Privacy Policy
Effective date: August 30, 2025
Last updated: August 30, 2025
This Privacy Policy explains how Publicus (“Publicus,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you use our websites, applications, and related services that help contractors discover, qualify, and respond to government procurement opportunities (the “Services”).
If you use the Services on behalf of a company or organization (a “Customer”), you represent you have authority to do so and that your use is subject to this Policy and our applicable customer agreement.
Scope & roles
This Policy covers information we process as a controller/business (e.g., your account, profile, telemetry, and website data).
When a Customer uploads or stores information in the Services (e.g., opportunities, documents, notes) we act as a processor/service provider and process such data under our customer agreement and the Customer’s instructions.
Key definitions
Personal Information / Personal Data: information that identifies or can reasonably be linked to an individual.
Customer Data: data a Customer or its users submit to the Services (e.g., saved opportunities, manual opportunities, pipeline stages, notes).
Public Data: publicly available information we ingest from government and public sources (e.g., RFPs, award notices, meeting minutes).
Derived Data: insights and outputs we generate (e.g., opportunity recommendations, trend summaries, company subtitles optimized for matching).
Sensitive Personal Information: categories defined by applicable law (e.g., precise geolocation, account credentials). We do not seek to collect sensitive categories unless strictly necessary for security/authentication.
Information we collect
1) Information you provide
Account & profile: name, email, password (hashed), company, role, service areas, UNSPSC selections, notification preferences, and team/workspace membership.
Saved & manual opportunities: opportunities you save or create, pipeline stage, tags (e.g., “amended”), notes, attachments (if enabled), and related metadata.
Content: text you enter (e.g., descriptions, notes), uploads you make (e.g., RFP PDFs), and settings you configure.
Communications: messages to support, feedback, survey responses, webinar registrations, and calendaring information you provide.
Billing: plan, billing contact, tax details, and payment tokens via our payment processor (we do not store full card numbers).
2) Information collected automatically
Usage & device: app interactions, clicks, views, search queries, pages and screens, timestamps, referral URLs, IP address, approximate location (from IP), device/OS/browser type, language, and session identifiers.
Event telemetry: product events like opportunity_viewed, opportunity_saved, opportunity_moved, opportunity_liked/disliked, search_performed, and email open/click events for our digests.
Cookies & similar tech: see Cookies & tracking technologies below.
3) Information from public/government sources
To power discovery and matching, we collect Public Data from public portals (e.g., federal/provincial/municipal procurement sites), notices (e.g., RFPs, RFIs, RFQs, awards), and other public records (e.g., council minutes). Public Data may include titles, descriptions, UNSPSC codes, agencies, dates, documents, and published contact details of procurement officers.
4) Information from service providers and partners
We receive limited information from service providers (e.g., cloud hosting, authentication, logging, analytics, email delivery) to operate the Services. We may also receive business contact information from partners (e.g., referral programs) with appropriate consent or lawful basis.
How we use information
We use Personal Information, Customer Data, Public Data, and Derived Data to:
Provide, maintain, and personalize the Services
Account creation and authentication
Opportunity discovery and recommendations (hybrid semantic + keyword matching)
Trend & insight sections in digests (e.g., by UNSPSC, region, issuer)
Saved board / pipeline stages, manual opportunity creation, and “saved” indicators in search
Amendment notifications for saved opportunities (e.g., opening/closing date changes, amended tag)
Email digests and in-app notifications you enable
Improve quality and develop new features
Product analytics and A/B testing (in aggregate/de-identified form where possible)
Training and evaluation of ranking, matching, and summarization models using de-identified/aggregated data
Content quality checks (e.g., subtitle optimization for company matching)
Operate securely and reliably
Debugging, incident response, and fraud/abuse prevention
Audit logs (e.g., source updates and field overrides), backups, and availability
Enforcing terms and acceptable use
Communicate with you
Service, security, and transactional messages (e.g., “your saved opportunity was amended”)
Optional newsletters, webinars, and marketing (you can opt out)
Policy updates and product announcements
Automated processing & recommendations. We use algorithms (including machine learning) to classify and match opportunities, generate summaries, and surface insights. These features are assistive; they do not create legal or similarly significant effects. You can review, ignore, or override suggestions.
