This document is provided in English. If you need this document in another language, please contact us at support@trueleveler.com.
Overview
Short version: Your documents are never stored. They are processed in memory and discarded immediately after analysis. We never use your procurement documents to train AI models. We collect only what's needed to run the service and communicate results.
Trueleveler ("we", "our", "us") operates the AI procurement analysis platform available at trueleveler.com and its subdomains. This Privacy Policy explains how we collect, use, and protect information when you use our services.
By using Trueleveler, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.
What We Collect
Account information
When you create an account, we collect your email address and a password (stored as a one-way hash). You may optionally provide your name and company. We do not collect payment card details directly — all billing is handled by Stripe, which is PCI-DSS Level 1 certified.
Usage data
We collect anonymised usage telemetry: which analysis engines you use, how many analyses you run, general session duration, and error rates. This data does not include the contents of your documents. It is used to improve product reliability and prioritise features.
Communications
If you contact us by email or submit a free analysis request, we store the email address and message content to respond to your enquiry and deliver your results. Free analysis result emails are sent via our transactional email provider (Resend) and are retained for 30 days for deliverability purposes.
Technical data
We collect standard server logs including IP address, browser type, referring URL, and timestamps. These are retained for up to 90 days for security and abuse prevention purposes.
Your Documents
Documents are never stored. Files you upload — bid documents, contracts, invoices, POs, RFQs — are transmitted over TLS 1.3, processed entirely in server memory, and discarded immediately after the analysis response is returned. We do not write your documents to any database, object storage, or log file.
Document content is transmitted to an AI processing API for analysis. This transmission is covered by the provider's API data processing terms, which prohibit the provider from using API-submitted data to train its models.
We never use your procurement documents, bid data, or contract contents to train our own models or any third-party model.
How We Use Your Data
We use the data we collect for the following purposes:
- Service delivery — to run analyses, deliver results by email, and maintain your account history
- Product improvement — anonymised usage patterns to fix bugs, improve accuracy, and prioritise features
- Security — to detect and prevent abuse, fraud, and unauthorised access
- Communications — to send you your analysis results, account notices, and (with your consent) product updates
- Legal compliance — to comply with applicable law, regulations, and lawful requests from authorities
We do not use your data for advertising. We do not sell your data to any third party. We do not use your documents or analysis results for any purpose other than delivering the service to you.
Data Sharing
We share data only with the following categories of service providers, under contractual obligations that restrict their use of the data:
- Supabase — database and authentication (account data, session history). Hosted on AWS US-East.
- AI Processing API — AI analysis processing (document content, in transit only, not stored)
- Vercel — hosting and edge compute infrastructure
- Stripe — payment processing (billing data only; we never see raw card numbers)
- Resend — transactional email delivery (email address and analysis result content, 30-day retention)
We do not share your data with advertisers, data brokers, or analytics resellers. We do not sell personal data under any circumstances.
In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity, subject to the same privacy protections described here. We will notify affected users by email prior to any such transfer.
Data Retention
- Analysis documents: Processed in memory only, never stored after analysis
- Analysis results (saved sessions): Retained until you delete them or close your account
- Procurement Tracker data: Items you add to the Procurement Tracker (descriptions, PO numbers, vendor details, amounts, dates) are stored persistently in your account database and retained until you delete them or close your account
- Submittal Tracker data: Submittals, revision history, and extracted spec text are stored persistently in your account database and retained until you delete them or close your account
- Vendor Database: Vendor names, contact details, ratings, and notes are stored persistently in your account database and retained until you delete them or close your account
- Account data: Retained until you request deletion, plus 30 days for processing
- Free trial data: Retained for 90 days, then automatically deleted unless you create an account
- Email analytics: Retained for 12 months
- Server logs: 90 days
- Billing records: 7 years (legal requirement)
Security
We take the security of construction procurement data seriously. Our security measures include:
- TLS 1.3 encryption for all data in transit
- In-memory-only document processing — no documents written to persistent storage
- Supabase row-level security — users can only access their own data
- Server-side API key management — your AI analysis requests are proxied server-side; API keys are never exposed to the browser
- SOC 2 Type II audit in progress — target completion Q3 2026; audit report not yet available
No system is perfectly secure. If you discover a security vulnerability, please report it to [email protected]. We aim to respond to security reports within 24 hours.
GDPR Rights (EEA & UK Users)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:
- Access — you can request a copy of the personal data we hold about you
- Rectification — you can correct inaccurate data via your account settings or by contacting us
- Erasure — delete your account and data by emailing support@trueleveler.com with subject "Erasure Request." We will confirm deletion within 14 days. Billing records required by law may be retained per our retention schedule.
