Privacy Policy

Effective date: June 27, 2022.


Light RFP — Privacy Policy

Effective date: August 22, 2025
Applies to: lightrfp.com (the "Website"), platform.lightrfp.com (the "Platform"), and related services offered by Light RFP, Inc. ("Light RFP," "we," "us," or "our").

Plain‑language highlights

  • We run a B2B procurement platform for real estate teams. We collect business contact details and RFP/RFQ content you choose to upload, plus technical data (cookies, logs) to keep the service secure and reliable.
  • We use data to provide and improve the Platform (e.g., scope creation, vendor curation, and bid leveling features), to communicate with you, and to comply with law.
  • For AI features, we use a mix of in‑house models and vetted third‑party model providers under agreements that prohibit using your content to train their foundation models. You can opt out of AI processing for specific projects where feasible.
  • You can access, correct, export, or delete certain data. Depending on where you live, you may have additional rights.
  • We don't sell your personal information. We share information with service providers under strict contracts.
  • This policy explains what we collect, how we use it, how long we keep it, and how to contact us.

This summary is for convenience only; the full policy controls.


1) Who we are & scope

This Privacy Policy describes how Light RFP, Inc. processes information when you:

  • Visit lightrfp.com (marketing site) or interact with our emails and ads;
  • Use platform.lightrfp.com (the Platform), including creating or responding to RFPs/RFIs, uploading documents, configuring vendor lists, or making payments; or
  • Communicate with our sales, success, or support teams.

This policy does not apply to third‑party websites, apps, or services linked from our properties. Their policies govern.

Controller vs. Processor. For Website data and our own business operations, we act as an independent controller. For content that customers upload to the Platform (e.g., RFPs, contracts, vendor data), we usually act as a processor/service provider to that customer (the "Customer"), who remains the controller of that content. Our processing as a processor is further governed by our Data Processing Addendum (DPA) and the Customer's instructions.


2) Information we collect

A. Information you provide

  • Account & profile data (name, work email, role, company, phone, password, preferences)
  • Customer content (RFP/RFQ text, scopes of work, assessments, bid sheets, files, drawings, photos, contracts, messages, comments)
  • Vendor information (firmographics, licenses, insurance certificates, references, capabilities, pricing submissions)
  • Payment & billing data (billing contact, business address, PO/POC, tax/VAT IDs; cardholder or bank details are collected and processed by our PCI‑compliant payment processor; we do not store full card or bank numbers)
  • Support & sales communications (survey responses, troubleshooting information, call/meeting notes, recordings if disclosed)

B. Information we collect automatically

  • Usage & device data (IP address, device/browser type, language, time zone, referring/exit pages, URLs, feature interactions, crash reports)
  • Cookies and similar technologies (see Cookies section). We use necessary cookies for login/session security and analytics/marketing cookies with consent where required.

C. Information from third parties

  • Service providers (fraud prevention, enrichment, customer support, analytics)
  • Public sources (business registries, public profiles, government license databases)
  • Marketplaces/Integrations you connect (e.g., SSO provider, cloud storage, accounting/payments platform)

3) How we use information

We use information to:

  1. Provide the Platform (create/manage accounts, host projects, route RFPs, enable vendor onboarding, payments, notifications)
  2. Power AI‑assisted features (scope creation, vendor curation, bid leveling, summarization, document extraction)
  3. Secure and maintain the services (fraud/misuse detection, debugging, incident response, monitoring uptime and performance)
  4. Communicate with you (transactional emails/SMS, service changes, updates, onboarding, training)
  5. Support & improve the services (usage analytics, user research, product development)
  6. Personalize content and experiences (e.g., recommended vendors or templates, subject to your settings)
  7. Comply with law and enforce agreements (including billing, audits, disputes)

AI & automated decision‑making.