Legal bases (where required)
Where law requires a legal basis (e.g., GDPR/UK GDPR), we process Personal Data on the basis of:
Contract (to deliver the Services you request),
Legitimate interests (to secure and improve the Services, personalize content, de-identify for analytics),
Consent (for certain cookies/marketing, where required), and
Legal obligation (e.g., records, compliance, security).
Cookies & tracking technologies
We use cookies and similar technologies to operate the site, keep you signed in, remember preferences, measure usage, and (optionally) run our own marketing campaigns.
Types of cookies:
Strictly necessary: authentication, security, core features.
Functional: preferences, product settings.
Analytics: understanding usage and improving performance.
Marketing (optional): our own campaigns and retargeting (region-dependent and consent-based where required).
Controls:
In regions that require consent (e.g., EEA/UK, Québec), we present a cookie banner and granular controls.
You can also block or delete cookies in your browser; some features may not work without essential cookies.
We currently [do/do not] respond to “Do Not Track” signals (update this text to reflect your actual behavior).
When we disclose information
We do not sell Personal Information. We disclose limited information to:
Service providers / processors that help us operate the Services (e.g., cloud infrastructure, authentication, logging, analytics, email delivery, customer support). They may only process data per our instructions and must protect it appropriately.
Enterprise or referral partners (business contact data) where permitted by law and contracts, with appropriate disclosures and/or consent.
Legal and safety: to comply with law, respond to lawful requests, or protect rights, safety, and property.
Corporate transactions: in a merger, acquisition, or asset sale, subject to appropriate confidentiality and continuation of protections.
We may share aggregated or de-identified insights (e.g., market trends, UNSPSC statistics) that do not identify individuals.
Advertising & “sharing.” We do not sell personal information. If we engage in cross-context behavioral advertising, we will provide a “Do Not Sell or Share My Personal Information” control as required by California law.
International data transfers
We may process data in countries other than where you live (e.g., Canada, the United States, and locations where our providers operate). Where required, we implement appropriate safeguards for cross-border transfers (e.g., EU Standard Contractual Clauses, UK Addendum/IDTA). By using the Services, you understand your data may be transferred internationally.
Your rights & choices
Depending on your location, you may have rights to:
Access your Personal Information
Correct inaccurate or incomplete data
Delete certain data
Port data in a structured, commonly used format
Object to or restrict certain processing
Withdraw consent where processing is based on consent
Appeal a decision regarding your privacy request (where applicable)
Opt out of marketing communications at any time (via links in emails)
How to exercise rights. Email privacy@publicus.ai with:
Your request,
The email address associated with your account, and
Sufficient details for us to identify you and the data at issue.
We may request additional information to verify identity. If you are an end user of a Customer account, we may refer your request to the Customer (the data controller) for action.
Marketing choices. You can unsubscribe from marketing emails via the footer link. We may still send transactional or service-related communications.
Data retention
We retain information only as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. We may also retain de-identified or aggregated data for analytics and model improvement.
Indicative retention schedule (subject to change):
Data category: Typical retention
Account & profile data: For the life of the account + up to 24 months archival
Saved & manual opportunities, pipeline metadata: For the life of the account; deleted within 24 months after account closure unless legally required
Event telemetry & logs: 12–18 months (often aggregated/de-identified)
Support tickets & communications: ~24 months (or longer where legally required)
Backups: Rotating schedules per our disaster recovery policy
Marketing lists: Until you unsubscribe or account closure + suppression period
Security
We implement administrative, technical, and organizational measures designed to protect information, including but not limited to: encryption in transit, access controls, environment isolation, secret management, logging/monitoring, vulnerability management, and regular backups. No method of transmission or storage is 100% secure; if we learn of a breach affecting Personal Information, we will notify affected users and regulators as required by law.
Public data & fair use
Publicus aggregates publicly available procurement information. We respect robots.txt, rate-limits, and terms of use for public portals and do not circumvent access controls. Public procurement documents may include names or work contact details of officials published by the issuer; we process such data to index, deduplicate, summarize, correlate to UNSPSC categories, and notify users of relevant opportunities. For authoritative records, consult the original government source.
