Overview
This Privacy Policy describes how RFPHawk ("RFPHawk," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information about visitors to our websites at rfphawk.com and any subdomains (the "Sites") and users of the RFPHawk service (the "Service"). It applies to information we collect through the Sites, the Service, email and other electronic communications you exchange with us, and our advertising and marketing on third-party platforms.
By using the Sites or the Service, you acknowledge that you have read this Privacy Policy and understand how we handle your information. If you do not agree, please do not use the Sites or the Service. This Privacy Policy supplements our Terms of Service and Disclaimer.
At-a-glance summary
This is a plain-language summary. The detailed sections below control if there is any difference between this summary and the rest of the policy.
- What we collect: account information (name, email, password), business profile data (company, NAICS, regions, alerts), billing data through Stripe (we never see your card number), product usage data, and technical/device data (IP address, browser, pages viewed).
- What we use it for: running and improving the Service, billing, transactional and marketing email, security, analytics, and showing you our ads on third-party platforms.
- Who we share with: service providers that help us operate (Supabase, Stripe, Resend, Vercel, Cloudflare), analytics providers (Google Analytics, PostHog), advertising platforms (Meta, Google, LinkedIn, Microsoft), and authorities where legally required.
- What we do not do: we do not sell your personal information for money. We do not share contents of your saved RFPs, notes, or pipeline data with advertisers. We aggregate publicly-available government procurement data; we are independent and not affiliated with any government agency.
- Your rights: you can access, correct, port, or delete your account data at any time, and California, EU/UK, and several other state residents have additional formal rights described below.
Information we collect
We collect the following categories of personal information.
Account information
- Identifiers: full name, email address, password hash (we never store the plain-text password), and a unique user identifier we assign you.
- Authentication credentials: when you sign in with Google (OAuth), we receive your name, email address, and profile picture from Google. We do not receive your Google password.
Business profile information
- Company name and optional business description.
- NAICS (industry) codes you select as relevant to your business.
- States, counties, and regions you want to target.
- Keywords, saved searches, and alert preferences you configure.
- Saved RFPs, pipeline stages, internal notes, and team annotations you create inside the Service.
- Self-identified eligibility status for federal set-aside programs (8(a), HUBZone, WOSB, EDWOSB, SDVOSB, etc.) if you choose to provide it. Providing this is optional.
Billing and transaction information
When you subscribe to a paid plan, our payment processor (Stripe) collects and processes your payment information directly. We never see or store your full card number, CVV, or full bank account details. From Stripe we receive:
- Cardholder name, billing address (country, postal code), card brand, and the last four digits of your card.
- Subscription status, plan, billing schedule, and invoice history.
- Transaction amounts, refunds, chargebacks, and tax information where applicable.
Communications
- Email correspondence you send to us, including support requests and replies to our marketing or transactional emails.
- Form submissions through our contact, waitlist, and newsletter forms.
- If we record a sales or onboarding call (with your consent), the recording, transcript, and any notes.
Usage and device data
When you visit the Sites or use the Service, we and our service providers automatically collect:
- Device and connection data: IP address, user-agent string (browser type, version, operating system), device type, screen size, language preference, and approximate location (typically country and region) derived from your IP address.
- Activity data: pages you view, links you click, searches you run, filters you apply, RFPs you open, features you use, time on page, and similar diagnostics.
- Event identifiers: a server-assigned session identifier, a randomly-generated cookie identifier used for analytics, and (for users who have signed in) your account identifier.
- Referrers and UTM parameters: if you arrive at the Sites from another website, a search engine, or a paid advertisement, we may record the referring URL and any campaign tracking parameters in the URL.
- Diagnostic logs: server-side logs of HTTP requests (timestamp, URL, status code, IP, user-agent) used to operate and secure the Service.
Inferences and derived data
From the information above, we derive inferences such as your likely industry interests, content relevance scores, and product-usage patterns. We use these inferences inside the Service (for example, to rank opportunities against your profile) and in aggregate to improve the Service.
Information we do not collect
We do not intentionally collect Social Security numbers, driver's license numbers, passport numbers, biometric identifiers, precise GPS location, the contents of your communications outside the Service (such as your email inbox), or financial account numbers beyond what Stripe collects for billing. We do not knowingly collect personal information from children under 13 (see Children below).
How we collect it
We collect personal information from three sources:
- Directly from you when you create an account, fill in your business profile, save an RFP, configure an alert, subscribe to a paid plan, contact support, fill out a form, or otherwise interact with the Sites or the Service.
