RFPHawk
Industries States Pricing Blog About
Log in Start free
Dashboard
IndustriesStatesPricingBlogAbout
Log in Start free
Dashboard
Legal

Privacy Policy

This policy explains what information we collect when you visit rfphawk.com or use the RFPHawk service, how we use and share that information, and the privacy rights you have under U.S. and international law.

Effective May 19, 2026
Last updated May 19, 2026

On this page

  • Overview
  • At-a-glance summary
  • Information we collect
  • How we collect it
  • How we use your information
  • Legal basis (GDPR)
  • How we share information
  • Third-party services
  • Cookies & tracking
  • Advertising & analytics
  • Your choices
  • California privacy rights
  • EU/UK privacy rights
  • Other U.S. state rights
  • Data retention
  • International transfers
  • Security
  • Children
  • Do Not Track / GPC
  • Third-party links
  • Changes to this policy
  • Contact us

Overview

This Privacy Policy describes how RFPHawk ("RFPHawk," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information about visitors to our websites at rfphawk.com and any subdomains (the "Sites") and users of the RFPHawk service (the "Service"). It applies to information we collect through the Sites, the Service, email and other electronic communications you exchange with us, and our advertising and marketing on third-party platforms.

By using the Sites or the Service, you acknowledge that you have read this Privacy Policy and understand how we handle your information. If you do not agree, please do not use the Sites or the Service. This Privacy Policy supplements our Terms of Service and Disclaimer.

At-a-glance summary

This is a plain-language summary. The detailed sections below control if there is any difference between this summary and the rest of the policy.

  • What we collect: account information (name, email, password), business profile data (company, NAICS, regions, alerts), billing data through Stripe (we never see your card number), product usage data, and technical/device data (IP address, browser, pages viewed).
  • What we use it for: running and improving the Service, billing, transactional and marketing email, security, analytics, and showing you our ads on third-party platforms.
  • Who we share with: service providers that help us operate (Supabase, Stripe, Resend, Vercel, Cloudflare), analytics providers (Google Analytics, PostHog), advertising platforms (Meta, Google, LinkedIn, Microsoft), and authorities where legally required.
  • What we do not do: we do not sell your personal information for money. We do not share contents of your saved RFPs, notes, or pipeline data with advertisers. We aggregate publicly-available government procurement data; we are independent and not affiliated with any government agency.
  • Your rights: you can access, correct, port, or delete your account data at any time, and California, EU/UK, and several other state residents have additional formal rights described below.

Information we collect

We collect the following categories of personal information.

Account information

  • Identifiers: full name, email address, password hash (we never store the plain-text password), and a unique user identifier we assign you.
  • Authentication credentials: when you sign in with Google (OAuth), we receive your name, email address, and profile picture from Google. We do not receive your Google password.

Business profile information

  • Company name and optional business description.
  • NAICS (industry) codes you select as relevant to your business.
  • States, counties, and regions you want to target.
  • Keywords, saved searches, and alert preferences you configure.
  • Saved RFPs, pipeline stages, internal notes, and team annotations you create inside the Service.
  • Self-identified eligibility status for federal set-aside programs (8(a), HUBZone, WOSB, EDWOSB, SDVOSB, etc.) if you choose to provide it. Providing this is optional.

Billing and transaction information

When you subscribe to a paid plan, our payment processor (Stripe) collects and processes your payment information directly. We never see or store your full card number, CVV, or full bank account details. From Stripe we receive:

  • Cardholder name, billing address (country, postal code), card brand, and the last four digits of your card.
  • Subscription status, plan, billing schedule, and invoice history.
  • Transaction amounts, refunds, chargebacks, and tax information where applicable.

Communications

  • Email correspondence you send to us, including support requests and replies to our marketing or transactional emails.
  • Form submissions through our contact, waitlist, and newsletter forms.
  • If we record a sales or onboarding call (with your consent), the recording, transcript, and any notes.

