Privacy Policy
Effective date: March 1, 2025
1. Introduction
i-landing ("we", "our", or "us") operates a multi-tenant B2B procurement platform accessible at i-landing.com, app.i-landing.com, and portal.i-landing.com.
This Privacy Policy explains what personal data we collect when you use our platform, why we collect it, how we use and protect it, and what rights you have over your data. It applies to all users of our services: buyers (procurement teams), suppliers, and any other visitors to our marketing site.
By creating an account or using our services you agree to this policy. If you do not agree, please do not use i-landing.
2. Information We Collect
Account Information
When you register, we collect:
- First and last name
- Business email address
- Password (stored as a one-way bcrypt hash — we never store your plain-text password)
- Phone number (optional, used for account recovery)
Organization Information
When you create or join an organization on our platform, we collect:
- Organization name and description
- Business address, city, province/state, and postal code
- Phone and fax numbers
- Timezone preference
Procurement & Bid Data
As part of using the procurement workflow, we store:
- Bids and requests for quote/proposal/information (RFQ, RFP, RFI) that you create, including titles, descriptions, deadlines, and attachments
- Supplier contact information you add to your supplier database (name, email, phone, category)
- Supplier responses, pricing submissions, and uploaded files
- Evaluation scores, criteria, and comments
- Invitation records and audit activity logs
Usage & Technical Data
We collect certain technical data automatically when you use our platform:
- IP address (used for rate limiting, fraud prevention, and audit logging)
- Browser user-agent string
- Pages viewed and actions taken (bid created, invitation sent, file downloaded) stored in our activity log
- Session timestamps
We do not use third-party analytics services such as Google Analytics. Usage data is stored only in our own infrastructure.
3. How We Use Information
We use the information we collect for the following purposes:
- Providing the service. Operating accounts, processing bids, routing invitations to suppliers, storing and retrieving uploaded documents.
- Authentication and security. Issuing and validating signed JSON Web Tokens (JWTs), detecting suspicious login attempts, and enforcing per-organization data isolation.
- Billing and subscriptions. Linking your account to a Stripe customer record for plan management and payment processing.
- Transactional email. Sending bid invitations, account invitations, password reset links, and system notifications via SendGrid.
- Customer support. Responding to support requests submitted to [email protected].
- Platform improvement. Analyzing aggregate usage patterns to prioritize features and improve reliability. This analysis is performed on our own data — we never share individual-level data with third parties for analytics.
- Legal compliance. Retaining records as required by applicable law and responding to lawful requests from public authorities.
We will never sell your personal data or use it to serve you advertising.
4. Data Storage & Security
Database
All structured data — accounts, organizations, bids, supplier records, and evaluation data — is stored in a managed PostgreSQL database. The database is encrypted at rest and access is restricted to application servers via private networking. Each organization's data is logically isolated: every database query is scoped to the authenticated organization's ID, and cross-tenant access is blocked at the application layer.
File Storage
Uploaded files (bid documents, supplier attachments, NDA documents) are stored in Cloudflare R2, an S3-compatible object storage service. All files are encrypted at rest. Files are accessed exclusively through time-limited presigned URLs generated per request — the storage bucket itself is never publicly accessible.
Authentication Tokens
We use a self-hosted JWT authentication system (no third-party identity provider). Access tokens are short-lived (15 minutes) and signed with RS256. Refresh tokens are opaque UUIDs stored server-side in our database with a 7-day expiry; they rotate on each use. On the client side, access tokens are held in memory only, and refresh tokens are stored in browser localStorage. We do not use session cookies for authentication.
Transport Security
All traffic between your browser and our servers is encrypted with TLS 1.2 or higher. API endpoints are served exclusively over HTTPS.
Access Controls
Internal access to production systems is restricted to authorized personnel using the principle of least privilege. Our team members do not access customer data except when necessary to resolve a support request, and only with the account holder's consent or as required by law.
5. Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We share data only in the limited circumstances described below.
