Privacy Policy - RFPHawk

Overview

RFPHawk is a tool that helps small businesses find government contract opportunities. To do that, we need a little information from you \u2014 your email, your company, and the industries and regions you care about. That\u2019s it. We don\u2019t build advertising profiles, we don\u2019t cross-reference third-party data, and we don\u2019t follow you around the web.

This policy explains what we collect, why we collect it, and what we\u2019ll never do with it. If anything here is unclear, email privacy@rfphawk.com and we\u2019ll explain in plain English.

What we collect

We collect only what you give us and what\u2019s necessary to run the service.

Account information

Name \u2014 so we can address you in emails.
Email address \u2014 for login, alerts, and account notices.
Password hash \u2014 we never store your plain-text password.

Profile information

Company name and optional business description.
NAICS codes you select as relevant to your business.
States / regions you want to target.
Keywords and alert preferences you configure.
Saved RFPs, pipeline stages, and notes you create inside the app.

Billing information (Pro subscribers only)

When you subscribe to Pro, our payment processor (Stripe) handles your card details directly. We never see or store your full card number. From Stripe we receive only: last four digits, card brand, billing country, subscription status, and invoice history.

Minimal technical logs

To keep the service running and diagnose problems, our servers log basic request metadata: IP address, user-agent string, timestamp, and the URL you requested. These logs are automatically deleted after 30 days and are never combined with your profile for marketing purposes.

What we don\u2019t collect

To make this concrete, here\u2019s what you will not find in our database:

No cross-site tracking pixels, no Facebook Pixel, no TikTok Pixel.
No ad-network cookies or third-party advertising identifiers.
No device fingerprinting beyond a basic user-agent string for debugging.
No location tracking beyond the coarse country derived from your IP.
No scraping of your contacts, calendar, or anything outside RFPHawk.
No integrations that read your email or Google Drive.

How we use your data

Three purposes, no others.

To run the service. We match opportunities against your NAICS codes, states, and keywords. We send the email alerts you asked for. We authenticate you when you log in.
To bill you (Pro only). We charge your card on the subscription schedule you picked and send you receipts.
To fix bugs and respond to support requests. If you email us, we read the email. If something breaks, we look at logs to understand why.

We do not use your data to train machine-learning models on other customers, sell lead lists, or enrich third-party marketing databases.

Third parties

We keep our vendor list short and only use service providers that are contractually bound to protect your data.

Vendor	What they do	What we share
Supabase	Database + auth hosting	All account + profile data (encrypted at rest)
Stripe	Payment processing	Name, email, card details (Pro subscribers only)
Resend	Transactional email delivery	Email address + message contents
Cloudflare	CDN + DDoS protection	Request metadata (IP, user-agent)

We do not share your data with any party not listed above. If we ever add a new vendor that processes personal data, we\u2019ll update this page and notify you by email.

Cookies

We use the minimum necessary cookies and nothing more:

Session cookie \u2014 keeps you logged in. Expires when you log out or after 30 days of inactivity.
Theme preference (rfphawk_theme) \u2014 remembers whether you picked dark or light mode. Stored in localStorage, not a cookie. Never sent to our servers.
CSRF token \u2014 a security token to prevent cross-site request forgery. Expires with your session.

No analytics cookies, no tracking pixels. You won\u2019t see a cookie consent banner because we don\u2019t set the kind of cookies that require one.

Your rights

You have the right to:

Access the data we have about you. Download everything from Settings \u2192 Privacy \u2192 Export data.
Correct any inaccurate information. Edit your profile directly in the app.
Delete your account and all associated data. One click from Settings \u2192 Danger Zone. Completed within 30 days.
Object to any processing we do. Email us and we\u2019ll work it out.
Port your data to another service. The export is a standard JSON file.

These rights apply to everyone, not just EU or California residents. We think they\u2019re basic decency. If you\u2019re in the EU (GDPR), UK (UK-GDPR), or California (CCPA/CPRA), you also have formal regulatory complaint channels \u2014 though we\u2019d rather resolve issues directly first.

Security

We encrypt data in transit (TLS 1.2+) and at rest (AES-256 via Supabase). Passwords are hashed with bcrypt. Only a small number of engineers have production database access, and all access is logged.

No system is perfectly secure, but if a breach ever affects your data, we\u2019ll notify you by email within 72 hours of discovery and explain what happened and what we\u2019re doing about it.

For more detail on our security practices, see our security page.

Children

RFPHawk is a business tool. It is not directed at children under 13 and we do not knowingly collect information from them. If you believe a child has provided us information, email privacy@rfphawk.com and we will delete it.

Changes to this policy

If we update this policy, we\u2019ll change the "Last updated" date at the top and, for any material change, send an email to active accounts at least 14 days before the change takes effect. We won\u2019t apply new privacy-reducing changes retroactively to data you already shared.

Contact us

Privacy questions, data requests, or complaints:

Email: privacy@rfphawk.com
Mail: RFPHawk, Privacy Team, [mailing address pending]

We aim to respond to all privacy requests within 5 business days.