Usage and device data

When you visit the Sites or use the Service, we and our service providers automatically collect:

  • Device and connection data: IP address, user-agent string (browser type, version, operating system), device type, screen size, language preference, and approximate location (typically country and region) derived from your IP address.
  • Activity data: pages you view, links you click, searches you run, filters you apply, RFPs you open, features you use, time on page, and similar diagnostics.
  • Event identifiers: a server-assigned session identifier, a randomly-generated cookie identifier used for analytics, and (for users who have signed in) your account identifier.
  • Referrers and UTM parameters: if you arrive at the Sites from another website, a search engine, or a paid advertisement, we may record the referring URL and any campaign tracking parameters in the URL.
  • Diagnostic logs: server-side logs of HTTP requests (timestamp, URL, status code, IP, user-agent) used to operate and secure the Service.

Inferences and derived data

From the information above, we derive inferences such as your likely industry interests, content relevance scores, and product-usage patterns. We use these inferences inside the Service (for example, to rank opportunities against your profile) and in aggregate to improve the Service.

Information we do not collect

We do not intentionally collect Social Security numbers, driver's license numbers, passport numbers, biometric identifiers, precise GPS location, the contents of your communications outside the Service (such as your email inbox), or financial account numbers beyond what Stripe collects for billing. We do not knowingly collect personal information from children under 13 (see Children below).

How we collect it

We collect personal information from three sources:

  1. Directly from you when you create an account, fill in your business profile, save an RFP, configure an alert, subscribe to a paid plan, contact support, fill out a form, or otherwise interact with the Sites or the Service.
  2. Automatically when you visit the Sites or use the Service, through cookies, server logs, analytics SDKs, and similar technologies (see Cookies & tracking below).
  3. From third parties, including:
    • Identity and authentication providers (e.g., Google OAuth) if you choose to sign in through them.
    • Payment processors (Stripe) when you subscribe or update billing information.
    • Advertising and analytics partners that may share back conversion, attribution, or matching data so we can measure the effectiveness of our marketing.
    • Public records and our government data sources, which contain procurement information and agency contact information (this is not personal information about you).

How we use your information

We use personal information for the following purposes:

  • Provide and operate the Service: create and authenticate your account, match RFPs against your profile and keywords, render the dashboard, deliver alerts and digests, and respond to your requests.
  • Billing and account administration: process subscription payments through Stripe, send receipts and invoices, handle refunds and chargebacks, and prevent payment fraud.
  • Customer support: respond to your support requests, troubleshoot issues, and follow up after a contact.
  • Service improvement: understand how users engage with the Service, prioritize features, fix bugs, run A/B tests on changes, and measure performance.
  • Marketing communications: send you product updates, newsletters, feature announcements, and offers — subject to your communication preferences and applicable law (see Your choices below).
  • Advertising and measurement: show our advertisements to you and to audiences similar to our existing customers on third-party platforms (Meta, Google, LinkedIn, Microsoft Advertising); measure the effectiveness of our advertising; suppress ads to users who are already customers; and identify lookalike audiences. See Advertising & analytics for details.
  • Security and fraud prevention: detect and prevent abuse, scraping, credential stuffing, brute-force attacks, payment fraud, and violations of our Terms of Service and Acceptable Use Policy.
  • Legal and regulatory compliance: meet our obligations under tax, accounting, electronic communications, consumer protection, and other applicable laws; respond to lawful requests from courts, regulators, and government agencies; protect our rights and the rights of others; and enforce our agreements.
  • Business transactions: evaluate, negotiate, or complete a merger, acquisition, financing, asset sale, reorganization, or bankruptcy. If such a transaction occurs, personal information may be transferred to the new entity.

We do not use your personal information to train third-party machine-learning models on other customers' data, sell lead lists, or enrich third-party marketing databases.