  • We use AI models to generate or summarize content and to rank or match vendors to an RFP. These features assist human decision‑makers; they do not replace your judgment. You can review, edit, or override AI outputs.
  • Where we rely on third‑party model providers, we configure and contractually require them not to use your content to train their foundation models. If a provider cannot meet this requirement, we will not share your content with that provider without your explicit permission.
  • You can request that specific projects be excluded from AI processing where feasible (may limit functionality).

Legal bases (EEA/UK/Switzerland). Where applicable, we rely on: (i) contract necessity (to provide the services); (ii) legitimate interests (e.g., security, product improvement, B2B marketing); (iii) consent (where required for cookies/marketing); and (iv) legal obligations.


4) How we share information

We do not sell personal information. We share:

  • Service providers / processors (hosting, storage, security, email/communications, analytics, payments, KYC/AML where applicable, AI model providers used under strict terms)
  • Customer‑authorized sharing (e.g., inviting collaborators, sharing RFPs with vendors)
  • Corporate transactions (merger, acquisition, financing, or sale of assets)
  • Legal & safety (to comply with law, enforce terms, or protect rights and safety)

We require service providers to use information only to perform services for us, to protect it, and to delete or return it when no longer needed.


5) Payments

We use third‑party payment processors to handle card and ACH payments. These processors are responsible for the collection and processing of payment data and are contractually required to protect it and comply with applicable standards (e.g., PCI DSS). We receive limited payment metadata (e.g., last four digits, card type, expiration month/year, transaction result) for recordkeeping and fraud prevention.


6) Data retention

We retain information for as long as necessary to provide the services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods:

  • Account profile & audit logs: retained while the account is active and for up to 24 months after closure, unless a longer period is required by law or your contract
  • Customer content (RFPs, files, bids): retained per your workspace settings and contract; by default for the life of the workspace and 12–24 months after termination for audit, unless you request earlier deletion where feasible
  • Marketing records: until you opt out, or for 24 months from last interaction
  • Cookies: per cookie type (see Cookies section)

We may anonymize data and use it indefinitely in aggregate form.


7) Security

We implement administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, least‑privilege access controls, secrets management, logging/monitoring, and employee training. No system is perfectly secure; you are responsible for maintaining the confidentiality of your credentials and promptly notifying us of any suspected compromise.


8) International data transfers

We are based in the United States and may transfer information to the U.S. and other countries with different data‑protection laws. Where required, we use appropriate safeguards for cross‑border transfers, such as the EU Standard Contractual Clauses and the UK Addendum, and implement supplementary measures as needed.


9) Your rights and choices

Depending on your location, you may have rights to request:

  • Access to a copy of your personal information
  • Correction of inaccurate data
  • Deletion (erasure) of certain data
  • Restriction or objection to certain processing
  • Portability of certain data
  • Opt‑out of marketing communications and of targeted advertising/"sharing" or certain profiling

If we process your information as a processor on behalf of a Customer, we will redirect your request to that Customer and support them in responding.

How to exercise your rights. Submit a request at cyrus@lightrfp.com (or via in‑product settings). We may need to verify your identity. You can opt out of marketing by using the "unsubscribe" link in our emails.

Appeals (certain U.S. states). If we deny a request, you may appeal by replying to our decision email. If you remain unsatisfied, you may contact your state attorney general.

EEA/UK. You may lodge a complaint with your local supervisory authority.


10) Cookies & similar technologies

We use:

  • Strictly necessary cookies (authentication, security, fraud prevention)
  • Functional cookies (preferences)
  • Analytics cookies (usage statistics, performance)
  • Advertising cookies (only with consent where required)

You can manage preferences via our cookie banner and your browser settings. Blocking cookies may impact functionality. We respond to Global Privacy Control (GPC) signals where required by law.


11) Do Not Track

Some browsers offer "Do Not Track" (DNT). We do not currently respond to DNT signals because there is no industry standard for doing so. We will update this policy if that changes.


