Privacy Policy
1. Introduction
Welcome to RFP-Intel ("we," "our," or "us"). RFP-Intel is a commercial SaaS platform built for government contractors and enterprise proposal teams. The product automates the full pre-award workflow, including RFP analysis, requirements extraction, compliance matrix generation, fit scoring, teaming partner recommendations, evaluation score simulation, proposal draft generation, version history tracking, and pipeline management.
This Privacy Policy explains how we collect, use, store, and share information when you access or use the RFP-Intel application ("Service"). By using the Service you agree to the practices described here. If you do not agree, please discontinue use immediately.
2. Information We Collect
2.1 Account & Identity Information
When you register or sign in using Google OAuth, we receive the following data from Google:
- Full name and display name
- Email address
- Google profile photo URL
- Google account unique identifier
We do not receive or store your Google password. Authentication tokens are managed by Passport.js and are session-scoped.
2.2 RFP & Document Content
The core purpose of RFP-Intel is to process solicitation documents you upload or paste into the Service. This content may include:
- Full text of government RFPs, RFQs, RFIs, and related solicitations
- Requirements, evaluation criteria, and compliance language extracted from those documents
- Fit-scoring inputs and proposal draft text you generate or edit within the platform
- Teaming partner notes and recommendations
2.3 Pipeline & Usage Data
The Service stores your proposal pipeline state on a per-user basis, including:
- Opportunity names, agency names, due dates, and NAICS codes
- Pipeline status (Tracking, Bid/No-Bid, Active Proposal, Submitted, Award)
- Version history of documents and analysis outputs
- Plan tier, trial status, trial start date, and feature usage counts
2.4 Automatically Collected Technical Data
When you use the Service, our servers automatically receive:
- IP address and approximate geolocation
- Browser type and operating system
- Session identifiers and OAuth tokens
- Request logs (timestamps, endpoints accessed, error codes)
3. How We Use Your Information
| Purpose | Details |
|---|---|
| Provide the Service | Process RFP documents, run AI analysis, generate compliance matrices, scoring, and proposal drafts via Anthropic's AI API. |
| Authentication | Verify your identity via Google OAuth and maintain your session securely using Passport.js. |
| Pipeline Management | Store and retrieve your per-user proposal pipeline, version history, and opportunity tracking data. |
| Plan & Trial Management | Enforce plan-based feature limits, track trial periods, and display trial banners and upgrade prompts. |
| AI-Powered Features | Send document content and prompts to Anthropic's AI API to generate analysis and drafts. See Section 6. |
| Teaming Partner Lookup | Generate SAM.gov search links based on your capability and NAICS inputs. No data is sent to SAM.gov automatically. |
| Service Improvement | Analyze aggregated, de-identified usage patterns to improve accuracy, performance, and features. |
| Legal & Compliance | Comply with applicable law, enforce our Terms of Service, and respond to legal process. |
4. Legal Bases for Processing
To the extent applicable law requires a legal basis for processing personal data, we rely on:
- Contract performance — processing necessary to deliver the Service you subscribed to
- Legitimate interests — security, fraud prevention, and service improvement
- Legal obligation — compliance with applicable law
- Consent — where you have provided it (e.g., marketing communications)
5. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account and profile data: retained for the life of your account plus 30 days after deletion
- Pipeline and opportunity data: retained for the life of your account; exportable on request
- RFP document content and AI outputs: retained per-session unless saved explicitly to your pipeline
- Version history: retained for the life of your account
- Logs and technical data: retained for up to 90 days for security and debugging purposes
- Stripe payment records: retained as required by financial and tax law (typically 7 years)
You may request deletion of your account and associated data at any time by contacting privacy@rfp-intel.com. We will process deletion requests within 30 days.
6. Third-Party Services & Data Sharing
6.1 Anthropic (AI Processing)
All AI-powered features — including RFP analysis, requirements extraction, compliance matrix generation, fit scoring, win-probability scoring, evaluation simulation, past performance extraction, and proposal draft generation — are powered by the Anthropic API. When you use these features, the relevant document content and system prompts are transmitted to Anthropic's servers for processing.
What data is sent to Anthropic: When you trigger an AI feature, RFP-Intel transmits the text content of your uploaded document (or the relevant excerpt) together with a structured system prompt to Anthropic's API. We do not transmit your name, email address, billing information, or other account identifiers to Anthropic.