Legal basis for processing (GDPR / UK-GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the GDPR or UK-GDPR requires us to identify a lawful basis for each processing activity. We rely on the following bases:

  • Performance of a contract (Art. 6(1)(b)): creating and operating your account, delivering the Service you subscribed to, processing payments, and providing support.
  • Legitimate interests (Art. 6(1)(f)): improving the Service, securing the Service against abuse and fraud, conducting analytics on aggregated usage, measuring the effectiveness of our marketing, and conducting direct marketing to existing customers about products and features similar to those they already use. You have the right to object to processing based on legitimate interests at any time.
  • Consent (Art. 6(1)(a)): setting non-essential cookies (including analytics and advertising cookies), sending marketing emails to prospects who are not existing customers, and any other processing that requires opt-in consent under applicable law. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): keeping records required by tax, accounting, anti-money-laundering, or other applicable law.
  • Vital interests / public interest (Art. 6(1)(d) and (e)): rarely applicable but available in emergency situations.

We do not knowingly process special categories of personal data under Article 9 of the GDPR (such as data revealing racial or ethnic origin, religious beliefs, health data, or sex life). If you voluntarily provide such information through profile fields or free-text fields, you consent to our processing of it for the purpose you have selected.

How we share information

We share personal information with the following categories of recipients. Specific current vendors are listed in Third-party services.

  • Service providers (processors): companies that perform services for us under written agreements that limit their use of personal information to providing services to us. These include hosting, database, payment processing, email delivery, analytics, customer support tooling, error monitoring, and content delivery.
  • Advertising partners: when you visit the Sites we share certain device and usage data with advertising platforms (Meta, Google, LinkedIn, Microsoft Advertising) to deliver our advertising, measure conversion, suppress ads to existing customers, and identify lookalike audiences. Under the California Consumer Privacy Act, certain of these activities may be considered "sharing" of personal information for cross-context behavioral advertising — see California privacy rights for the opt-out path.
  • Analytics providers: services that help us understand how the Sites and Service are used (Google Analytics, PostHog), as further described in Advertising & analytics.
  • Professional advisors: attorneys, accountants, auditors, insurers, and other professional advisors, as needed for the operation of our business.
  • Authorities and parties to legal proceedings: law enforcement, courts, regulators, and other government agencies when required by law, subpoena, court order, or other lawful request, or to protect our rights, your safety, or the safety of others, or to investigate fraud.
  • Successors in interest: parties to a merger, acquisition, financing, divestiture, restructuring, dissolution, or other business transaction involving transfer of some or all of our assets, in which personal information is typically one of the transferred assets.
  • With your consent or at your direction: for example, if you ask us to share information with a teammate, integration partner, or third party.

We do not sell your personal information for money. However, certain disclosures to our advertising partners may qualify as a "sale" or "sharing" under California law and as a "targeted advertising" disclosure under other state laws. See California privacy rights and Other U.S. state rights for opt-out procedures.

Third-party services

The table below lists the specific third-party processors and partners we use. Each operates under its own privacy policy, linked in the rightmost column.

