RFP Matrix

Privacy Policy

Last updated: January 2026 | Version 1.0

1. Introduction

RFP Matrix ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our RFP (Request for Proposal) management platform.

We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Information We Collect

2.1 Account Information

  • Email address
  • Name (optional)
  • Password (stored as a secure hash)
  • Account creation date

2.2 RFP Documents

When you upload RFP documents, we collect and process:

  • Document content (PDF or Word files)
  • Extracted text from documents
  • AI-extracted requirements
  • Your draft responses and internal notes
  • Project names and company names you specify

2.3 Usage Data

  • IP addresses
  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Actions taken within the platform

2.4 Payment Information

If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number. We receive only:

  • Last four digits of your card
  • Card brand (Visa, Mastercard, etc.)
  • Billing address
  • Stripe customer ID

3. How We Use Your Information

We use your information to:

  • Provide and maintain the RFP Matrix service
  • Process your RFP documents and extract requirements
  • Generate AI-powered draft responses
  • Process payments and manage subscriptions
  • Send service-related communications
  • Improve and optimize our service
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

4. AI Processing

We use OpenAI's API to analyze your RFP documents and generate draft responses. When you upload a document:

  • Document text is sent to OpenAI for processing
  • OpenAI may retain data for up to 30 days for abuse monitoring
  • OpenAI does not train their models on data sent via their API
  • We do not share your personal account information with OpenAI

For more information, see OpenAI's Privacy Policy.

5. Data Sharing and Third Parties

We share your data with the following service providers:

5.1 OpenAI

Purpose: AI-powered document analysis and response generation

5.2 Stripe

Purpose: Payment processing

5.3 Hosting Provider

Purpose: Infrastructure and data storage

We do not sell your personal information to third parties. We do not share your data with advertisers.

6. Data Retention

  • Account data: Retained until you delete your account
  • Projects and requirements: Retained until you delete them or your account
  • Audit logs: Retained for 2 years for compliance purposes
  • Consent records: Retained for 7 years to demonstrate compliance

After account deletion, we may retain anonymized data for analytics purposes.

7. Your Rights Under GDPR

If you are in the European Economic Area (EEA) or UK, you have the right to:

  • Access: Request a copy of your personal data (Article 15)
  • Rectification: Correct inaccurate data (Article 16)
  • Erasure: Request deletion of your data ("right to be forgotten") (Article 17)
  • Portability: Receive your data in a machine-readable format (Article 20)
  • Object: Object to processing of your data (Article 21)
  • Restrict processing: Request limitation of processing (Article 18)
  • Withdraw consent: Withdraw consent at any time (Article 7)

To exercise these rights, visit your account settings or contact us at the address below.

8. Your Rights Under CCPA

If you are a California resident, you have the right to:

  • Know what personal information we collect
  • Know whether your personal information is sold or disclosed
  • Say no to the sale of personal information
  • Request deletion of your personal information
  • Not be discriminated against for exercising your rights

See our California Privacy Rights page for more details.

9. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential cookies: Required for authentication and security
  • Preference cookies: Remember your settings
  • Analytics cookies: Understand how you use our service (with consent)

See our Cookie Policy for details and to manage your preferences.

10. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest for sensitive data
  • Secure password hashing (bcrypt)
  • Rate limiting and abuse prevention
  • Regular security audits
  • Access controls and authentication

11. International Transfers

Your data may be transferred to and processed in countries outside your country of residence, particularly the United States, where our primary sub-processors are located. We ensure appropriate safeguards are in place as required by GDPR Chapter V.

11.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): We use the European Commission's 2021 SCCs (Commission Implementing Decision (EU) 2021/914) with all US-based sub-processors
  • Data Processing Agreements: Binding contracts ensuring GDPR-equivalent protections

11.2 Sub-processor Locations

Sub-processor    Location                 Safeguards
OpenAI           United States            SCCs + DPA + Encryption
Stripe           United States            SCCs + DPA + PCI-DSS
Vercel           United States / Global   SCCs + DPA + Edge encryption

11.3 Supplementary Measures

Following the Schrems II decision, we implement additional technical and organisational measures:

  • End-to-end encryption for data in transit (TLS 1.2+)
  • Encryption at rest for all stored data
  • Data minimisation - we only transfer data necessary for each service
  • Pseudonymisation where technically feasible
  • Regular review of sub-processor security certifications

11.4 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for each US sub-processor to evaluate the legal framework in the destination country and the effectiveness of our supplementary measures. These assessments are reviewed annually and are available to enterprise customers upon request.

For questions about international transfers or to request TIA summaries, contact our DPO at dpo@rfpmatrix.com.

12. Children's Privacy

RFP Matrix is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for material changes

14. Contact Us

For privacy-related questions or to exercise your rights, contact us at:

  • Email: privacy@rfpmatrix.com
  • Data Protection Officer: dpo@rfpmatrix.com

If you are in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

15. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

  • Contract: To provide our service to you
  • Consent: For marketing communications and analytics cookies
  • Legitimate interest: For fraud prevention and service improvement
  • Legal obligation: To comply with laws and regulations

© 2026 RFP Matrix. All rights reserved.