How Anthropic uses your data: Anthropic does not use data submitted via its API to train its models by default. API inputs and outputs are subject to Anthropic's Privacy Policy and Acceptable Use Policy. Anthropic may retain API request and response data for a limited period for trust, safety, and operational purposes in accordance with its policies. We recommend reviewing Anthropic's current data-handling terms at anthropic.com.
Data minimization: RFP-Intel sends only the document content necessary to fulfill each specific AI request. We do not batch or aggregate your documents for purposes unrelated to the feature you are actively using.
Sensitive document notice: Because document content is transmitted to Anthropic's servers, you should not upload documents containing classified information, Controlled Unclassified Information (CUI), or other material subject to special handling requirements unless your organization has independently determined that this processing arrangement is compliant. See Section 11 for additional government contractor guidance.
6.2 Google (OAuth Authentication)
We use Google OAuth 2.0 via Passport.js for user authentication. Google receives login event data per its own Privacy Policy. We do not share your RFP content or pipeline data with Google.
6.3 Stripe (Payment Processing)
Subscription billing is handled by Stripe, Inc. When you subscribe to a paid plan, payment information is collected and stored by Stripe directly. We do not store credit card numbers or full payment credentials. Stripe's processing is governed by the Stripe Privacy Policy.
6.4 SAM.gov
The teaming partner recommendation feature generates hyperlinks to SAM.gov search queries based on NAICS codes and capability keywords you provide. Clicking those links directs you to the SAM.gov website. No data is automatically transmitted to SAM.gov by RFP-Intel.
6.5 Hosting & Infrastructure
The Service is deployed on Replit infrastructure. Replit may have access to server-level data as part of providing compute and hosting services. See Replit's Privacy Policy for details.
6.6 No Sale of Personal Data
We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes.
7. Cookies & Session Management
RFP-Intel uses session cookies to maintain your authenticated state after Google OAuth login. These cookies are:
- Session-scoped (expire when your browser session ends) or short-lived
- Necessary for Service functionality; they are not used for advertising
- Managed via Express session middleware on the server side
We do not use third-party advertising cookies or cross-site tracking technologies. You may disable cookies in your browser, but doing so will prevent you from remaining logged in.
8. Data Security
We implement reasonable technical and organizational safeguards to protect your information, including:
- HTTPS/TLS encryption for all data in transit between your browser and our servers
- OAuth 2.0 authentication (no password storage)
- Session token management via Passport.js
- Per-user data isolation in our JSON-based pipeline storage
- Access controls limiting data access to authorized personnel
No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that affects your rights, we will notify affected users as required by applicable law.
9. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights regarding your personal data:
| Right | How to Exercise |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction | Request correction of inaccurate or incomplete data. |
| Deletion | Request deletion of your account and associated data. |
| Portability | Request your pipeline data in a machine-readable format (JSON export). |
| Restriction | Request that we limit processing of your data in certain circumstances. |
| Objection | Object to processing based on legitimate interests. |
| Withdraw Consent | Where processing is based on consent, withdraw it at any time without affecting prior processing. |
To exercise any of these rights, contact us at privacy@rfp-intel.com. We will respond within 30 days. We may request verification of your identity before processing your request.
10. Children's Privacy
RFP-Intel is a business-to-business SaaS platform intended for use by professionals. The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@rfp-intel.com and we will delete such data promptly.
11. Government Contractor Considerations
RFP-Intel is specifically designed for government contractors. If you upload or analyze solicitation documents, please be aware of the following:
- Classified Information: Never upload classified information into RFP-Intel. The Service is not authorized to process classified material at any level.
- Proprietary Teaming Information: Information about potential teaming partners that you enter is stored only within your account and is not shared with other users.
- ITAR/EAR: Users are responsible for ensuring their use of RFP-Intel complies with applicable export control regulations.
12. International Data Transfers
RFP-Intel is operated in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We take steps to ensure that such transfers comply with applicable data protection laws.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt Out of Sale: We do not sell personal information. You therefore have no need to opt out.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, contact privacy@rfp-intel.com. We will respond within 45 days, with an extension of up to 45 additional days where reasonably necessary.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy
- Display a notice within the Service
- Send an email notification to your registered email address for significant changes
Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you must discontinue use and may request account deletion.
15. Contact Us
| Field | Details |
|---|---|
| Email | privacy@rfp-intel.com |
| Product | RFP Intelligence Agent |
| Company | RFP-Intel, Inc. |
| Mailing Address | Washington, D.C., United States |