Privacy Policy
Effective Date: April 30, 2026 | Version 3.0
This Policy supersedes any prior version. Capitalized terms not defined here have the meanings given in the Terms of Use.
MNGC Group, Inc. ("MNGC", "we", "us") operates the FedBD platform at fedbd.ai (the "Service"). This Privacy Policy (the "Policy") describes how we collect, use, disclose, retain, secure, and otherwise process information when you or your organization use the Service. It applies in addition to, and is incorporated by reference into, our Terms of Use. By using the Service, you acknowledge this Policy.
1. Roles — Controller and Processor
- For information about your end users, your invitees, your Customer Data, and content you upload, MNGC acts as a processor (or, under CCPA, a service provider) on behalf of the Customer organization, which is the controller. The Customer determines the purposes and means of processing.
- For information we collect directly from account holders for our own purposes — such as billing records, login telemetry, support correspondence, marketing communications, and aggregated analytics — MNGC acts as a controller.
- If you require a Data Processing Agreement (DPA), one is available on written request to info@fedbd.ai.
2. Information We Collect
a) Account information
Name, email, organization name, organization type (Consultancy or Client), role, password hash (bcrypt), profile metadata, optional phone number and title.
b) Customer Data
Solicitations, RFP documents, capability statements, proposals, past performance, requirements, scoring inputs, teaming arrangements, evaluator notes, AI prompts and outputs, and any other content you upload or generate within the Service.
c) Pursuit and pipeline metadata
Pursuit titles, agencies, NAICS/PSC codes, deadlines, fit-score breakdowns, scorecard answers, capability matrix mappings, Compliance Matrix status, risk-heatmap entries, decision logs.
d) Billing and payments
Subscription tier, plan history, invoices, last four digits of payment instrument, country, billing email, Stripe customer ID, Stripe subscription ID. Full card numbers, CVCs, and bank credentials are never stored on our systems — they are handled exclusively by Stripe under PCI-DSS.
e) AI Credits ledger
Each AI call records the requesting user, organization, model used, input/output token count, estimated cost in cents, debit amount, and timestamp. The ledger is retained for billing, dispute, and forensics purposes.
f) BYOM keys
If you supply a third-party LLM provider API key, it is encrypted at rest using a symmetric Fernet key managed by MNGC and is never returned in cleartext through the API. We may store a fingerprint and provider/model identifier for routing.
g) Audit logs
Login, logout, session refresh, role changes, archive/delete actions, feature-flag toggles, billing events, AI Credits debits, and security-relevant events. Audit entries are immutable and may be retained for up to seven (7) years for security, legal, and compliance purposes.
h) Technical/usage data
IP address, user-agent, timestamps, pages visited, API calls made, error logs, performance metrics, request IDs, browser locale.
i) SAM.gov scouting metadata
If Sentinel is enabled, we store the criteria you configured, opportunities returned, daily call counts, and any user-supplied SAM.gov API key (encrypted at rest, treated as BYOM).
j) Communications
Support tickets, AI-drafted reply suggestions, feedback, feature requests.
3. How We Use Information
- Provide, operate, secure, and improve the Service, including AI Outputs you request;
- Authenticate users, enforce role-based access, and detect and prevent abuse, fraud, and security incidents;
- Process payments and manage Subscriptions and AI Credits via Stripe;
- Provide customer support and communicate with you about service-related matters;
- Comply with law, respond to lawful requests, and enforce our Terms of Use;
- Generate aggregated, de-identified, anonymized analytics to monitor platform health, model accuracy, and product performance, and for any other lawful business purpose;
- Send transactional and, where permitted, product-update emails. We do not sell your personal data and we do not use it for behavioral advertising.
4. Multi-Tenancy and Data Isolation
Every data record is tagged with an organization ID. API queries are filtered server-side by the caller's organization. There is no mechanism by which one organization may access another organization's data except through an explicit, opt-in invitation, as described below.
- Invited collaboration is opt-in. A Client organization may invite a Consultancy to collaborate. The invitation creates a record in `consultant_client_links`. From that point, the invited Consultancy may view, edit, and act on the inviting Client's pursuits, until either party revokes the link. Either party may revoke at any time. Invitations are at the organization level, not at the per-pursuit level.
- MNGC Super Admin access. A small number of MNGC employees with the Super Admin role have technical access to all customer organizations for support, security, abuse-investigation, and operational purposes. Super Admin access is logged in the audit trail and governed by internal policy. As of the effective date of this Policy, Super Admin access is held by two MNGC personnel.
