April 24, 2026

Privacy notice

Last updated: 24.04.2026

SIA Sorsera ("Sorsera", "we", "us", or "our"), registration number 40203272683, registered at Liliju iela 20, Mārupe, Mārupes nov., LV-2167, Latvia, is committed to protecting the privacy of our users. This Privacy Notice outlines the information we collect, how it is used, and the steps we take to protect your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Latvian data protection law.

1. Data Controller

SIA Sorsera acts as the data controller for the personal data described in this notice. Where we process personal data on behalf of our clients (organisations using our platform), we act as a data processor under a separate Data Processing Agreement.

2. Information We Collect

As a collaboration and communication platform for organisations, we collect and process personal data while providing our services. This information may include your name, email address, telephone number, job title, and other contact information. We may also collect information about your use of our platform, such as the procurement, sales, RFI, and other projects in which you participate, as well as technical data (IP address, browser type, device identifiers, access logs) and usage data generated through your interaction with the platform.

User-Uploaded Content. Our platform allows users to upload documents such as requests for proposals (RFX), tenders, technical specifications, proposals, and other free-form files ("User Content"). Sorsera stores this User Content on behalf of the uploading organisation but does not systematically review, scan, or classify the contents of uploaded files. Users and their organisations are solely responsible for ensuring that any personal data contained within User Content is uploaded in compliance with applicable data protection laws, including obtaining any necessary consents or establishing an appropriate legal basis before upload.

3. Legal Basis for Processing

We process your personal data on one or more of the following legal bases under Article 6(1) GDPR:

(a) Contract performance — processing necessary to provide you with access to our platform and deliver the services your organisation has contracted for.

(b) Legitimate interests — processing necessary for our legitimate business interests (e.g., platform improvement, security monitoring, fraud prevention), provided these interests are not overridden by your rights.

(c) Consent — where you have given specific consent, for example for receiving marketing communications or for certain AI-assisted processing activities. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

(d) Legal obligation — processing necessary to comply with applicable laws, regulations, or court orders.

(e) Explicit consent (Article 9(2)(a) GDPR) — where special category data is processed and no other Article 9(2) exception applies, processing is carried out only on the basis of the data subject's explicit consent, obtained and documented by the uploading organisation as data controller.

4. Use of Information

The information we collect is used to provide you with access to our platform and to facilitate communication and collaboration between public and private sector organisations. For example, we may use your information to send you marketing communications or to inform you about updates to our services, active market research, price surveys, and other projects conducted on our platform.

5. Special Category Data

Sorsera does not intentionally collect or request special categories of personal data as defined in Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation).

However, we recognise that User Content uploaded to our platform — such as procurement documents related to healthcare, social services, or public safety — may incidentally contain special category data. In such cases:

(a) The uploading organisation acts as the data controller for that special category data and bears responsibility for establishing a valid legal basis under Article 9(2) GDPR (such as explicit consent of the data subjects, or substantial public interest under Union or Member State law) before uploading such content.

(b) Sorsera processes this data solely as a data processor on the uploading organisation's instructions, under the terms of the applicable Data Processing Agreement.

(c) We strongly recommend that users redact or anonymise special category data from uploaded documents wherever possible before uploading them to the platform.

(d) Sorsera does not use special category data contained in User Content for AI training, profiling, automated decision-making, or any purpose beyond storing and serving it to authorised users within the uploading organisation's account.

6. Artificial Intelligence and Automated Processing

Sorsera uses artificial intelligence ("AI"), machine learning, and automated processing technologies to enhance and deliver our services. This may include, but is not limited to:

  • Matching and recommending relevant tenders, procurement opportunities, and projects to users based on their profiles, activity history, and stated preferences.

  • Analysing and categorising submitted documents, proposals, and project data to improve search, classification, and retrieval.

  • Generating summaries, insights, and analytics from platform data to support user decision-making.

  • Detecting anomalies, potential fraud, or misuse to maintain platform integrity and security.

  • Improving platform functionality, user experience, and service quality through pattern analysis on aggregated and, where necessary, individual usage data.

