Legal · last updated 24 May 2026

Privacy Policy

This policy explains what personal data Tanax Edge collects, why, and how you can exercise the rights GDPR gives you over it.

1. Data controller

Tanax Edge (Tanax, the “Operator”) is the data controller for the personal data described below. Contact: [email protected].

2. What we collect

  • Account data: email, organisation name, country, role. Provided by you at signup or via the URL-onboarding hook.
  • Capability profile: industries, certifications, turnover band, past projects. Provided by you to tune match scoring.
  • Usage telemetry: feature events (which brief you viewed, which tender you saved). Used to improve the product and surface quotas / billing.
  • Cookies: a single session cookie for authentication. We do not run third-party analytics by default.
  • IP address: logged for rate-limiting on public endpoints (URL-onboarding hook); retained for 30 days then dropped.

3. Why we process it

Legal basis is contract performance (delivering the service you signed up for) for account + capability data; legitimate interests (security, abuse prevention) for IP / rate-limit logs; consent for any optional analytics, where applicable.

4. Subprocessors

We use the following subprocessors. Each operates under a written data-processing agreement and (for non-EU vendors) Standard Contractual Clauses.

Vendor | Purpose | Region
Anthropic | LLM-powered brief generation, chat, and pricing extraction | United States
Resend | Transactional email delivery (digests, magic links) | United States / EU
Cloudflare | CDN, edge caching, DDoS protection | Global
Hetzner | Application hosting (Postgres, FastAPI) | Germany
Supabase | Authentication (magic-link / OAuth) | EU (eu-central-1)

5. Your GDPR rights

  • Right of access — request a copy of the data we hold.
  • Right to rectification — correct inaccurate data.
  • Right to erasure — delete your account and data.
  • Right to data portability — export in a machine-readable format.
  • Right to object / restrict processing.
  • Right to lodge a complaint with your local supervisory authority.

To exercise any right, email [email protected]. We respond within 30 days.

6. Retention

Account + capability data: retained while the account is active, deleted within 30 days of closure. Billing records: retained as required by tax law (10 years). Public-page IP logs: 30 days.

7. Security

Data in transit is TLS-encrypted. Database access is restricted to named application roles enforcing row-level security. Backups are encrypted at rest. We disclose any data breach affecting personal data to affected users within 72 hours of discovery.

8. Changes

Material changes to this policy are announced by email at least 14 days before they take effect.