12) Children's privacy

Our services are intended for business users and are not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact cyrus@lightrfp.com and we will take appropriate action.


13) Third‑party links & integrations

Our properties may contain links to third‑party sites and allow integrations (e.g., SSO, cloud storage, accounting/payments). Your use of those services is governed by their terms and privacy policies.


14) Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you (e.g., by email or in‑app notice) and update the "Effective date" above. Your continued use of the services after the effective date constitutes acceptance of the updated policy.


15) Contact us

Light RFP, Inc.
214 W 39th St Suite 705
New York, NY 10018
Email: cyrus@lightrfp.com
For EEA/UK inquiries: [If applicable, name and contact of EU/UK representative]
Data Protection Officer (if applicable): cyrus@lightrfp.com


16) Regional notices

California (and other U.S. state laws)

Depending on your state (e.g., CA, CO, CT, UT, VA, and others with similar laws), you may have rights to know/access, correction, deletion, and portability, and to opt out of the "sale" or "sharing" of personal information and certain profiling for targeted advertising. We do not sell personal information. We may "share" identifiers and internet activity with advertising/analytics partners when you consent to advertising cookies. You may toggle these settings via our cookie banner or by contacting us at cyrus@lightrfp.com with the subject line "State Privacy Request."

Categories collected (last 12 months): identifiers (name, email, phone), commercial information (workspace and plan), internet/network activity (usage logs), geolocation (approximate, from IP), professional/employment information (role, company). We disclose these categories to service providers and, with consent, to advertising/analytics partners. We retain information as described in Data retention.

Sensitive information. We do not seek to collect sensitive personal information. If you provide it (e.g., on a form), we will use it only for the limited purposes allowed by law.

Non‑discrimination. We will not discriminate against you for exercising your privacy rights.

EEA/UK/Switzerland

Controller: For Website data and our own business operations, Light RFP, Inc. is the controller. For Customer content, Light RFP acts as processor to the Customer.

Transfers: We rely on appropriate safeguards (e.g., SCCs) for transfers to the U.S. and other countries.

Your rights: access, rectification, erasure, restriction, objection, portability, and the right to withdraw consent at any time (without affecting processing before withdrawal). You also have the right to lodge a complaint with your data‑protection authority.


17) Subprocessors & disclosures

We maintain a current list of subprocessors (hosting, storage, email, analytics, AI model providers, payments, customer support) at https://www.lightrfp.com/legal/subprocessors. We will provide notice of material changes as required by our DPA.


18) Data Processing Addendum (summary)

For Customer contracts that include our DPA:

  • We process personal data only on documented instructions, subject to confidentiality and security obligations.
  • We assist with data‑subject requests, DPIAs, and incident notifications.
  • We restrict international transfers via SCCs/UK Addendum where applicable.
  • We flow down equivalent protections to subprocessors and remain responsible for them.
  • Upon termination, we delete or return Customer personal data, subject to limited retention obligations.

19) AI processing disclosures (additional detail)

  • Sources: Customer‑provided content, vendor records, and permitted third‑party data.
  • Purposes: Drafting scopes, summarizing proposals, extracting fields from documents, suggesting vendors, and bid comparisons.
  • Human oversight: Users can review and edit all AI outputs; automated rankings are advisory.
  • Training: We configure third‑party model providers, where applicable, not to use Customer content to train their foundation models. Aggregated, de‑identified statistics may be used to improve model performance and platform quality.
  • Opt‑out: Workspace owners can request project‑level opt‑outs where feasible by contacting cyrus@lightrfp.com. Feature parity may be reduced.

20) How to reach our privacy team

Questions or requests? Email cyrus@lightrfp.com. Security researchers can reach us at cyrus@lightrfp.com.


Legal note: This policy is provided for informational purposes and does not constitute legal advice. Privacy laws evolve quickly; please consult your counsel to tailor the final version and to confirm state‑specific or industry‑specific requirements (e.g., financial services, public sector).