Privacy Policy
At PropVox, we value your privacy and are committed to protecting your personal data. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of your information when you use our services.
1. Introduction
PropVox ("we," "our," or "us") provides an AI-powered proposal management platform. By accessing or using our website and services, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
A. Personal Information
We collect information you provide directly to us, such as when you create an account, subscribe to our newsletter, or contact support. This may include:
- Name and contact details (email address).
- Account credentials (hashed passwords).
- Payment information (processed securely by our third-party payment processors; we do not store full credit card numbers).
B. Usage Data & Device Information
We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include:
- Device characteristics (operating system, browser version).
- IP address and location data.
- Usage patterns (pages visited, features used, time spent).
C. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to access or store information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent.
D. Google User Data
When you choose to connect your Google account, we access specific data based on the permissions you authorize:
- Gmail (Read/Modify): To analyze your emails for summarization, categorization, and drafting responses. We only access emails required to perform these specific actions.
- Calendar: To view your schedule and manage events to provide smart scheduling features.
- Google Drive (Read-only): To view and index documents you explicitly select for your knowledge base. We only access files you choose to share with us.
- Profile: To verify your identity and display basic profile information (name, avatar).
E. Microsoft User Data
When you choose to connect your Microsoft (Outlook) account, we access specific data based on the permissions you authorize:
- Mail (Read/Write): To analyze your emails for summarization, categorization, and drafting responses.
- Calendars: To view your schedule and manage events.
- User Profile: To verify your identity and display basic profile information.
3. How We Use Your Information
We use the information we collect for various business purposes, including to:
- Provide, operate, and maintain our Services.
- Improve, personalize, and expand our Services.
- Understand and analyze how you use our Services.
- Develop new products, services, features, and functionality.
- Communicate with you, either directly or through one of our partners, including for customer service, to provide you with updates and other information relating to the website, and for marketing and promotional purposes.
- Process your transactions and manage your orders.
- Find and prevent fraud.
4. Google API Services User Data Policy
PropVox's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Our Limited Use Disclosure:
- No Advertising: We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- No Human Access: We do not allow humans to read this data unless:
  - We have your affirmative agreement for specific messages (e.g., for technical support).
  - It is necessary for security purposes such as investigating abuse.
  - It is necessary to comply with applicable law.
  - The use is limited to internal operations and the data have been aggregated and anonymized.
- No Training on Generalized Models: We do not transfer this data to third parties for the purpose of training generalized AI/ML models.
5. Microsoft Graph API Data Usage
PropVox's use and transfer to any other app of information received from Microsoft APIs will adhere to the Microsoft APIs Terms of Use.
Our Data Usage Disclosure:
- No Advertising: We do not use Microsoft user data for serving advertisements.
- No Human Access: We do not allow humans to read this data unless necessary for security purposes, to comply with applicable law, or with your affirmative agreement.
- No Training on Generalized Models: We do not transfer this data to third parties for the purpose of training generalized AI/ML models.
6. Data Sharing & Disclosure
We may share your information in the following situations:
- Service Providers: We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work (e.g., payment processing, data analysis, email delivery, hosting services).
- Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- Legal Requirements: We may disclose your information where we are legally required to do so to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.
7. Data Retention
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
8. Data Security
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security, and improperly collect, access, steal, or modify your information.
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right to Access: You have the right to request copies of your personal data.
- Right to Rectification: You have the right to request that we correct any information you believe is inaccurate.
- Right to Erasure: You have the right to request that we erase your personal data, under certain conditions.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data.
- Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you.
To exercise these rights, please contact us at jtpatt03@gmail.com.
9.1 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
Categories of Personal Information Collected
- Identifiers: Name, email address, account credentials
- Commercial Information: Proposal content, deal values, pricing configurations
- Internet or Network Activity: Usage logs, feature interactions, session data
- Professional Information: Workspace role, team membership, industry
Sharing of Personal Information
PropVox shares proposal content with AI service providers (OpenAI, Anthropic, and Google) to power AI-driven features such as proposal generation, audience scoring, and competitive intelligence. Under CPRA, this may constitute "sharing" of personal information. You can opt out of this sharing at any time via your Privacy Settings.
