Privacy Policy

Last updated: February 22, 2026 | Version 2.0

At a Glance

  • Who we are: Daliio is an AI-powered procurement platform registered in Israel.
  • What we collect: Account information, procurement data you upload, and usage analytics.
  • AI and your data: Your data is NOT used to train our AI models unless you give separate, explicit written consent.
  • Data residency: Application data is stored in the region you select (default: United States).
  • We do not sell your data. We never sell personal information to third parties.
  • Your rights: You can access, correct, delete, or port your data at any time.
  • Security: ISO 27001 certified with AES-256 encryption at rest and TLS 1.2+ in transit.
  • Contact: privacy@daliio.com for any privacy-related inquiries.

1. Introduction and Scope

This Privacy Policy describes how Daliio ("Daliio," "we," "us," or "our"), a company registered in Israel, collects, uses, discloses, and protects information in connection with our AI-powered procurement platform and related services (collectively, the "Service").

This policy applies to:

  • The Daliio platform accessible at daliio.com and all associated subdomains
  • All related services, APIs, and integrations
  • All users, including individual users, enterprise customers, and government agency users

Controller and Processor roles: Daliio acts as a data processor for Customer Data (procurement documents, evaluation data, and other content uploaded by customers) and as a data controller for Personal Data collected through our website, platform registration, and support interactions.

Enterprise and government customers may request a Data Processing Agreement (DPA) that governs our processing of Customer Data. Please contact privacy@daliio.com for details.

2. Definitions

"Personal Data" (or "Personal Information") means any information relating to an identified or identifiable natural person, as defined under GDPR and applicable data protection laws.

"Customer Data" means procurement documents, RFP content, bid submissions, evaluation criteria, vendor information, contract data, and any other content uploaded to or created within the Service by customers.

"Processing" means any operation performed on Personal Data or Customer Data, including collection, storage, use, analysis, disclosure, and deletion.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Controller" means the entity that determines the purposes and means of processing Personal Data.

"Processor" means the entity that processes data on behalf of a Controller.

"Sub-processor" means a third party engaged by Daliio to process Customer Data or Personal Data on behalf of our customers.

"AI Features" means the artificial intelligence and machine learning capabilities of the Service, including document analysis, scoring, evaluation, and recommendation features.

3. Information We Collect

3.1 Information You Provide Directly

  • Account registration data: Name, email address, phone number, job title, and organization name
  • Procurement data: RFP documents, bid submissions, evaluation criteria, vendor information, and contract data uploaded to the platform
  • Communication data: Support tickets, contact form submissions, demo requests, and feedback
  • Payment and billing information: Processed through our third-party payment processor; Daliio does not store full payment card details

3.2 Information Collected Automatically

  • Device and browser information: User agent, IP address, device type, operating system, and browser version
  • Usage data: Features used, pages visited, session duration, and interaction patterns
  • Log data: Access logs, error logs, and API call logs for security and operational purposes
  • Cookies and similar technologies: See Section 13 for details

3.3 Information from Third Parties

  • Single sign-on (SSO) providers: If your organization uses federated authentication, we receive basic profile information from your identity provider
  • Integration partners: If the platform integrates with your ERP or procurement systems, we may receive data necessary to perform the integration
  • Publicly available business information: Company details from public registries and business databases to enrich vendor profiles

5. How We Use Your Information

  • Service delivery: Provide and maintain the AI-powered procurement platform, process uploaded documents, generate analysis and scoring, and deliver evaluation results.
  • AI-powered features: Analyze uploaded procurement documents to generate scoring, evaluations, and recommendations within your workspace. See Section 6 for details on AI data practices.
  • Security and integrity: Detect and prevent fraud, unauthorized access, and abuse; maintain system integrity; perform vulnerability management.
  • Communication: Send transactional emails (account confirmations, system alerts, security notifications) and respond to support requests.
  • Service improvement: Analyze aggregate, de-identified usage patterns to improve platform features and performance. Individual customer data is not used for this purpose without consent.
  • Legal compliance: Comply with applicable laws, respond to legal processes, and enforce our terms of service.
  • Marketing (with consent only): Send promotional communications about new features or services. You can opt out at any time via the unsubscribe link in any marketing email.

6. AI and Machine Learning Transparency

6.1 How AI Features Use Your Data

Our AI features analyze Customer Data (such as RFPs, proposals, and bids) to provide scoring, evaluation, and recommendations. This processing occurs within your organization's isolated workspace.

Customer Data is NOT used to train, improve, or fine-tune Daliio's AI models unless you provide separate, explicit written consent.