Vendor Purpose Categories shared Their policy
Supabase Database, authentication, file storage Account, profile, usage data supabase.com/privacy
Stripe Payment processing, billing, fraud detection Name, email, billing address, card data, transaction history (paid plans only) stripe.com/privacy
Vercel Hosting, edge delivery, serverless functions Request metadata (IP, user-agent, URL) vercel.com/legal/privacy-policy
Cloudflare CDN, DDoS protection, bot mitigation Request metadata (IP, user-agent, URL) cloudflare.com/privacypolicy
Resend Transactional & marketing email delivery Email address, message contents, delivery diagnostics resend.com/legal/privacy-policy
Google Analytics (GA4) Product analytics, traffic measurement Pseudonymized usage data, truncated IP, device data, cookie identifier policies.google.com/privacy
PostHog Product analytics, session diagnostics, A/B testing Pseudonymized usage data, feature interactions, device data posthog.com/privacy
Google (OAuth) Authentication ("Sign in with Google") Email, name, profile picture (only if you choose Google sign-in) policies.google.com/privacy
Google Ads Search and display advertising, conversion tracking Device data, conversion events, advertising identifier policies.google.com/privacy
Meta (Facebook / Instagram) Advertising, conversion measurement, audience matching Device data, page-view events, conversion events, hashed email (for Custom Audiences) facebook.com/privacy/policy
LinkedIn B2B advertising, conversion measurement, audience matching Device data, page-view events, conversion events, hashed email linkedin.com/legal/privacy-policy
Microsoft Advertising Bing search advertising, conversion measurement Device data, conversion events privacy.microsoft.com/privacystatement
Browserbase Server-side anti-bot bypass for our data ingestion (does not handle user data) None of your personal data; only government source pages browserbase.com/privacy
GitHub Source code repository, CI/CD orchestration None of your personal data in normal operation github.com/site-policy/privacy

We update this list when we add or remove a vendor that processes personal information. The "Last updated" date at the top of this policy reflects when the list was last reviewed.

Cookies & tracking

We and our service providers use cookies, local storage, pixels, web beacons, software development kits (SDKs), and similar tracking technologies (collectively, "cookies") to operate the Service, remember your preferences, conduct analytics, secure the Service, and deliver and measure advertising.

Categories of cookies we use

  • Strictly necessary: required to operate the Service. Includes your authenticated session cookie, CSRF (cross-site request forgery) tokens, and the cookie consent state itself. These cannot be disabled.
  • Functional: remember preferences you set, such as your dark/light theme. Some are stored in localStorage rather than as cookies.
  • Analytics: let us understand how visitors discover and use the Service so we can improve it. Includes Google Analytics 4 and PostHog identifiers and a randomly-generated cookie identifier we assign on first visit.
  • Advertising: let us deliver and measure our advertising on third-party platforms. Includes the Meta Pixel, Google Ads conversion tags, LinkedIn Insight Tag, and Microsoft Advertising UET tag.

Your cookie choices

Where required by law (including the EU, UK, and Switzerland), we ask for your consent before setting analytics or advertising cookies. You can change your cookie preferences at any time through the cookie banner or by clicking the "Cookie preferences" link in the footer of any page. You can also disable cookies through your browser settings — but doing so may break parts of the Service that depend on the strictly-necessary category.

For California residents, this policy section also serves as a disclosure of our use of tracking technologies that may constitute "sharing" of personal information for cross-context behavioral advertising. See California privacy rights.

Advertising & analytics

We use both first-party analytics (to understand and improve the Service) and third-party advertising tags (to market the Service to potential customers). This section describes those activities in detail and how you can opt out.

Analytics

We use Google Analytics 4 and PostHog to understand how visitors discover, navigate, and use the Sites and Service. Analytics platforms receive pseudonymized usage data (page-view events, click events, feature interactions), device data (user-agent, screen size, language), and a randomly-generated cookie identifier. We have configured Google Analytics to truncate IP addresses on collection in regions where that is required.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, and you can request that PostHog stop tracking your account by emailing privacy@rfphawk.com.

Advertising

We advertise the Service on Meta (Facebook and Instagram), Google (Search, YouTube, and the Display Network), LinkedIn, and Microsoft Advertising (Bing). To do this, we embed the following measurement technologies on the Sites:

  • Meta Pixel — measures conversions and supports Custom Audiences and Lookalike Audiences on Meta platforms.
  • Google Ads conversion tag and Google Ads remarketing tag.
  • LinkedIn Insight Tag.
  • Microsoft Advertising UET (Universal Event Tracking) tag.

These technologies share with the respective advertising platform a record that you visited a page on our Sites or completed a conversion event (such as creating an account), along with device data and any platform-issued advertising identifier already present in your browser. For Custom Audience matching, we may also share hashed (one-way encrypted) email addresses of existing customers so the platform can suppress ads to them or find similar audiences. We do not share the contents of your saved RFPs, your business notes, your pipeline data, or any payment information with any advertising platform.

