Se connecter Essai gratuit
← Back to home

Last updated: 10 May 2026

Privacy Policy

NEXITERA, publisher of TenderCopilot, is committed to protecting your privacy and processing your personal data in full compliance with the EU General Data Protection Regulation (GDPR — Regulation EU 2016/679) and applicable French data protection law. This policy applies to all users of the TenderCopilot service, including users based in the UAE and other international markets.

1. Data Controller

NEXITERA — SAS (French company), share capital EUR 1,000
15 rue du 8 mai 1945, 95110 Sannois, France
RCS Pontoise — SIREN 937 848 505
Contact: contact@tendercopilot.fr

2. Data We Collect and Why

2.1 Account Data

When you create a TenderCopilot account, we collect:

  • Professional email address
  • First and last name (optional at registration)
  • Organisation name and industry sector
  • Organisation profile (activity sectors, references, monitoring keywords)

Legal basis: Performance of contract (GDPR Article 6.1.b).

2.2 Usage and Navigation Data

We automatically collect the following data when you use the application:

  • IP address and browser type (security logs)
  • Pages and features accessed, timestamps of actions
  • Aggregated usage metrics (number of analyses, feature usage frequency)

Legal basis: Legitimate interest in service security and improvement (GDPR Article 6.1.f).

2.3 Tender Documents

PDF files and documents uploaded to TenderCopilot are transmitted to our AI analysis engine to produce the requested outputs. These documents are treated with strict confidentiality:

  • They are not retained beyond the time required to complete the analysis
  • They are never used to train AI models, nor shared with third parties for commercial purposes
  • Analysis outputs (scores, summaries, draft responses) are retained in your workspace until you delete them or cancel your account

Legal basis: Performance of contract (GDPR Article 6.1.b).

2.4 Billing Data

Payment transactions are handled by our payment processor Stripe. NEXITERA retains only the data necessary for invoicing: amount, date, transaction reference, and billing details.

Legal basis: Legal obligation — accounting records must be retained for 10 years under French law (GDPR Article 6.1.c).

2.5 Communications

We use your email address to send:

  • Transactional emails related to your account (registration confirmation, password reset, monitoring alerts)
  • Product updates and new feature announcements (opt-out available at any time)

Legal basis: Performance of contract for transactional emails; legitimate interest for product communications (GDPR Article 6.1.f).

3. Sub-Processors and Data Transfers

NEXITERA uses the following sub-processors, all bound by confidentiality and security obligations:

Sub-processor Role Data location
Microsoft Azure Cloud infrastructure, database hosting, AI model (Azure OpenAI Service) France Central (Île-de-France) — EU
Stripe Technology Europe Payment processing Ireland — EU
Resend Transactional email delivery Ireland (eu-west-1) — EU

All personal data is processed and stored within the European Union. No personal data is transferred to countries outside the EU/EEA without appropriate safeguards (EU Standard Contractual Clauses or European Commission adequacy decision).

Note for UAE users: Your data is stored on Microsoft Azure France Central. NEXITERA commits to migrating UAE client data to Azure UAE North (Abu Dhabi) once that infrastructure is deployed, in accordance with the UAE Personal Data Protection Law (PDPL — Federal Decree-Law No. 45 of 2021). You will be notified in advance of any such migration.

4. Retention Periods

Data Category Retention Period
Active account data Duration of subscription + 1 year after cancellation
Uploaded documents (PDFs) Duration of analysis session — not archived
Analysis results and workspace Duration of subscription; deleted 30 days after cancellation
Billing data 10 years (French statutory accounting obligation)
Security logs 90 rolling days
Deleted account data Deleted within 30 days of request

5. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain a copy of your data
  • Right of rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data, subject to statutory retention obligations
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to restriction (Art. 18) — temporarily restrict the processing of your data

To exercise any of these rights, contact us at: contact@tendercopilot.fr. We will acknowledge your request within 48 hours and respond within one month.

You may also lodge a complaint with the French data protection authority (CNIL): www.cnil.fr. UAE-based users may additionally contact the UAE Data Office: tdra.gov.ae.

6. Cookies

TenderCopilot uses only strictly necessary cookies:

  • Session cookie — maintains your login during your browsing session
  • Preference cookie — stores your display preferences (duration: 1 year)

We do not use advertising cookies, cross-site tracking cookies or social media pixels. No consent is required for these essential functional cookies.

7. Security

NEXITERA implements appropriate technical and organisational measures to protect your data against unauthorised access, loss or alteration:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • JWT-based authentication with short-lived tokens
  • Infrastructure on Microsoft Azure (ISO 27001, SOC 2 certified)
  • Production data access restricted to authorised team members only
  • Regular code security reviews

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, NEXITERA will notify the CNIL within 72 hours and inform you without undue delay, in accordance with GDPR Article 33.

8. Policy Updates

NEXITERA reserves the right to update this privacy policy. In the event of a material change, we will notify you by email or via a prominent notice on the platform before the changes take effect. Your continued use of the service after notification constitutes acceptance of the updated policy.