6.2 Third-Party AI Providers

Certain AI features are powered by third-party large language model providers. When Customer Data is transmitted to these providers for processing:

  • Data is encrypted in transit using TLS 1.2 or higher
  • We maintain data processing agreements with all AI model providers
  • AI model providers are contractually prohibited from retaining Customer Data or using it for model training
  • Processing is performed in accordance with our sub-processor obligations (see Section 15)

6.3 Automated Decision-Making

Our AI provides recommendations and analysis to assist procurement decisions but does not make binding procurement decisions autonomously. Human review is always part of the decision-making process. You have the right to request human review of any AI-generated output.

6.4 Opt-Out

Customers can opt out of specific AI features while continuing to use the core platform. Enterprise and government customers can configure AI feature availability at the organization level. Contact your account manager or privacy@daliio.com to adjust AI feature settings.

7. Information Sharing and Disclosure

7.1 Circumstances of Disclosure

  • With customer authorization: Sharing within your organization as directed by your account administrator
  • Service providers and sub-processors: With third parties under written data processing agreements with equivalent data protection obligations (see Section 15)
  • Legal requirements: In response to lawful requests from government authorities, subpoenas, court orders, or to comply with applicable laws
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with commitment to maintain equivalent data protections and advance notification to affected customers
  • Aggregated and de-identified data: We may share aggregate, anonymized insights that cannot identify any individual or organization

7.2 What We Do NOT Do

  • We do not sell Personal Data to any third party, for any purpose.
  • We do not share Customer Data between customers. Each customer's data is isolated.
  • We do not use Customer Data for advertising purposes.

8. International Data Transfers

Daliio is headquartered in Israel. Application data is stored in the region selected by the customer, with the default region being the United States.

Israel adequacy decision: The European Commission has recognized Israel as providing an adequate level of data protection.

For EEA, UK, and Swiss data subjects: Where data is transferred outside of adequacy jurisdictions, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by additional technical and organizational measures in accordance with the Schrems II decision.

Data residency for government customers: Government and regulated-industry customers may require data to remain within specific geographic boundaries. We support data residency configurations as agreed in individual contracts. Contact your account manager to discuss data residency requirements.

All transfers to sub-processors in other jurisdictions are covered by equivalent contractual protections.

9. Data Retention

We retain data for the minimum period necessary to fulfill the purposes described in this policy. Specific retention periods by data category:

| Data Category | Retention Period |
| --- | --- |
| Account data | Duration of service relationship + 3 years for legal/tax obligations |
| Customer Data (procurement documents) | Duration of subscription; deleted within 90 days of account termination unless legally required or customer-requested otherwise |
| Usage and analytics data | 24 months in identifiable form; aggregated/anonymized data may be retained indefinitely |
| Communication data (support tickets) | 3 years after resolution |
| Log data | 12 months for security and operational purposes |
| Billing data | As required by applicable tax law (typically 7 years) |
| AI processing artifacts | Intermediate AI processing data is deleted within 30 days of processing completion |

Data is securely deleted using industry-standard methods. Customers may request earlier deletion subject to legal retention obligations by contacting privacy@daliio.com.

10. Data Security

10.1 Certifications and Standards

  • ISO 27001 certified: Our information security management system is independently audited and certified to ISO/IEC 27001 standards

10.2 Technical Measures

  • AES-256 encryption at rest for all stored data
  • TLS 1.2+ encryption in transit for all data transmissions
  • Role-based access control (RBAC) with least-privilege principles
  • Multi-factor authentication (MFA) for platform access
  • Regular vulnerability scanning
  • Secure software development lifecycle (SDLC) with code review
  • Logging, monitoring, and anomaly detection

10.3 Organizational Measures

  • Employee background checks and confidentiality agreements
  • Regular security awareness training
  • Documented incident response procedures
  • Business continuity and disaster recovery plans

10.4 Security Documentation

Enterprise and government customers may request our ISO 27001 certificate, penetration test summary, and completed security questionnaires under NDA. Contact security@daliio.com for details.

11. Your Rights (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of access: Request a copy of your Personal Data that we hold
  • Right to rectification: Correct inaccurate or incomplete Personal Data
  • Right to erasure: Request deletion of your Personal Data ("right to be forgotten")
  • Right to restriction of processing: Restrict the processing of your Personal Data in certain circumstances
  • Right to data portability: Receive your Personal Data in a structured, commonly used, and machine-readable format
  • Right to object: Object to processing based on legitimate interests or direct marketing
  • Rights related to automated decision-making: Right not to be subject to decisions based solely on automated processing (see Section 6.3)
  • Right to withdraw consent: Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing

How to exercise your rights: Contact us at privacy@daliio.com. We will respond within 30 days of receiving your request, extendable by 60 days for complex requests.

