Privacy Policy
Effective Date: July 1, 2026
This privacy policy describes how SoulMen Tech LLC ("we", "us", or "our"), operating the VendorReady compliance verification tool, collects, uses, and stores information when a subcontractor company ("Customer", "you") uses the product to prepare tender submission documents for review.
We are committed to protecting your privacy in compliance with applicable data protection regulations, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021) and the General Data Protection Regulation (GDPR).
1. Who This Covers
This policy applies to all registered users, reviewers, and representatives of subcontractor companies utilizing our platform to analyze and verify subcontractor tender submission packages.
2. What We Collect
To provide our service, we collect the following categories of information:
- Account and Profile Information: Name, business email address, company affiliation, and login credentials.
- Uploaded Documents: Trade licenses, VAT certificates, chamber of commerce certificates, ISO certificates, HSE policy manuals, audited financial statements, bank letters, lease agreements, ICV certificates, and professional competency certificates uploaded for compliance analysis. These documents may contain sensitive fields such as corporate names, registration numbers, financial figures, IBANs, signatures, and corporate stamps.
- System-Generated Metadata: Extracted field values (e.g., expiry dates, TRN numbers, ISO standards), compliance findings, confidence scores, and historical audit logs recording which user verified or approved each finding.
- Platform Usage Logs: Actions taken within the workspace, checklist templates used, upload timestamps, and performance metrics.
We do not collect this information for any purpose beyond providing, maintaining, and improving the document compliance-verification service.
3. How We Use Your Information
We process your data strictly to perform our contract with you, specifically to:
- Route, classify, and extract metadata from uploaded compliance packages.
- Check extracted details against selected buyer portal checklists (e.g., ADNOC, DEWA, or custom client requirement packs).
- Compile readiness reports and highlight missing, expired, or non-compliant documents.
- Keep a detailed audit ledger (recording overrides, approvals, and decisions by named users) to meet enterprise auditing standards.
- Deliver automated alerts for upcoming document expiries if configured by your account.
- Monitor pipeline latency, model performance, and system health to prevent service disruption.
We do not sell your personal or corporate data, and we do not use your uploaded documents or extracted content to train AI models.
4. Subprocessors and Third-Party Providers
To deliver the service, we utilize the following third-party providers (subprocessors):
| Subprocessor | Purpose | Location | Data Protection Guarantee |
|---|---|---|---|
| Google Gemini API | AI-assisted classification and metadata extraction | United States / global endpoints | Standard Gemini API paid terms apply: prompts and files are not used for model training or product improvement, but they may be logged and cached in countries where Google or its agents operate. No Google Cloud DPA or regional residency guarantees are active in the default configuration. (Can be configured by admins to route through Google Cloud Vertex AI for full Google Cloud DPA and regional data residency guarantees). |
| Cloudflare (R2 Object Storage) | Encrypted document storage | Western Europe / Middle East | Encrypted at rest (AES-256) with access limited to short-lived pre-signed URLs (15-min TTL). |
| Supabase / PostgreSQL | Storage of metadata, user profiles, and audit trails | Western Europe / Middle East | High-availability PostgreSQL database with strict tenant isolation. |
| Resend | Delivery of system alerts and expiry emails | United States / European Union | Enterprise-grade transactional email delivery. |
For customers under strict data sovereignty requirements, we offer dedicated regional database and storage deployments upon request.
5. Retention and Deletion Policy
Uploaded files, extracted metadata, and readiness findings are stored to enable your reviews and compliance tracking. Completed or errored review runs and their associated files are automatically deleted after 90 days (configurable per tenant).
You can also delete any review session, document, or personal data immediately from your account dashboard at any time. When a review is deleted, the files are deleted from storage and all database references are pruned permanently.
6. Security Measures
We implement robust administrative, technical, and physical safeguards:
- Data Encryption: All files are encrypted at rest using AES-256 and in transit using TLS 1.3.
- Tenant Isolation: Every database query is strictly partitioned by your tenant ID, resolved and verified on every request before it reaches application code.
- Malware Screening: Every upload is checked for disguised executable signatures and the EICAR test signature. When a ClamAV daemon is configured (`CLAMAV_HOST`/`CLAMAV_PORT`), every file is additionally streamed to it for full payload-level threat screening. In production, uploads are rejected outright (fail closed) if ClamAV is not configured or is unreachable — a production deployment cannot silently run without malware screening. (A fail-open convenience mode exists for local development only, gated by `ALLOW_UNSCANNED_UPLOADS=true`, and has no effect in production.) The signature-only checks above are not a substitute for real antivirus scanning on their own; see `docs/DEPLOYMENT_CHECKLIST.md` for production configuration.
- Credential Protection: User passwords are securely hashed using Node.js scrypt and sessions are protected by signed, HTTP-only, SameSite-lax cookies.
7. Your Rights
Under the UAE PDPL and GDPR, you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of any inaccurate or incomplete data.
- Right to Deletion: Request the deletion of your personal data when it is no longer needed.
- Right to Restriction: Request restriction of processing under specific circumstances.
- Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to Object: Object to the processing of your data based on legitimate interests.
To exercise any of these rights, please contact our Data Protection Officer at privacy@soulmen.ae.
8. Policy Updates
We may update this policy periodically to reflect operational, legal, or regulatory changes. We will notify you of any material changes by posting the updated policy on our platform and, where feasible, sending an email notification or displaying an in-app banner.
9. Contact Us
If you have questions about this Privacy Policy or our data handling practices, please contact us:
- Email: privacy@soulmen.ae
- Mailing Address: SoulMen Tech LLC, Dubai Internet City, Dubai, United Arab Emirates