Under California law, the operation of these tags may qualify as "sharing" of personal information for cross-context behavioral advertising. You have the right to opt out — see California privacy rights.

You can also opt out of interest-based advertising on a cross-industry basis through the following industry programs (note these opt-outs are stored as cookies and may need to be reset if you change browsers or clear cookies):

  • Digital Advertising Alliance (DAA)
  • Network Advertising Initiative (NAI)
  • DAA Canada (AdChoices)
  • European Interactive Digital Advertising Alliance (EDAA)

Mobile users can opt out of cross-app advertising tracking through their device settings (iOS: Settings → Privacy & Security → Apple Advertising → Personalized Ads; Android: Settings → Privacy → Ads).

Your choices

You have the following choices regardless of where you live:

  • Access & correction: view and edit your account information at any time from Settings inside the app. To request a copy of all personal information we hold about you, email privacy@rfphawk.com.
  • Account deletion: delete your account and the personal information associated with it from Settings → Account → Delete account, or by emailing privacy@rfphawk.com. We complete deletion within 30 days, subject to the retention exceptions described in Data retention.
  • Email preferences: opt out of marketing emails using the "unsubscribe" link in any marketing email or from Settings → Notifications. Transactional emails (account, security, billing, legal) will continue while you have an active account.
  • Cookie preferences: open the cookie banner or "Cookie preferences" link in the footer to adjust analytics and advertising cookies. You can also use the industry opt-outs linked in Advertising & analytics.
  • Withdraw consent: where we rely on your consent to process personal information, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), gives you specific rights regarding your personal information. This section is our "Notice at Collection" and our annual disclosure required by the CCPA/CPRA.

Categories of personal information collected, disclosed, and shared

In the past 12 months we have collected the following statutory categories of personal information. We disclose each category to service providers as needed to operate the Service. Categories marked "Shared" are also disclosed to advertising partners for cross-context behavioral advertising. We have not sold personal information for monetary consideration.

Category Examples Collected Disclosed Shared
A. IdentifiersName, email, IP, cookie identifierYesYesYes (cookie identifier, IP)
B. Customer records (CA Civil Code §1798.80)Name, billing address, payment dataYesYes (Stripe)No
C. Protected classificationsRace, religion, age, sexNoNoNo
D. Commercial informationSubscription, transaction historyYesYesNo
E. Biometric informationFingerprints, faceprintsNoNoNo
F. Internet / network activityPages viewed, links clicked, searchesYesYesYes
G. GeolocationApproximate country/region from IPYes (coarse)YesYes (coarse)
H. Sensory dataAudio, video, etc.NoNoNo
I. Professional / employmentCompany, job role, business profileYesYesNo
J. Education informationEducation recordsNoNoNo
K. InferencesIndustry interests, product-use patternsYesLimitedNo

Sensitive personal information

We do not knowingly collect "sensitive personal information" as defined by the CCPA/CPRA (such as government identifiers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, health data, or sex life data). If you choose to provide set-aside eligibility information (such as 8(a), HUBZone, or veteran/woman-owned status) in your profile, we use it only to filter opportunities for you inside the Service; we do not share it with advertising partners and we do not use it to infer protected characteristics.

Your CCPA/CPRA rights

  • Right to know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the third parties with whom we have shared it.
  • Right to delete personal information we have collected, subject to certain statutory exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing of your personal information for cross-context behavioral advertising. We do not sell personal information for money, but our use of advertising pixels constitutes "sharing" under CPRA — you can opt out using the link below.
  • Right to limit use and disclosure of sensitive personal information — we do not use sensitive personal information for purposes that would require this right, but the right is available.
  • Right to non-discrimination for exercising any of these rights. We will not deny service, charge different prices, or provide a different level of quality because you exercised a right.
  • Right to designate an authorized agent to make a request on your behalf.

