1. Who we are

BidFrame is a production bidding application operated by Vismu LLC ("BidFrame," "we," "us," or "our"). This Privacy Policy explains how we collect, use, store, share, and protect information when you use the BidFrame web application, our website, and related services (together, the "Services").

By using the Services, you agree to the practices described here. If you do not agree, do not use the Services.

2. Scope & definitions

This policy distinguishes between two categories of information, because they are protected differently:

  • Personal Information. Information that identifies or relates to an individual (for example: name, work email, IP address). Handled under applicable privacy laws.
  • Customer Content. The briefs, project data, bid data, rate cards, and other materials you upload, paste, or generate inside BidFrame on behalf of your organization. This is your or your client's confidential business information. It is not generally personal information, and we treat it as confidential under Section 3.

3. Customer Content: confidentiality & ownership

Customer Content belongs to you and your organization. We act only as a processor and custodian.

  • Confidentiality. We treat Customer Content as confidential. Vismu LLC personnel may not access Customer Content except as strictly necessary to operate the Services, prevent abuse, or comply with law. All such access is logged and limited to authorized staff under written confidentiality obligations.
  • No use for our purposes. We do not read your Customer Content for marketing, sales prospecting, training of any model, or to publish industry benchmarks. We do not analyze it across customers without prior written consent.
  • NDA-bound material. If your Customer Content is subject to a third-party NDA (for example, a brief from a brand or agency), our handling is consistent with treating that content as confidential. We are happy to execute additional confidentiality terms on request.
  • Ownership. You retain all right, title, and interest in your Customer Content. The license you grant us is limited to operating the Services for your benefit.

4. Information we collect

Account & organization (Personal Information)

  • Name, work email address, and authentication credentials
  • Organization name, role, and team membership
  • Account preferences and settings

Customer Content

BidFrame collects structural production data, not personal information about specific people. The materials you upload, paste, or generate include:

  • Briefs you upload (PDFs, Word documents, decks, or pasted text)
  • Project structure: deliverables, talent counts and categories (for example, "3 principals, 20 background"), locations as cities or production zones, schedule, usage rights, budget range, assumptions
  • Bid structure: line items, role-based rates, scenarios, versions, change orders, exports
  • Rate cards uploaded by your organization (rates by role)
  • Activity records (edits, exports, restores) used for audit and version history

What BidFrame does not collect

BidFrame does not need, and we ask you not to paste, the following into briefs or any other field: names of individual talent, crew, or vendors; contact information (email, phone, address); social security or tax identification numbers; banking or payment information; or residential addresses for shoot locations. If a brief you upload contains any of this information, please redact it before upload. Enforcement at parse time, so that named individuals are ignored automatically, is on our roadmap.

Usage & device data

  • Server logs: IP address, browser type, pages visited, timestamps, request IDs, error traces
  • Device data: operating system, browser version, screen size
  • Cookies and similar technologies for authentication and session management
  • First-party product telemetry (page views and feature usage within the app)

We do not currently use third-party advertising or cross-site behavioral tracking technologies on the Services. If this changes, we will update this policy and provide notice.

Communications

If you contact us for support, sales, or feedback, we keep a record of the conversation and any information you choose to share.

5. How we use information

We use information to:

  • Provide, maintain, secure, and improve the Services
  • Authenticate users and manage account access
  • Parse briefs, draft first-pass bids, and run risk and confidence checks
  • Maintain version history and audit trails
  • Generate exports (AICP HTML, client HTML, CSV, XLSX)
  • Communicate with you about the Services, updates, and security
  • Detect, investigate, and prevent abuse, fraud, and security incidents
  • Comply with legal obligations and enforce our agreements

We do not sell your Personal Information. We do not share Personal Information for cross-context behavioral advertising. We do not use Customer Content to train any third-party model.

6. Automated processing

BidFrame parses briefs into structured production data and drafts first-pass bids. Producers review and edit every machine-drafted value before export. Automated output is treated as a suggestion, not authority.

How Customer Content reaches our processing provider

To draft a bid, the contents of briefs you upload (and limited project context such as scope and deliverables) are transmitted to our processing provider, Anthropic, through its API. The structured output is returned to BidFrame and stored in your workspace inside Supabase.

What this means in practice

Your brief content travels: your browser → BidFrame (Supabase) → Anthropic API → BidFrame. It is encrypted in transit at every hop. It is encrypted at rest in Supabase. Anthropic processes it only to return a response.

Anthropic specifics

  • No training on your data. Under Anthropic's commercial API terms, customer API inputs and outputs are not used to train Anthropic's models.
  • Anthropic data retention. By default, Anthropic may retain API inputs and outputs for up to 30 days for trust-and-safety review (for example, abuse monitoring). After that retention window, content is deleted. We work toward zero-retention processing where contractually available.
  • Trust-and-safety review. Anthropic may apply automated classifiers to detect abuse. In rare cases of flagged content, a small number of authorized Anthropic personnel may review the flagged content under their own confidentiality controls.
  • Geographic processing. Anthropic processes Customer Content primarily in the United States, on infrastructure provided by Amazon Web Services and Google Cloud as Anthropic's sub-processors.

7. Subprocessors

We rely on the following providers to deliver the Services. Each is bound by contractual confidentiality and data-protection obligations.

