How we use AI
ReqFit uses AI to do one thing well: compare your proposal against the requirements in an RFP and show you where the gaps are.
It reads both documents, maps your responses to individual requirements, scores your coverage, and produces a structured report, usually in a few minutes. No prompt engineering, no manual setup, no training required.
Here is what the AI does, what happens to your data, and how we approach AI regulation.
What the AI does
ReqFit's AI reads your proposal and the RFP side by side. It works through the requirements in the RFP, checks whether your proposal addresses each one, and rates the strength of your coverage. Where it finds a gap, it tells you which requirement is affected and what is missing.
The output is a structured report you can act on, share with your team, or attach to an internal sign off.
ReqFit reviews; it does not write. It does not draft your proposal, suggest replacement copy, or make the decision for you. It checks requirement coverage, not creativity: it does not assess or score your creative concept, design, visual presentation, or writing style, and it does not predict whether you will win. Those judgements remain entirely yours. The final check on accuracy and completeness before you submit is always a human one, and we say so in the product and in every report.
What happens to your data
We keep as little as possible, and we are precise about what that means.
Your uploaded RFP and proposal are processed in memory to generate your report, then cleared from runtime memory once the report is delivered. We do not keep a copy of your source documents, and we do not retain the text of your documents in our logs.
We retain one thing by design: the structured list of requirements extracted from your RFP. It is held against your account so that if you re-run a review on an improved proposal, it is measured against exactly the same baseline. You can remove it at any time by deleting your account, which clears all retained data.
Your completed reports stay in your account for 90 days, viewable and downloadable as PDF or Word throughout, after which they are deleted automatically. You can delete any report yourself at any point within that window.
Your documents are never used to train AI models, ours or anyone else's. They are never sold or shared, and they are never visible to other users. ReqFit staff do not access your document content; the pipeline runs without human review.
Payments are handled by Paddle, our merchant of record. ReqFit never sees or stores your payment details.
Full detail is in our Privacy Policy, our UK GDPR statement, our Data Processing Agreement, and our Acceptable Use Policy.
AI regulation
AI regulation is moving quickly, and we take it seriously.
EU AI Act
The EU AI Act classifies AI systems by risk: unacceptable, high, limited, and minimal. The high-risk categories cover uses such as recruitment, credit scoring, law enforcement, and critical infrastructure.
ReqFit does not fall into any high-risk category. It is a business productivity tool that analyses documents and produces a review report. It does not make decisions about people, assess creditworthiness, or process biometric data. Under the Act's framework, it sits in the limited or minimal risk tier.
Where the Act does place obligations on us, we meet them. It requires that users know when they are interacting with AI, and ReqFit makes that clear at every stage, from the product description to the report itself. Our Terms include an explicit AI output disclaimer, and our data handling is designed to exceed what the Act expects for a tool at our risk level.
UK regulation
The UK is developing its AI framework through a principles-based approach rather than a single statute. We monitor it closely and align our practices with the core principles of transparency, fairness, and accountability that underpin it.
What this means for your procurement team
If you are evaluating ReqFit against internal compliance or procurement requirements, the short version is:
- ReqFit is not classified as high risk under the EU AI Act.
- Source documents are processed in memory and not retained; the extracted requirements list is retained against your account and cleared on account deletion; reports are kept for 90 days.
- No customer data is used to train AI models.
- AI involvement is disclosed transparently throughout the product.
- Payments are handled by a PCI-compliant merchant of record.
- Our standard Data Processing Agreement is published at /dpa and applies automatically on account creation; a bilateral signed copy is available for enterprise procurement on request to security@reqfit.com.
Technical safeguards
ReqFit runs on Google Cloud Vertex AI with encryption in transit (TLS 1.3) and at rest (AES-256). Documents are processed in isolated sessions with no cross-contamination between users, and no document content is written to our logs.
We operate on a review-based model. You pay for what you use, there are no long-term contracts, and your first review is free so you can see exactly what you get before spending anything.
For the full picture, see our Security and data handling page.