How to exercise these rights

  • Right to know / access / port: email privacy@rfphawk.com with subject line "California Right to Know" and include the email address associated with your account.
  • Right to delete: delete your account from Settings, or email the address above with subject line "California Right to Delete."
  • Right to correct: edit your profile from Settings, or email the address above.
  • Right to opt out of sale or sharing ("Do Not Sell or Share My Personal Information"): use the Do Not Sell or Share My Personal Information page, which is also linked in the site footer. We honor the Global Privacy Control (GPC) signal as an opt-out request — see Do Not Track / GPC.

We verify identity by matching the email used to contact us against the email on the account. We respond to verifiable requests within 45 days; complex requests may take up to an additional 45 days, in which case we will notify you.

"Shine the Light" disclosure

California Civil Code §1798.83 (the "Shine the Light" law) permits California residents to request information about disclosures of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

EU / UK privacy rights (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR or UK-GDPR:

  • Right of access to your personal data.
  • Right to rectification of inaccurate personal data.
  • Right to erasure ("right to be forgotten").
  • Right to restriction of processing.
  • Right to data portability in a structured, commonly-used, machine-readable format.
  • Right to object to processing based on legitimate interests, including direct marketing.
  • Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. RFPHawk does not make legally-binding decisions about you using automated processing.
  • Right to withdraw consent at any time where we rely on consent.
  • Right to lodge a complaint with your local supervisory authority. In the UK, that is the Information Commissioner's Office (ICO); in the EU, see the European Data Protection Board directory.

To exercise any of these rights, email privacy@rfphawk.com. We do not have a EU representative under Article 27 GDPR appointed at this time because we do not target the offering of goods or services to data subjects in the EU and do not engage in monitoring of behavior taking place in the EU. We will appoint a representative if our processing activities change.

Other U.S. state rights

Residents of certain other U.S. states have similar rights under their respective consumer privacy laws. These include but are not limited to: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (ICDPA), Tennessee (TIPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), New Hampshire, New Jersey, Delaware, Minnesota, Maryland, and others.

The rights generally available include:

  • Right to confirm whether we process your personal data and to access it.
  • Right to correct inaccuracies.
  • Right to delete personal data.
  • Right to data portability.
  • Right to opt out of targeted advertising, the sale of personal data, and certain types of profiling.
  • Right to appeal an adverse decision on a rights request.

To exercise these rights, email privacy@rfphawk.com and identify the state of which you are a resident. We respond within the timelines required by the applicable state law (typically 45 days, with one possible 45-day extension). If we decline a request, you may appeal by replying to our response email with the subject line "Appeal."

Data retention

We retain personal information only as long as we have a legitimate need:

  • Account & profile data: while your account is active and for up to 90 days after deletion, after which it is purged from active systems. Encrypted backups containing this data are rotated out within 180 days.
  • Billing & tax records: retained for the period required by tax, accounting, and anti-money-laundering law (typically 7 years).
  • Server access logs: 30 days, except where retained longer for security investigations.
  • Analytics data: retained by Google Analytics and PostHog according to their default retention settings (typically 14–26 months for event-level data, longer for aggregated reports).
  • Marketing email records: retained for as long as you remain subscribed, plus a suppression list of unsubscribed addresses retained indefinitely to honor your opt-out (as permitted by CAN-SPAM).
  • Records related to legal claims: retained until the relevant limitations period expires.

After the applicable retention period, we delete or anonymize personal information so that it can no longer be associated with you.

International data transfers

RFPHawk is operated from the United States. The personal information we collect is stored and processed in the United States and in any other country where our service providers maintain facilities. If you are located outside the United States, your personal information will be transferred to and processed in the United States, which may not provide the same level of data protection as your country of residence.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum to the SCCs where applicable. We expect our principal service providers (Supabase, Stripe, Vercel, Cloudflare, Resend, Google, Meta, LinkedIn, Microsoft) to maintain their own transfer mechanisms (including the EU–U.S. Data Privacy Framework, Standard Contractual Clauses, and Binding Corporate Rules, as applicable to each).

