Privacy Policy

We believe privacy is a right, not a checkbox. Here's exactly what we collect, why, and how you control it.

Last updated: January 2025
Effective: January 2025

01

Introduction

ProposalForge ("we", "us", or "our") operates the ProposalForge platform, accessible at proposalforge.app. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service.

We are committed to full compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. If you are located in the European Economic Area, you have specific rights described in Section 9.

By using ProposalForge, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.

02

Data We Collect

Account Information

  • Name and email address — provided when you register or sign in with Google.
  • Profile image — imported from Google if you use Google sign-in.
  • Password — if you register with email/password, stored as a one-way bcrypt hash. We never store or see your plain-text password.
  • Sign-in provider — whether you signed up via email or Google OAuth.

Profile Data

  • Skills list — the skills you add to your profile to improve proposal generation.
  • Default resume text — the resume or bio you optionally provide for AI reference.
  • AI preferences — default proposal tone, length, and language settings.

Proposal Data

  • Job descriptions — the job posts you paste into the generator.
  • Generated proposals — the AI-written proposals generated for you.
  • Proposal metadata — score, tone, length, word count, keywords, favourite status, and outcome status (Hired/Rejected/Callback).

Email Integration (Optional)

  • Encrypted OAuth tokens — if you connect Gmail or Outlook, we store your access and refresh tokens encrypted with AES-256-GCM. We only request send-only permission and never read your emails.
  • Connected email address — the email address of your connected account.

Usage Data

  • We use Vercel Analytics for aggregated, anonymised usage statistics (page views, performance). No personally identifiable information is collected by Vercel Analytics.
  • We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.

03

How We Use Your Data

We use your data solely to provide and improve the ProposalForge service. Specifically:

  • To authenticate you and maintain your session securely.
  • To generate personalised proposals — your skills, resume, and job description are sent to the Groq API (Llama 3.1) to produce proposal text. See Section 5 for details.
  • To send emails on your behalf — if you connect Gmail or Outlook, we use your OAuth token to send proposals you explicitly trigger. We never send emails without your action.
  • To display your proposal history and analytics — your proposals are stored so you can reference, favourite, and track them.
  • To send transactional emails — welcome emails on signup, and future product updates if you opt in.
  • To improve the service — outcome signals (Hired/Rejected) are used to analyse which proposal styles perform best. This analysis is aggregated and never sold.

We will never sell your data. We will never use your data for advertising purposes. We will never share your resume or proposals with other users.

04

Legal Basis for Processing (GDPR)

For users in the European Economic Area, we process your data under the following legal bases:

  • Contract performance (Art. 6(1)(b)) — processing your name, email, skills, and proposals is necessary to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — aggregated analytics and service improvement. We balance this against your privacy rights.
  • Consent (Art. 6(1)(a)) — for optional features like connecting Gmail/Outlook and receiving marketing emails. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — where required by law, such as responding to court orders.

05

Third-Party Services

We use the following third-party services to operate ProposalForge. Each has its own privacy policy:

  • Groq (groq.com) — AI inference provider. Your job description, skills, and resume are sent to Groq's Llama 3.1 API to generate proposals. Groq does not train its models on API inputs. See groq.com/privacy.
  • MongoDB Atlas (mongodb.com) — cloud database provider storing your account and proposal data. Data is encrypted at rest. See mongodb.com/legal/privacy-policy.
  • Vercel (vercel.com) — hosting and edge network. Processes request logs for up to 24 hours. See vercel.com/legal/privacy-policy.
  • Resend (resend.com) — transactional email delivery for welcome emails. See resend.com/privacy.
  • Google OAuth — if you sign in with Google. We receive your name, email, and profile picture from Google. See policies.google.com/privacy.

We do not sell or rent your data to any of these providers beyond what is necessary to operate the service.

06

Data Retention

We retain your data for as long as your account is active or as needed to provide the service.

  • Account data — retained until you delete your account.
  • Proposals — retained until you delete them individually or delete your account.
  • OAuth tokens — deleted immediately when you disconnect Gmail/Outlook in Settings.
  • Backups — database backups are purged within 30 days of account deletion.
  • Logs — server request logs are retained for up to 7 days by Vercel for security purposes.

You can delete your account and all associated data at any time from Settings → Privacy → Delete your account.

07

Cookies and Tracking

ProposalForge uses minimal cookies strictly necessary to operate the service:

  • Session cookie (next-auth.session-token) — a secure, HTTP-only cookie storing your encrypted session. Required for authentication. Expires after 30 days of inactivity.
  • Theme preference (pf-theme) — stored in localStorage (not a cookie). Remembers your light/dark mode preference. No personal data.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You do not need to accept any cookie banner to use ProposalForge.

08

Security

We implement industry-standard security measures to protect your data:

  • Passwords — hashed with bcrypt (cost factor 12). We never store plain-text passwords.
  • OAuth tokens — encrypted with AES-256-GCM before storage. Decrypted only at the moment of use.
  • Transport — all traffic is encrypted via TLS 1.3.
  • Database — MongoDB Atlas encrypts data at rest using AES-256.
  • Sessions — session tokens are HTTP-only, Secure, and SameSite=Lax.

No system is 100% secure. If you discover a security vulnerability, please report it to security@proposalforge.app. We take all reports seriously and aim to respond within 48 hours.

09

Your Rights

Depending on your location, you have the following rights regarding your personal data:

  • Right to access — download all data we hold about you via Settings → Privacy → Export JSON.
  • Right to rectification — update your name, skills, and resume at any time in Settings → Profile.
  • Right to erasure ("right to be forgotten") — permanently delete your account and all data via Settings → Privacy → Delete your account.
  • Right to data portability — your export is a machine-readable JSON file you can import into other services.
  • Right to restrict processing — contact us at privacy@proposalforge.app to request restriction.
  • Right to object — you may object to processing based on legitimate interests at any time.
  • Right to withdraw consent — disconnect Gmail/Outlook at any time in Settings → Email. Unsubscribe from emails via the link in any email we send.

EU/EEA users may lodge a complaint with their local Data Protection Authority if they believe their rights have been violated. UK users may contact the ICO at ico.org.uk.

To exercise any right not covered by self-service tools, email privacy@proposalforge.app. We respond to all requests within 30 days.

10

Children's Privacy

ProposalForge is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@proposalforge.app and we will delete it immediately.

11

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last updated" date.
  • Sending an email notification to registered users for significant changes.

Your continued use of ProposalForge after changes are posted constitutes your acceptance of the updated policy.

12

Contact Us

For any privacy-related questions, requests, or complaints:

  • Email: privacy@proposalforge.app
  • Response time: within 30 days for GDPR requests, 48 hours for security issues
  • Postal address: Available on request