Children
Our Services are intended for use by businesses and are not directed to children. We do not knowingly collect Personal Information from children. If you believe a child has provided Personal Information, contact us at privacy@publicus.ai.
Automated processing, AI, and transparency
We use automated techniques, including machine learning, to:
Rank and match opportunities (semantic vectors + keywords),
Generate summaries and “Trends & Insights,”
Produce internal fields like company subtitles optimized for matching.
These features are assistive. They do not produce legal or similarly significant effects. You remain in control of decisions (e.g., whether to pursue an opportunity). We evaluate these systems for quality using de-identified or aggregated data and human-in-the-loop review where appropriate.
Product-specific notes
Saved opportunity indicators: We display a distinct visual state for saved opportunities in search and your saved board.
Amendment notifications: If a saved opportunity is amended (e.g., date/time changes), we may notify you in-app and/or include updates in daily emails.
Manual opportunities: You may add your own opportunities using the existing fields; these are stored and processed like other records for pipeline purposes.
Trends & Insights emails: We may include aggregated insights (e.g., changes by UNSPSC, issuer activity, region) derived from Public Data and de-identified usage patterns.
Subtitle optimization: We may generate internal, non-editable company subtitles from your inputs (e.g., keywords) to improve matching. These are not displayed publicly unless your Customer agreement provides otherwise.
Third-party links & government portals
The Services may link to third-party websites or government portals. Your interactions with those sites are governed by their privacy policies and terms, not ours. We encourage you to review their policies before interacting.
Region-specific disclosures
Canada (PIPEDA and provincial laws, including Québec Law 25)
We apply the 10 fair information principles (accountability; identifying purposes; consent; limiting collection, use, disclosure, and retention; accuracy; safeguards; openness; individual access; challenging compliance).
Cross-border processing may occur; your information may be processed outside your province or Canada.
You may contact our Privacy Officer at privacy@publicus.ai.
For Québec: we identify a person in charge of the protection of Personal Information (the “privacy officer”) reachable at privacy@publicus.ai; we conduct privacy impact assessments when required and maintain incident logs in accordance with Law 25.
EEA/UK (GDPR/UK GDPR)
See Legal bases, International transfers, and Your rights & choices above.
You may lodge a complaint with your local data protection authority if you believe our processing violates applicable law.
California (CPRA)
We do not sell Personal Information. If we “share” Personal Information for cross-context behavioral advertising, we will provide a “Do Not Sell or Share My Personal Information” link.
California residents have the right to know, correct, and delete certain information, and to opt out of sale or sharing and the use/disclosure of sensitive Personal Information for additional purposes. We will not discriminate against you for exercising your rights.
Authorized agents may submit requests on your behalf; we will verify the agent’s authority and your identity.
Notice at collection (CPRA categories we may collect):
Identifiers (e.g., name, email, account IDs)
Commercial information (e.g., subscription plan, interaction history)
Internet/Electronic activity (e.g., device info, usage data)
Geolocation (coarse) (e.g., from IP address)
Professional information (e.g., company, role)
Inferences/Derived data (e.g., recommendations, similarity scores)
We collect these categories for the purposes described in How we use information and retain them as described in Data retention.
Other U.S. states
Residents of states with comprehensive privacy laws (e.g., Colorado, Connecticut, Virginia, Utah, Oregon, Texas, Montana, Tennessee) may have similar rights. We will honor applicable state rights consistent with this Policy. Contact privacy@publicus.ai to exercise rights.
Your privacy choices & controls
Email preferences: Use unsubscribe links or account settings to manage marketing communications.
Cookies: Use our banner (where required) and your browser controls to manage cookies.
Advertising opt-outs: If we implement cross-context advertising, region-specific opt-out links will be provided.
Account data: You may request access, correction, or deletion at privacy@publicus.ai.
Verification, appeals, and authorized agents
We may request additional information to verify your identity and authority (e.g., control of the email address associated with the account). Where available by law, you may appeal a denial of your privacy request by replying to our response or emailing privacy@publicus.ai with “Appeal” in the subject line. If you use an authorized agent, we will require proof of authorization and may still require you to verify your identity directly.
Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you (e.g., via the Services, email, or an in-product banner) and update the “Last updated” date at the top. Your continued use of the Services after an update constitutes acceptance of the revised Policy.