Privacy Policy
TedScout is a tool for finding EU public procurement notices. We collect only what is necessary to operate the service. We do not sell your data, show you ads, or share your information with third parties except as required to deliver the service.
1. Who we are
TedScout is operated by the operator of TedScout ("we", "us", "our"). Our service is accessible at tedscout.eu. For privacy matters, contact us at privacy@tedscout.eu.
2. What data we collect
We collect the minimum data necessary to operate TedScout:
- Account data — email address, bcrypt-hashed password, company name, subscription plan, and account creation date.
- API credentials — we store only the SHA-256 hash of your API key, never the raw key.
- Company profile — if you choose to save a profile (company description, CPV codes, operating countries, contract value preferences), this is stored to power automatic tender matching.
- Usage logs — each MCP tool call is logged with tool name, timestamp, success/failure status, and response latency. No query content or results are stored.
- Watchlists — saved search configurations (CPV codes, countries, keywords, notification preferences) that you create.
- OAuth tokens — hashed refresh tokens for AI assistant connections. Access tokens are stored in Redis with a 90-day expiry.
- Payment data — billing is handled entirely by Creem.io. We store only your subscription plan and Creem subscription ID. We never see or store payment card details.
3. How we use your data
- To authenticate you and provide access to the service.
- To run your saved watchlists and send tender alert emails.
- To personalise tender matching using your saved company profile.
- To enforce subscription plan limits (request rate limiting).
- To analyse usage patterns in aggregate to improve the service.
- To send transactional emails (account verification, watchlist alerts, billing notifications). We do not send marketing email without your explicit consent.
4. Legal basis for processing (GDPR)
We process your personal data on the following legal bases under GDPR Article 6:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the service you have signed up for.
- Legitimate interests (Art. 6(1)(f)) — usage logging for security monitoring, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)) — where required by applicable law.
5. Data storage and security
All data is stored on servers located in Nuremberg or Frankfurt, Germany (Hetzner Online GmbH), within the European Union. Hetzner is ISO 27001 certified.
Security measures include:
- All connections encrypted with TLS 1.2/1.3.
- Passwords stored as bcrypt hashes (never plaintext).
- API keys stored as SHA-256 hashes (never plaintext).
- Database not directly accessible from the internet.
- SSH access restricted to key-based authentication.
6. Data retention
- Account data — retained for the duration of your account and deleted within 30 days of account closure.
- Usage logs — retained for 12 months, then deleted.
- Watchlist matches — retained for 90 days after match date.
- OAuth access tokens — expire after 90 days in Redis.
- OAuth refresh tokens — expire after 180 days.
- Email verification tokens — expire after 24 hours.
7. Third-party services
We use the following third-party services to operate TedScout:
- Hetzner Online GmbH (Germany) — server infrastructure and hosting.
- Creem.io — payment processing. Creem handles all payment card data under their own privacy policy.
- Postmark / Brevo — transactional email delivery (account verification, watchlist alerts). Only your email address and the content of system emails are transmitted.
- Anthropic PBC — the summarize_tender and draft_bid_outline tools call the Anthropic API. Tender notice content is sent to Anthropic's API to generate summaries. No personal data is included in these requests.
- TED (Tenders Electronic Daily) — EU procurement data source, operated by the Publications Office of the European Union. All tender data retrieved is public.
We do not sell, rent, or share your personal data with any third party for their own marketing purposes.
8. Your rights (GDPR)
As a data subject under GDPR, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure — request deletion of your account and associated data.
- Portability — request your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Restriction — request that we restrict processing in certain circumstances.
To exercise any of these rights, email privacy@tedscout.eu. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
9. Cookies
TedScout uses a single session cookie (tsdash_session) to keep you logged into the dashboard. This cookie is strictly necessary for the service to function. It is HttpOnly, Secure, and SameSite=Lax. No tracking, advertising, or analytics cookies are used.
10. Children
TedScout is a business service not directed at children. We do not knowingly collect personal data from anyone under 16 years of age.
11. Changes to this policy
We may update this policy as the service evolves. Material changes will be communicated by email to registered users. The effective date at the top of this page will always reflect the most recent version.
12. Contact
For any privacy-related questions or to exercise your rights:
- Email: privacy@tedscout.eu
- Web: tedscout.eu