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing & subscription management | Email address, organization name, billing address. We do not store credit card numbers — Stripe tokenizes all payment details. |
| SendGrid | Transactional email delivery | Recipient email address and name for bid invitations, account notifications, and password reset emails. |
| Cloudflare | File storage (R2) & network infrastructure | Uploaded files (bid documents, attachments). Cloudflare acts as a data processor under its DPA. |
| Cloud hosting provider | Server infrastructure for the application and database | All data stored in our database, subject to server-level encryption. |
We may also disclose data when required by law, court order, or to protect the rights, property, or safety of i-landing, our users, or the public. In such cases we will notify affected users unless legally prohibited from doing so.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide you with our services. Specific retention periods:
- Account data: Retained while your account is active. When you delete your account, personal identifiers are removed within 30 days. Anonymized aggregate records (such as bid counts for billing history) may be retained longer.
- Bid and procurement data: Retained for the life of the organization account. Deleted organization data is purged within 60 days of account closure.
- Uploaded files: Deleted from Cloudflare R2 within 30 days of the associated bid or attachment being deleted, or within 60 days of account closure.
- Activity logs: Retained for 12 months for security and audit purposes, then deleted.
- Authentication tokens: Refresh tokens expire after 7 days. Expired tokens are purged automatically by our database cleanup job.
- Billing records: Retained for 7 years as required by applicable tax and accounting regulations.
You may request earlier deletion of your personal data at any time by contacting us at [email protected]. See Section 8 for your full rights.
8. Your Rights
Depending on where you are located, you may have some or all of the following rights regarding your personal data. We honor these rights for all users regardless of jurisdiction.
Access
You have the right to request a copy of the personal data we hold about you.
Correction
You have the right to request that we correct inaccurate or incomplete data. You can update most account and organization fields directly in the platform settings.
Deletion (Right to be Forgotten)
You have the right to request deletion of your personal data. We will honor this request within 30 days, subject to our legal retention obligations (e.g., billing records).
Portability
You have the right to receive your data in a structured, machine-readable format. You can export your bids, supplier database, and evaluation data directly from the platform at any time.
Restriction
You have the right to request that we limit how we process your data in certain circumstances.
Objection
You have the right to object to processing of your personal data where we are relying on a legitimate interest as the legal basis.
Opt-out of sale (CCPA)
We do not sell personal data. California residents therefore have nothing to opt out of. We will never sell your data.
To exercise any of these rights, please email [email protected] from the email address associated with your account. We will respond within 30 days. If you are located in the European Economic Area (EEA) or United Kingdom, you also have the right to lodge a complaint with your local data protection authority.
9. International Data Transfers
i-landing is incorporated in Canada and primarily serves customers in North America. Our infrastructure is hosted in data centers located in Canada and the United States.
If you are accessing our platform from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to and processed in Canada or the United States. Canada has received an adequacy decision from the European Commission for commercial organizations under PIPEDA. For transfers to the United States (via Stripe, SendGrid, and Cloudflare), we rely on Standard Contractual Clauses (SCCs) or the sub-processors' own adequacy frameworks.
By using i-landing, you consent to the transfer of your information to these countries, which may have different data protection rules than your country.
10. Children's Privacy
i-landing is a B2B procurement platform intended solely for use by businesses and their employees. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that a minor has provided us with personal data, we will take steps to delete that information as quickly as possible. If you believe a minor has submitted data to us, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the effective date at the top of this page.
For material changes — those that meaningfully affect how we use your personal data — we will notify you by email at least 14 days before the change takes effect. Your continued use of i-landing after the effective date constitutes acceptance of the updated policy.
We encourage you to review this page periodically. Previous versions of this policy are available upon request.
12. Contact
If you have any questions, concerns, or requests related to this Privacy Policy or your personal data, please reach out to us:
i-landing Privacy Team
Email: [email protected]
Website: i-landing.com
We aim to respond to all privacy-related inquiries within 30 days. For EU/UK data subjects, we will respond within the 30-day period required by the GDPR.
Last updated: March 1, 2025