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is maintained by the European Data Protection Board.

12. Government and Public Sector Provisions

Daliio is committed to supporting government and public sector customers with their unique compliance and data protection requirements:

  • Regulatory compliance readiness: We support compliance with government-specific requirements including the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) as applicable to individual contracts.
  • Data segregation: Government customer data can be segregated from commercial customer data where required by contract or regulation.
  • Authority to Operate (ATO): We support government customers' ATO processes by providing necessary security documentation, architecture diagrams, and control implementation details.
  • Data sovereignty: Government customers may specify data residency requirements to ensure data remains within designated geographic boundaries.
  • Audit rights: Government customers may exercise audit rights as defined in their service agreements, subject to reasonable scheduling and confidentiality obligations.

For government-specific procurement inquiries, please contact privacy@daliio.com with the subject line "Government Inquiry."

13. Cookies, Tracking, and Analytics

13.1 Types of Cookies

  • Strictly necessary cookies: Session management, authentication, and security. These do not require consent.
  • Analytics cookies: Google Analytics (GA4) is used to understand usage patterns. Analytics cookies are loaded only after you provide explicit consent via our cookie banner.
  • Functional cookies: Your cookie consent preference is stored locally to remember your choice across sessions.

13.2 Your Choices

  • Our cookie banner provides accept and decline options before any analytics cookies are loaded
  • You can adjust your browser settings to block or delete cookies
  • You can install the Google Analytics opt-out browser add-on

13.3 Do Not Track

We honor Do Not Track (DNT) browser signals. When DNT is enabled, we do not load analytics or tracking technologies beyond those strictly necessary for the Service to function.

We do not use advertising or marketing cookies.

14. Data Processing Agreements

Daliio offers a Data Processing Agreement (DPA) to enterprise and government customers, aligned with GDPR requirements. The DPA covers:

  • Scope and purpose of data processing
  • Sub-processor management and notification obligations
  • Data breach notification timelines and procedures
  • Audit rights for customers
  • Data deletion and return obligations upon contract termination
  • Liability and indemnification provisions
  • Standard Contractual Clauses (SCCs) for international transfers where required

To obtain our DPA, contact privacy@daliio.com.

15. Sub-Processors

We engage the following categories of sub-processors to deliver and support the Service:

  • Cloud infrastructure: Hosting and data storage services
  • AI model providers: Large language model providers for AI-powered analysis features
  • Analytics: Website and platform usage analytics
  • Email and communication: Transactional email delivery and customer notifications
  • Customer support: Support ticketing and communication tools

A detailed list of current sub-processors with their names, purposes, and locations is available upon request. Contact privacy@daliio.com to receive the current sub-processor list.

Notification of changes: We provide customers with at least 30 days' advance notice before engaging a new sub-processor. Customers may object to a new sub-processor within 15 days of notification. If an objection cannot be resolved, the customer may terminate the affected services.

16. Incident Response and Breach Notification

In the event of a confirmed data breach affecting your Personal Data or Customer Data:

  • GDPR notification: We will notify affected customers and the relevant supervisory authority within 72 hours of becoming aware of a breach, as required by GDPR

Breach notifications will include: the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken to address the breach and mitigate potential harm.

Security incident contact: Report security concerns to security@daliio.com. For urgent matters, include "URGENT" in the subject line.

17. Children's Privacy

The Service is designed for business use and is not directed to children under 13 years of age (or under 16 in the European Union). We do not knowingly collect Personal Data from children. If we become aware that a child has provided us with Personal Data, we will take steps to delete such information promptly. If you believe a child has provided us with Personal Data, please contact us at privacy@daliio.com.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide notice through:

  • Email notification to registered users
  • Prominent notice on the platform
  • At least 30 days' advance notice before material changes take effect

Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

Version History

  • Version 2.0 — February 22, 2026: Comprehensive update for enterprise and government compliance (GDPR, AI transparency, security certifications)
  • Version 1.0 — August 19, 2025: Initial privacy policy

19. Contact Information

Privacy Inquiries

Email: privacy@daliio.com

For general privacy questions, data subject requests, and DPA inquiries

Data Protection Officer

Email: privacy@daliio.com

For GDPR-specific inquiries and supervisory authority communications

Security Incidents

Email: security@daliio.com

For reporting security vulnerabilities and data breach concerns

Mailing Address

Daliio

Israel

Registered office

For EU data subjects: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.