Privacy Policy

Last Updated: October 2025

This Privacy Policy explains how CoSHA ("we," "us," or "our") collects, uses, discloses, and protects information when you access or use CoSHA's Bid Management System (the "Service"). If you use the Service on behalf of a company or organization ("Company"), this Policy applies to your use as an authorized user under that Company account.

By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please do not use the Service.

1. OVERVIEW OF OUR PRIVACY PRACTICES

We are committed to protecting your privacy and handling your data responsibly. Here are the key principles that guide our practices:

• We do not sell your personal information to third parties, ever.

• We do not use your data for advertising. We do not engage in cross-context behavioral advertising or ad targeting.

• We do not train public AI models on your data. Your Content is not used to train third-party AI models.

• You control your data. You can access, correct, export, and delete your information, subject to legal and contractual obligations.

• We use trusted service providers. Third parties process data only on our behalf under strict contractual protections.

2. INFORMATION WE COLLECT

We collect the following categories of information, depending on how you and your Company use the Service:

Category | Information Collected

Account Information | Name, business email address, hashed password, Company association, role(s), account preferences, and profile settings

Authentication Data | Session identifiers, login timestamps, authentication tokens, security cookies, and password reset tokens

Usage & Device Data | Application interaction logs, feature usage patterns, approximate geographic location (derived from IP address), browser type and version, operating system, device characteristics, timestamps, and diagnostic information

Project & Bid Data | Project names, descriptions, status information, bid amounts, timelines, summaries, contractor details, submission dates, and related metadata

Documents & Files | PDFs, word processing documents, spreadsheets, images, and other files you upload; file names, sizes, types, upload dates; extracted text content (including OCR processing of scanned documents and images)

Communications | In-app notification metadata, support ticket communications, email addresses, email delivery status and engagement data from our email service provider

AI-Generated Content | AI-generated analyses, summaries, comparisons, recommendations, chat responses, prompts you provide, and associated metadata (timestamps, user ID, feature used)

Note: We collect information directly from you when you create an account, upload documents, or use features. We also collect information automatically through your use of the Service (such as usage logs and device data).

3. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

3.1 To Provide and Operate the Service

• Authenticate users and manage access based on roles and permissions

• Store and manage your projects, bids, documents, and notes

• Process and display documents, including OCR text extraction

• Enable search functionality across your Content

• Deliver in-app notifications and communications

3.2 To Provide AI-Powered Features

• Generate analyses, summaries, and comparisons of your authorized data

• Provide AI chat and question-answering functionality

• Process prompts and relevant context to deliver requested AI outputs

3.3 To Maintain Security and Prevent Abuse

• Detect and prevent fraud, unauthorized access, and security threats

• Monitor for violations of our Terms of Use and Acceptable Use Policy

• Maintain audit logs for security and compliance purposes

• Protect the rights, property, and safety of our users and the Service

3.4 To Improve and Develop the Service

• Analyze usage patterns to improve performance, features, and user experience

• Troubleshoot technical issues and provide customer support

• Conduct internal research and development

• Create de-identified, aggregated analytics and benchmarks

3.5 To Communicate With You

• Send transactional emails (password resets, account notifications, bid updates)

• Respond to your inquiries and support requests

• Notify you of important changes to the Service, Terms, or this Policy

3.6 To Comply With Legal Obligations

• Respond to lawful requests from government authorities

• Enforce our Terms of Use and other agreements

• Comply with applicable laws, regulations, and legal processes

4. LEGAL BASIS FOR PROCESSING (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

4.1 Contractual Necessity

Processing is necessary to deliver the Service to your Company and to you as an authorized user under your Company's subscription agreement.

4.2 Legitimate Interests

We have legitimate business interests in: (a) operating and improving the Service; (b) ensuring security and preventing fraud; (c) conducting internal analytics in a B2B context; and (d) providing customer support. We balance these interests against your privacy rights and do not use your data in ways you would not reasonably expect.

4.3 Consent

Where required by law, we obtain your consent for optional features or processing activities. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

4.4 Legal Obligations

We process data when necessary to comply with legal obligations, such as responding to valid legal requests or regulatory requirements.

5. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information. We share your information only in the limited circumstances described below:

5.1 Service Providers

We share information with trusted third-party service providers who process data on our behalf under written contracts that require them to protect your information and use it only for specified purposes:

• Cloud Storage: Google Cloud Storage (file storage and object storage)

• Database Hosting: Neon Postgres (managed database services)

• Email Delivery: SendGrid (transactional email delivery and status tracking)

• AI Processing: OpenAI and Claude.ai (large language model processing limited to authorized context for AI features)

• Infrastructure & Monitoring: Hosting platforms and monitoring services (application logs, performance monitoring, error tracking)

5.2 Within Your Company

Information you create or upload is accessible to other authorized users within your Company account based on role-based permissions configured by your Company administrator.

5.3 Legal Requirements

We may disclose information if required by law, legal process, or government request, or if we believe in good faith that disclosure is necessary to: (a) comply with legal obligations; (b) protect our rights or property; (c) prevent fraud or abuse; or (d) protect the safety of users or the public.

5.4 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the Service of any change in ownership or use of your information.

5.5 With Your Consent

We may share your information for other purposes with your explicit consent or at your direction.

6. INTERNATIONAL DATA TRANSFERS

The Service is operated globally, and information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data from the EEA, UK, or Switzerland to countries that have not been determined to provide adequate data protection, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities

• Data Processing Addenda (DPA) with service providers that include appropriate data transfer mechanisms

• Other legally approved transfer mechanisms as permitted by applicable law

For more information about our data transfer mechanisms, please contact us at tracy@cosha.us.

7. DATA RETENTION

We retain your information for as long as necessary to provide the Service, fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

Data Type | Retention Period

Account Information | Duration of contract plus 7 years, or as required by law

Session & Security Logs | Approximately 12-18 months, unless longer retention is required for security investigations

Projects, Bids & Documents | Duration of contract plus 7 to 10 years, or as agreed with your Company or required by law

AI Outputs & OCR Text | Same as the associated project or document; deleted when source Content is deleted

Backup Copies | Rolling 30 to 90 days; automatically deleted after this period

Deletion Criteria: We determine retention periods based on: (a) the nature and sensitivity of the data; (b) the purposes for which we collected it; (c) legal, regulatory, tax, or accounting requirements; (d) contractual obligations; and (e) legitimate business needs.

Early Deletion: Data may be deleted earlier if requested by authorized Company administrators, subject to legal holds, litigation preservation requirements, or regulatory obligations.


8. YOUR RIGHTS AND CHOICES

Depending on your jurisdiction and role, you may have the following rights regarding your personal information:

8.1 Access and Portability

You have the right to request access to the personal information we hold about you and, in some cases, receive a copy in a commonly used, machine-readable format.

8.2 Correction and Update

You can update your account information directly through the Service settings. For other corrections, you may contact your Company administrator or us at tracy@cosha.us.

8.3 Deletion

You may request deletion of your personal information. Please note that: (a) your Company administrator may need to authorize certain deletions; (b) we may retain information as required by law or for legitimate business purposes; and (c) deletion may affect your ability to use the Service.

8.4 Restriction and Objection

You may request that we restrict processing of your personal information or object to certain types of processing (such as processing based on legitimate interests), subject to legal and contractual limitations.

8.5 Withdraw Consent

Where we process your information based on consent, you may withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.

8.6 Lodge a Complaint

If you are in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

8.7 How to Exercise Your Rights

To exercise any of these rights, please:

• Contact your Company administrator (who may be the data controller for your information); or

• Email us directly at tracy@cosha.us with your request

We will verify your identity before processing requests and will respond within the time required by applicable law (typically 30 days, which may be extended by an additional 30 days for complex requests).

9. SECURITY MEASURES

We take the security of your information seriously and implement technical, administrative, and physical safeguards designed to protect it from unauthorized access, disclosure, alteration, and destruction. Our security measures include:

• Encryption: Data in transit is encrypted using TLS (Transport Layer Security); data at rest is encrypted using industry-standard encryption methods

• Authentication: Session-based authentication with secure cookies; passwords are hashed using bcrypt

• Access Controls: Role-based access controls; company-scoped authorization checks; principle of least privilege

• Storage Security: Object storage access controls; server-proxied file downloads; no direct client access to storage

• Monitoring: Security logging and monitoring; anomaly detection; regular security assessments

• Vendor Security: Third-party service providers are evaluated for security practices and bound by data protection agreements

Important: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we strive to use commercially reasonable measures to protect your information.
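The following is an added illustration, not CoSHA's own code, of the two controls listed under Access Controls and Storage Security above: a company-scoped authorization check that runs before a server-proxied file download, so that the client never receives a storage key or a direct bucket URL. The user roles, record layout, sample files and audit-log shape are assumptions made for the example.

```python
# Added example (not CoSHA's code): company-scoped authorization in front of a
# server-proxied download. Roles, records and sample data are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class User:
    id: str
    company_id: str
    role: str  # assumed roles: "admin", "member", "viewer"


@dataclass(frozen=True)
class StoredFile:
    id: str
    company_id: str
    object_key: str  # key in the private bucket; never handed to the client


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data standing in for the database and the private bucket.
FILES: Dict[str, StoredFile] = {
    "f-100": StoredFile("f-100", "acme", "acme/bids/bid-100.pdf"),
    "f-200": StoredFile("f-200", "globex", "globex/bids/bid-200.pdf"),
}
BUCKET: Dict[str, bytes] = {
    "acme/bids/bid-100.pdf": b"%PDF-1.7 acme bid",
    "globex/bids/bid-200.pdf": b"%PDF-1.7 globex bid",
}
AUDIT_LOG: List[Tuple[str, str, str]] = []  # (user_id, file_id, outcome)

DOWNLOAD_ROLES = {"admin", "member", "viewer"}


def authorize_download(user: User, file_id: str) -> StoredFile:
    """Return the file record only if it belongs to the caller's company.

    A file owned by another company is reported exactly like a missing file,
    so a caller cannot probe which ids exist outside its own tenant.
    """
    record = FILES.get(file_id)
    if record is None or record.company_id != user.company_id:
        AUDIT_LOG.append((user.id, file_id, "denied:not-found-or-foreign"))
        raise NotFound(file_id)
    if user.role not in DOWNLOAD_ROLES:
        AUDIT_LOG.append((user.id, file_id, "denied:role"))
        raise Forbidden(user.role)
    AUDIT_LOG.append((user.id, file_id, "allowed"))
    return record


def proxied_download(user: User, file_id: str) -> bytes:
    """The server fetches the object and returns its bytes; the object key
    and the bucket itself stay server-side."""
    record = authorize_download(user, file_id)
    return BUCKET[record.object_key]


if __name__ == "__main__":
    alice = User("u-1", "acme", "member")
    print(proxied_download(alice, "f-100"))
    try:
        proxied_download(alice, "f-200")
    except NotFound:
        print("cross-company request denied")
```

The tenant check is done against the record looked up by id, not against anything the client supplies about its company, and the deny-as-not-found response keeps file ids from serving as an existence oracle across companies.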

10. CHILDREN'S PRIVACY

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us immediately at tracy@cosha.us, and we will take steps to delete such information.

If we learn that we have collected personal information from a child without proper parental consent, we will delete that information as quickly as possible.

11. AI AND OCR DISCLOSURES

11.1 AI-Generated Content

AI outputs (analyses, summaries, comparisons, chat responses) are generated using probabilistic machine learning models and may contain errors, inaccuracies, omissions, or inconsistencies. You should verify AI outputs before relying on them for important decisions. AI outputs are provided for informational purposes only and do not constitute professional advice.

11.2 OCR Text Extraction

OCR (Optical Character Recognition) accuracy varies depending on document quality, formatting, layout, and language. Always verify extracted text against original source documents before relying on it for critical decisions.

11.3 No Training on Your Data

We do not use your Content to train publicly available AI models. When we use third-party AI processors (such as OpenAI), they are contractually configured not to use your data for their own model training purposes.

11.4 AI Processing Context

When you use AI features, we transmit your prompts and the minimum necessary context from your authorized Content to third-party AI processors. This processing is limited to fulfilling your specific request and is subject to data protection agreements.

12. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar technologies (such as localStorage) to provide and improve the Service. Cookies are small text files stored on your device that help us recognize you and remember your preferences.

Important: We use cookies and similar technologies (e.g., localStorage) for authentication, session continuity, and security purposes only. We do not use them for analytics or advertising. All session data and authentication tokens are cleared when you log out.

12.1 What We Collect and Why

Essential Cookies and localStorage: Required for authentication, session management, and core security functionality. These store session tokens and authentication state to keep you logged in and protect your account. These cannot be disabled without preventing use of the Service.

Functional Preferences: Remember your user interface preferences and settings to enhance your experience across sessions.

12.2 Data Cleared on Logout

When you log out of the Service, we automatically clear your session cookies, authentication tokens, and related localStorage data. This ensures your session cannot be accessed after logout.
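As an added example, not CoSHA's own code, the following shows what makes the statement above hold in practice: clearing cookies and localStorage removes only the browser's copy of the session, so a logout handler must also discard the session record on the server, otherwise a cookie value captured earlier would still resolve to the user. The session store layout, cookie name, attributes and TTL are assumptions for the illustration.

```python
# Added example (not CoSHA's code): a logout that ends the session server-side
# and then instructs the browser to clear its copies. Store layout, cookie name
# and TTL are assumptions.
import secrets
import time
from typing import Dict, List, Optional, Tuple

SESSIONS: Dict[str, dict] = {}  # server-side store: session id -> record
COOKIE = "session"
ATTRS = "Path=/; HttpOnly; Secure; SameSite=Lax"


def create_session(user_id: str, ttl_seconds: int = 3600,
                   now: Optional[float] = None) -> Tuple[str, List[Tuple[str, str]]]:
    """Issue a random session id and the Set-Cookie header that carries it."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy; not guessable
    SESSIONS[sid] = {"user_id": user_id, "expires": now + ttl_seconds}
    headers = [("Set-Cookie", f"{COOKIE}={sid}; {ATTRS}; Max-Age={ttl_seconds}")]
    return sid, headers


def resolve_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Map a presented cookie value to a user id; None if unknown or expired."""
    now = time.time() if now is None else now
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if record["expires"] <= now:
        SESSIONS.pop(sid, None)  # lazy expiry of stale records
        return None
    return record["user_id"]


def logout(sid: str) -> List[Tuple[str, str]]:
    """Invalidate on the server first, then tell the browser to clear its copies."""
    SESSIONS.pop(sid, None)  # from here on the old cookie value resolves to nobody
    return [
        # Overwrite the cookie with an immediately expiring one.
        ("Set-Cookie", f"{COOKIE}=; {ATTRS}; Max-Age=0"),
        # Ask the browser to drop cookies and DOM storage (localStorage
        # included) for this origin, where the header is supported.
        ("Clear-Site-Data", '"cookies", "storage"'),
    ]


if __name__ == "__main__":
    sid, _ = create_session("u-1")
    print(resolve_session(sid))   # u-1
    logout(sid)
    print(resolve_session(sid))   # None
```

The order matters: the server-side record is removed before the response headers are sent, so even if the client ignores the clearing headers the captured value is already dead.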

12.3 Your Cookie Choices

Most browsers allow you to refuse cookies or delete existing cookies. However, disabling essential cookies will prevent you from using the Service. You can manage your cookie preferences through your browser settings. Note that clearing your browser's localStorage will also log you out of the Service.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:

• Update the "Last Updated" date at the top of this Policy

• For material changes: provide notice through the Service, by email, or by posting a prominent notice on our website at least thirty (30) days before the changes take effect

• For non-material changes (clarifications, formatting): the updated Policy may take effect immediately

Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated Policy. If you do not agree to the changes, you must discontinue use of the Service.

14. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

14.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share information.

14.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, fraud prevention, security, etc.).

14.3 Right to Correct

You have the right to request correction of inaccurate personal information.

14.4 Right to Opt-Out

We do not sell or share your personal information for cross-context behavioral advertising. If our practices change, we will provide an opt-out mechanism.

14.5 Right to Non-Discrimination

You have the right to non-discriminatory treatment for exercising your CCPA/CPRA rights. We will not deny service, charge different prices, or provide a different quality of service based solely on your exercise of privacy rights.

14.6 How to Exercise California Rights

To exercise these rights, email us at tracy@cosha.us with "California Privacy Request" in the subject line. We will verify your identity before processing your request and respond within 45 days (which may be extended by an additional 45 days for complex requests).

14.7 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We will require proof of authorization and may need to verify your identity directly.

15. OTHER U.S. STATE PRIVACY RIGHTS

Residents of certain U.S. states (including Virginia, Colorado, Connecticut, Utah, and others with comprehensive privacy laws) have rights similar to those described in Section 14 (California Privacy Rights). To exercise these rights, please contact us at tracy@cosha.us.

We will honor privacy rights requests consistent with applicable state laws and respond within the timeframes required by law.

16. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company Legal Name: CoSHA

Registered Address: 211 N. Union Street, Suite 100, Alexandria, VA 22314

Email: tracy@cosha.us

END OF PRIVACY POLICY