Rules

Privacy Policy

Updated: 15 June 2026

This document is provided in English. The English version is the legally binding one.

This Privacy Policy explains how Bidrock, UAB collects, uses, shares and protects personal data when you visit our websites, register for or use the Bidrock platform, or otherwise interact with us, and the rights you have under the EU General Data Protection Regulation (the "GDPR"). It supplements our Terms & Conditions.

1. Who We Are (Data Controller)

The data controller responsible for the processing described in this Policy is:

Bidrock, UAB, a private limited liability company established under the laws of the Republic of Lithuania
Company code 307144999 · VAT code LT100017806813
Registered office: Draugystės g. 17-1, LT-51229 Kaunas, Lithuania
Email: admin@bidrock.io

We have not appointed a data protection officer, as we are not required to do so. For any question about this Policy or about your personal data, contact us at admin@bidrock.io.

2. Scope - Controller and Processor Roles

This Policy covers the personal data we process as a controller: data about visitors to our websites (bidrock.io and its subdomains), prospective customers, account holders and their authorized users, and contact persons appearing in public procurement sources.

Where you or your organisation upload content to the platform ("Customer Data" - for example documents, product catalogues or files that may contain personal data of your employees, clients or other persons), we process that personal data as a processor on your organisation's behalf and on its documented instructions. Section 6 explains this in more detail; your organisation remains the controller of that data.

This Policy does not cover third-party websites we link to (for example LinkedIn); their own privacy notices apply.

3. Personal Data We Collect

Account and contact data. When you create an account, book a demo, subscribe to updates or contact us, we collect the data you provide: name, work email address, phone number, company name and details, job role, password (stored in hashed form), language and similar account settings.

Billing data. For paid plans we process invoicing details (company name, code, VAT number, billing address) and records of payments. Card details are collected and processed by our payment service provider, not stored by us.

Usage and device data. When you use our websites or the platform, we automatically collect technical data: IP address, browser type and version, device and operating system, pages viewed, features used, timestamps, referral source, and similar log and analytics data (see Section 7 on cookies).

Communications. Emails, support requests, demo calls and other correspondence with us, including the contact details you use and the content of the messages.

Public procurement (tender) data. The platform aggregates information about public tenders from publicly available sources - national procurement registers, the EU Tenders Electronic Daily (TED) database and contracting authorities' platforms. These sources can include limited personal data of contact persons acting in a professional capacity (for example a contracting authority representative's name, work email and phone number published in a tender notice). We process this data because it is published precisely so that bidders can use it; we do not enrich it with data about those persons from other contexts.

Customer Data. Content you or your authorized users upload to the platform, processed on your organisation's behalf as described in Section 6.

We do not intentionally collect special categories of personal data (such as health data or political opinions) and ask that you do not submit them to us.

We process personal data only where a legal basis under Article 6 GDPR applies:

  • To provide the Services - creating and managing accounts, authenticating users, operating platform features, providing support, and sending service messages (such as renewal, security or change notices). Legal basis: performance of a contract (Art. 6(1)(b) GDPR) or steps taken at your request before entering into one.
  • To bill and account - invoicing, payment collection, tax and accounting records. Legal basis: performance of a contract (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)), in particular Lithuanian accounting and tax law.
  • To secure and improve the Services - monitoring, logging, preventing fraud and abuse, debugging, measuring how features are used, and developing the Services using aggregated or de-identified information. Legal basis: our legitimate interests (Art. 6(1)(f)) in keeping the Services secure, reliable and improving them.
  • To make tender information searchable - aggregating and displaying publicly published procurement information, including professional contact details of contracting authority representatives. Legal basis: our legitimate interests (Art. 6(1)(f)) and those of our customers in accessing public procurement information that was published for this purpose.
  • To market our Services - sending newsletters and product updates where you have subscribed, and contacting business representatives about our Services. Legal basis: your consent (Art. 6(1)(a)), which you can withdraw at any time, or our legitimate interests (Art. 6(1)(f)) in marketing our Services to existing customers and relevant businesses, with an opt-out in every message.
  • To establish, exercise or defend legal claims and comply with law - responding to lawful requests from authorities, enforcing our Terms, resolving disputes. Legal basis: legal obligation (Art. 6(1)(c)) or legitimate interests (Art. 6(1)(f)).

Where we rely on legitimate interests, we have balanced them against your rights and freedoms; you can object as described in Section 11. We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you (Art. 22 GDPR) - AI features of the platform are decision-support tools whose output is reviewed and acted on by people.

5. AI Features

The platform includes AI-powered features (document analysis, summaries, matching and assistant-style features). Inputs you submit to AI features and the generated output are processed to provide the feature, on the legal bases set out in Section 4. We do not use your confidential Customer Data to train models made available to other customers unless you expressly agree otherwise. Where AI features are delivered using third-party model providers, those providers act as our processors under contracts restricting their use of the data (see Section 8).

6. Customer Data - Bidrock as Processor

Where Customer Data contains personal data, your organisation is the controller and Bidrock is the processor under Article 28 GDPR. This means we:

  • process such data only on your documented instructions (as set out in the Terms, your use of platform features, and any other written instructions);
  • keep it confidential and require the same of our personnel;
  • implement appropriate technical and organisational security measures;
  • engage subprocessors only under contracts imposing equivalent data protection obligations (see Section 8);
  • assist you, taking into account the nature of the processing, with data subject requests and your other GDPR obligations; and
  • delete or return the data at the end of the engagement, as described in the Terms.

A data processing agreement (DPA) under Article 28 GDPR governing this processing is available - contact us at admin@bidrock.io. If a person whose data appears in Customer Data contacts us directly with a privacy request, we will refer them to the relevant customer (the controller) unless the law requires otherwise.

