Privacy Policy
Last updated: March 31, 2026
This Privacy Policy describes how Capacaro LLC ("Company", "we", "us", or "our") collects, uses, and protects your information when you use the AgentRFP platform ("Service").
1. Information We Collect
Account Information
When you register, we collect your name, email address, and organization name. If you sign in via SSO (Google, Microsoft, Okta), we receive your name and email from the identity provider.
Content You Upload
This includes RFP documents, knowledge base files, and any text you enter into the Service. This content is stored in your organization's isolated database and storage environment.
API Keys
When you provide API keys for AI providers (Anthropic, OpenAI, Google), they are encrypted at rest and used solely to make API calls on your behalf. We never log, share, or access your keys for any other purpose.
Usage Data
We collect basic usage data including login timestamps, feature usage patterns, and error logs. This data is used solely to maintain and improve the Service.
2. How We Use Your Information
- To provide and maintain the Service
- To authenticate your identity and manage your account
- To process your content through AI providers as you direct
- To send service-related communications (account alerts, security notices)
- To improve the Service based on aggregated, anonymized usage patterns
We do NOT:
- Use your content to train AI models
- Share your content with other customers
- Sell your personal information to third parties
- Access your content except as needed to provide the Service
3. AI Provider Data Handling
When you use AI features, your content is sent to the AI provider associated with your API key:
- Anthropic (Claude): Commercial API terms include zero data retention (ZDR). Your data is not stored by Anthropic and is not used for model training.
- OpenAI (GPT): API data is not used for training by default on paid tiers. Review OpenAI's data usage policies for your specific plan.
- Google (Gemini): Paid API usage is covered by Google Cloud's data processing terms. Review Google's AI data governance for your specific agreement.
We recommend reviewing your AI provider's data processing terms to ensure they meet your organization's requirements.
4. Data Storage & Security
- Infrastructure: Hosted on Vercel (SOC 2 Type II) and Supabase (SOC 2 Type II)
- Database: PostgreSQL with Row Level Security (RLS) enforcing organization-level isolation
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- API Keys: Encrypted at rest, never logged or exposed client-side
- File Storage: Isolated per organization in Supabase Storage with access policies
- Audit Trail: All significant actions are logged with user, timestamp, and details
5. Data Retention
Your data is retained for as long as your account is active. Upon account deletion or termination, we will delete all your data (including uploaded files, RFP content, answers, and knowledge base materials) within 30 days. Audit logs may be retained for up to 90 days for security purposes.
6. Third-Party Services
We use the following third-party services to operate the platform:
- Supabase: Database, authentication, and file storage
- Vercel: Application hosting and deployment
- AI Providers: Anthropic, OpenAI, Google (as selected by you via BYOK)
Each third-party service has its own privacy policy. We select providers that maintain industry-standard security certifications.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data and account
- Export: Request an export of your data in a portable format
- Objection: Object to processing of your personal data
To exercise any of these rights, contact us at info@agentrfp.ai.
8. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Session cookies are httpOnly and secure.
9. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children.
10. International Data Transfers
Your data may be processed in the United States where our infrastructure providers operate. By using the Service, you consent to the transfer of your data to the United States. We ensure appropriate safeguards are in place for international transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The "Last updated" date at the top indicates the most recent revision.
12. Contact
For questions about this Privacy Policy or to exercise your data rights, contact us at:
Capacaro LLC
Email: info@agentrfp.ai