1. Data Controller
SOCHOICES SAS ("we", "us", or "Captara") is the data controller for personal data processed through Captara.
2. Data We Collect
2.1 Data collected directly from you (Art. 13)
- Account data: Name, email address, hashed password at registration.
- Consent records: Timestamps and versions of accepted Terms and Privacy Policy.
- Company profiles: Business descriptions, capabilities, certifications you provide.
- Usage data: Search queries, saved searches, alert preferences, bid pipeline entries, watchlist items.
- Notification preferences: Email opt-in choice.
- Technical data: IP address, browser user-agent string, and session cookies for authentication.
2.2 Data obtained from public sources (Art. 14)
We process publicly available procurement data from official EU and national government sources, including:
- Tender notices: Buyer organization names, contracting authority contact persons (as published on TED and national portals).
- Award data: Names of companies that won public contracts, contract values, award dates (public record).
- SIGINT signals: Buyer names and procurement plans from published government documents.
This data is sourced from Tenders Electronic Daily (TED), national procurement portals, and published government documents. We process it under legitimate interest (Art. 6(1)(f)) for the purpose of providing procurement intelligence services.
3. How and Why We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the service | Account, usage, company profiles | Contract (Art. 6(1)(b)) |
| Email notifications | Email, saved searches | Consent (Art. 6(1)(a)) |
| Security monitoring | IP address, user agent, session | Legitimate interest (Art. 6(1)(f)) |
| AI-powered analysis | Company descriptions, tender text | Contract (Art. 6(1)(b)) |
| Procurement intelligence | Public award data, entity names | Legitimate interest (Art. 6(1)(f)) |
| Billing and payments | Stripe customer reference | Contract (Art. 6(1)(b)) |
| Legal compliance | Audit logs, consent records | Legal obligation (Art. 6(1)(c)) |
4. Recipients and Third Parties
We do not sell your personal data. We share data with the following categories of processors:
- Cloud infrastructure: Hosting provider (EU data center).
- AI processing: Google Gemini API (for text analysis, embeddings, translations). Text content may be processed on Google infrastructure.
- Payment processing: Stripe (processes payment data directly; we only store a customer reference ID).
- Email delivery: Transactional email provider (for notification emails).
All processors operate under Data Processing Agreements (DPAs) and are bound to process data only on our instructions.
5. International Transfers
Your account data is stored in the EU. However, when AI features are used, text content may be processed by Google Gemini API on Google infrastructure, which may involve transfer to the United States.
These transfers are safeguarded by: (a) the EU-US Data Privacy Framework adequacy decision, and (b) Standard Contractual Clauses (SCCs) incorporated in Google's Data Processing Terms.
6. Data Retention
- Account data: Retained while your account is active. Anonymized within 30 days of deletion request; fully erased after 60 days.
- Audit logs: Retained for 24 months for security and legal compliance, then deleted.
- Search history: Retained while account is active; deleted with account.
- Public procurement data: Retained indefinitely (public record data).
- AI-generated content: Retained while account is active; deleted with account.
- Consent records: Retained for 5 years after consent withdrawal (Art. 7(1) evidence).
7. Your Rights
Under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16): Correct inaccurate data via your account settings or by contacting us.
- Erasure (Art. 17): Delete your account and all associated data. Use "Delete Account" in Settings or contact us.
- Restriction (Art. 18): Request that we limit processing of your data.
- Portability (Art. 20): Export your data in machine-readable JSON format via "Export Data" in Settings.
- Objection (Art. 21): Object to processing based on legitimate interest, including profiling.
- Withdraw consent: Withdraw email notification consent at any time in Settings. Withdrawal does not affect the lawfulness of prior processing.
To exercise any right, email privacy@captara.eu. We will respond within 30 days per Art. 12(3).
8. Automated Decision-Making and Profiling (Art. 22)
Captara uses AI to generate the following automated analyses. These are advisory only and do not produce legally binding decisions:
- StrengthScore: A 0-100 score predicting competitive strength based on four factors: semantic similarity (40%), geographic proximity (20%), recency of wins (20%), and win volume (20%). All inputs are derived from public procurement data.
- Win probability: An estimate of your likelihood of winning a tender, based on your company profile compared to the tender requirements.
- SIGINT signals: AI extraction of procurement signals from published government documents.
Known limitations: The geographic weighting factor (20% of StrengthScore) gives higher scores to entities in the same country as the buying authority, which may systematically advantage domestic entities. This reflects empirically observed procurement patterns and is not a quality judgment. The model may also favor larger companies with more historical wins over SMEs or new market entrants.
You have the right to contest AI-generated scores by using the "Report Inaccuracy" feature or contacting us at privacy@captara.eu.
9. Cookies
We use only strictly necessary cookies for authentication (session token). No tracking, analytics, or advertising cookies are used. Under the ePrivacy Directive Art. 5(3), strictly necessary cookies do not require consent.
10. Supervisory Authority
You have the right to lodge a complaint with your national data protection authority. Our lead supervisory authority is the Spanish Data Protection Agency (AEPD):
- Agencia Española de Protección de Datos (AEPD)
- Website: www.aepd.es
11. Changes
We may update this policy. Material changes will be communicated via email to registered users. Continued use after notification constitutes acceptance. If changes affect processing based on consent, we will request re-consent.