Provider | Purpose | Data processed | Region
Supabase | Application database, authentication, file storage, audit logs | Personal Information & Customer Content | United States (AWS)
Vercel | Web application hosting and edge delivery | Server logs, request metadata | United States (global edge)
Anthropic | Brief parsing and bid drafting via API | Customer Content (briefs & project context) and limited metadata | United States (AWS, Google Cloud)
Email & support tooling | Transactional email and customer support | Name, email, message contents | United States

Subprocessor change notice

For any new subprocessor that will process Customer Content or Personal Information, we provide at least 30 days' advance notice by email and on this page. Customers on enterprise plans may object to a new subprocessor in writing during the notice period; if we cannot accommodate the objection, the customer may terminate the affected service for cause without penalty.

To receive subprocessor change notifications, contact privacy@bidframe.co.

8. Sharing & legal process

We share information only as described below:

  • Within your organization. Customer Content is visible to other authorized members of your workspace, per your role and sharing settings.
  • With subprocessors. As listed in Section 7, only to operate the Services.
  • For legal reasons. See commitments below.
  • Business transfers. In connection with a merger, acquisition, or sale of assets, with notice to affected customers and an opportunity to export Customer Content before transition.

Government and legal demands

If we receive a subpoena, court order, or other legal demand for your data, we will:

  • Review the demand for legal sufficiency and scope
  • Push back on overbroad, unlawful, or improperly served demands
  • Where the demand seeks Customer Content, attempt to redirect the requester to the customer first whenever feasible
  • Notify the customer before producing data, except where prohibited by law (for example, a non-disclosure order). Where a notice prohibition expires, we provide notice as soon as legally permitted.

9. Retention

We retain information only as long as needed for the purposes described in this policy and applicable law. Specific retention periods:

Data category | Retention period
Account & organization data | While your account is active. Deleted within 30 days of a verified deletion request or account closure.
Customer Content (briefs, projects, bids, exports) | While your account is active. Deleted within 30 days of customer-initiated deletion.
Encrypted backups | Up to 90 days from the last appearance of the data in production. Deleted content ages out of backups within this window.
Server & application logs | 90 days
Audit logs (security & account events) | 24 months
Support communications | 24 months after last contact
Billing & tax records | As required by applicable law (typically 7 years)

10. Security

We use technical and organizational measures designed to protect your information, including encryption in transit (TLS 1.2 or higher) and at rest (AES-256), role-based access controls, row-level security in our database to enforce per-organization data isolation, multi-factor authentication on the infrastructure dashboards used to administer the Services, and audit logging of sensitive actions.

Full details, including infrastructure, access controls, multi-tenant isolation, incident response, and our compliance roadmap, are on the Security page.

Breach notification

If we determine that a security incident has materially affected your data, we will notify you within 72 hours of confirmation, regardless of jurisdictional minimums. Notice will include what we know, what we are doing about it, and what (if anything) we recommend you do.

11. Your rights

Depending on where you live, you may have rights regarding your Personal Information, including:

  • Access to information we hold about you
  • Correction of inaccurate information
  • Deletion of your account and associated Personal Information
  • Export of your Customer Content in a portable format (CSV, XLSX, HTML)
  • Objection to or restriction of certain processing
  • Withdrawal of consent where processing is based on consent
  • Lodging a complaint with a supervisory authority

To exercise these rights, email privacy@bidframe.co from the email address on your BidFrame account. If the request comes from a different address, we may ask you to confirm the request from your account email or via a logged-in support flow before responding. We respond to verified requests within 30 days.

12. State-specific disclosures (US)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another state with comprehensive privacy legislation, the following applies in addition to Section 11.

Categories of Personal Information collected (last 12 months)

  • Identifiers (name, email, IP address, account ID)
  • Customer records (account, organization, role)
  • Internet or network activity (server logs, product telemetry)
  • Professional or employment-related information (employer, job title)

Categories disclosed to subprocessors

The categories above are disclosed only to the subprocessors listed in Section 7 for the purposes stated.

Sale & sharing

We do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising. We have not done so in the preceding 12 months.

Sensitive Personal Information

We do not knowingly collect Sensitive Personal Information as defined under California or Virginia law and do not use it to infer characteristics about you.

Right to appeal

If we deny your rights request, you may appeal by replying to our denial. We will respond within 60 days. If you disagree with the appeal outcome, you may contact your state attorney general.

13. International users

BidFrame is operated from the United States and processes data in the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the U.S. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (and the UK Addendum, where applicable) as the lawful transfer mechanism. These clauses are incorporated into our Data Processing Agreement (see Section 14).

14. Data Processing Agreement

For customers acting as a data controller under GDPR, UK GDPR, or comparable law, BidFrame offers a Data Processing Agreement incorporating the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and a current subprocessor list. Request a DPA at privacy@bidframe.co. We countersign DPAs as part of standard onboarding for organizations that require one.

15. Vendor continuity

If BidFrame is acquired, ceases operations, or enters insolvency proceedings:

  • We will provide customers with at least 60 days' notice before any planned shutdown or material change in operations, where legally and practically feasible.
  • Customers will be able to export Customer Content during the notice period using the standard export functions (CSV, XLSX, HTML) and, on request, via a database extract.
  • In the event of insolvency, we will work with any trustee or successor to honor the export window before any data transfer.

16. Children

The Services are intended for business users and are not directed to children under 16. We do not knowingly collect Personal Information from children. If you believe a child has provided us information, contact us and we will delete it.

17. Changes

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" and "Version" markers at the top. For material changes, we will provide additional notice (for example, by email or an in-app notice) at least 30 days before the changes take effect, where practicable.

18. Contact

Questions, requests, complaints, or DPA requests:

Vismu LLC (BidFrame)
General privacy: privacy@bidframe.co
Security disclosures: security@bidframe.co