Privacy Policy

Last updated: April 2026

ProposalKit ("we", "our", or "the service") is a free web application that helps small business owners and freelancers draft client proposals using AI. This Privacy Policy explains what information we collect, why we collect it, how we use and share it, what your rights are, and the choices available to you. We collect the minimum information necessary to operate the service, and we never sell personal data to third parties.

This policy applies to all users of the ProposalKit website at proposalkit.pages.dev, including guest users (those who use the service without signing in) and registered users (those who sign in with their Google account). By using the service, you consent to the collection and use of information as described in this policy. If you do not agree with any part of this policy, please do not use the service.

1. Information We Collect

We collect three categories of information:

Account Information (registered users only)

When you sign in with Google, we receive your name, email address, and a stable Google account identifier (the "sub" field from the Google ID token). We do not receive your Google password, payment methods, contacts, calendar, or any other Google data beyond what is strictly required to identify you between sessions. The Google "sub" identifier is used as the primary key for your usage records in our database.

Proposal Inputs

When you generate a proposal, the form fields you fill in (industry, your name or business name, client name, scope of work, budget, and timeline) are transmitted to our API and forwarded to the Google Gemini API for processing. These inputs are not stored on our servers; they exist only for the duration of the request, and the response is returned directly to your browser. We do not retain the contents of the proposals you generate.

Usage Data

We collect aggregate usage data necessary to operate the service: counts of proposals generated per user per month (to enforce the free-tier limit of 5 proposals per calendar month), HTTP request metadata such as user-agent and approximate geographic region (for abuse prevention), and standard server logs that may include IP addresses and request timestamps. Server logs are retained for up to 30 days and then deleted. We do not link IP addresses to individual user accounts in our application database.

Feedback You Submit

If you submit feedback through the in-app Feedback button or send email to one of our contact addresses, we receive the content of your message, the email address you provide (if any), and the timestamp. Feedback messages are stored in our database indefinitely so we can act on them, identify patterns, and follow up with you if you opted in. You can request deletion of your feedback at any time.

2. How We Use Information

We use the information we collect for the following purposes:

  • Service delivery. To generate the proposals you request, manage your account, enforce the free-tier usage limit, and provide customer support when you contact us.
  • Abuse prevention. To detect and prevent fraudulent use, rate-limit abuse, automated scraping, and security incidents.
  • Service improvement. To analyze aggregate usage patterns, identify common failure modes, and prioritize product improvements. This analysis is performed on aggregated, anonymized data rather than individual records.
  • Communication. To respond to your inquiries, send service-related notifications (e.g., security alerts, material changes to terms), and — only if you explicitly opt in — send occasional product updates.
  • Legal compliance. To comply with applicable laws, respond to lawful requests from authorities, enforce our Terms of Service, and protect the rights and safety of ProposalKit, our users, and the public.

3. How We Share Information

We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes. We share information only with the third-party service providers required to operate ProposalKit:

  • Google (Gemini API). Your proposal inputs are sent to the Google Gemini API to generate the proposal text. Google's handling of this data is governed by their Privacy Policy and the Gemini API terms. According to Google's documentation, paid Gemini API inputs are not used to train their models; free-tier inputs may be used for service improvement. We use the paid API tier where applicable.
  • Google (Sign-In with Google). If you choose to sign in, Google processes your authentication and shares your basic profile information with us. You can revoke this connection at any time in your Google Account settings.
  • Cloudflare. Our application is hosted on Cloudflare Pages, and our rate-limit data is stored in Cloudflare KV. Cloudflare may process request metadata (IP, user-agent, headers) as part of standard CDN and security operations, governed by Cloudflare's Privacy Policy.
  • Resend. Feedback submissions trigger email notifications via the Resend API. Resend processes the email content and delivery metadata in accordance with Resend's Privacy Policy.
  • Legal requirements. We may disclose information if required by applicable law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect rights, property, or safety.

