Privacy Policy
This Privacy Policy explains how Tenqual ("we", "us", "our") processes personal data when you use our products, websites, and services (collectively, the "Service"). We are committed to GDPR-compliant processing and to being transparent about what we collect, why we collect it, and how you can exercise your rights.
Controller and Contact
Controller: Tenqual ANS
Organization number: 935 920 604
Business address: Lerkerinden 61, 5099 Bergen, Norway
Municipality: 4601 Bergen
Country: Norway
Contact: support@tenqual.com
For data protection inquiries, please use this address. If we appoint a DPO or EU representative, we will update this page.
Scope
This policy covers personal data processed when you visit our websites, create an account, sign in, upload content, collaborate in workspaces, receive email alerts, interact with support, or respond to marketing.
Categories of Data We Collect
- Account and profile: name, email address, company, country, role, consent timestamps (ToS/Privacy), and workspace membership metadata.
- Authentication: identity tokens from your chosen provider (e.g., Google; via Firebase Auth), session identifiers, and security logs.
- Service data: files and text you upload, search queries, tender selections, usage events (e.g., feature invocations, model tokens in/out for cost estimation), and system diagnostics.
- Device/usage: IP address, browser/OS information, timestamps, and cookies necessary for sign-in and security. Analytics cookies are used only with consent.
- CRM/marketing: business contact details, event and campaign interactions, email preferences, and attribution data when you opt in or engage with our sales team.
Sources of Data
We collect data directly from you, from your organization (if your account is provisioned by an admin), from integrated services (Firebase Authentication, Stripe), and from our applications as you use the Service.
Purposes and Legal Bases
- Provide and secure the Service (Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests for security): account creation, authentication, access control, fraud prevention, logging.
- Operate product features (Art. 6(1)(b)): document processing, search, qualification, collaboration, notifications.
- Measure usage and costs (Art. 6(1)(f)): event and token accounting per workspace for transparency and billing.
- Billing (Art. 6(1)(b) and (c)): subscription management, invoicing, and tax compliance via Stripe.
- CRM and marketing (Art. 6(1)(a) consent; Art. 6(1)(f) legitimate interests for B2B): keeping a record of business contacts, responding to inquiries, sending product updates where permitted, and honoring opt-outs at any time.
- Legal obligations (Art. 6(1)(c)): record keeping, responding to lawful requests, enforcing terms.
AI Processing
When you invoke AI features, we process the text you provide and model outputs solely to deliver the feature and to compute usage statistics. We do not use your customer content to train our own models.
Our AI providers may retain service logs in line with their own terms and applicable law. Where supported, we configure provider data controls to disable use of customer content for model training and to minimize retention.
Cookies
We use strictly necessary cookies and similar technologies for authentication and security. With your consent, we may set analytics cookies to improve product experience. Analytics load only after you select “Accept” in our cookie banner. You can adjust preferences at any time via your browser or our banner.
Disclosures and Processors
We share data with service providers under data processing agreements and require appropriate confidentiality, security, and subprocessing controls.
Our current subprocessors include:
- Google Cloud Platform (hosting and cloud infrastructure)
- Firebase (authentication)
- Stripe (payments and billing)
- SendGrid (transactional email)
- HubSpot (CRM and B2B marketing communications)
International Transfers
Where data moves outside your region, we rely on GDPR transfer mechanisms (e.g., SCCs) and implement technical and organizational measures appropriate to the risks.
Retention
Account records and workspace data are retained for the life of the account and then deleted or anonymized per our retention schedule. You may request export or deletion at any time, subject to legal holds.
- Operational logs: typically retained for up to 90 days.
- Backups: retained for up to 30 days unless required longer for recovery or legal reasons.
- Billing and invoicing records: retained for periods required by tax and accounting laws (commonly 5–10 years).
Security
We apply least-privilege access, encryption in transit and at rest, network isolation for production systems, audit logging, and automated deployment with secrets from a managed store.
Your Rights
Under GDPR you may request access, rectification, erasure, restriction, and portability, and you may object to certain processing (including direct marketing). You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal. We may ask you for information to verify your identity, and we aim to respond within 30 days of receiving a complete request, subject to extensions permitted by law. Contact support@tenqual.com.
Children
The Service is not directed to children under 16 (or the lower age permitted by local law) and we do not knowingly collect their personal data.
Changes
We may update this policy to reflect product, legal, or operational changes. We will post revisions with an effective date and, where material, provide reasonable advance notice.
Effective date: 2025-09-25