Data Privacy & Compliance
Complete guide to Cothon's PIPEDA compliance, data collection practices, retention policies, Canadian data residency, and privacy commitment for procurement intelligence
Privacy is fundamental to Cothon's mission. We understand that procurement professionals handle confidential proposals, competitive intelligence, and sensitive pricing information daily. Our privacy framework is designed to protect this data while complying with Canadian privacy regulations and respecting your rights as data subjects.
This guide provides complete transparency into how we collect, use, store, and protect your personal and organizational data. We've designed our privacy practices to exceed PIPEDA requirements and align with international best practices.
Our Privacy Commitment
Cothon's privacy philosophy is built on three core principles:
Transparency: We clearly communicate what data we collect, why we collect it, and how we use it. No hidden data practices or unexpected uses.
Control: You maintain control over your data with robust tools for accessing, exporting, correcting, and deleting your information. Your data belongs to you, not us.
Minimization: We collect only the data necessary to operate the procurement intelligence platform. We don't collect data "just in case" or for unrelated purposes like advertising.
Privacy-First Design
Privacy is embedded in every feature we build:
- Data Minimization: We collect the minimum data necessary for each feature
- Purpose Limitation: Data is used only for disclosed purposes
- Anonymization: Analytics and aggregated insights are anonymized
- Encryption: All personal and organizational data is encrypted at rest and in transit
- Access Controls: Row-level security ensures users can only access authorized data
- Retention Limits: Data is automatically deleted when no longer needed
Note
Data residency: Cothon can be deployed in any Supabase region, including Canadian regions (ca-central-1). Residency is a deployment-time choice. If your procurement policy requires Canadian data storage, confirm the deployment region with us in writing during onboarding — we will provide a screenshot of the Supabase project settings as evidence.
How data flows: All sensitive operations (document uploads, bid analyses, proposals, storage) flow directly from the user's browser to the Flask backend hosted on Railway — they do NOT transit through Vercel's edge network. The Next.js frontend on Vercel serves static assets and handles lightweight AI text processing (pre-extracted text only, no raw documents or PII). For organizations with strict Canadian data residency requirements, the Vercel AI routes can be disabled so that all processing goes exclusively through the Railway backend in ca-central-1.
Note that the AI subprocessor (Google Gemini) may process document text outside Canada; see the subprocessor list below. Individual users can opt out of AI processing on a per-upload basis (see AI Consent below).
PIPEDA Compliance
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information.
Cothon is fully compliant with PIPEDA's ten fair information principles.
1. Accountability
Principle: Organizations are responsible for personal information under their control and must designate individuals accountable for compliance.
Our Implementation:
2. Identifying Purposes
Principle: Organizations must identify the purposes for collecting personal information before or at the time of collection.
Our Implementation:
We collect personal information for specific, legitimate purposes and clearly communicate these purposes:
| Data Type | Purpose | Collection Point |
|---|---|---|
| Account Information | Account creation, authentication, support | Signup page, profile settings |
| Email Address | Login identifier, notifications, password reset | Signup page |
| Name | Personalization, collaboration (showing who created analyses) | Signup page, profile settings |
| Organization Name | Multi-tenant data isolation, billing | Organization setup |
| Usage Data | Platform improvement, bug fixing, analytics | Throughout platform (anonymized) |
| Payment Information | Subscription billing, invoice generation | Subscription checkout (processed by Stripe) |
| Document Content | Bid analysis, proposal generation, semantic search | Document upload, analysis creation |
| IP Address & Location | Security monitoring, fraud prevention, session management | Every API request. Retention: IP addresses in session logs are deleted after 90 days. IP addresses that appear in security audit events (login, MFA, role changes) are automatically scrubbed (set to NULL) after 90 days by a daily scheduled task, even though the audit event itself is retained for 2-3 years. This ensures compliance with PIPEDA Principle 5 while preserving the audit trail. |
Note
Purpose Disclosure: When you upload a document for bid analysis, we clearly state: "This document will be processed to extract requirements, assess your capabilities against those requirements, and generate compliance analysis. Document text may be sent to Google's Gemini API for AI-powered analysis (you can disable this in Settings)."
We never repurpose your data without obtaining new consent.
3. Consent
Principle: Organizations must obtain meaningful consent for the collection, use, or disclosure of personal information, except where inappropriate.
Our Implementation:
Cothon obtains explicit consent for personal information collection:
Meaningful Consent: We ensure consent is meaningful by:
- Writing privacy notices in clear, plain language (not legalese)
- Separating consent requests (not bundling everything into one checkbox)
- Providing genuine choice (you can use Cothon without AI features if you prefer)
- Making withdrawal as easy as providing consent
Warning
Consent for Minors: Cothon is a business platform not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If we discover a user is under 16, we delete their account and data immediately.
Organizations are responsible for ensuring their team members are of legal age.
4. Limiting Collection
Principle: Organizations shall limit the collection of personal information to that which is necessary for the identified purposes.
Our Implementation:
Cothon collects only the minimum data necessary for platform functionality:
We DON'T Collect:
- Birth date or age (except to verify you're 16+)
- Gender or demographic information
- Physical home address (unless required for billing in some jurisdictions)
- Phone number
- Social insurance number or government ID
- Financial information beyond what is necessary for billing
- Web browsing history outside Cothon
- Location data beyond approximate location from IP address
- Personal emails, files, or documents unrelated to procurement
We DO Collect:
- Email address (required for authentication)
- Name (required for account personalization)
- Organization name (required for multi-tenant isolation)
- Documents you upload (required for bid analysis)
- Usage data (required for platform improvement, anonymized)
- Payment information (required for paid subscriptions)
Data Minimization in Practice:
Example: When you create a bid analysis, we could collect:
- ❌ Your manager's name (not necessary)
- ❌ Your office location (not necessary)
- ❌ Your project budget (not necessary)
- ✓ Document file (necessary for analysis)
- ✓ Analysis settings (complexity threshold, confidence level)
- ✓ Organization ID (necessary for access control)
We collect only the last three items.
5. Limiting Use, Disclosure, and Retention
Principle: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. Personal information shall be retained only as long as necessary.
Our Implementation:
Note
Legal Holds: In rare cases, we may need to retain data beyond normal retention periods due to legal holds (e.g., ongoing litigation, government investigations). If your data is subject to a legal hold, we notify you and explain the reason for extended retention.
6. Accuracy
Principle: Personal information shall be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
Our Implementation:
7. Safeguards
Principle: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Our Implementation:
Cothon implements comprehensive security safeguards proportional to data sensitivity. See Security Overview for complete technical details.
Administrative Safeguards:
- Least-privilege access controls (employees access only data necessary for their role)
- Security expectations documented in the Information Security Policy for all personnel
- Platform administrator access restricted to an environment-variable allowlist
Technical Safeguards:
- Encryption at rest (AES-256, managed by our database provider) and in transit (TLS 1.2 or higher)
- Multi-factor authentication required for administrative access
- Automated vulnerability scanning (Dependabot, pip-audit, npm audit, CodeQL static analysis, gitleaks secret scanning)
- Regular security patches with defined SLAs by severity
Physical Safeguards:
- Cothon does not operate on-premise data centers. Physical security is inherited from our cloud providers (Supabase, Railway, Vercel), all of which operate SOC 2 / ISO 27001 certified facilities with 24/7 security, environmental controls, and redundant infrastructure.
Data Classification:
We classify data by sensitivity and apply appropriate protection:
| Classification | Examples | Protection Level |
|---|---|---|
| Critical | Passwords, API keys, encryption keys | Hashed/encrypted, never logged, strict access |
| Confidential | Bid proposals, pricing, capability statements | Encrypted, RLS policies, audit logging, limited access |
| Internal | Organization settings, opportunity metadata | Encrypted, RLS policies, standard access |
| Public | Shared analysis links, public procurement notices | Encrypted in transit, token-based access |
8. Openness
Principle: Organizations shall make readily available to individuals specific information about their policies and practices relating to the management of personal information.
Our Implementation:
9. Individual Access
Principle: Upon request, individuals shall be informed of the existence, use, and disclosure of their personal information and shall be given access to that information.
Our Implementation:
Warning
Access Request Verification: To protect your privacy, we verify your identity before providing access to personal information. You'll be asked to:
- Send the request from your registered email address, or
- Provide government-issued ID if requesting via alternate contact method
This prevents unauthorized individuals from accessing your data by impersonating you.
10. Challenging Compliance
Principle: Individuals shall be able to challenge an organization's compliance with PIPEDA principles to the designated individual accountable for the organization's compliance.
Our Implementation:
Success
Retaliation Prohibition: Cothon will not retaliate against individuals who submit privacy complaints in good faith. Submitting a complaint will not affect your account status, subscription, or relationship with Cothon.
We view complaints as opportunities to improve our privacy practices and appreciate users who take the time to raise concerns.
Data Collection Details
Personal Information We Collect
Comprehensive breakdown of all personal information collection:
Account & Profile Data
What We Collect:
- Email address (required)
- Full name (required)
- Profile picture (optional, from OAuth or uploaded)
- Job title (optional)
Why We Collect It:
- Email: Account identifier, authentication, password reset, notifications
- Name: Personalization, attribution (showing who created analyses), collaboration
- Profile picture: Visual identification in collaboration features
- Job title: Role-based UI customization (future feature)
Where It Comes From:
- Directly from you during signup or profile updates
- From OAuth providers (Google, Microsoft) if you use social login
- From SSO providers if your organization uses enterprise SSO
How Long We Keep It:
- While your account is active
- 90 days after account closure (recovery period)
- Then permanently deleted
Organization Data
What We Collect:
- Organization name (required)
- Industry sector (optional)
- Company size (optional)
- Organization logo (optional)
- Billing address (required for paid subscriptions)
- VAT/Tax ID (if applicable)
Why We Collect It:
- Organization name: Multi-tenant data isolation, billing invoices
- Industry sector: Customize opportunity recommendations
- Company size: Feature recommendations, customer segmentation
- Logo: Branding on generated proposals
- Billing address: Invoice generation, tax compliance
- Tax ID: Tax reporting compliance
How Long We Keep It:
- While organization is active
- 90 days after organization deletion (recovery period)
- Billing records: 7 years (legal requirement for tax compliance)
Usage & Analytics Data
What We Collect:
- Pages viewed and features used (anonymized)
- Button clicks and UI interactions (anonymized)
- Time spent on different sections
- Error messages and technical issues
- Performance metrics (page load times, API response times)
Why We Collect It:
- Improve platform usability and performance
- Identify and fix bugs
- Prioritize feature development based on actual usage
- Monitor system health and reliability
How We Anonymize It:
- User IDs are hashed before storage
- IP addresses are truncated (last octet removed)
- Exact timestamps are rounded to nearest hour
- No linkage to identifiable account information
How Long We Keep It:
- Anonymized aggregate data: Indefinitely (no privacy risk)
- Raw usage logs: 90 days, then deleted
Note
Analytics Opt-Out: You can opt out of analytics collection at Settings → Privacy → Analytics. This disables all usage tracking while still allowing core platform functionality. We respect Do Not Track browser signals as well.
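The anonymization rules listed above (hashed user IDs, truncated IPs, hour-rounded timestamps, no account linkage) and the daily 90-day IP scrub of audit events described in the Identifying Purposes table, implemented as an added example that is not Cothon's own code. The keyed hash (HMAC with a per-deployment secret), the /48 IPv6 prefix and all sample records are this example's assumptions; the page only says "hashed" and "last octet removed".

```python
"""Added example (not Cothon's code): usage-log anonymization and the
90-day IP scrub for audit events, following the rules stated on the page."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: a per-deployment secret for the keyed hash. The page only says
# "hashed"; HMAC is this example's choice so that a known user ID cannot be
# matched to its pseudonym by simply hashing the candidate ID.
PSEUDONYM_KEY = b"constructed-example-key-rotate-in-production"

AUDIT_IP_RETENTION = timedelta(days=90)


def hash_user_id(user_id: str) -> str:
    """Replace the user ID with a keyed SHA-256 digest (64 hex chars)."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Drop the host part: last octet for IPv4 (/24); /48 for IPv6 (assumed)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def round_to_hour(ts: datetime) -> datetime:
    """Round to the nearest hour (30 minutes and above rounds up)."""
    floored = ts.replace(minute=0, second=0, microsecond=0)
    if ts - floored >= timedelta(minutes=30):
        floored += timedelta(hours=1)
    return floored


def anonymize_usage_event(event: dict) -> dict:
    """Apply the page's four rules to one raw usage-log record.

    Only analytics fields survive; the raw user ID, full IP and exact
    timestamp are not carried over, so the output cannot be joined back
    to an account.
    """
    return {
        "user_hash": hash_user_id(event["user_id"]),
        "ip_prefix": truncate_ip(event["ip"]),
        "hour": round_to_hour(event["ts"]).isoformat(),
        "page": event["page"],
        "action": event["action"],
    }


def scrub_audit_ips(events: list, now: datetime) -> int:
    """Daily task: set ip to None on audit events older than 90 days.

    The event rows themselves are kept (the page retains them 2-3 years);
    only the IP address is removed. Returns the number of rows scrubbed.
    """
    cutoff = now - AUDIT_IP_RETENTION
    scrubbed = 0
    for ev in events:
        if ev["ts"] < cutoff and ev.get("ip") is not None:
            ev["ip"] = None
            scrubbed += 1
    return scrubbed


# Constructed sample records (not real data).
NOW = datetime(2026, 4, 8, 12, 0, tzinfo=timezone.utc)
RAW_USAGE = {"user_id": "user-1234", "ip": "203.0.113.57",
             "ts": datetime(2026, 4, 8, 9, 41, tzinfo=timezone.utc),
             "page": "/analyses/new", "action": "click:run_analysis"}
AUDIT_EVENTS = [
    {"event": "login", "ip": "203.0.113.57", "ts": NOW - timedelta(days=120)},
    {"event": "mfa_enrolled", "ip": "198.51.100.9", "ts": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    print(anonymize_usage_event(RAW_USAGE))
    print(scrub_audit_ips(AUDIT_EVENTS, NOW), "audit rows scrubbed")
```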
Document & Content Data
What We Collect:
- PDF files you upload for bid analysis
- DOCX files you create or import
- Bid analysis results and requirement extractions
- Generated proposals
- Comments and annotations
- Folder organizations and tags
Why We Collect It:
- Document files: Required for bid analysis, proposal generation, semantic search
- Analysis results: Provide capability assessments and compliance recommendations
- Proposals: AI-generated proposal content based on your capabilities
- Comments: Team collaboration and feedback
- Folders and tags: Help you manage multiple opportunities
Security:
- All documents encrypted at rest (AES-256)
- Access controlled via Row-Level Security (only your organization can access)
- Optional AI processing (can be disabled to keep all processing in-house)
How Long We Keep It:
- While your account is active (you control deletion)
- 30 days after you delete a document (recovery period)
- 90 days after account closure
- Then permanently deleted from production systems (database rows and storage files). Managed backups are overwritten as Supabase rotates them per their retention schedule.
Technical & Security Data
What We Collect:
- IP address (every API request)
- Browser user agent (every API request)
- Approximate geographic location (derived from IP)
- Login timestamps
- Session information (access tokens, refresh tokens)
- Failed login attempts
- Password change events
- 2FA enrollment and authentication events
Why We Collect It:
- Security monitoring and fraud prevention
- Detect unusual access patterns (logins from new countries)
- Investigate security incidents
- Enforce rate limiting and abuse prevention
How Long We Keep It:
- Session logs: 90 days
- Authentication events (login/logout): 2 years (security investigations)
- Security incidents: 3 years (compliance requirements)
Payment Data
What We Collect:
- Billing name and address
- Subscription plan and pricing
- Invoice history
Important: Cothon does not currently process payments directly through the platform. When payment processing is introduced, it will be handled by a PCI DSS-certified payment processor — Cothon will not store full payment card numbers.
How Long We Keep It:
- Subscription data: While subscription is active + 90 days
- Invoice records: 7 years (legal requirement)
Cookies & Tracking Technologies
Cothon uses cookies and similar technologies for authentication, preferences, and analytics.
Types of Cookies
| Cookie Type | Purpose | Duration | Essential? |
|---|---|---|---|
| Authentication | Maintain login session, store refresh tokens | 30 days | Yes |
| Preferences | Remember UI settings, language, theme | 1 year | No |
| Analytics | Track usage patterns (anonymized) | 1 year | No |
| Security | CSRF protection, rate limiting | Session | Yes |
Essential Cookies: Required for platform functionality. Cannot be disabled.
Non-Essential Cookies: Used for analytics and personalization. Can be disabled at Settings → Privacy → Cookie Preferences or via the cookie consent banner.
Third-Party Cookies
We use minimal third-party cookies:
- Sentry (error monitoring): Session identifier for error correlation
We do not use:
- Advertising cookies
- Social media tracking pixels
- Cross-site tracking cookies
- Third-party analytics (Google Analytics, Facebook Pixel, etc.)
Managing Cookies
Control cookies via:
- Cookie Consent Banner: Appears on first visit; click "Customize" to enable/disable cookie categories
- Settings → Privacy → Cookie Preferences: Granular control over cookie types
- Browser Settings: Use browser controls to block all cookies (may break authentication)
Tip
Privacy-Focused Browsers: Cothon works well with privacy-focused browsers like Brave, Firefox with tracking protection, or Safari with Intelligent Tracking Prevention. These browsers block third-party tracking cookies while allowing essential first-party cookies.
Data Sharing & Disclosure
Service Providers (Subprocessors)
We share personal information with third-party service providers to operate the platform. All service providers:
- Sign data processing agreements committing to PIPEDA-equivalent protection
- Process data only according to our instructions
- Implement appropriate security measures
- Notify us of data breaches within 24 hours
| Service Provider | Purpose | Data Shared | Their Certifications |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All customer data | SOC 2 Type II, ISO 27001 |
| Vercel | Frontend hosting (edge network) | No persistent customer data; cached static assets and in-flight requests | SOC 2 Type II, ISO 27001 |
| Railway | Backend API and worker hosting | Data in transit; application logs | Verify current status on Railway's trust page |
| Google (Gemini) | AI analysis (optional, can be disabled) | Document text sent for processing; not retained for training under paid API terms | SOC 2 Type II, ISO 27001 |
| Sentry | Error tracking | Stack traces with PII scrubbing enabled; no customer document content | SOC 2 Type II, ISO 27001 |
About AI processing: When AI-powered bid analysis is enabled, document text is sent to Google's Gemini API for processing under API terms that do not permit training on submitted data. If your organization prefers to keep all document content inside your deployment region, you can disable AI features entirely at Settings → AI Features.
Subprocessor changes: We will notify enterprise customers in advance before adding new subprocessors that process their data. The notification process is described in enterprise customer agreements.
Legal Disclosures
We may disclose personal information without consent in limited legal circumstances:
Valid Legal Process:
- Court orders or subpoenas
- Search warrants
- Production orders under Canadian law
- Valid requests from law enforcement with proper legal authority
Emergency Situations:
- To prevent imminent harm to individuals
- To protect life, health, or security in emergency situations
- To investigate suspected fraud or illegal activity
Business Transfers:
- If Cothon is acquired, merged, or sold, personal information may transfer to the acquiring entity
- We require acquirers to honor our privacy commitments
- You'll be notified 30 days before any transfer occurs
Our Legal Disclosure Process:
Note
Our commitment: We review every legal request carefully and push back on requests that are overly broad or that lack proper legal foundation. We do not provide backdoor access to customer data and will not silently comply with bulk surveillance requests.
Data Residency
How residency works in Cothon
Cothon is a managed SaaS platform deployed on Supabase, Railway, and Vercel. Each of these providers offers multiple regions, and the region your Cothon tenant runs in is a deployment-time choice — it is not dynamically selected per customer, and it is not enforced by our application code.
What this means for you: if your procurement policy requires that data remain in a specific jurisdiction (Canada, EU, etc.), you must confirm the deployment region with us in writing before signing. We will provide a screenshot of the Supabase project settings confirming the database region as part of standard enterprise onboarding, and we will record this in your customer file.
Components and where they run
| Component | Provider | Region |
|---|---|---|
| Database & authentication | Supabase | Whichever region your Cothon tenant was deployed in — confirm with your account contact |
| Backend API + background workers | Railway | Same region where your tenant is deployed |
| Frontend hosting | Vercel | Vercel Edge Network (globally cached static assets; no persistent customer data stored at the edge) |
| Error monitoring | Sentry | Sentry's own infrastructure (US-based at time of writing). Stack traces only, PII scrubbing enabled. |
| AI analysis (if enabled) | Google (Gemini) | Google Cloud infrastructure. Document text is sent for processing under paid API terms that do not permit training on submitted data. You can disable AI features per-organization to keep all processing inside your deployment region. |
Cross-border data flows
The following categories of data may cross borders, even when your primary tenant is deployed in Canada:
- AI analysis requests go to Google's Gemini API, which may be hosted outside Canada. Document text is transmitted for processing and is not retained for training per our API terms. If this is incompatible with your policy, disable AI features in your organization settings.
- Error telemetry goes to Sentry with PII scrubbing applied.
- User-initiated exports land on the user's own device, which may be anywhere.
We do not otherwise transfer customer data between regions.
Residency documentation for procurement
For government procurement or regulated industries that require written evidence of where your data sits, contact us through your usual support channel and we can provide a short memo summarizing:
- The Supabase project region (with a dated screenshot)
- The Railway deployment region
- Which AI providers are enabled (and therefore which cross-border flows apply)
- Our subprocessor list (below)
We do not currently issue formal "Data Residency Certificates" — the written memo is the artifact we can commit to delivering.
Children's Privacy
Cothon is a business-to-business platform designed for procurement professionals. It is not intended for children under 16 years of age.
Age Verification: We require users to confirm they are 16 or older during signup.
No Knowing Collection: We do not knowingly collect personal information from children under 16.
Deletion Upon Discovery: If we discover a user is under 16, we immediately:
- Suspend the account
- Permanently delete all personal information
- Notify the email address on file of the account closure
Parental Notification: If you believe your child has created a Cothon account without permission, contact your usual support channel immediately. We'll delete the account and all associated data within 48 hours.
Data Privacy Framework
We strictly adhere to Canadian data privacy frameworks, including PIPEDA and Quebec's Law 25, regarding the secure processing of data by our third-party infrastructure providers.
Privacy by Design
Cothon embeds privacy into our development process from the start.
Privacy Consideration in Feature Design
Before launching new features that involve personal information, we consider the privacy impact as part of the design process:
- Identify privacy risks
- Evaluate alternatives with better privacy properties
- Implement mitigation measures
- Assess compliance with PIPEDA principles
Privacy considerations that informed our feature design include:
- AI-powered bid analysis: assessed risks of sending document text to AI providers, implemented per-organization and per-upload opt-out controls
- Public sharing links: evaluated risks of sharing analyses externally, implemented expiration and revocation
- Tenders opportunity aggregation: verified only public procurement data is collected, no personal information scraped
Default Privacy Settings
New accounts default to privacy-protective settings:
| Setting | Default | Privacy Benefit |
|---|---|---|
| AI-Powered Analysis | Disabled | Document text stays in Canada unless you opt in |
| Email Notifications | Essential only | No marketing emails without explicit consent |
| Analytics Cookies | Require consent | No tracking until you accept cookies |
| Public Profile | Private | Organization information not publicly visible |
| Activity Sharing | Organization only | Your activity not shared with external users |
You can enable features as needed, but we start with maximum privacy.
Data Minimization Examples
We actively minimize data collection:
Bid Analysis:
- ❌ Could collect: Your company's pricing strategy, past bid success rates, competitors you're tracking
- ✓ Actually collect: Only the specific opportunity you're analyzing and your stated capabilities
Opportunity Browser:
- ❌ Could collect: Every opportunity you view, how long you spend on each, which ones you skip
- ✓ Actually collect: Only opportunities you explicitly save or analyze
Team Collaboration:
- ❌ Could collect: Every keystroke, how long team members spend on each analysis, who views whose work
- ✓ Actually collect: Only published comments and explicit activity (creating/editing analyses)
Frequently Asked Questions
Additional Resources
- Data Management & Portability - Export, delete, and manage your data
- Security Overview - Comprehensive security architecture
- Authentication & Access Control - 2FA, SSO, and session management
Privacy inquiries: contact us through your usual support channel.
Office of the Privacy Commissioner of Canada:
- Website: https://www.priv.gc.ca
- Toll-free: 1-800-282-1376
- File complaint: https://www.priv.gc.ca/en/report-a-concern/
Last updated: April 8, 2026
This document is kept in sync with the product by engineering. If you notice a claim here that doesn't match what you see in the application, please let us know.
This privacy guide is reviewed quarterly and updated whenever privacy practices change materially.