- Automatically when you visit the Sites or use the Service, through cookies, server logs, analytics SDKs, and similar technologies (see Cookies & tracking below).
- From third parties, including:
- Identity and authentication providers (e.g., Google OAuth) if you choose to sign in through them.
- Payment processors (Stripe) when you subscribe or update billing information.
- Advertising and analytics partners that may share back conversion, attribution, or matching data so we can measure the effectiveness of our marketing.
- Public records and our government data sources, which contain procurement information and agency contact information (this is not personal information about you).
How we use your information
We use personal information for the following purposes:
- Provide and operate the Service: create and authenticate your account, match RFPs against your profile and keywords, render the dashboard, deliver alerts and digests, and respond to your requests.
- Billing and account administration: process subscription payments through Stripe, send receipts and invoices, handle refunds and chargebacks, and prevent payment fraud.
- Customer support: respond to your support requests, troubleshoot issues, and follow up after a contact.
- Service improvement: understand how users engage with the Service, prioritize features, fix bugs, run A/B tests on changes, and measure performance.
- Marketing communications: send you product updates, newsletters, feature announcements, and offers — subject to your communication preferences and applicable law (see Your choices below).
- Advertising and measurement: show our advertisements to you and to audiences similar to our existing customers on third-party platforms (Meta, Google, LinkedIn, Microsoft Advertising); measure the effectiveness of our advertising; suppress ads to users who are already customers; and identify lookalike audiences. See Advertising & analytics for details.
- Security and fraud prevention: detect and prevent abuse, scraping, credential stuffing, brute-force attacks, payment fraud, and violations of our Terms of Service and Acceptable Use Policy.
- Legal and regulatory compliance: meet our obligations under tax, accounting, electronic communications, consumer protection, and other applicable laws; respond to lawful requests from courts, regulators, and government agencies; protect our rights and the rights of others; and enforce our agreements.
- Business transactions: evaluate, negotiate, or complete a merger, acquisition, financing, asset sale, reorganization, or bankruptcy. If such a transaction occurs, personal information may be transferred to the new entity.
We do not use your personal information to train third-party machine-learning models on other customers' data, sell lead lists, or enrich third-party marketing databases.
Legal basis for processing (GDPR / UK-GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the GDPR or UK-GDPR requires us to identify a lawful basis for each processing activity. We rely on the following bases:
- Performance of a contract (Art. 6(1)(b)): creating and operating your account, delivering the Service you subscribed to, processing payments, and providing support.
- Legitimate interests (Art. 6(1)(f)): improving the Service, securing the Service against abuse and fraud, conducting analytics on aggregated usage, measuring the effectiveness of our marketing, and conducting direct marketing to existing customers about products and features similar to those they already use. You have the right to object to processing based on legitimate interests at any time.
- Consent (Art. 6(1)(a)): setting non-essential cookies (including analytics and advertising cookies), sending marketing emails to prospects who are not existing customers, and any other processing that requires opt-in consent under applicable law. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): keeping records required by tax, accounting, anti-money-laundering, or other applicable law.
- Vital interests / public interest (Art. 6(1)(d) and (e)): rarely applicable but available in emergency situations.
We do not knowingly process special categories of personal data under Article 9 of the GDPR (such as data revealing racial or ethnic origin, religious beliefs, health data, or sex life). If you voluntarily provide such information through profile fields or free-text fields, you consent to our processing of it for the purpose you have selected.
Third-party services
The table below lists the specific third-party processors and partners we use. Each operates under its own privacy policy, linked in the rightmost column.
