it
- To provide and operate the Service.
- To generate proposals and job scores tailored to your profile.
- To process payments and manage subscriptions.
- To improve the Service (in aggregated, de-identified form).
- To prevent fraud, abuse, and multi-account creation on the free plan.
- To communicate with you (transactional emails, support, occasional product updates).
3. Legal bases (GDPR / LGPD)
- Contract: providing the Service you signed up for.
- Legitimate interest: security, fraud prevention, product improvement.
- Consent: optional analytics or marketing emails (you can opt out anytime).
- Legal obligation: tax records, responding to lawful requests.
4. AI processing
To generate proposals and scores, we send the relevant job description and profile context to a large language model provider (currently OpenAI). The provider does not use inputs and outputs sent through its API to train its models. We do not send your name, email, or billing info to the model.
5. Sharing
We share data only with sub-processors that help us run the Service:
- Supabase — database, authentication, file storage.
- Vercel — application hosting and CDN.
- Stripe — payments.
- OpenAI (or successor model provider) — AI generation.
- Cloudflare — Turnstile (anti-abuse) and DNS.
- Resend (or successor) — transactional email.
We do not sell your personal data and we do not share it for cross-context behavioral advertising.
6. International transfers
Some of our sub-processors are located outside Brazil and the EU. When data is transferred internationally, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Retention
- Account data: while your account is active, plus up to 30 days after deletion for backups.
- Proposals and job content: until you delete them or your account.
- Billing records: retained as required by tax law (typically 5 years).
- Logs: up to 90 days.
8. Your rights
Under GDPR, LGPD, and similar laws, you have the right to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent. You can exercise most rights from the in-app settings or by emailing support@upbidpilot.com. We respond within 30 days.
Brazilian residents: you may also contact the ANPD (Autoridade Nacional de Proteção de Dados). EU residents: you may file a complaint with your local Data Protection Authority.
9. Security
We use HTTPS in transit, encryption at rest (Supabase / Vercel), a strict Content-Security-Policy, password hashing (bcrypt / Supabase Auth), and access controls. No system is 100% secure; we will notify you and the relevant authority if we discover a breach affecting your data.
10. Children
The Service is not directed to children under 18 and we do not knowingly collect data from them.
11. Changes
We may update this Policy from time to time. We will notify you of material changes by email or in-app notice.
12. Contact
Data Controller: BidPilot. Contact our DPO at support@upbidpilot.com.