Legal

Privacy Policy

Last updated: July 6, 2026

1. Information We Collect

Information you provide:

  • Account information (email, name, company name)
  • Company profile data (logo, website, services, hourly rate)
  • Client information (name, company, email, phone)
  • Proposal content (meeting notes, generated proposals, templates)
  • Digital signatures (name, email, signature image)

Information collected automatically:

  • Device information (browser type, operating system)
  • Usage data (pages visited, features used, time spent)
  • IP address and approximate location
  • Cookies and similar tracking technologies

2. How We Use Your Information

  • To provide and improve the Service
  • To generate AI-powered proposals based on your inputs
  • To send transactional emails (proposal notifications, signature confirmations)
  • To process payments via Paddle (our Merchant of Record)
  • To analyze usage patterns and improve the product (via PostHog analytics)
  • To provide customer support
  • To send product updates and marketing communications (with your consent)

3. AI Data Processing

When you generate a proposal, the meeting notes and context you provide are sent to our AI provider (OpenAI) for processing.

  • Used solely to generate your proposal content
  • Not used to train public AI models
  • Processed in accordance with OpenAI's data processing agreement
  • Not stored by the AI provider beyond the request lifecycle

4. Payments & Financial Data

All payment processing is handled by Paddle.com (our Merchant of Record). We do not store your credit card details, bank information, or other financial data directly. Paddle processes payments in accordance with PCI-DSS standards.

5. Data Sharing

We do not sell your personal data. We share data only with trusted service providers:

  • Paddle — payment processing
  • OpenAI — AI proposal generation
  • Resend — transactional email delivery
  • Supabase — database hosting and authentication
  • Vercel — application hosting
  • PostHog — product analytics (anonymized)

6. Data Retention

  • Active accounts: Data retained as long as your account is active
  • Cancelled accounts: Data retained for 30 days, then permanently deleted
  • Deleted content: Archived items soft-deleted, permanently removed within 30 days
  • Backups: Encrypted backups retained for disaster recovery (max 90 days)

7. Your Rights

  • Access your personal data at any time
  • Export your data (PDF, CSV, JSON)
  • Correct inaccurate information
  • Delete your account and all associated data
  • Opt out of marketing communications
  • Withdraw consent for data processing
  • Lodge a complaint with a supervisory authority

8. Cookies

We use essential cookies for authentication and session management. We use analytics cookies (PostHog) to understand product usage. You can disable non-essential cookies in your browser settings without affecting core functionality.

9. Security

We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest, secure authentication (Supabase Auth with bcrypt hashing), Row Level Security (RLS) on all database tables, and regular security reviews. However, no method of internet transmission is 100% secure.

10. Children's Privacy

PosalFlow is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. Your continued use constitutes acceptance of the updated policy.

12. Contact

For privacy questions, data requests, or to exercise your rights, contact us at support@posalflow.com. We aim to respond within 5 business days.