Steinlog
Privacy Policy
Last updated: 21 June 2026
This policy describes how Steinlog — a service for preparing bids in EU public construction procurement — processes the personal data of users of the application available at steinlog.dagodigital.com. Persistent data is stored exclusively in data centres within the European Union.
1. Data controller
The data controller is Dago Digital Michał Walpole-Skwarczyński, a sole proprietorship registered in Poland (the CEIDG business register), at ul. Prezydenta Lecha Kaczyńskiego 10E/11, 80-373 Gdańsk, Poland. NIP 9570839810, EU VAT PL9570839810.
For data-protection matters: michal@dagodigital.com, phone +48 789 360 379. We have not appointed a data protection officer; please use the address above for any GDPR matter.
2. What data we process and why
- Account and authentication — name, business email, hashed password and organisation membership; to create and operate your account, sign in and provide the service.
- Uploaded content — tender documents, bills of quantities, attachments and other bid materials, which may contain personal data; to provide the bid-room, readiness-gate and signing features.
- Consortium collaboration — information about who shared what, and a provenance log (audit log); for traceability and evidence.
- X-ray search — text from your uploaded documents is processed for hybrid search (embeddings) and AI answers within the relevant bid.
- Communications and notifications — email address and message content; to handle requests, invitations, sign-in links and service notices.
- Technical data and security — IP address, timestamps and event logs; to ensure security, integrity and diagnostics.
3. Legal bases (GDPR)
- Art. 6(1)(b) GDPR — performance of the service contract and pre-contractual steps;
- Art. 6(1)(f) GDPR — our legitimate interest: security and integrity of the service, managing the B2B relationship, and establishing or defending legal claims;
- Art. 6(1)(c) GDPR — legal obligations (including tax and accounting).
4. Data within your documents — processing on your behalf
Personal data contained in the documents you upload (e.g. your employees, consortium partners or subcontractors) is processed on your behalf and on your instructions. To that extent you remain the controller and Steinlog acts as a processor within the meaning of Art. 28 GDPR, under a data-processing agreement we provide on request at michal@dagodigital.com.
5. Sub-processors and recipients
We use trusted providers acting on our behalf. We do not sell personal data. Current list of sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and delivery | USA / EU |
| Neon Inc. | Hosted database (accounts, tender content) | EU |
| Amazon Web Services (Amazon SES, Amazon S3) | Transactional email and file storage | EU |
| Cloudflare, Inc. | Object storage and real-time collaboration | EU |
| Mistral AI | OCR / text extraction from documents | France (EU) |
| Voyage AI | Document embeddings for search | USA |
| xAI (Grok) | AI answers in X-ray search | USA / EU |
6. Where data is stored and transfers
All persistent data — database and uploaded files — is stored exclusively in data centres within the EU. Our database (Neon) and file storage (Cloudflare R2, Amazon S3) are pinned to EU regions.
Some AI features (search embeddings and AI answers) use providers that may process data outside the EEA (including in the USA). These providers process the data only to return a result; the results we retain are stored in our EU database. Such transfers rely on appropriate safeguards under Art. 46 GDPR — primarily the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
7. Retention
We keep data no longer than necessary: account and content data for the duration of use and a reasonable period afterwards; billing data for statutory retention periods; security logs for a limited period. When an account is deleted we erase or anonymise the data unless the law requires us to keep it.
8. Cookies
The website uses no analytics or advertising cookies. The application uses only a strictly necessary session cookie for sign-in and account operation, which requires no consent. We use no third-party tracking tools.
9. Your rights
You have the right to:
- access your data and obtain a copy,
- rectification, erasure or restriction of processing,
- object to processing based on legitimate interest,
- data portability,
- lodge a complaint with a supervisory authority — the Polish authority (PUODO, ul. Stawki 2, 00-193 Warsaw) or the authority where you live or work.
To exercise your rights, write to michal@dagodigital.com.
10. Security
We apply technical and organisational measures appropriate to the risk, including transport encryption, organisation-based access control and separation of data between the parties to a bid. More on our approach: steinlog.dagodigital.com/security.
11. Changes
We may update this policy. The version published on this page, with its date, is the one that applies.