7. Cookies and Similar Technologies

Our websites and platform use cookies and similar technologies:

  • Strictly necessary - required for the site and platform to function (for example session, authentication and security cookies). These do not require consent.
  • Analytics - with your consent, we use Google Analytics 4 (cookies such as _ga and _ga_*, stored for up to 2 years) to understand how visitors use our websites. We apply Google Consent Mode, so analytics cookies are set only after you accept; until then GA runs in a cookieless, non-identifying mode. Our website platform (Framer) also collects aggregated page-view events. The resulting statistics are aggregated and do not identify you to us.
  • Session analytics and heatmaps - with your consent, we use Contentsquare (the platform behind Hotjar) to record pseudonymised session replays and heatmaps - mouse movement, clicks, scrolling and pages viewed - so we can see how the site is used and improve it. This script loads only after you accept, and by default the text you type into forms is masked and not captured. You can withdraw consent at any time (see below).
  • Advertising - with your consent, we use Google Ads to measure our advertising and to show relevant ads to people who have visited our website (remarketing). Google's advertising cookies and identifiers are set only after you accept - under Google Consent Mode the ad_storage, ad_user_data and ad_personalization signals stay denied until then.

Where required by law, non-essential cookies are set only with your consent, which you can withdraw at any time. You can also control or delete cookies in your browser settings, opt out of Google Analytics via Google's opt-out browser add-on, and manage or turn off personalised ads in your Google Ads Settings; blocking strictly necessary cookies may break parts of the Services.

8. Who We Share Personal Data With

We do not sell personal data. We share it only with:

  • Service providers (processors) acting on our instructions under Article 28 GDPR contracts, in these categories: cloud hosting and infrastructure (including Google Firebase, on which our website is hosted), website and analytics services (Framer B.V.; Google Ireland Ltd for Google Analytics and Google Ads; Contentsquare SAS for session analytics and heatmaps), email and communications tools, payment service providers, customer support tools, and AI model providers used to deliver AI features.
  • Professional advisers - lawyers, accountants, auditors and insurers, where necessary and under confidentiality obligations.
  • Authorities - courts, tax, law-enforcement or supervisory authorities, where we are legally required or permitted to do so.
  • Business transfers - a buyer or successor in the event of a merger, acquisition or sale of assets, with notice to you and continued protection of your data.

A current list of our subprocessors relevant to your use of the Services is available on request at admin@bidrock.io. We will give customers prior notice of subprocessor changes as set out in the DPA.

9. International Data Transfers

We are based in the European Union and prefer to process personal data within the European Economic Area (EEA). Some of our service providers (for example Google) may process data outside the EEA, including in the United States. Where that happens, we rely on safeguards recognised by the GDPR: an adequacy decision of the European Commission (including the EU–U.S. Data Privacy Framework for certified U.S. providers) or the European Commission's Standard Contractual Clauses, with supplementary measures where needed. You can request more information about the safeguards we use at admin@bidrock.io.

10. How Long We Keep Personal Data

We keep personal data only as long as needed for the purposes described above, then delete or anonymise it:

  • Account data - for the life of your account. After termination, Customer Data export is available for 30 days (as set out in the Terms); after that we delete account and Customer Data from active systems, with residual copies removed from backups on their normal rotation cycle.
  • Billing and accounting records - 10 years, as required by Lithuanian accounting legislation.
  • Contracts and related correspondence - for the duration of the relationship plus the applicable limitation periods for legal claims (generally up to 10 years under Lithuanian law).
  • Marketing data - until you unsubscribe or withdraw consent; suppression records (so we stop contacting you) are kept thereafter.
  • Usage logs and analytics - typically up to 14 months for analytics statistics and up to 12 months for server logs, unless needed longer for security investigations.
  • Inquiries from non-customers - up to 2 years after our last contact.

Tender data sourced from public registers is retained while it remains relevant for procurement research and as published by the underlying sources.

11. Your Rights

Under the GDPR you have the right to:

  • access the personal data we hold about you and receive a copy (Art. 15);
  • rectify inaccurate or incomplete data (Art. 16);
  • erase your data in the circumstances set out in Art. 17;
  • restrict processing in the circumstances set out in Art. 18;
  • data portability - receive data you provided to us in a structured, commonly used, machine-readable format and have it transmitted to another controller (Art. 20);
  • object to processing based on legitimate interests, on grounds relating to your particular situation, and to object at any time to direct marketing (Art. 21);
  • withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).

To exercise any of these rights, email admin@bidrock.io. We may need to verify your identity, and we will respond within one month (extendable by two further months for complex requests, in which case we will tell you). Exercising these rights is free of charge unless a request is manifestly unfounded or excessive.

If you believe our processing infringes the GDPR, you have the right to lodge a complaint with a supervisory authority - in Lithuania, the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija), L. Sapiegos g. 17, LT-10312 Vilnius, vdai.lrv.lt - or with the authority of the EU member state where you live or work. We would, however, appreciate the chance to address your concern first.

12. How We Protect Personal Data

We apply technical and organisational measures appropriate to the risk, including encryption of data in transit, access controls and authentication, the principle of least privilege for personnel access, logging and monitoring, and contractual confidentiality and security obligations on our providers. No system is completely secure; if a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority and, where required, the affected persons in accordance with Articles 33–34 GDPR.

13. Children

The Services are intended exclusively for business use by adults and are not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.

14. Changes to This Policy

We may update this Policy from time to time - for example to reflect new features, providers or legal requirements. The current version, with its "Last updated" date, is always available on this page. For material changes we will notify you by email or through the Services before they take effect. Earlier versions are available on request.

15. Contact

Bidrock, UAB
Company code 307144999 · VAT code LT100017806813
Draugystės g. 17-1, LT-51229 Kaunas, Lithuania
admin@bidrock.io