Sorsera's AI and automated processing features do not intentionally process special category data as defined in Article 9 GDPR. Where User Content may contain such data, AI features operate on metadata and non-sensitive fields only, unless the uploading organisation has explicitly enabled enhanced processing and established a valid Article 9(2) legal basis.

How we safeguard your rights in AI processing:

  • We conduct Data Protection Impact Assessments (DPIAs) before deploying new AI features that involve significant processing of personal data.

  • We apply data minimisation principles, ensuring AI systems process only the data necessary for their defined purpose.

  • Where AI processing produces outputs that significantly affect you (e.g., automated eligibility decisions), you have the right under Article 22 GDPR to request human review of the decision, to express your point of view, and to contest the outcome.

  • AI models are trained and validated with appropriate technical safeguards, including, where applicable, pseudonymisation and anonymisation.

  • We do not sell your personal data to third parties for their own AI training purposes.

7. Data Security and Information Security Management

We take the security of your personal information seriously and have implemented a comprehensive information security management system aligned with ISO/IEC 27001 standards. Our measures include:

  • Encryption of personal data in transit (TLS 1.2+) and at rest.

  • Role-based access controls ensuring only authorised personnel access personal data on a need-to-know basis.

  • Continuous monitoring, vulnerability scanning, and penetration testing of our systems.

  • Regular internal and external audits of our security controls and processes.

  • Employee security awareness training and binding confidentiality obligations.

  • Business continuity and disaster recovery planning to ensure data availability.

  • Documented incident management procedures, including root-cause analysis and corrective action.

8. Sub-Processors

We engage third-party service providers (sub-processors) to help deliver our services. All sub-processors are bound by data processing agreements that require them to process personal data only in accordance with our instructions and to maintain appropriate security measures. A list of our current sub-processors is available upon request by contacting us at info@sorsera.com.

9. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA). Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include European Commission adequacy decisions, Standard Contractual Clauses (SCCs), or other approved transfer mechanisms. You may request a copy of the relevant safeguards by contacting us.

10. Data Retention

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, and to establish, exercise, or defend legal claims. Retention periods are determined based on the nature of the data, the purpose of processing, and applicable legal requirements. When personal data is no longer required, it is securely deleted or anonymised.

11. Cookies and Tracking Technologies

Our platform uses cookies and similar technologies to ensure functionality, analyse usage, and improve your experience. For details on which cookies we use and how to manage your preferences, please refer to our Cookie Policy available on the platform.

12. Your Data Protection Rights

Under the GDPR, you have the following rights:

  • Right of access — to obtain confirmation of whether we process your data and to receive a copy of it.

  • Right to rectification — to have inaccurate personal data corrected.

  • Right to erasure — to request deletion of your personal data where there is no compelling reason for its continued processing.

  • Right to restriction — to request that we limit processing in certain circumstances.

  • Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

  • Right to object — to object to processing based on legitimate interests or for direct marketing purposes.

  • Rights related to automated decision-making — to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, and to request human intervention where such processing occurs.

To exercise these rights, contact us at info@sorsera.com or +371 29 360 595.

13. Data Protection Officer

The person responsible for data protection is Georgs Vardanjans.

Email: georgs.vardanjans@sorsera.com

Phone: +371 29 360 595

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay in accordance with Article 34 GDPR.

15. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority for Latvia is:

Data State Inspectorate (Datu valsts inspekcija)

Address: Elijas iela 17, Riga, LV-1050, Latvia

Website: www.dvi.gov.lv

Email: pasts@dvi.gov.lv

16. Changes to this Privacy Notice

We may update this Privacy Notice from time to time to reflect changes to our privacy practices, legal requirements, or our services. We will notify you of any material changes by posting the revised notice on our platform and, where appropriate, by emailing registered users. We encourage you to review this notice periodically.

17. Contact Us

If you have any questions or concerns about our privacy practices, please contact us at info@sorsera.com or +371 29 360 595.

Try Sorsera for free

Sorsera connects buyers, suppliers, and collaborators in the RFP process, offering advanced tools and market intelligence for a successful tendering experience.
