Privacy Policy
Effective Date: March 04, 2026
1. Introduction
Welcome to BiedFabriek. We are committed to protecting your personal data and your right to privacy.
This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.
BiedFabriek is operated by DAXT B.V., a company registered in the Netherlands. We comply with the
General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Information
- Basic Profile Data: Name, email address, phone number, profile picture
- Preferences: Language/locale settings, timezone, notification preferences
- Authentication Data: Email verification status, one-time password (OTP) tokens, passkey credentials (WebAuthn public keys)
2.2 Company Information
- Company legal details and registration information
- Business certifications and qualifications
- Company location and equipment details
- User roles within companies (owner, admin, manager, member)
2.3 Business Activity Data
- RFQs (Requests for Quotation): Content, line items, attached files and documents
- Bids: Bid submissions, pricing, scoring data
- Communications: Messages and conversations between companies
- Reviews and Ratings: Feedback on transactions and partnerships
- Orders: Order details, status tracking, and fulfillment information
- Projects: Project data and project items
2.4 Usage and Activity Data
- Activity logs of significant events (RFQ creation, bids received, messages, etc.)
- Onboarding and tour progress tracking
- Filter preferences and saved filter presets
- Session data and last active timestamps
2.5 Technical Data
- Session information (encrypted, 120-minute lifetime)
- Login tokens and remember tokens
- IP addresses (for security and authentication purposes)
3. How We Use Your Data
We use your personal data for the following purposes:
3.1 Service Provision
- Creating and managing your account
- Facilitating RFQ creation, bid submissions, and business matching
- Enabling communication between buyers and suppliers
- Processing orders and managing projects
- Providing real-time notifications and updates
3.2 Authentication and Security
- Verifying your identity through email OTP or passkey authentication
- Protecting your account from unauthorized access
- Preventing fraud and abuse
- Rate limiting to prevent automated attacks
3.3 Business Operations
- Processing payments and managing subscriptions through Stripe
- Syncing data with your ERP system (Exact Online) when authorized
- Generating analytics on RFQ metrics, spend analysis, and performance
- Calculating cost savings and bid win rates
3.4 Service Improvement
- Using AI (OpenAI GPT-4o) to enhance supplier search and RFQ analysis
- Using Google Custom Search for supplier discovery
- Analyzing usage patterns to improve user experience
- Tracking feature adoption and onboarding completion
3.5 Communication
- Sending transactional emails (authentication, notifications, updates)
- Providing customer support
- Sending important service announcements
4. Legal Basis for Processing
Under GDPR, we process your personal data based on the following legal grounds:
- Contractual Necessity (Article 6(1)(b)): Processing necessary to provide our services to you
- Legitimate Interests (Article 6(1)(f)): Analytics, service improvements, fraud prevention, and security
- Consent (Article 6(1)(a)): Optional features like advanced AI analysis, where you've given explicit consent
- Legal Obligation (Article 6(1)(c)): Tax compliance, accounting requirements, and legal record-keeping
5. Third-Party Services and Data Processors
We share your data with the following trusted third-party service providers:
5.1 Payment Processing
Stripe: We use Stripe for payment processing and subscription billing.
Stripe processes your payment information according to their
Privacy Policy.
5.2 Artificial Intelligence
OpenAI (GPT-4o): We use OpenAI's AI services for supplier search and RFQ analysis.
We track token usage and costs for transparency. Data sent to OpenAI is processed according to their
Privacy Policy.
5.3 Search Functionality
Google Custom Search: We use Google's search API for supplier discovery.
Search queries are processed according to Google's
Privacy Policy.
5.4 ERP Integration
Exact Online: When you authorize the connection, we sync quotations, orders, projects,
and company data with your Exact Online account. This integration is optional and requires your explicit consent.
5.5 Email Delivery
We use SMTP email services to deliver transactional emails such as authentication codes and notifications.
5.6 Real-Time Communication
Laravel Reverb: We use WebSocket technology for real-time notifications and messaging within the platform.
Note on International Data Transfers: Some of our service providers (OpenAI, Google, Stripe)
may process data outside the European Union. These transfers are protected by Standard Contractual Clauses
and other appropriate safeguards as required by GDPR.
6. Data Storage and Security
6.1 Storage
- Database: PostgreSQL with encryption at rest
- Sessions: Encrypted database storage with 120-minute lifetime
- Files: Secure local filesystem for RFQ attachments, logos, and documents
- Cache: Database-based caching for performance
6.2 Security Measures
- bcrypt password hashing with 12 rounds
- WebAuthn passwordless authentication support
- Session encryption with HTTP-only cookies
- CSRF (Cross-Site Request Forgery) protection
- Rate limiting on authentication endpoints
- HTTPS encryption in production
- Soft deletes for user and company data (recovery possible)
- Regular security audits and updates
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you services.
Specifically:
- Active Accounts: Data is retained while your account is active
- Deletion Requests: You can request deletion of your data at any time
- Legal Requirements: Some data may be retained longer to comply with legal obligations (e.g., tax records, accounting)
- Session Data: Session data expires after 120 minutes of inactivity
- OTP Tokens: One-time passwords expire after 10 minutes
8. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
8.1 Right to Access (Article 15)
You can request a copy of all personal data we hold about you.
8.2 Right to Rectification (Article 16)
You can update or correct your personal data through your account settings or by contacting us.
8.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data. We will comply unless we have legal grounds to retain it.
8.4 Right to Restriction of Processing (Article 18)
You can request that we limit how we use your data in certain circumstances.
8.5 Right to Data Portability (Article 20)
You can request your data in a structured, machine-readable format to transfer to another service.
8.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
8.7 Automated Decision-Making (Article 22)
We use AI to assist with supplier matching and RFQ analysis. These are assistive tools only;
final decisions are always made by humans. You have the right to human review of any AI-assisted decisions.
How to Exercise Your Rights:
To exercise any of these rights, please contact us at
info@biedfabriek.nl.
We will respond within 30 days as required by GDPR.
9. Cookies and Tracking
We use the following cookies:
- Session Cookies: Essential for authentication and maintaining your logged-in state
- Security Cookies: CSRF tokens for protecting against cross-site attacks
- Preference Cookies: Remembering your language, timezone, and UI preferences
We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
All cookies are first-party and essential for service functionality.
10. Children's Privacy
BiedFabriek is intended for business use only. We do not knowingly collect personal data from
individuals under 16 years of age. If you believe we have collected data from a minor,
please contact us immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
We will notify you of significant changes by:
- Updating the "Effective Date" at the top of this policy
- Sending an email notification to your registered email address
- Displaying a prominent notice on the platform
Your continued use of BiedFabriek after changes become effective constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices,
please contact us:
13. Supervisory Authority
You have the right to lodge a complaint with the Dutch Data Protection Authority
(Autoriteit Persoonsgegevens) if you believe we have not handled your data properly:
This Privacy Policy is compliant with GDPR and applicable Dutch data protection laws.