- No cross-tenant AI training. Your Customer Data is never used to train, fine-tune, or otherwise improve any AI model accessible to any other tenant or any third party.
- Embeddings. Vector embeddings derived from your Customer Data are stored against your organization and are filtered by organization on every search. They are never aggregated across tenants.
5. AI and Machine-Learning Processing
Inference only — no global training
We use third-party AI models for inference (analysis and generation). Customer Data is NOT used to train any model that benefits any other party.
- Embedding model. The Service uses OpenAI's `text-embedding-3-small` model (or a successor model of comparable function) to convert your documents into vector embeddings used for similarity search and AI scoring.
- LLM providers. When you trigger AI Outputs, we route the request to one or more third-party large-language-model providers, including Anthropic (Claude family), Google (Gemini family), and OpenAI (GPT family). Routing is determined by the feature being invoked and configuration set at the platform or organization level.
- Routing channels. Calls are routed either (a) through the Emergent Universal LLM Key, which is MNGC's aggregator account with the providers, or (b) through your BYOM key if configured for your organization. We rely on the providers' published representations that prompts and outputs sent through API endpoints are not used to train their general-purpose models.
- What we send. To produce an AI Output, we may send to the chosen provider: prompt instructions, relevant excerpts of your Customer Data (e.g., requirements, capability text, RFP language), document metadata, and prior turns of conversation. We send only what is needed for the requested feature.
- Outputs. The provider returns generated text or structured data, which we present to you and may persist in your tenant for re-use, audit, and follow-up actions.
- Probabilistic output. AI Outputs are probabilistic and may contain inaccuracies, omissions, or fabrications. See Section 12 of the Terms of Use.
6. Sub-processors and Disclosure to Third Parties
We do not sell, rent, or trade personal information. We share information only with the following categories of recipients, under contractual obligations of confidentiality and security:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing | Billing email, payment instrument (held by Stripe), customer/subscription IDs |
| Anthropic PBC | LLM inference (Claude family) | Prompt + relevant Customer Data excerpts at time of call |
| Google LLC | LLM inference (Gemini family) | Prompt + relevant Customer Data excerpts at time of call |
| OpenAI, L.L.C. | LLM inference (GPT family); embeddings (text-embedding-3-small) | Prompt + Customer Data excerpts; document text used for embedding |
| Emergent Integrations | Universal LLM key broker for the foregoing providers | Pass-through of prompt content to the chosen provider |
| U.S. SAM.gov | Public federal opportunity data, scouted on your behalf when Sentinel is enabled | Search criteria you configure; query parameters |
| MongoDB Atlas (MongoDB, Inc.) | Managed database hosting | All Customer Data and platform records |
| Cloudflare, Inc. | CDN, DDoS protection, edge security | Request metadata, IP address, user-agent, request body in transit |
| Cloud / hosting providers | Compute and storage infrastructure for the Service | All data at rest and in transit through the platform |
An updated list of material sub-processors is available on request to info@fedbd.ai.
We may also disclose information (i) to comply with applicable law, valid legal process, or a government request; (ii) to enforce our Terms of Use, protect our rights or property, or investigate fraud, abuse, or security incidents; and (iii) in connection with a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, with notice to affected customers.
7. Data Retention and Deletion
- Documents and pursuit content. Each tenant has a configurable auto-purge retention period. The default is ten (10) days; the configurable minimum is three (3) days. Documents older than the configured period are automatically purged from active storage. You will receive in-product warnings two (2) days and one (1) day before scheduled deletion. Auto-purge can be disabled in tenant settings, in which case content persists until you delete it or your account is terminated.
- Archive vs delete. Pursuits placed into the "Archive" state are soft-deleted and preserved indefinitely (no auto-purge), unless and until you hard-delete them or the account is terminated. Archived data continues to count for storage purposes and remains accessible to authorized users in the originating tenant.
- Account data on termination. On termination of your Subscription, Customer Data is retained for up to thirty (30) days in active systems, during which you may submit a written export request. After that period, Customer Data may be deleted from active systems. Backups containing residual data may persist for up to ninety (90) additional days under standard backup-rotation policies.
- Audit logs and security records may be retained for up to seven (7) years for security, legal, and compliance purposes.