Security

We use reasonable and industry-standard administrative, technical, and physical safeguards to protect personal information, including:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 via Supabase storage).
  • Hashed passwords (bcrypt) — we never store plain-text passwords.
  • Row-level security policies in our database to enforce tenant isolation.
  • Least-privilege production database access, limited to a small set of authorized engineers, with all access logged.
  • Multi-factor authentication on administrative consoles (database, payments, hosting, source control, DNS).
  • Automated dependency-vulnerability scanning and periodic security review.

No system is perfectly secure. If a security incident affects your personal information, we will notify affected users by email within 72 hours of confirming the incident, and we will provide a description of what happened, what data was affected, and what we are doing to remediate. See our Security page for our broader security roadmap.

Children's privacy

The Service is a business tool for adults. It is not directed at children under 13 and we do not knowingly collect personal information from children under 13, as defined by the Children's Online Privacy Protection Act (COPPA), or from children under 16, as defined by the GDPR for the EU. If we learn that we have collected personal information from a child without verifiable parental consent, we will delete that information. If you believe a child has provided us personal information, contact us at privacy@rfphawk.com.

Do Not Track / Global Privacy Control

We do not respond to "Do Not Track" browser signals because there is no consistent industry standard for how to honor them. We do honor the Global Privacy Control ("GPC") signal as an opt-out of sale and sharing under CCPA/CPRA and equivalent state laws. When we detect a GPC signal in your browser, we will treat it as a verified request to stop sharing your personal information with advertising partners, for the duration of that browser session and any future sessions from the same browser, without further action on your part.

Third-party links

The Service contains links to government procurement portals, agency websites, and other third-party sites, and our advertising on third-party platforms may link to the Service. We are not responsible for the privacy practices of any website we link to or that links to us. We encourage you to read the privacy policy of every website you visit.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make changes, we will update the "Last updated" date at the top of the policy. For material changes (such as a new category of data collected, a new purpose of processing, or a new category of recipients), we will provide additional notice — for example, an in-app banner or an email to active accounts — at least 14 days before the change takes effect. We will not apply privacy-reducing changes retroactively to data you shared with us before the change.

Contact us

Privacy questions, rights requests, complaints, or anything else covered by this policy:

  • Email: privacy@rfphawk.com
  • Mail: RFPHawk, Privacy Team, [mailing address pending]

We aim to respond to all privacy inquiries within 5 business days and to formal rights requests within the timelines required by applicable law (45 days under CCPA/CPRA and most U.S. state laws; one month under GDPR).

This policy uses plain language wherever possible. Where any provision must use legal terminology to be effective, we still try to explain it in context. If anything is ambiguous, assume the more privacy-protective interpretation — that is what we will do.

Newsletter

RFP intel in your inbox.

A weekly digest of fresh government contracts in your sectors. No spam, unsubscribe anytime.

RFPHawk

Government contract discovery, matched to your business.
Stop scrolling SAM.gov. Start choosing contracts.

Product

  • Features
  • Pricing
  • Browse RFPs
  • Changelog
  • Get started

Resources

  • Blog
  • Industries
  • States
  • Data sources
  • Guide: Finding RFPs
  • NAICS codes guide
  • SAM.gov guide

Company

  • About
  • Press & media kit
  • Contact
  • Security
  • Privacy
  • Do Not Sell or Share
  • Terms
  • Acceptable use
  • Disclaimer

© 2026 RFPHawk. All rights reserved.

All systems operational

RFPHawk is an independent third-party service. Not affiliated with, endorsed by, or sponsored by the U.S. federal government or any state or local government agency. SAM.gov, agency names, and other government program names are the property of their respective owners. Full disclaimer.