Privacy policy

Account data. Name, email address, organization, and authentication identifiers — handled through Clerk, our identity provider.

Tenant content. The proposals, RFPs, capability profiles, and related documents you upload. Stored encrypted at rest in Cloudflare R2 and in our managed Postgres database.

Usage telemetry. Application logs, error reports (via Sentry), and aggregate usage counters needed to operate and improve the service. We do not sell or share telemetry.

To run and improve RFP engine: render the product, run the AI pipelines you trigger, send transactional email, debug errors, and bill the account. We do not train AI models on your tenant content. We do not share tenant content across tenants.

Every tenant runs in an isolated workspace enforced at the database level via Postgres Row-Level Security. Application code, AI prompts, vector searches, and exports never cross tenant boundaries.

We rely on a small number of vetted subprocessors to operate the service: Vercel (hosting), Supabase (Postgres), Cloudflare R2 (file storage), Clerk (authentication), Anthropic (AI inference), OpenAI (audio transcription and embeddings), Inngest (background jobs), and Sentry (error monitoring).

Each is bound by a data processing agreement that prohibits using your content for purposes outside the service.

We retain your tenant content for as long as your account is active. On cancellation we delete tenant content within 30 days, except where retention is required by law (audit logs are kept for one year).

Tenant content is encrypted at rest (AES-256 in Cloudflare R2 and PostgreSQL) and in transit (TLS 1.2 or higher). Tenant isolation is enforced at the database layer via Postgres Row-Level Security. Multi-factor authentication is available for all accounts.

If we discover a personal data breach affecting your tenant content, we'll notify you without undue delay and in any case within 72 hours. Full breach notification obligations are set in our Data Processing Addendum.

You can access, export, or delete your tenant content from within the application at any time. For requests we cannot fulfill in-product (e.g., third-party data subject requests), email sara@sparkdigitalinc.com.

California residents have additional rights under the CCPA / CPRA, including the right to know what personal information we collect, to delete it, and to opt out of sale or sharing. We do not sell or share personal information. EU/UK/Swiss data subjects have rights under the GDPR / UK GDPR including access, rectification, erasure, restriction, portability, and objection — see the DPA for the controller/processor framework that supports those requests.

RFP engine is a B2B tool intended for business users. The service is not directed at children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, email us and we will delete it.

We may update this Privacy Policy from time to time. If we make material changes we'll notify account-owner email addresses at least thirty (30) days before the changes take effect. The current version's effective date is shown at the top of this page.

Saibble (Sara Sheikh LLC) — Murphy, Texas. Email: sara@sparkdigitalinc.com. See also our Terms of Service and Data Processing Addendum.