4. Cookies, Local Storage, and Similar Technologies

ProposalKit uses minimal client-side storage to operate the service. We do not use third-party advertising cookies, tracking pixels, or cross-site analytics tools.

  • Authentication cookie. When you sign in with Google, we set a secure HTTP-only JWT cookie (named per NextAuth conventions) to keep you signed in across requests. The cookie is set with the SameSite=Lax attribute and Secure flag, and is encrypted using the AUTH_SECRET key.
  • Session storage. Guest users have a short marker in their browser session storage (key: pk:guest_used) used to track whether the one-per-session free generation has been used. Session storage clears automatically when you close the browser tab.
  • Local storage. We save your most recently generated proposal in browser local storage (key: pk:last_proposal) so that it survives a page refresh. This data is stored only on your device, expires after 24 hours, and is never transmitted to our servers.
  • Theme preference. Your light/dark theme preference is saved in local storage (key: theme) to remember your selection across sessions.

You can clear all client-side storage by clearing your browser's site data for proposalkit.pages.dev. Doing so will sign you out and remove your saved theme preference and last-generated proposal.

5. Data Retention

We retain different categories of data for different periods, based on the minimum necessary to provide the service:

  • Generated proposal content: Not stored on our servers. The proposal is returned to your browser and may be saved locally for 24 hours (see section 4).
  • Usage counts: Monthly proposal counts in Cloudflare KV expire and are reset on the 1st of each calendar month UTC.
  • Account records: Retained while your account is active. Deleted within 30 days of a verified deletion request, except where retention is required by law.
  • Server logs: Retained for up to 30 days for security and abuse prevention purposes, then automatically purged.
  • Feedback submissions: Retained indefinitely so we can act on product feedback. Deleted on request.

6. Your Rights (GDPR, CCPA, and Other Privacy Laws)

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Right of access. You can request a copy of the personal data we hold about you.
  • Right to rectification. You can request correction of inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"). You can request deletion of your account and associated data. We honor verified deletion requests within 30 days.
  • Right to data portability. You can request your data in a machine-readable format.
  • Right to object. You can object to certain types of processing, including any use of your data for direct marketing (we do not currently send marketing emails).
  • Right to withdraw consent. Where processing is based on consent (e.g., optional newsletter signup), you can withdraw that consent at any time.
  • Right to lodge a complaint. If you believe your privacy rights have been violated, you can file a complaint with your local data protection authority. For EU residents, see the list of national supervisory authorities.

To exercise any of these rights, reach us through the contact page (the in-app Feedback button goes straight to our inbox) and reference the email address associated with your account. We will verify your identity before fulfilling the request and will respond within 30 days.

7. Children's Privacy

ProposalKit is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, please email us and we will delete the information promptly.

8. International Data Transfers

ProposalKit is operated from infrastructure provided by Cloudflare, which uses a global network. Your data may be processed in locations outside your country of residence, including the United States. By using the service, you consent to the transfer of your data to these locations. Where required by law, we rely on standard contractual clauses or other approved transfer mechanisms to protect your data during international transfers.

9. Security

We take reasonable technical and organizational measures to protect your information, including HTTPS encryption in transit, HTTP-only and Secure cookies, encrypted storage of API keys and secrets, and regular review of access controls. However, no transmission over the internet is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your Google account credentials safe and for promptly notifying us of any suspected unauthorized access.

10. Changes to This Policy

We may update this Privacy Policy from time to time as the service evolves. When we make material changes, we will update the "Last updated" date at the top of this page and, for registered users, send an email notification if the changes materially affect how we process your data. Continued use of the service after the effective date of the changes constitutes your acceptance of the revised policy.

11. Contact Us

For privacy-specific questions, data requests, or to exercise your rights under this policy, reach us through the contact page — the in-app Feedback button delivers straight to our inbox. We aim to respond to all privacy inquiries within 5 business days.