Legal

Privacy Policy

Last updated 2026-05-25 · pending legal review

1. Who we are

European Defense Exchange ("EDE", "we") is a B2B defense and security marketplace operated by the EDE consortium. Contact for privacy matters: privacy@mapleai.io.

2. What we collect

• Company data — legal name, trading name, registration number, VAT, NCAGE, jurisdiction, registered address, sector and capability data.
• Contact data — full name, role, business email, phone of the person submitting an application or operating a vendor account.
• Beneficial-owner data — names, ownership percentage, nationality, PEP status, as required for compliance.
• Documents — incorporation certificates, ISO certifications, export licenses, insurance, test reports.
• Activity data — submission and approval timestamps, sanctions-screening results, RFQ history.
• Technical data — IP address, browser, request logs for rate-limiting and abuse prevention.

3. Why we collect it (legal basis)

• Contract — to assess and onboard you as a vendor and to operate the marketplace.
• Legal obligation — sanctions, dual-use, and beneficial-owner screening required under EU and member-state law.
• Legitimate interest — fraud prevention, security, and to improve the platform.
• Consent — for optional marketing communications (you can withdraw at any time).

4. Who we share data with (processors)

We only share what is necessary, on data-processing agreements where applicable.

• Supabase (EU-region database) — application data hosting.
• Resend — transactional email delivery.
• OpenSanctions — sanctions and PEP screening.
• Public business registries (KRS, ARES, Companies House, INSEE, SAM.gov, VIES) — to verify your registration.
• Netlify — hosting and edge delivery.
• Procurion — tender automation engine (post-launch).

We do not sell your data. We do not share it for advertising.

5. How long we keep it

Active member data is retained while your account is active. Approved-submission archives are kept for 7 years for compliance traceability. Rejected or withdrawn applications are kept for 1 year and then deleted unless we are legally required to keep them longer (e.g., sanctions hits).

6. Your rights (EEA / UK GDPR)

• Request a copy of your data — email privacy@mapleai.io and we will respond within 30 days.
• Correct inaccurate data.
• Request deletion, subject to compliance retention obligations.
• Object to processing or withdraw consent.
• Lodge a complaint with your national data protection authority (in Poland: UODO).

7. Where data is stored

Primary database in the EU. Some processors (Resend, OpenSanctions, public registries) may process data in the US or third countries under standard contractual clauses.

8. Security

Transport encryption (TLS 1.2+), encryption at rest, row-level access control, principle of least privilege for staff, signed and short-lived session tokens. We are not yet ISO 27001 certified.

9. Changes

We may update this policy. Material changes will be emailed to active vendors. The current version is always available at this URL.

Read alongside our Terms of Service. Questions: privacy@mapleai.io.