| Vendor | Purpose | Categories shared | Their policy |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account, profile, usage data | supabase.com/privacy |
| Stripe | Payment processing, billing, fraud detection | Name, email, billing address, card data, transaction history (paid plans only) | stripe.com/privacy |
| Vercel | Hosting, edge delivery, serverless functions | Request metadata (IP, user-agent, URL) | vercel.com/legal/privacy-policy |
| Cloudflare | CDN, DDoS protection, bot mitigation | Request metadata (IP, user-agent, URL) | cloudflare.com/privacypolicy |
| Resend | Transactional & marketing email delivery | Email address, message contents, delivery diagnostics | resend.com/legal/privacy-policy |
| Google Analytics (GA4) | Product analytics, traffic measurement | Pseudonymized usage data, truncated IP, device data, cookie identifier | policies.google.com/privacy |
| PostHog | Product analytics, session diagnostics, A/B testing | Pseudonymized usage data, feature interactions, device data | posthog.com/privacy |
| Google (OAuth) | Authentication ("Sign in with Google") | Email, name, profile picture (only if you choose Google sign-in) | policies.google.com/privacy |
| Google Ads | Search and display advertising, conversion tracking | Device data, conversion events, advertising identifier | policies.google.com/privacy |
| Meta (Facebook / Instagram) | Advertising, conversion measurement, audience matching | Device data, page-view events, conversion events, hashed email (for Custom Audiences) | facebook.com/privacy/policy |
| B2B advertising, conversion measurement, audience matching | Device data, page-view events, conversion events, hashed email | linkedin.com/legal/privacy-policy | |
| Microsoft Advertising | Bing search advertising, conversion measurement | Device data, conversion events | privacy.microsoft.com/privacystatement |
| Browserbase | Server-side anti-bot bypass for our data ingestion (does not handle user data) | None of your personal data; only government source pages | browserbase.com/privacy |
| GitHub | Source code repository, CI/CD orchestration | None of your personal data in normal operation | github.com/site-policy/privacy |
We update this list when we add or remove a vendor that processes personal information. The "Last updated" date at the top of this policy reflects when the list was last reviewed.
Advertising & analytics
We use both first-party analytics (to understand and improve the Service) and third-party advertising tags (to market the Service to potential customers). This section describes those activities in detail and how you can opt out.
Analytics
We use Google Analytics 4 and PostHog to understand how visitors discover, navigate, and use the Sites and Service. Analytics platforms receive pseudonymized usage data (page-view events, click events, feature interactions), device data (user-agent, screen size, language), and a randomly-generated cookie identifier. We have configured Google Analytics to truncate IP addresses on collection in regions where that is required.
You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, and you can request that PostHog stop tracking your account by emailing privacy@rfphawk.com.
Advertising
We advertise the Service on Meta (Facebook and Instagram), Google (Search, YouTube, and the Display Network), LinkedIn, and Microsoft Advertising (Bing). To do this, we embed the following measurement technologies on the Sites:
- Meta Pixel — measures conversions and supports Custom Audiences and Lookalike Audiences on Meta platforms.
- Google Ads conversion tag and Google Ads remarketing tag.
- LinkedIn Insight Tag.
- Microsoft Advertising UET (Universal Event Tracking) tag.
These technologies share with the respective advertising platform a record that you visited a page on our Sites or completed a conversion event (such as creating an account), along with device data and any platform-issued advertising identifier already present in your browser. For Custom Audience matching, we may also share hashed (one-way encrypted) email addresses of existing customers so the platform can suppress ads to them or find similar audiences. We do not share the contents of your saved RFPs, your business notes, your pipeline data, or any payment information with any advertising platform.
Under California law, the operation of these tags may qualify as "sharing" of personal information for cross-context behavioral advertising. You have the right to opt out — see California privacy rights.
You can also opt out of interest-based advertising on a cross-industry basis through the following industry programs (note these opt-outs are stored as cookies and may need to be reset if you change browsers or clear cookies):
- Digital Advertising Alliance (DAA)
- Network Advertising Initiative (NAI)
- DAA Canada (AdChoices)
- European Interactive Digital Advertising Alliance (EDAA)
Mobile users can opt out of cross-app advertising tracking through their device settings (iOS: Settings → Privacy & Security → Apple Advertising → Personalized Ads; Android: Settings → Privacy → Ads).
Your choices
You have the following choices regardless of where you live:
- Access & correction: view and edit your account information at any time from Settings inside the app. To request a copy of all personal information we hold about you, email privacy@rfphawk.com.
- Account deletion: delete your account and the personal information associated with it from Settings → Account → Delete account, or by emailing privacy@rfphawk.com. We complete deletion within 30 days, subject to the retention exceptions described in Data retention.
- Email preferences: opt out of marketing emails using the "unsubscribe" link in any marketing email or from Settings → Notifications. Transactional emails (account, security, billing, legal) will continue while you have an active account.
- Cookie preferences: open the cookie banner or "Cookie preferences" link in the footer to adjust analytics and advertising cookies. You can also use the industry opt-outs linked in Advertising & analytics.
- Withdraw consent: where we rely on your consent to process personal information, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
California privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), gives you specific rights regarding your personal information. This section is our "Notice at Collection" and our annual disclosure required by the CCPA/CPRA.
