Privacy Policy.

The plain-English version of what we do with your data. The defined terms and contractual commitments live in our Terms of Service and Data Processing Addendum.

Version v1.0 · Effective 2026-05-01

Sections: 15 (controller, processor, retention, rights)

Training use: 0 (customer data never trains models)

Section 1

Who we are

PursuitAgent is a proposal intelligence and generation platform (“PursuitAgent,” “we,” “us”). This Privacy Policy explains what personal data and customer content we collect, how we use it, who we share it with, and the choices you have. It applies to the PursuitAgent application at app.bidforge.com, the marketing site at bidforge.com, trial workspaces, and any other service that links to this policy (together, the “Service”).

This policy is a companion to our Terms of Service and our Data Processing Addendum (DPA). Where this policy uses defined terms that are not defined here — “Customer,” “Customer Data,” “Authorized User” — the Terms govern.

Section 2

The two roles we can play

PursuitAgent processes information under one of two roles, and knowing which role applies to you is the fastest way to understand what we do with your data:

  • Controller. When you visit our marketing site, sign up for an account, contact sales, subscribe to updates, or apply for a job, PursuitAgent is the controller of the limited personal data we collect for those purposes.
  • Processor. When your employer (the Customer) has a PursuitAgent subscription and you use the product as an Authorized User, PursuitAgent processes Customer Data on the Customer's behalf and under the Customer's instructions. The Customer is the controller; we process only to deliver the Service. Send data-subject requests (access, erasure, correction) to your employer first; we will support them in fulfilling the request.

Section 3

Information we collect

We collect three categories of information:

  • Account & identity data. Name, work email, organization, role, password hash, SSO subject identifiers (SAML / Okta / Azure AD / Google Workspace on Professional tier and above), and — for billing contacts — billing address and tax identifiers. You provide this directly when you sign up, are invited to a workspace, or complete a purchase.
  • Customer Data. Documents and content you or your Authorized Users upload, generate, or import: past proposals, RFP/RFQ/RFI documents, knowledge-base content blocks, drafts, comments, tags, citations, win/loss outcomes, and exemplars.
  • Usage & telemetry data. Product analytics (events, page views, feature usage) collected via PostHog; HTTP request metadata; audit-log entries for privileged actions (who did what, when, from where); error traces. Telemetry is scoped to the PursuitAgent application and does not track you across other websites.

Section 4

How we use it

We use account and usage data to operate and secure the Service, authenticate users, bill subscriptions, respond to support requests, send operational email (service notices, invoices, security alerts), and improve the product. We use Customer Data only to deliver the features the Customer has enabled — indexing into the KB, running RFP extraction, generating grounded drafts, rendering citations, and supporting audit/export.

We do not sell personal data. We do not share personal data with advertisers. We do not use Customer Data or your account activity to train our own models or any third-party model. §6 below explains the AI-specific commitments in detail.

Section 5

Legal bases (EEA / UK)

If you are in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing personal data are:

  • Contract — to provide the Service to you or your employer (Art. 6(1)(b) GDPR).
  • Legitimate interests — to secure the Service, prevent abuse, diagnose errors, and communicate with customers about operational matters (Art. 6(1)(f) GDPR). You may object; see §11.
  • Consent — where required for non-essential cookies, marketing email, or similar (Art. 6(1)(a) GDPR). You may withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, and lawful requests from authorities (Art. 6(1)(c) GDPR).

Section 6

AI, model providers, and the Grounded-AI Pledge

PursuitAgent uses third-party AI providers (Anthropic, OpenAI, Google AI) to run extractions, embeddings, and drafting. Our contracts with these providers prohibit them from using API inputs (including any Customer Data passed to them) to train their models. We re-validate these terms each quarter; customers may request the attestation under NDA.

Our product-level commitments are consolidated in the Grounded-AI Pledge, which is incorporated by reference into every Customer MSA. In summary: PursuitAgent drafts only from the Customer's approved knowledge base and the RFP in question, never from general training data, and every AI-drafted sentence is cited back to a specific KB source. Violations give the Customer a termination right.

RFP analysis and proposal-drafting uploads are covered by the same never-train-on-data commitment.

Section 7

Sharing and subprocessors

We share personal data and Customer Data only with subprocessors who perform operational functions under contract — cloud hosting, object storage, email delivery, analytics, extraction, and AI inference. Our current subprocessor list, including purpose and processing region, is published at /trust/security and kept current. We give Customers at least 30 days' advance notice (by email to the workspace admin contact) before adding or replacing a subprocessor that processes Customer Data; Customers may object on reasonable grounds and terminate the affected part of the subscription if we cannot accommodate the objection.

