Security and privacy

Your client material is confidential. Here is exactly how we handle it.

Last updated May 19, 2026

We do not train models on your proposals.

When you upload a past proposal, we send it to Anthropic's Claude API to analyze your writing voice and patterns. Anthropic's API has zero-day data retention by default, and your text is not used to train their models. We do not sell, share, or monetize your content in any way.

Encryption

Data is encrypted in transit (TLS 1.2+) and at rest (Postgres on Supabase, AWS RDS). Files (PDFs, DOCX) are stored in Supabase Storage with private buckets and signed URLs.

Where your data lives

Application data: Supabase (US East). API processing: Anthropic (US). Email delivery: Resend (US). Payments: Stripe (US, PCI-DSS Level 1). We do not currently offer EU data residency.

Compliance posture (honest read)

We are an early-access product run by a single founder. We are not SOC 2 certified yet. We follow SOC 2 Type 1 control patterns (least-privilege access, audit logging, encryption in transit and at rest, access reviews) and plan to pursue formal certification before broad GA. If your firm requires SOC 2 from vendors today, please email us and we will tell you when our audit will be complete.

What we collect

Account email and password hash (Supabase Auth; passwordless magic-link sign-in and Google SSO also supported). Proposals, engagements, time entries, invoices, and pipeline you create. Stripe customer ID after first payment. Analytics: PostHog (no third-party cookies, no advertising trackers).

Deletion

Account deletion is in-product (Settings - Delete account). All your data is purged within 30 days. Audit logs of deletion are retained for 90 days, then purged.