- AI Credits ledger and billing records are retained as long as required for tax, accounting, audit, and legal purposes (typically seven (7) years).
- Aggregated/anonymized analytics persist indefinitely, do not identify any individual or tenant, and are not subject to deletion requests.
- Stripe-held data is governed by Stripe's retention policies, not ours.
8. Security
We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction. Current controls include:
- Encryption in transit via HTTPS/TLS 1.2+ for all client-server traffic.
- Encryption at rest for the underlying database (MongoDB Atlas managed encryption) and for sensitive secrets, including BYOM API keys (Fernet-encrypted).
- Authentication. Passwords are hashed using bcrypt. JWT session tokens are issued via `HttpOnly; Secure; SameSite=None` cookies. The token bearer is not exposed to client-side JavaScript.
- Role-based access control (RBAC). Every API call is server-side gated by role and organization. Cross-tenant access is denied by default.
- Audit logging of authentication events, role changes, deletions, and billing actions.
- Stop-loss controls on autonomous-agent endpoints and AI-credit consumption to mitigate runaway use.
- Vendor diligence. Sub-processors are selected for and contractually bound by industry-standard security practices.
No system is perfectly secure. You are responsible for protecting your account credentials and for promptly notifying info@fedbd.ai of any suspected unauthorized access. To the extent any provision of applicable law requires us to notify you of a personal-data breach, we will do so as required by that law.
9. Cookies and Local Storage
- Essential cookies. A single first-party authentication cookie carrying a JWT session token (`HttpOnly; Secure; SameSite=None`) is used to keep you signed in. This cookie is essential for the Service to operate and is not subject to consent in jurisdictions that exempt strictly necessary cookies.
- Local storage. The Service uses browser `localStorage` only for non-sensitive UI state — for example, a cached profile snapshot to speed up page loads, feature-override flags, and recent navigation hints. Authentication tokens are not stored in `localStorage`.
- We do not use third-party advertising cookies. We do not participate in cross-site behavioral advertising networks.
- Cloudflare may set technical cookies (e.g., `__cf_bm`) used solely for bot management and security. These are also strictly necessary.
10. International Data Transfers
The Service is operated from the United States. Information you submit will be processed in the United States and may be processed in other countries where our sub-processors operate. By using the Service, you acknowledge and agree to the transfer of your information to the United States and other jurisdictions, which may have data-protection laws different from those of your jurisdiction. Where required, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses) for transfers from the European Economic Area, the United Kingdom, or Switzerland.
11. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — receive a copy of personal information we hold about you;
- Correction — request correction of inaccurate or incomplete information;
- Deletion — request deletion, subject to our retention obligations and legitimate-interest grounds;
- Restriction / Objection — restrict or object to certain processing, where applicable;
- Portability — receive personal information in a structured, commonly used, machine-readable format;
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal;
- Lodge a complaint — with a competent supervisory authority.
For Customer Data under our processor role, please direct rights requests to your organization (the controller). MNGC will assist controllers in responding to data-subject requests as required under applicable law.
California (CCPA/CPRA). California residents have the right to request disclosure of categories and specific pieces of personal information collected, sold, or shared in the prior 12 months; the right to deletion; the right to correct inaccurate information; the right to limit use of sensitive personal information; and the right to non-discrimination for exercising these rights. We do not sell or "share" (as defined under CPRA for cross-context behavioral advertising) personal information.
EEA / UK / Switzerland (GDPR / UK GDPR / FADP). Our legal bases for processing include performance of a contract, our legitimate interests in operating and improving the Service and securing it against abuse, your consent (where solicited), and compliance with legal obligations.
To exercise any right, contact info@fedbd.ai. We may need to verify your identity and the scope of your request before responding.
12. Children's Privacy
The Service is intended for business use by adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, please contact info@fedbd.ai and we will promptly delete it.
13. Marketing Communications
We may send you product-update emails. You can opt out at any time via the unsubscribe link in any commercial email or by contacting info@fedbd.ai. Transactional, billing, security, and service-critical emails are not opt-outable while you maintain an account.
14. Changes to this Policy
We may update this Policy from time to time. The effective date at the top will reflect the latest revision. Material changes will be notified in-product or by email. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
Contact
Contact: info@fedbd.ai
MNGC Group, Inc. Registered office available on written request to info@fedbd.ai. Notices may be served electronically; electronic delivery is sufficient under our Terms of Use.