Privacy Policy

Last updated: 20. April 2026

Data Controller

Ruzicic IT
Company ID: CHE-354.595.375
Via al Mulin 1
6803 Camignolo TI, Switzerland
Email: privacy@tenderlift.ch

1. Information We Collect

1.1 Information You Provide

  • Account Information: Email address, password (encrypted), name
  • Company Information: Company name, UID from ZEFIX, canton, industry
  • Preferences: CPV codes, tender categories, notification settings
  • Communications: Support emails, feedback, feature requests

1.2 Information from Public Sources

  • ZEFIX Data: Company registration details, address, legal form
  • SIMAP Data: Public tender information relevant to your company

1.3 Automatically Collected Information

  • Usage Data: Features used, searches performed, tenders viewed
  • Technical Data: IP address (for security), browser type, device information
  • Essential Cookies: Session management, security tokens, language preference (see section 4)

2. Legal Basis for Processing

We process your data based on:

  • Contract Performance (Art. 31 para. 1 lit. a revFADP / Art. 6(1)(b) GDPR): To provide our tender matching services
  • Legitimate Interests (Art. 31 para. 1 lit. a revFADP / Art. 6(1)(f) GDPR): For security, fraud prevention, and service improvements
  • Consent (Art. 31 para. 1 lit. a revFADP / Art. 6(1)(a) GDPR): For marketing communications (if you opt in)
  • Legal Obligations (Art. 31 para. 1 lit. b revFADP / Art. 6(1)(c) GDPR): Swiss accounting and tax requirements

3. How We Use Your Information

  • Match relevant tenders to your company profile
  • Send tender alerts and deadline reminders
  • Provide AI-powered tender summaries and analysis
  • Process payments and manage subscriptions
  • Send service updates and important notices
  • Send marketing communications (only with your consent)
  • Improve our services through aggregated analytics
  • Ensure platform security and prevent abuse
  • Comply with legal and regulatory requirements

Product use and customer support. We record product-usage events — such as sign-up, onboarding completion, preview opens, and tender clicks — and link them to your account so we can offer timely, relevant support and improve the product. We rely on our legitimate interest in supporting and improving the service (Art. 31 para. 1 lit. b revFADP / Art. 6(1)(f) GDPR), and where this processing is directly connected to delivering the service you signed up for, on the performance of our contract with you (Art. 31 para. 2 lit. a revFADP / Art. 6(1)(b) GDPR). Events are accessible only to authorized TenderLift staff and processors, retained for the duration of your account, and deleted within 30 days of account closure.

API and MCP request logging. When you call the TenderLift API or the MCP server (mcp.tenderlift.ch) with an API key, we record each request — endpoint, status code, latency, and API key identifier — for billing, abuse triage, and security review. We intentionally do not store the contents of MCP tool arguments. We rely on our legitimate interest in operating and securing the service (Art. 31 para. 1 lit. b revFADP / Art. 6(1)(f) GDPR). Request logs are retained for 90 days and then automatically deleted.

4. Cookies and Tracking

We use only essential cookies required for functionality:

  • __cf_bm: Cloudflare bot protection (30 minutes)
  • __session: Authentication state (session only)
  • locale: Language preference (1 year)

We use Cloudflare Web Analytics and PostHog for cookie-less, privacy-preserving analytics. PostHog is hosted in the EU and accessed through our own proxy domain — no third-party cookies are set. PostHog also records anonymized session replays (mouse movement, clicks, page navigation) to help us diagnose bugs and improve usability. All form inputs, passwords, and payment details are masked and never transmitted. Recordings are stored in the EU and retained for a limited period.

5. Data Sharing

5.1 Service Providers

We share data with these processors under data processing agreements:

  • Cloudflare: Infrastructure, security, and analytics (EU/US)
  • PostHog: Product analytics and masked session replays, EU-hosted, cookie-less (EU)
  • PlanetScale: Database hosting (US, SOC 2 compliant)
  • Stripe: Payment processing (when implemented)

5.2 Legal Requirements

We may disclose data when required by law, court order, or Swiss authorities.

5.3 Business Transfers

In case of merger or acquisition, data may be transferred with appropriate protections.

6. International Data Transfers

For transfers outside Switzerland/EU:

  • EU: Adequacy decision ensures equivalent protection
  • US: Standard Contractual Clauses and additional safeguards
  • Data Privacy Framework certification for US processors

7. Data Retention

  • Account Data: Duration of account plus 30 days
  • Financial Records: 10 years (Swiss OR Art. 957)
  • Support Communications: 2 years
  • Technical Logs: 90 days
  • Marketing Consent: Until withdrawn or 3 years inactive

8. Your Rights

Under Swiss revFADP and EU GDPR, you have the right to:

  • Access: Request a copy of your personal data (Art. 25 revFADP / Art. 15 GDPR)
  • Rectification: Correct inaccurate data (Art. 32 para. 1 revFADP / Art. 16 GDPR)
  • Erasure: Delete your data where legally permitted (Art. 17 GDPR)
  • Restriction: Limit processing of your data (Art. 18 GDPR)
  • Portability: Receive your data in a machine-readable format (Art. 28 revFADP / Art. 20 GDPR)
  • Object: Oppose processing for direct marketing (Art. 30 revFADP / Art. 21 GDPR)
  • Withdraw Consent: Revoke consent at any time

To exercise these rights, contact: privacy@tenderlift.ch

Account Deletion

To request deletion of your account and personal data, email privacy@tenderlift.ch. We will verify your identity and process the request within 30 days. Upon deletion:

  • Your account, preferences, saved searches, alerts, and activity history are permanently removed
  • Marketing contacts in third-party systems (e.g. email automation) are deleted
  • Any active subscription is canceled with no further charges
  • Public procurement data (SIMAP tenders) is not affected — these are public records
  • Anonymized delivery logs may be retained for up to 30 days, based on our legitimate interest in fraud prevention (GDPR Art. 17(3)(e) / revFADP Art. 32)

You will receive a confirmation email once the deletion is complete.

9. Data Security

We implement appropriate technical and organizational measures:

  • Encryption in transit (TLS 1.3) and at rest
  • Regular security assessments and updates
  • Access controls and authentication
  • Incident response procedures
  • Employee data protection training

10. Children's Privacy

Our services are not intended for individuals under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

11. Automated Decision-Making

We use AI for tender matching and summarization, but all significant decisions (like account suspension) involve human review. You can request human review of any automated decision affecting you.

12. Supervisory Authorities

You have the right to lodge a complaint with:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
    Website: www.edoeb.admin.ch
  • EU: Your local data protection authority

13. Updates to This Policy

We will notify you of material changes via email or prominent notice on our platform. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy questions or to exercise your rights:
Email: privacy@tenderlift.ch
Response Time: Within 30 days