BidReady AI is built for construction teams that need clear data provenance, tenant isolation, and predictable controls. Here's exactly how we handle your projects — in plain language.
- TLS encryption: in transit, end-to-end
- No model training: on your data, ever
- Per-project isolation: ownership enforced
- You're in control: export & delete anytime
Last updated: June 2026
The commitments we design every feature around.
TLS is enforced end-to-end between your browser, our functions, and Google Cloud. Data at rest is encrypted by Google Cloud.
Your documents and prompts are used to answer your questions only. We don't sell your data or use it to train models.
Every project has an owner. Ownership and team access are re-checked in security rules and in every server function.
Secrets live in server-side environment config — never in the client bundle. Viewer/editor roles limit what teammates can do.
We keep lean operational logs for reliability and abuse prevention. Share endpoints are rate-limited and PIN-validated.
Answers carry citations back to the source page, with a manual-verification prompt — so you can check the AI, not just trust it.
Where your data lives and what processes it.
Cloud: Google Cloud / Firebase — Authentication for sign-in, Cloud Firestore for projects and messages, Firebase Storage for uploaded files, and Cloud Functions for server-side processing.
AI model: Google Gemini powers chat, compliance audits, and extracts. Prompts are constructed server-side with citation and guardrail instructions.
Storage: Original files are kept in Firebase Storage; extracted text is stored per project in Firestore so audits and extracts stay fast and scoped.
Isolation: Project ownership is enforced by Firestore security rules and independently re-verified inside every callable and HTTPS function.
What we keep, for how long, and why.
Retention: Projects, messages, files, and extracted text remain in your workspace until you delete them. Deleting a project removes its associated data.
Share links: Time-bound tokens stored in Firestore, with an optional PIN (stored hashed, never in plaintext) and rate-limited validation.
Exports: PDF/CSV/JSON exports are generated on demand. Personal names and contact details are redacted from exports by default.
Usage data: We track page and feature usage to enforce plan limits and improve reliability — not to profile you or sell to third parties.
The controls behind the principles above.
Authentication: Firebase Auth; every server function re-checks identity and project ownership.
Transport: TLS enforced for all client, function, and storage traffic.
Secrets: Managed in Cloud Functions environment configuration; no secrets shipped in client bundles.
Abuse protection: Share endpoints are rate-limited with PIN validation; quota-aware retries handle provider spikes.
Access roles: Viewer and editor roles scope what team members can see and change on shared projects.
Infrastructure: Runs on Google Cloud, which maintains ISO 27001, SOC 2/3, and PCI DSS certifications for its platform.
The third parties that process data to deliver the service.
| Provider | Purpose |
|---|---|
| Google Cloud / Firebase | Hosting, authentication, database, file storage, serverless functions |
| Google Gemini API | AI inference for chat, audits, and extracts |
| Stripe | Subscription billing & payment processing |
| Email delivery (SMTP) | Transactional emails (invites, notifications) via Firebase Extensions |
We don't sell data or share it with advertisers. Payment card data is handled entirely by Stripe — it never touches our servers.
What you can do today, right from the app.
Delete anytime: Remove projects, files, and their extracted data on demand.
Export your work: Generate PDF, CSV, or JSON reports whenever you need them.
PIN-protect shares: Add a PIN and rely on expiring tokens for any link you share.
Control team access: Assign viewer/editor roles per shared project on Team plans.
Running a security or procurement review? We're happy to walk through architecture, data flows, and our compliance roadmap. If you've found a vulnerability, please report it responsibly and give us a reasonable window to remediate before any public disclosure.