We may also disclose information (a) to comply with a lawful request from a government authority with jurisdiction, (b) to enforce our Terms or protect the rights, safety, or property of PursuitAgent, our users, or the public, or (c) in connection with a merger, acquisition, or sale of assets, subject to reasonable confidentiality protections and continuity of this policy.

Section 8

Retention

Retention depends on the type of data:

  • Account data. Kept for the life of the account plus 30 days after deletion, then purged (except records we must retain for tax/accounting, typically 7 years).
  • Customer Data in a paid workspace. Retained while the subscription is active. On termination, the Customer has 30 days to export; after that, Customer Data is deleted within 60 days, except backups, which roll off within 90 days.
  • Trial and paid workspace uploads. Source files, extracted text, embeddings, and generated artifacts remain available in the workspace so the Customer can review, reuse, export, or delete them. Workspace administrators may request assisted deletion through privacy@bidforge.com.
  • Support correspondence. Retained for 2 years from the last message.
  • Audit logs for privileged actions. 90 days rolling.
  • Billing records. 7 years (statutory).

Section 9

Security

We apply administrative, technical, and physical safeguards appropriate to the sensitivity of the data and the state of the art. Highlights: TLS 1.2+ in transit; AES-256 at rest across Postgres, object storage, and compute volumes; per-company API keys encrypted at the application layer; signed URLs with short TTLs for object-storage access; role-based access control; SSO/SAML on Professional tier and above; and an audit log for every privileged action with 90-day retention.

Our SOC 2 Type II audit is in progress; the Type II report will be available under NDA when issued. The full program, current subprocessor list, and a vulnerability-disclosure contact are at /trust/security. Report suspected vulnerabilities to security@bidforge.com; we commit to acknowledging within 48 hours and triaging within 5 business days.

No security program eliminates all risk. If a breach affecting your personal data or Customer Data occurs, we will notify the affected Customer without undue delay and, where required, data-protection authorities and affected individuals, in each case within the timelines required by applicable law.

Section 10

International transfers

PursuitAgent operates primarily in the United States. Customer Data is stored on US infrastructure (Railway / GCP-backed) and processed by subprocessors listed at /trust/security, most of which are US-based. Where personal data originates in the EEA, UK, or Switzerland and is transferred to the US, we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, with supplementary measures documented in our DPA. Customers may request an EU-region deployment roadmap status update at privacy@bidforge.com.

Section 11

Your rights

Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to the processing of your personal data, and to withdraw consent where processing is consent-based. Residents of California (CCPA/CPRA), Colorado, Connecticut, Virginia, Utah, Texas, and similar US states have equivalent rights, including the right not to be discriminated against for exercising them.

To exercise rights as an Authorized User of a paid workspace, contact your employer (the Customer) first — they control the data. For data PursuitAgent controls (marketing, sales, direct account signups), email privacy@bidforge.com. We verify requests by matching the requester against the account on file and reply within 30 days (sometimes extended to 60 where permitted). You also have the right to lodge a complaint with a supervisory authority in your jurisdiction.

PursuitAgent does not sell personal data and does not use it for targeted advertising. The Global Privacy Control (GPC) signal is honored on the marketing site.

Section 12

Cookies and analytics

The marketing site (bidforge.com) sets a minimal set of first-party cookies for session continuity and CSRF protection, and uses PostHog for product analytics with IP addresses truncated at ingest. We do not use third-party advertising cookies. The application (app.bidforge.com) sets only authentication and session cookies strictly necessary to operate the Service.

Where required, a cookie banner requests consent before any non-essential analytics run. Consent can be changed at any time from the banner's re-open link in the footer.

Section 13

Children

The Service is a B2B product intended for use by employees of our Customers. It is not directed to children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@bidforge.com and we will delete it.

Section 14

Changes to this policy

We will update this policy when our practices change or when the law requires us to. The “Effective” date at the top always reflects the current version. Material changes — anything that expands the categories of data we collect, broadens sharing, weakens the AI commitments in §6, or shortens data-subject rights — get at least 30 days' advance notice to workspace administrators via email, and we link the previous version in the changelog below.

Section 15

Contact

Privacy questions, DSAR / erasure requests, and DPA requests: privacy@bidforge.com. Security issues and coordinated disclosure: security@bidforge.com. Postal mail and the name of our EU / UK representative will be added here before GA; until then, email is the primary channel and we reply within 2 business days.

Changelog

  • 2026-05-01 v1.0 — Published customer-facing privacy policy aligned with the current trial and paid workspace flow.

Two pages you should also read.

The Grounded-AI Pledge is the contractual commitment on how we handle your content. The security page lists subprocessors, encryption posture, and trust status.