Privacy Policy
Last updated: February 20, 2026
This Privacy Policy explains how Balan Bogdan Valentin, a sole proprietorship registered in Greece (ΑΦΜ: 194465389), operating as "BidLoom" ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use the BidLoom platform ("Service").
We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and applicable Greek data protection law (Law 4624/2019).
1. Data We Collect
1.1 Account Data
When you create an account, we collect:
- Email address — for authentication and communication
- Name (first and last) — for personalization and proposals
- Authentication data — managed by our auth provider (Clerk)
1.2 Business Data
When you use the Service, you may provide:
- Company information — name, address, phone, email, logo
- Labor rate settings — hourly wage, tax rates, insurance costs
- Client information — company name, contact details, address
- Bid data — facility details, areas, tasks, pricing, proposals
1.3 Payment Data
Payment processing is handled entirely by Stripe. We do not store your credit card number, CVC, or full payment details. We only store your Stripe customer ID and subscription status.
1.4 Automatically Collected Data
- Usage data — pages visited, features used (via cookie-free analytics)
- Device data — browser type, operating system (from HTTP headers)
- IP address — for security, rate limiting, and fraud prevention
2. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (account, bids, proposals) | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (receipts, password resets) | Contract performance (Art. 6(1)(b)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Anonymous analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)) |
| Tax and legal compliance | Legal obligation (Art. 6(1)(c)) |
3. How We Use Your Data
We use your data to:
- Provide, maintain, and improve the Service
- Generate bid calculations and PDF proposals
- Process subscription payments
- Send transactional communications (account confirmations, receipts)
- Monitor and prevent security threats
- Comply with tax and legal obligations
- Provide customer support
We do not sell your personal data. We do not use your bid data to train AI models. We do not share your data with advertisers.
4. Sub-Processors (Data Sharing)
We share your data with the following third-party processors, all of which are bound by data processing agreements:
| Processor | Purpose | Location | Data Shared |
|---|---|---|---|
| Clerk | Authentication | United States | Email, name, auth tokens |
| Stripe | Payment processing | United States | Email, payment details |
| Neon | Database hosting | United States | All Service data (encrypted at rest) |
| Vercel | Application hosting | United States (edge) | HTTP requests, IP addresses |
| Plausible | Analytics (cookie-free) | European Union | Anonymous page views only |
International Data Transfers
Some of our sub-processors are located in the United States. These transfers are protected by:
- The EU–US Data Privacy Framework (for certified processors)
- Standard Contractual Clauses (SCCs) where the DPF does not apply
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | As long as your account exists |
| Data after account deletion | Deleted immediately (cascade delete), except as noted below |
| Billing records | 7 years after last transaction (Greek tax law requirement) |
| Anonymous usage analytics | Indefinitely (no personal data) |
| Account deletion tombstone | Email hash + bid count retained to prevent free tier abuse |
6. Your Rights (GDPR)
As a data subject, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data (edit your profile and settings anytime)
- Erasure — delete your account and all associated data (available in account settings or by contacting us)
- Restriction — request that we limit processing of your data
- Data portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent (e.g., marketing emails), you may withdraw at any time
To exercise any of these rights, email us at privacy@bidloom.com. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA): www.dpa.gr.
7. Cookies
We use a minimal set of cookies. For full details, see our Cookie Policy.
In summary:
- Essential cookies (no consent required) — authentication session cookies set by Clerk to keep you logged in
- Analytics — we use Plausible Analytics, which is cookie-free and does not track individual users
- Payment cookies — Stripe may set cookies during the checkout flow for fraud prevention (legitimate interest)
8. Security
We protect your data through:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (database encryption via Neon)
- Authentication via Clerk with support for multi-factor authentication
- Row-level data isolation (each user can only access their own data)
- Regular security updates and dependency monitoring
9. Children
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.
11. Data Controller Contact
Balan Bogdan Valentin
Kastellorizou 19, 16561 Glyfada, Greece
ΑΦΜ: 194465389
Email: privacy@bidloom.com
12. Supervisory Authority
The competent data protection authority is the Hellenic Data Protection Authority (HDPA):
- Website: www.dpa.gr
- Address: Kifissias 1-3, 11523 Athens, Greece
- Phone: +30 210 6475600
- Email: contact@dpa.gr