Categories of personal information collected, disclosed, and shared
In the past 12 months we have collected the following statutory categories of personal information. We disclose each category to service providers as needed to operate the Service. Categories marked "Shared" are also disclosed to advertising partners for cross-context behavioral advertising. We have not sold personal information for monetary consideration.
| Category | Examples | Collected | Disclosed | Shared |
|---|---|---|---|---|
| A. Identifiers | Name, email, IP, cookie identifier | Yes | Yes | Yes (cookie identifier, IP) |
| B. Customer records (CA Civil Code §1798.80) | Name, billing address, payment data | Yes | Yes (Stripe) | No |
| C. Protected classifications | Race, religion, age, sex | No | No | No |
| D. Commercial information | Subscription, transaction history | Yes | Yes | No |
| E. Biometric information | Fingerprints, faceprints | No | No | No |
| F. Internet / network activity | Pages viewed, links clicked, searches | Yes | Yes | Yes |
| G. Geolocation | Approximate country/region from IP | Yes (coarse) | Yes | Yes (coarse) |
| H. Sensory data | Audio, video, etc. | No | No | No |
| I. Professional / employment | Company, job role, business profile | Yes | Yes | No |
| J. Education information | Education records | No | No | No |
| K. Inferences | Industry interests, product-use patterns | Yes | Limited | No |
Sensitive personal information
We do not knowingly collect "sensitive personal information" as defined by the CCPA/CPRA (such as government identifiers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, health data, or sex life data). If you choose to provide set-aside eligibility information (such as 8(a), HUBZone, or veteran/woman-owned status) in your profile, we use it only to filter opportunities for you inside the Service; we do not share it with advertising partners and we do not use it to infer protected characteristics.
Your CCPA/CPRA rights
- Right to know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we have shared it.
- Right to delete personal information we have collected, subject to certain statutory exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of your personal information for cross-context behavioral advertising. We do not sell personal information for money, but our use of advertising pixels constitutes "sharing" under CPRA — you can opt out using the link below.
- Right to limit use and disclosure of sensitive personal information — we do not use sensitive personal information for purposes that would require this right, but the right is available.
- Right to non-discrimination for exercising any of these rights. We will not deny service, charge different prices, or provide a different level of quality because you exercised a right.
- Right to designate an authorized agent to make a request on your behalf.
How to exercise these rights
- Right to know / access / port: email privacy@rfphawk.com with subject line "California Right to Know" and include the email address associated with your account.
- Right to delete: delete your account from Settings, or email the address above with subject line "California Right to Delete."
- Right to correct: edit your profile from Settings, or email the address above.
- Right to opt out of sale or sharing ("Do Not Sell or Share My Personal Information"): use the Do Not Sell or Share My Personal Information page, which is also linked in the site footer. We honor the Global Privacy Control (GPC) signal as an opt-out request — see Do Not Track / GPC.
We verify identity by matching the email used to contact us against the email on the account. We respond to verifiable requests within 45 days; complex requests may take up to an additional 45 days, in which case we will notify you.
"Shine the Light" disclosure
California Civil Code §1798.83 (the "Shine the Light" law) permits California residents to request information about disclosures of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.
EU / UK privacy rights (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR or UK-GDPR:
- Right of access to your personal data.
- Right to rectification of inaccurate personal data.
- Right to erasure ("right to be forgotten").
- Right to restriction of processing.
- Right to data portability in a structured, commonly-used, machine-readable format.
- Right to object to processing based on legitimate interests, including direct marketing.
- Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. RFPHawk does not make legally-binding decisions about you using automated processing.
- Right to withdraw consent at any time where we rely on consent.
- Right to lodge a complaint with your local supervisory authority. In the UK, that is the Information Commissioner's Office (ICO); in the EU, see the European Data Protection Board directory.
To exercise any of these rights, email privacy@rfphawk.com. We do not have a EU representative under Article 27 GDPR appointed at this time because we do not target the offering of goods or services to data subjects in the EU and do not engage in monitoring of behavior taking place in the EU. We will appoint a representative if our processing activities change.
Other U.S. state rights
Residents of certain other U.S. states have similar rights under their respective consumer privacy laws. These include but are not limited to: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (ICDPA), Tennessee (TIPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), New Hampshire, New Jersey, Delaware, Minnesota, Maryland, and others.
The rights generally available include:
- Right to confirm whether we process your personal data and to access it.