Your CCPA/CPRA Rights
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale/Sharing: You may opt out of the sharing of your personal information with AI service providers via the "Do Not Sell or Share My Personal Information" toggle in Privacy Settings.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
How to Exercise Your Rights
- Opt-Out: Use the "Do Not Sell or Share" toggle in Privacy Settings
- Access/Portability: Use the Data Export feature in Account Settings
- Deletion: Use the Delete Account option in Account Settings
- Other Requests: Email jtpatt03@gmail.com
We will respond to verifiable consumer requests within 45 calendar days. If we require more time, we will inform you of the reason and extension period (up to an additional 45 days). Verification is performed via your authenticated session.
10. Children's Privacy
Our Services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information.
11. International Transfers
Your information, including personal data, may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. By using our Services, you consent to the transfer of your information to the United States and other countries where our servers are located.
12. Changes to This Policy
We may update this privacy policy from time to time. The updated version will be indicated by an updated "Revised" date and the updated version will be effective as soon as it is accessible. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.
13. Contact Us
If you have questions or comments about this policy, you may contact us by email at jtpatt03@gmail.com or by post at:
PropVox, Inc.
14. Breach Notification Procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay. Notifications will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
15. Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all third-party processors that handle personal data on our behalf. These agreements ensure compliance with GDPR Article 28 and include provisions for data security, confidentiality, breach notification, and data subject rights. DPAs are reviewed annually and updated as needed.
16. Subprocessor List
The following third-party subprocessors process personal data on our behalf:
- Stripe — Payment processing (billing data, subscription status)
- OpenAI — AI proposal generation (proposal content, no direct PII)
- Anthropic — AI proposal generation (proposal content, no direct PII)
- Google AI — AI analysis and scoring (proposal content, no direct PII)
- Resend — Transactional email delivery (email addresses, notification content)
- Microsoft — OAuth authentication (authentication tokens)
- GitHub — OAuth authentication and project import (authentication tokens, project data)
- Slack — Workspace notifications (notification content, channel identifiers)
17. AI Processing & Human Oversight
PropVox uses artificial intelligence to generate proposal content, including executive summaries, client proposals, audience variants, impact analyses, timeline suggestions, and scoring assessments. This section describes our AI processing practices in accordance with ISO 42001.
17.1 What AI Processes
- Proposal Content Generation — Technical input is processed to generate executive summaries and client-facing proposals. Client email addresses and phone numbers are never sent to AI providers.
- Audience Variants — Proposals are tailored for different stakeholder perspectives (e.g., executive, technical, financial).
- Impact Analysis — AI analyzes proposals to identify potential impacts, risks, and decision points.
- Audience Scoring — AI evaluates proposal content for tone alignment, readability, and audience fit.
- Timeline Generation — AI suggests project timelines based on proposal scope.
17.2 AI Providers & Data Handling
We use OpenAI, Anthropic (Claude), and Google (Gemini) as AI providers. All three providers maintain zero-data-retention (ZDR) policies for API usage — your proposal content is processed in real-time and is never used to train their models. We maintain Data Processing Agreements with all AI providers. PII (email addresses, phone numbers) is stripped from content before AI processing.
17.3 Consent & Opt-Out
Before your content is processed by AI, you must provide explicit consent. Consent can be granted or revoked at any time from your workspace settings. Workspace administrators can disable AI features entirely or selectively disable specific AI capabilities. Revoking AI consent does not affect previously generated content.
17.4 Human Oversight
All AI-generated content is clearly labeled with disclosure badges. Content is always presented for human review before finalization — no AI output is sent to clients without user approval. Users can override AI-generated content at any time, and all overrides are logged in the audit trail. We track the degree of human modification to AI content as evidence of meaningful oversight.
17.5 AI Governance
Enterprise workspaces have access to a full AI Governance Dashboard with system registry, audit trails, risk registers, incident management, and compliance reporting. For more details, see our AI Responsible Use Policy.
18. Subject Access Requests (SAR)
You may submit a Subject Access Request to obtain a copy of all personal data we hold about you. Requests can be made through our in-app data export feature at Settings > Privacy > Export Data, or by contacting our Data Protection Officer at jtpatt03@gmail.com. We will respond to SARs within 30 days of receipt. If the request is complex, we may extend this period by up to 60 additional days, with notification.