Privacy Policy

Last updated: June 13, 2026

This Privacy Policy describes how RFP Forge AI ("RFP Forge AI", "we", "us", or "our") collects, uses, discloses, and safeguards information when you visit our website, create an account, or use our AI-assisted RFP analysis and proposal generation service (the "Service"). By using the Service you agree to the practices described here. If you do not agree, do not use the Service.

1. Information we collect

1.1 Information you provide

  • Account data: name, email address, password hash, organization, and billing contact.
  • Proposal content: RFP documents, project briefs, interview answers, knowledge base assets (past proposals, case studies, bios, pricing), and any other content you upload or generate in the Service.
  • Payment data: processed by our payment processor (Stripe). We receive transaction metadata (plan, amount, status) but never store full card numbers.
  • Support communications: messages you send to support or feedback channels.

1.2 Information collected automatically

  • Usage data: pages visited, features used, character counts processed, timestamps, errors, and performance metrics.
  • Device and log data: IP address, browser type, operating system, referring URLs, and session identifiers.
  • Cookies and similar technologies: strictly necessary cookies for authentication and session management, plus limited analytics cookies. We do not use third-party advertising cookies.

2. How we use information

  • Operate, maintain, and improve the Service, including AI proposal generation, compliance extraction, Q&A, and exports.
  • Authenticate users, manage subscriptions, process payments, and enforce usage quotas.
  • Send transactional messages (account, billing, security, service updates). We send marketing emails only with your consent, and each includes a one-click unsubscribe.
  • Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
  • Comply with legal obligations and enforce our agreements.

3. AI processing of your content

The Service uses large language models and other AI systems to analyze RFPs, extract requirements, draft proposal sections, and fill compliance gaps. To do this, your prompts, uploaded documents, knowledge base assets, and generated outputs are transmitted to our AI infrastructure providers for inference.

  • No training on your content. We do not use your proposal content, prompts, or outputs to train, fine-tune, or improve any general-purpose AI model, and we contractually require our AI sub-processors to do the same.
  • Zero-retention inference where available. We prefer AI providers and routes that offer zero-data-retention or short retention windows for abuse monitoring only.
  • AI outputs may be inaccurate. AI-generated text can be incomplete, biased, or wrong. You are responsible for reviewing every AI output before relying on it or submitting it to a buyer.
  • Sensitive data. Do not upload information you are not authorized to share with a cloud AI service, including export-controlled material, classified data, or personal health information beyond what is necessary.

4. Legal bases for processing (EEA / UK)

  • Contract: to provide the Service you have signed up for.
  • Legitimate interests: to secure the Service, prevent abuse, and improve product quality.
  • Consent: for optional analytics, marketing emails, and any feature that explicitly asks for consent.
  • Legal obligation: for tax, accounting, and lawful requests.

5. How we share information

We do not sell personal information. We share data only with:

  • Sub-processors that operate the Service on our behalf under written data-processing terms, including: hosting (Cloudflare), database, authentication and storage (Supabase), payments (Stripe), AI inference (Lovable AI Gateway and the underlying model providers it routes to), and transactional email.
  • Your organization administrators on team or business plans, who may view usage, members, and shared content within their workspace.
  • Authorities or third parties when required by law, to enforce our rights, or to protect the safety of users.
  • Successors in a merger, acquisition, or asset sale, subject to this Policy.

6. International data transfers

Your data may be processed in countries other than your own, including the United States and the European Union. Where required, we rely on Standard Contractual Clauses, the UK IDTA, or other lawful transfer mechanisms.

7. Data retention

  • Account, project, and proposal content is retained while your account is active.
  • You can delete projects and knowledge assets at any time; deletions propagate to backups within 30 days.
  • If you close your account, we delete or anonymize personal data within 90 days, except where retention is required by law (e.g., billing records).
  • Aggregated, non-identifiable analytics may be retained indefinitely.

8. Security

We use industry-standard technical and organizational measures including encryption in transit (TLS), encryption at rest, row-level security in our database, scoped service credentials, least-privilege access, audit logging, and regular dependency scanning. No system is perfectly secure; please use a strong, unique password and enable any available account protections.

9. Your rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, and similar laws), you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete your information, subject to legal exceptions.
  • Restrict or object to certain processing.
  • Receive a copy of your information in a portable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data protection authority.
  • For California residents: opt out of "sharing" for cross-context behavioral advertising — we do not do this.

To exercise these rights, contact us at the email below. We may verify your identity before acting on a request.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us data, contact us and we will delete it.

11. Automated decision-making

We do not use your personal data for automated decisions producing legal or similarly significant effects on you. AI-assisted drafting and scoring are intended as decision support; a human always remains in control of what is sent to a buyer.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email or in-app notice at least 14 days before they take effect. The "Last updated" date above reflects the most recent revision.

13. Contact

Questions about this Policy or our privacy practices? Email privacy@rfpforge.ai. For EEA/UK residents, this address also serves as our data protection contact.

This Privacy Policy is provided for informational purposes and does not constitute legal advice. Consult counsel for compliance with laws applicable to your business.