Legal

Privacy Policy

Effective: July 2026 · Version 1.1 · Creaitor Labs EOOD (deflation.app)

1Data Controller

The data controller responsible for the processing of your personal data is: Creaitor Labs EOOD, trading as deflation.app. Registered address: bul. Knyaz Aleksandar Dondukov 79, Floor 7, Apt. 7, Sofia 1504, Bulgaria. ЕИК/VAT: 208832093. Contact: hello@deflation.app.

This Privacy Policy explains how we collect, use, store, and share your personal data when you use the deflation.app platform and related services. It complies with the EU General Data Protection Regulation (GDPR) and applicable Bulgarian data protection law.

2Data We Collect

Account Data: When you register, we collect your name, company name, email address, password (stored in hashed form), and subscription plan details.

Company Profile Data: During onboarding we collect your company description, industry, country, city, website, social media URLs and procurement email address.

Tender Data: For each tender you create we collect the description, quantities, specifications, delivery terms, location, budget range and any other information you provide.

Supplier and Offer Data: We collect information about suppliers identified through our platform (name, email, phone, website, country, public registry data) and the contents of any offers received in response to your tenders. This may include personal data of supplier representatives (such as a contact name and email). We process this on the basis of our and your legitimate interest in business-to-business procurement, and such individuals may exercise their rights as described in Section 8.

Email Correspondence Data: We store the content of RFQ, order, negotiation and reply emails exchanged between you and suppliers through the platform (including message subject, body and metadata) so we can parse offers and keep your correspondence in one place.

Price Comparison Data: When you use the price-comparison feature, we store the product link you paste, any barcode and description you enter, and the store listings, prices and trust scores we find.

Authentication Data: If you sign in with Google, we receive your name, email address and profile picture from Google to create and authenticate your account.

Payment Data: Payment is processed by Stripe, Inc. We do not store credit card numbers or full payment details. We retain transaction records including amounts, dates, and subscription status.

Usage Data: We collect information about how you use the platform, including pages visited, feature interactions, and session activity.

Technical Data: IP address, browser type and version, operating system, device type, referring URLs, and approximate geographic location.

Communications: If you contact us by email or through the platform, we retain those communications.

3Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases under Article 6 GDPR:

Contractual Necessity (Art. 6(1)(b)): Processing your account, company and tender data is necessary to provide the Services you have contracted for.

Legitimate Interests (Art. 6(1)(f)): We process technical and usage data to improve the platform, prevent fraud, ensure security, and conduct business analytics.

Consent (Art. 6(1)(a)): Where we send marketing communications, we rely on your freely given, specific, and informed consent. You may withdraw consent at any time.

Legal Obligation (Art. 6(1)(c)): We may process data to comply with applicable tax, accounting, and legal obligations.

4How We Use Your Data

To provide, maintain, and improve the Services.

To process payments and manage your subscription.

To identify suitable suppliers based on your tender requirements and to send RFQ emails on your behalf from your designated procurement email.

To parse, analyze and score supplier offers using AI.

To communicate with you regarding your account, subscription, service updates, and support requests.

To send you marketing communications, where you have consented to receive them.

To detect, prevent, and respond to fraud, abuse, and security incidents.

To comply with legal obligations and respond to lawful requests from authorities.

5Data Sharing and Third Parties

We do not sell your personal data. We share data only as described below:

We use the following sub-processors to provide the Services. Each is bound by a data processing agreement and appropriate safeguards:

Supabase, Inc.: Database and authentication infrastructure. Our primary database is hosted in the European Union (EU region).

Stripe, Inc.: Payment processing. Stripe's privacy policy is available at stripe.com/privacy.

Anthropic, PBC: AI processing for supplier identification, RFQ generation and offer analysis. Tender descriptions, supplier replies and offer text are processed by Anthropic's API.

Google LLC / Google Ireland Limited: AI processing via the Gemini API for the price-comparison feature (product and store data), and Google Sign-In authentication when you choose to log in with Google.

Resend, Inc.: Outbound and inbound email infrastructure used to send RFQs, order and negotiation emails, and to receive supplier replies on your behalf. Email content passes through Resend for delivery.

Vercel, Inc.: Platform hosting and deployment infrastructure.

Suppliers: When you create a tender, we send your tender description and contact information (your procurement email) to the suppliers identified for that tender. We do not share your account credentials or personal identifiers beyond what is necessary for the RFQ.

Legal Authorities: We may disclose data to competent authorities where required by applicable law, court order, or to protect deflation.app's legal rights.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections.

6International Data Transfers

Our primary database (Supabase) is hosted within the European Union. However, some of our service providers (including Stripe, Anthropic, Google, Resend and Vercel) are located in, or process data in, the United States. In particular, content you submit for AI processing (tender text, supplier replies, and price-comparison product data) is transferred to Anthropic and Google in the United States.

When we transfer your personal data outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and the providers' data processing agreements.

By using the Services, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, including the United States.

7Data Retention

Account, company and tender data are retained for the duration of your subscription and for five (5) years thereafter, or as required by applicable law.

Payment and transaction records are retained for ten (10) years to comply with Bulgarian and EU accounting and tax obligations.

Supplier data, email correspondence and historical offers are retained as part of your vendor history and records so long as your account is active.

Upon account deletion, we delete your account and all associated data — including company profile, tenders, suppliers, offers, email correspondence and price comparisons — within thirty (30) days, except where retention is required by law.

8Your Rights

Under GDPR and applicable Bulgarian law, you have the following rights regarding your personal data:

Right of Access (Art. 15): You may request a copy of the personal data we hold about you.

Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17): You may request deletion of your data in certain circumstances.

Right to Restriction (Art. 18): You may request that we restrict processing of your data.

Right to Data Portability (Art. 20): You may request your data in a structured, machine-readable format.

Right to Object (Art. 21): You may object to processing based on legitimate interests.

Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at hello@deflation.app. We will respond within thirty (30) days. You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) at www.cpdp.bg.

9Cookies and Tracking

We use technically necessary cookies to maintain your session and authentication state. These cookies are essential for the platform to function and do not require consent.

We do not currently use advertising cookies, tracking pixels, or cross-site tracking technologies. If this changes, we will update this Policy and obtain your consent where required.

10Security

We implement commercially reasonable technical and organizational measures to protect your personal data, including encrypted data transmission (TLS), hashed password storage, access controls, and row-level security on our database.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR.

11Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or platform notification at least fourteen (14) days before taking effect.

12Contact

For any privacy-related questions, requests, or concerns, please contact: Creaitor Labs EOOD (deflation.app), bul. Knyaz Aleksandar Dondukov 79, Floor 7, Apt. 7, Sofia 1504, Bulgaria. ЕИК/VAT: 208832093. Email: hello@deflation.app.

© 2026 Creaitor Labs EOOD, trading as deflation.app. ЕИК/VAT: 208832093. This Privacy Policy was last updated in July 2026.