- Portability — request your data in JSON format by emailing support@trueleveler.com with subject "Data Portability Request." We will provide your account profile, saved analysis metadata, and activity log within 30 days. Note: original uploaded documents are not retained and cannot be exported.
- Restriction — you can ask us to restrict processing of your data in certain circumstances
- Objection — you can object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time
Our lawful basis for processing is: contract performance (to deliver the service you signed up for), legitimate interests (security, fraud prevention, product improvement), and consent (marketing communications).
How to Exercise Your Rights
- Email support@trueleveler.com with your request
- We will verify your identity and respond within 30 days
- For erasure requests: we will delete your account, all saved analyses, vendor data, and project data within 14 days of confirmation. Billing records required by law may be retained per our retention schedule.
- For data portability: we will provide a JSON export of your data — including your account profile, saved analysis metadata, vendor records, and activity log — within 14 days. Note: original uploaded documents are not retained and cannot be exported.
You also have the right to lodge a complaint with your national data protection authority.
Data Protection Officer: Trueleveler is not required to designate a Data Protection Officer under GDPR Article 37. For all privacy matters, contact support@trueleveler.com.
CCPA Rights (California Residents)
Under the California Consumer Privacy Act (CCPA), California residents have the right to:
- Know what personal information we collect and how it is used
- Request deletion of personal information
- Request a copy of your personal information in a portable, commonly used format
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising CCPA rights
How to Exercise Your CCPA Rights
- Email support@trueleveler.com with the subject line "CCPA Request"
- We will verify your identity and respond within 45 days
- For deletion requests: we will delete your account, all saved analyses, vendor data, and project data within 14 days of identity verification. Billing records required by law may be retained per our retention schedule.
- For data access requests: we will provide a copy of all personal information collected, including your account profile, saved analysis metadata, and activity log, within 45 days
- For data portability requests: we will provide your data in JSON format — including your account profile, saved analysis metadata, vendor records, and activity log — within 45 days. Note: original uploaded documents are not retained and cannot be exported.
We do not sell personal information and therefore do not offer a "Do Not Sell" opt-out. We will not discriminate against you for exercising any CCPA rights.
Data Erasure & Data Portability
Regardless of where you are located, you can request deletion of your data or a portable copy of your data at any time. Here is a summary of the process:
To request data erasure or a data export, email support@trueleveler.com. Use the subject line "Erasure Request" or "Data Export Request." We will verify your identity and process your request within the applicable timeframe.
Data Erasure (Right to Deletion)
- What is deleted: Your account, all saved analyses, vendor records, project data, and activity logs
- What may be retained: Billing records required by law (up to 7 years per our retention schedule) and anonymised, aggregated usage data that cannot identify you
- Timeline: We will verify your identity and complete the deletion within 14 days of confirmation. Under GDPR, we respond within 30 days; under CCPA, within 45 days.
- Confirmation: You will receive an email confirming that your data has been deleted
Data Portability (Right to Export)
- Format: Your data will be provided in machine-readable JSON format
- What is included: Account profile, saved analysis metadata, vendor records, project data, and activity log
- What is not included: Original uploaded documents (these are processed in memory only and are never stored)
- Timeline: We will deliver the export within 14 days. Under GDPR, the maximum response time is 30 days; under CCPA, 45 days.
- Delivery: The export file will be sent to your verified account email address via a secure, time-limited download link
If you have questions about either process, contact support@trueleveler.com.
Cookies & Tracking
We use a minimal set of cookies necessary to operate the service:
- Session cookies — to keep you logged in (Supabase authentication token, first-party, session-scoped)
- Preference cookies — to remember your UI preferences such as currency selection (first-party, 1-year expiry)
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics, Facebook Pixel, or similar advertising-network trackers. If we add analytics in the future, we will update this policy and provide an opt-out mechanism.
Local Storage
We use browser localStorage to persist your preferences locally on your device. This data is never sent to our servers. Items stored include:
- Language and currency preferences
- UI settings (dark mode, reviewer name)
- Cookie consent choice
- Email notification preference
- Company logo (if uploaded, stored as image data on your device only)
You can clear localStorage at any time through your browser settings.
Children's Privacy
Trueleveler is a business-to-business software service. It is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision. Continued use of the service after a policy update constitutes acceptance of the revised terms.
For privacy-related questions, data requests, or to exercise your rights:
Trueleveler · trueleveler.com · Privacy Policy · Effective March 1, 2026