Draft
Privacy Policy
How we collect, use, and protect information when you use The GovCon Advisor.
Last updated: TBD
1. Who we are
Placeholder: Your legal entity name (e.g., "The GovCon Advisor, Inc."), state of incorporation, principal business address, and primary contact email for privacy inquiries (e.g., privacy@yourdomain).
2. Information we collect
When you create an account or use the platform, we collect:
- Account information — name, email, password (hashed by our auth provider, Clerk).
- Workspace information — your organization name, contractor entities (Advisory tier), members you invite.
- Documents you upload — incurred cost submissions, rate disclosures, supporting documentation, and other compliance documents you choose to analyze.
- Usage data — pages viewed, features used, engagements created, analyses run.
- Billing information — handled by Stripe; we receive subscription status and metadata but do not store your full card details.
Placeholder: Add any other categories you collect (IP addresses for security logging, support email content, survey responses, etc.).
3. How we use information
We use the information we collect to:
- Provide, maintain, and improve the platform and its compliance tools.
- Process your uploaded documents through our AI analysis pipeline (Anthropic Claude).
- Respond to support requests and communicate about your account.
- Process payments and manage subscriptions.
- Detect, prevent, and investigate fraud or unauthorized use.
Placeholder: Confirm that you do NOT use customer documents or analysis outputs to train AI models. State explicitly here whether you do or don't, since this is a top concern for B2B / GovCon buyers.
4. Sub-processors
We share information with the following third-party service providers to operate the platform. Each is contractually obligated to handle your data securely.
- Clerk — authentication and identity (email, name, hashed password).
- Supabase — database and document storage hosting (workspace data, uploaded documents).
- Anthropic — Claude AI model used to generate compliance analyses (document text sent to model; outputs returned).
- Stripe — payment processing (subscription status, billing metadata).
- Resend — transactional email (engagement-ready notifications).
- Vercel — application hosting and request routing.
Placeholder: Add a link to a maintained sub-processor list with the jurisdictions each operates in. Add language about how you notify customers when sub-processors change.
5. Data retention
Placeholder: State your retention policy for: (a) account information after account closure, (b) uploaded documents (does the customer control retention via a setting? are docs deleted on engagement deletion? on account closure?), (c) analysis outputs, (d) billing records (typically retained 7 years for tax purposes).
6. Security
We use commercially reasonable measures to protect your information, including:
- Encryption in transit (TLS 1.2+) for all connections to the platform.
- Encryption at rest for all database and document storage (AES-256 by our hosting providers).
- Tenant isolation — each workspace's data is logically scoped via row-level security policies.
- Role-based access controls for users within a workspace.
Placeholder: Add any compliance certifications you hold or plan to obtain (SOC 2 Type II, FedRAMP). Note your incident response process and breach notification timeline (typical: 72 hours from discovery for personal data; align with your DPA).
7. Your rights
Placeholder: Describe the rights customers have over their data: access, correction, deletion, portability, objection. Specify how to exercise each (e.g., email privacy@yourdomain). If you serve EU / UK customers, note GDPR-specific rights. If you serve California customers, note CCPA-specific rights.
8. Cookies and tracking
Placeholder: List the cookies you use. At minimum: authentication session cookies (Clerk). Note any analytics, advertising, or tracking cookies — currently the app does not use these, but flag it if that changes.
9. International data transfers
Placeholder: State where your data is stored (e.g., US-based servers via Vercel and Supabase). If you serve customers outside the US, describe the legal mechanism for transfers (Standard Contractual Clauses for EU customers, etc.).
10. Children's privacy
The GovCon Advisor is a B2B platform intended for finance teams at GovCon contractor businesses. The platform is not directed to children under 13 (or under 16 in the EU/UK), and we do not knowingly collect personal information from them.
11. Changes to this Privacy Policy
Placeholder: State how you'll notify users of material changes (in-app banner, email, etc.) and the effective-date convention.
12. Contact us
Placeholder: Provide a mailing address and email for privacy inquiries. Include a Data Protection Officer designation if applicable.