Privacy Policy · RFP Tree

Section 1 / What we collect

The data we have on you.

1.1 Account data

When you sign up, we collect your email address. That's it. We don't ask for name, phone, company, or anything else as part of sign-up. Magic-link authentication means we don't store a password.

1.2 Billing data

If you upgrade to a paid tier, Stripe collects your card details, billing address, and payment history. We do not see or store your card number. Stripe gives us a customer ID, your tier, and your subscription status, which we store alongside your email so we know what you've paid for.

1.3 Usage data

We log basic usage to operate and improve the service: search queries, which opportunities you viewed or saved, which filters you applied, the pages you visited inside RFP Tree, your IP address, your browser user agent, and timestamps. We tie these logs to your account when you're signed in. When you're not signed in, we keep them anonymous.

1.4 Content you submit

When you save opportunities to your tree, annotate a pipeline, or add notes against an opportunity (paid-tier features), that content is stored in our database alongside your account and is treated as your data. Free accounts cannot save, add, or annotate; they only view the rotating pre-curated set.

1.5 Estate data

Your Estate (my_estate.html) lives in your browser's IndexedDB. It never leaves your device unless you turn on cloud sync. If you do enable cloud sync, we store an encrypted copy. We do not decrypt it, read it, or train AI on it.

1.6 What we don't collect

We don't track you across the web. We don't use third-party advertising cookies. We don't fingerprint your device. We don't read your Estate. We don't store anything sensitive that you didn't enter yourself.

Section 2 / How we use it

What the data is for.

Sign you in via magic-link email
Bill you if you're on a paid tier, and route you to the right tier features
Show you the opportunities you saved, the searches you ran, and the alerts you set
Detect abuse like multi-account free-trial circumvention, scraping, or shared logins
Improve the product by looking at aggregate usage patterns (which features get used, which don't)
Send service-related emails like sign-in links, billing receipts, and important account notices

We do not use your data to train AI models, build profiles to sell to third parties, or share with advertisers.

Section 3 / Who we share with

The four vendors that touch your data.

We use four third-party services to operate. Each one sees a specific slice of your data, and only what it needs to do its job.

Vendor	What they see	Why
Supabase	Email, account metadata, saved opportunities, subscription tier, usage logs	Hosts our authentication and primary database. Data centers in the US.
Stripe	Card details, billing address, payment history (we don't see the card)	Processes payments and manages subscriptions. Returns a customer ID and tier status to us.
Resend	Your email address and the content of magic-link / billing / service emails we send	Delivers transactional email. Sender identity is `auth@rfptree.com` for sign-in mail and `info@rfptree.com` for support.
Cloudflare	IP address, request headers, page paths (standard CDN logs)	Serves the site, protects against DDoS, and caches static assets.

We never sell your data. We never share it with advertisers. We may disclose data when legally required (subpoena, court order) or when we have a good-faith belief disclosure is necessary to protect a user, a third party, or us.

Section 4 / Cookies

What runs in your browser.

We use cookies and browser storage for two purposes: keeping you signed in, and remembering your local preferences.

Supabase auth cookies hold your signed-in session. They expire when you sign out or after a period of inactivity.
Local storage and IndexedDB hold your Estate, draft pipeline state, saved searches, and UI preferences. This data lives on your device, not on our servers.
Cloudflare cookies may be set as part of bot-protection and performance optimization. These are operational, not tracking.

We don't use third-party advertising cookies. We don't run analytics scripts that profile you across other sites.

Section 5 / Your rights

What you can ask us to do.

See what we have on you. Email info@rfptree.com; we'll send the data tied to your account.
Export it. Saved opportunities and pipeline data are exportable from your account dashboard. Estate data exports from your browser without involving us.
Correct it. Update your email or other account fields from the account page. For anything you can't change in-app, write us.
Delete it. Email info@rfptree.com with the subject "Delete my account." We close the account and delete account-resident data within 30 days. Anonymous logs and de-identified abuse-detection logs may be retained longer.
Stop receiving emails. Service-related emails (sign-in links, billing receipts) are required while you have an account. The optional newsletter has an unsubscribe link in every issue.

Honest disclosure

This policy describes what we actually do. We are not making formal claims of GDPR or CCPA compliance. If your jurisdiction grants you rights beyond what's listed here and you'd like to exercise them, write us and we'll do our best to honor the request.

Section 6 / Data retention

How long we keep things.

Active accounts: we keep your data as long as your account is open.
Free-tier inactivity: if you don't sign in for 18 months, we may close the account and delete the data after warning you by email.
After cancellation of a paid subscription: account-resident data stays exportable for 30 days, then we delete it. The account itself drops to free tier.
After account deletion: account-resident data is deleted within 30 days. De-identified usage logs and abuse-detection logs may be retained for up to 24 months for security purposes.
Stripe payment records: retained per Stripe's policy and applicable financial-records law (typically seven years).

Section 7 / Changes to this policy

If we update this page.

We may update this policy. The "Last updated" date at the top of the page reflects the most recent version. For material changes (anything that broadens the data we collect or how we use it), we'll email you and give you 30 days' notice before the change takes effect. Continued use after the effective date means you accept the new policy.

Section 8 / Contact

Privacy questions.

Write info@rfptree.com. We try to respond within one business day. For data-deletion requests, use the subject "Delete my account" so it routes correctly. For general privacy questions, "Privacy" in the subject is fine.