- Right to correct inaccuracies.
- Right to delete personal data.
- Right to data portability.
- Right to opt out of targeted advertising, the sale of personal data, and certain types of profiling.
- Right to appeal an adverse decision on a rights request.
To exercise these rights, email privacy@rfphawk.com and identify the state of which you are a resident. We respond within the timelines required by the applicable state law (typically 45 days, with one possible 45-day extension). If we decline a request, you may appeal by replying to our response email with the subject line "Appeal."
Data retention
We retain personal information only as long as we have a legitimate need:
- Account & profile data: while your account is active and for up to 90 days after deletion, after which it is purged from active systems. Encrypted backups containing this data are rotated out within 180 days.
- Billing & tax records: retained for the period required by tax, accounting, and anti-money-laundering law (typically 7 years).
- Server access logs: 30 days, except where retained longer for security investigations.
- Analytics data: retained by Google Analytics and PostHog according to their default retention settings (typically 14–26 months for event-level data, longer for aggregated reports).
- Marketing email records: retained for as long as you remain subscribed, plus a suppression list of unsubscribed addresses retained indefinitely to honor your opt-out (as permitted by CAN-SPAM).
- Records related to legal claims: retained until the relevant limitations period expires.
After the applicable retention period, we delete or anonymize personal information so that it can no longer be associated with you.
International data transfers
RFPHawk is operated from the United States. The personal information we collect is stored and processed in the United States and in any other country where our service providers maintain facilities. If you are located outside the United States, your personal information will be transferred to and processed in the United States, which may not provide the same level of data protection as your country of residence.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum to the SCCs where applicable. We expect our principal service providers (Supabase, Stripe, Vercel, Cloudflare, Resend, Google, Meta, LinkedIn, Microsoft) to maintain their own transfer mechanisms (including the EU–U.S. Data Privacy Framework, Standard Contractual Clauses, and Binding Corporate Rules, as applicable to each).
Security
We use reasonable and industry-standard administrative, technical, and physical safeguards to protect personal information, including:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 via Supabase storage).
- Hashed passwords (bcrypt) — we never store plain-text passwords.
- Row-level security policies in our database to enforce tenant isolation.
- Least-privilege production database access, limited to a small set of authorized engineers, with all access logged.
- Multi-factor authentication on administrative consoles (database, payments, hosting, source control, DNS).
- Automated dependency-vulnerability scanning and periodic security review.
No system is perfectly secure. If a security incident affects your personal information, we will notify affected users by email within 72 hours of confirming the incident, and we will provide a description of what happened, what data was affected, and what we are doing to remediate. See our Security page for our broader security roadmap.
Children's privacy
The Service is a business tool for adults. It is not directed at children under 13 and we do not knowingly collect personal information from children under 13, as defined by the Children's Online Privacy Protection Act (COPPA), or from children under 16, as defined by the GDPR for the EU. If we learn that we have collected personal information from a child without verifiable parental consent, we will delete that information. If you believe a child has provided us personal information, contact us at privacy@rfphawk.com.
Do Not Track / Global Privacy Control
We do not respond to "Do Not Track" browser signals because there is no consistent industry standard for how to honor them. We do honor the Global Privacy Control ("GPC") signal as an opt-out of sale and sharing under CCPA/CPRA and equivalent state laws. When we detect a GPC signal in your browser, we will treat it as a verified request to stop sharing your personal information with advertising partners, for the duration of that browser session and any future sessions from the same browser, without further action on your part.
Third-party links
The Service contains links to government procurement portals, agency websites, and other third-party sites, and our advertising on third-party platforms may link to the Service. We are not responsible for the privacy practices of any website we link to or that links to us. We encourage you to read the privacy policy of every website you visit.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make changes, we will update the "Last updated" date at the top of the policy. For material changes (such as a new category of data collected, a new purpose of processing, or a new category of recipients), we will provide additional notice — for example, an in-app banner or an email to active accounts — at least 14 days before the change takes effect. We will not apply privacy-reducing changes retroactively to data you shared with us before the change.
Contact us
Privacy questions, rights requests, complaints, or anything else covered by this policy:
- Email: privacy@rfphawk.com
- Mail: RFPHawk, Privacy Team, [mailing address pending]
We aim to respond to all privacy inquiries within 5 business days and to formal rights requests within the timelines required by applicable law (45 days under CCPA/CPRA and most U.S. state laws; one month under GDPR).