Privacy Policy — PropFlow

1. Introduction

PropFlow ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

2. Information We Collect

2.1 Information You Provide

Account information: name, email address, password (hashed)
Business information: business name, logo, service type, hourly rate, address
Proposal content: client names, email addresses, project details, pricing
Payment information: processed by Stripe — we do not store credit card numbers

2.2 Information Collected Automatically

Usage data: pages visited, features used, proposal analytics
Device information: browser type, operating system, IP address
Proposal view tracking: when clients view proposals, we collect IP address, user agent, and viewing duration to provide analytics to proposal senders

3. How We Use Your Information

To provide and maintain the Service
To process payments via Stripe
To send transactional emails (proposal notifications, payment confirmations)
To provide proposal view analytics to account holders
To generate AI-powered proposals (your brief is sent to Anthropic's API for processing)
To improve the Service and develop new features
To comply with legal obligations

4. AI Processing

When you use our AI proposal generation feature, your project brief and business context are sent to Anthropic's Claude API for processing. Anthropic's data handling is governed by their own privacy policy and terms. We do not use your proposal content to train AI models.

5. Third-Party Services

We share data with the following service providers:

Supabase: database hosting and authentication (data stored in Australia/US)
Stripe: payment processing (PCI DSS compliant)
Anthropic: AI proposal generation
Resend: transactional email delivery
Vercel: application hosting

6. Proposal View Tracking

When a client views a proposal sent through PropFlow, we collect:

IP address and approximate location
Browser and device information
Time of viewing and duration
Sections of the proposal viewed

This information is provided to the proposal sender to help them understand client engagement. Proposal recipients are notified of tracking via a notice on the proposal page.

7. Data Retention

Active accounts: data retained while account is active
Deleted accounts: data deleted within 30 days of account deletion
Payment records: retained for 7 years as required by Australian tax law
Proposal view data: retained for 12 months, then anonymised

8. Your Rights

Under Australian privacy law, you have the right to:

Access the personal information we hold about you
Request correction of inaccurate information
Request deletion of your account and associated data
Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs

9. Data Security

We implement industry-standard security measures including:

Encryption in transit (TLS/SSL) and at rest
Row-level security on all database tables
Secure authentication via Supabase Auth
Environment variables for all secrets (never committed to code)
Regular security updates and dependency monitoring

10. Cookies

We use essential cookies for authentication and session management. We use privacy-friendly analytics (PostHog/Plausible) that do not require cookie consent banners in most jurisdictions. We do not use advertising cookies or sell data to advertisers.

11. Children's Privacy

PropFlow is not intended for users under 18. We do not knowingly collect information from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email. The "Last updated" date at the top indicates the most recent revision.

13. Contact Us

For privacy inquiries or to exercise your rights, contact us at: privacy@propflow.io

You may also contact the Office of the Australian Information Commissioner at www.oaic.gov.au.