Privacy Policy
For information only
Notice on language versions
This legal notice is provided in German. Only the German version is legally binding. All translations are for your information and have not been verified by us.
Last updated: 23.07.2025
This Privacy Policy explains how Donar Cloud-Architects GmbH (“we”, “us”, or “our”) collects, uses, discloses, and protects personal data when you:
- visit our public landing page located at tenderbot.io (the “Website”); and
- access or use our business-to-business software-as-a-service platform (the “Web App”), its customer portal, dashboard, and related services (together, the “Services”).
We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) and other applicable European data-protection laws.
1. Controller & Contact Details
Controller: Donar Cloud-Architects GmbH, Mies-van-der-Rohe-Straße 6, 80807 Munich, Amtsgericht München - HRB 279709
Data-Protection Officer (DPO): “not applicable”
Contact (privacy enquiries): privacy@tenderbot.io
2. Categories of Data We Process
| Context | Personal Data | Source |
|---|---|---|
| Website visit & cookieless analytics | • Truncated IP address • Date/time • URL & referrer • User-agent / device type • Aggregated event metrics | Your browser / device; server-side event collector |
| Authentication (AWS Cognito social login) | • Name • Business e-mail • Identity-Provider unique identifier • ID token metadata (e.g. profile picture, locale) | Your chosen IdP (e.g. Google Workspace, Microsoft Entra, GitHub) |
| Dashboard use | • Last-login timestamp • App-usage telemetry | Generated by your use |
| Company-profile enrichment | • Company name • Registered address • Industry, size, VAT / registration numbers • Professional contact details from public sources | Official company registers & reputable third-party data providers |
| Payments & subscriptions (Stripe) | • Cardholder name • Last four digits & expiry • Billing address & country • VAT / tax ID • Stripe customer ID, invoices, subscription status • Payment timestamps & amounts | You; generated by Stripe or payment networks |
| Tender evaluation via AI provider (company data only) | • Company name • Company identifiers (VAT, registration no.) • Industry classifications • Public financial indicators • Tender specifications (no personal data) | Tender documents; public registers; enrichment APIs |
Note: When evaluating tenders we intentionally exclude personal data; the AI model is supplied solely with company-level information.
We do not intentionally collect special categories of personal data (Art. 9 GDPR) and we ask Customers not to submit such data.
3. Purposes & Legal Bases (Art. 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Provide Website, maintain server logs, ensure security | Legitimate interest (Art. 6 (1)(f)) – network & information security |
| Measure Website performance via cookieless, first-party analytics | Legitimate interest (Art. 6 (1)(f)) – improve Services while respecting user privacy |
| Authenticate users via AWS Cognito; enable single sign-on | Performance of contract (Art. 6 (1)(b)) |
| Provide and operate the Web App dashboard | Performance of contract (Art. 6 (1)(b)) |
| Enrich and display company profile information | Legitimate interest (Art. 6 (1)(f)) – context-relevant business data |
| Process payments & subscriptions with Stripe; provide Customer Portal | Performance of contract (Art. 6 (1)(b)); legal obligation for financial records (Art. 6 (1)(c)) |
| Evaluate tenders via AI provider using only company data | Legitimate interest (Art. 6 (1)(f)) – efficient, objective tender analysis; no impact on personal rights as no personal data processed |
| Customer support, fraud prevention, enforcement of T&C | Legitimate interest (Art. 6 (1)(f)) |
Where we rely on legitimate interests, we have balanced such interests against your fundamental rights and freedoms and determined they are not overridden (Recital 47 GDPR).
4. Recipients & Data Processors
We only share data where necessary and under a data-processing agreement (Art. 28 GDPR) or equivalent safeguard.
| Recipient | Role | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting & infrastructure (VPC, RDS, S3) | Frankfurt (EU-central-1) | AWS DPA + technical measures; SCCs if cross-border replication |
| Amazon Cognito | Authentication / social login | EU AWS Region | Same as above |
| Stripe Payments Europe, Ltd. (controller) & Stripe Technology Europe, Ltd. (processor) | Payment processing, subscriptions, Customer Portal | Ireland; limited transfers to Stripe, Inc. (USA) | 2021 SCCs + Stripe Binding Corporate Rules |
| Stripe, Inc. | Sub-processor for certain payment operations | USA | 2021 SCCs; encryption & PCI-DSS Level 1 |
| Mistral AI SAS | Generative‑AI language‑model API for tender evaluation (company data only) | France (primary processing in EU) | Art. 28 DPA + 2021 SCCs; EU datacentres; logs 30 days; no personal data processed |
| OpenAI, Inc. | Generative‑AI language‑model API for tender evaluation and public company data (company data only) | USA; optional EU processing region | 2021 SCCs; logs up to 30 days; no personal data processed |
We disclose data to competent authorities where required by EU or Member-State law.
5. International Transfers
Our application, database and analytics servers are hosted exclusively within the European Economic Area (EEA).
Stripe, Mistral AI SAS, and OpenAI, Inc. may transfer limited data to the USA for resilience and fraud detection. These transfers rely on Standard Contractual Clauses (2021/914/EU) and, for Stripe, Binding Corporate Rules, ensuring an appropriate level of protection (Art. 46 GDPR).
Because only company‑level (non‑personal) information is sent to the AI providers, no cross‑border transfer of personal data occurs in that workflow.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Web-server logs & raw analytics events | 30 days, then anonymised |
| Aggregated Website analytics reports | 3 years |
| User-account metadata (name, e-mail, IdP ID) | Duration of customer contract + 12 months, then deleted |
| Company-profile enrichment data | Refreshed on each login; historical snapshots 12 months |
| Stripe payment & billing records | 10 years (statutory) |
| AI tender-evaluation logs (company data) | 30 days, then deleted |
| Back-ups (all categories) | up to 35 days |
7. Your Rights (Ch. III GDPR)
You have the right to access, rectify, erase, restrict, port your data and object to processing based on legitimate interests, as well as to lodge a complaint with a supervisory authority.
Contact privacy@tenderbot.io. We respond within one month (Art. 12 GDPR).
8. Cookies & Tracking Technologies
Our Website uses no non-essential cookies. A single essential session cookie is set post-login. Analytics are cookieless, with IP truncation and no device fingerprinting.
9. Secure Payments via Stripe
Payments are processed by Stripe. We never store full card numbers. Stripe is PCI-DSS Level 1 certified. You can manage your subscription, invoices, and payment methods via the Stripe Customer Portal accessible from the Web App.
10. AI-Powered Tender Evaluation
Certain tender screening features use a generative-AI model provided by Mistral AI SAS and OpenAI, Inc. to summarise and score tenders. We only send company-level information (no personal data) to the model. The AI output does not constitute an automated decision producing legal or similarly significant effects on individuals (Art. 22 GDPR).
11. Data Security
We implement appropriate technical and organisational measures, including TLS 1.3, AES-256 at-rest encryption, least-privilege IAM, continuous vulnerability scanning, regular pentests, and a Web Application Firewall.
12. Automated Decision-Making
We do not use personal data for automated decision-making that produces legal or similarly significant effects.
13. Changes to This Policy
We may update this Privacy Policy periodically. The current version is indicated by the “Last updated” date above. Significant changes will be notified via e-mail or in-app notice.
14. Contact
For any privacy-related questions or requests, please e-mail privacy@tenderbot.io or write to Donar Cloud-Architects GmbH, Mies-van-der-Rohe-Straße 6, 80807 Munich.
© 2025 tenderbot.io. All rights reserved.