Privacy Policy

Version v2026.3

Privacy Policy

Effective date: 1 March 2026 — Version v2026.1

1. Data Controller

The data controller for account administration, service operations, and billing data is:
Midpilot AS
Organisasjonsnummer: 934 411 983
Norway
Contact: privacy@midpilot.com

For Customer workspace data (documents and bid materials uploaded to the Services), Customer is the data controller and Midpilot acts solely as a data processor under a Data Processing Agreement (DPA) incorporated into the Master Services Agreement.

2. Personal Data We Process (as Controller)

When you create an account or use our services, we may process the following categories of personal data:

  • Account data: Name, work email address, company name, job title.
  • Contact and communications data: Support emails, feedback, and correspondence.
  • Billing data: Invoice contact details, payment references (no card numbers stored directly).
  • Technical and security data: IP addresses, browser/device type, session tokens, access logs, and audit trails.
  • Legal consent data: Records of agreement acceptance including document version, timestamp, and IP address.

We do not process Customer Documents (bid files, tender documents) as controller. Those are processed solely on your instructions as described in the DPA.

3. Purposes and Legal Basis (GDPR Art. 6)

Purpose Legal Basis
Providing, operating, and securing the Services Art. 6(1)(b) – Contract performance
User support and communications Art. 6(1)(b) – Contract performance
Invoicing and payment administration Art. 6(1)(b) – Contract performance / Art. 6(1)(c) – Legal obligation
Security monitoring, fraud prevention, and audit logging Art. 6(1)(f) – Legitimate interests
Legal consent recordkeeping (clickwrap evidence) Art. 6(1)(c) – Legal obligation / Art. 6(1)(f) – Legitimate interests
Service reliability improvement (aggregate, anonymised) Art. 6(1)(f) – Legitimate interests

Legitimate interests: Where we rely on legitimate interests, these are: maintaining security and integrity of the platform, defending legal claims, and improving service reliability. You have the right to object to processing based on legitimate interests (see Section 8).

4. Data Location and Security

All personal data is stored and processed within the European Economic Area (EEA) (Google Cloud EU regions). Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is restricted to authorised personnel on a need-to-know basis.

No international transfers: We do not transfer personal data to countries outside the EEA. If this changes, we will update this policy and implement appropriate safeguards (Standard Contractual Clauses or adequacy decision).

AI training: Customer Data is never used to train general-purpose AI models.

5. Sub-processors and Recipients

We use third-party sub-processors to operate the Services (Google Cloud Platform, Gemini API, SendGrid, Stripe, Microsoft OneDrive). All sub-processors are contractually bound to process data only on our instructions and maintain appropriate security measures.

The complete, current sub-processor register — including names, locations, purposes, and links to each sub-processor's own DPA — is maintained and publicly available at:
/legal/sub-processors

Customers will be notified of any new or changed sub-processors with a 30-day notice period, giving them the right to object before the change takes effect.

6. Cookies and Session Data

The Midpilot portal uses strictly necessary session cookies to maintain your authenticated session (JWT-based). No advertising, analytics, or tracking cookies are used. Session tokens expire after inactivity. You can clear cookies by logging out or via your browser settings.

7. Retention Periods

Data Category Retention Period
Account and contact data Duration of contract + 3 years
Legal consent records (clickwrap audit trail) 10 years (limitation period for contract claims)
Billing and invoice records 5 years (Norwegian Bookkeeping Act)
Security and access logs 12 months rolling
Customer workspace data (uploaded documents) Per MSA/DPA terms; deleted within 30 days of contract end
Support communications 3 years from last interaction

8. Your Rights (GDPR Art. 15–22)

As a data subject, you have the following rights regarding personal data we hold about you as controller:

  • Access (Art. 15): Request a copy of your personal data.
  • Rectification (Art. 16): Request correction of inaccurate data.
  • Erasure (Art. 17): Request deletion ("right to be forgotten"), subject to legal retention obligations.
  • Restriction (Art. 18): Request that we restrict processing in certain circumstances.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Objection (Art. 21): Object to processing based on legitimate interests.

To exercise any right, contact privacy@midpilot.com. We will respond within 30 days. Identity verification may be required.

9. Automated Decision-Making

We do not use fully automated decision-making (including profiling) that produces legal or similarly significant effects on you (GDPR Art. 22). AI-generated bid analysis outputs are always reviewed by the Customer before any business decision is made.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with the supervisory authority in your country. Our lead supervisory authority (as Midpilot AS is registered in Norway) is:

Datatilsynet (Norwegian Data Protection Authority)
Website: www.datatilsynet.no
Email: postkasse@datatilsynet.no
Phone: +47 74 07 70 00

If you are based in another EEA country, you may also complain to your local supervisory authority.

11. Changes to This Policy

Material changes to this Privacy Policy will be notified to active customers by email and will require re-acknowledgement at next login. Minor editorial changes will be noted in the version history. The current version is always available at /legal/privacy.

← Back