Legal

Privacy Policy

Effective: March 6, 2026

Plain-Language Summary

✓We collect only what we need to operate the platform: your account information, the opportunity data you enter, and basic usage analytics.

✓We do not sell your data. We have never sold personal information and have no plans to do so.

✓Your pipeline data is yours. The RFP opportunities, compliance notes, and bid strategies you enter are treated as confidential business information.

✓We use Supabase for data storage and standard SaaS infrastructure. We do not host personally identifiable information on third-party ad networks.

✓You can delete your account and data at any time by contacting us.

RFP Command ("we," "us," or "our") operates the RFP Command platform, accessible at rfpcommand.com and associated subdomains (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using RFP Command, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Information We Collect

Account Information

When you register for an account, we collect:

Data Type	Examples	Purpose
Name	First and last name	Account identification and personalization
Email address	work@yourcompany.com	Account login, notifications, and support
Password	Stored as a bcrypt hash — never in plaintext	Authentication
Organization name	Your business name	Team workspace identification
Billing information	Credit card (last 4 digits only), billing address	Paid plan processing via Stripe — we do not store full card numbers

Pipeline & Opportunity Data

The core of RFP Command is your bid pipeline. Information you enter into the Service — including opportunity titles, solicitation numbers, agency names, contract values, compliance notes, bid decisions, tags, and any other data you input — is stored on our servers on your behalf. This data is your data. We treat it as confidential business information and do not use it for any purpose other than providing the Service to you.

Usage & Analytics Data

We automatically collect certain technical information when you use the Service:

Log data: IP address, browser type, pages visited, timestamps, and referring URLs.

Device information: Operating system, screen resolution, and browser version.

Usage patterns: Which features you use, how frequently, and general navigation paths — used only to improve the Service.

We use privacy-respecting analytics (not Google Analytics by default) and do not build individual behavioral profiles for advertising purposes.

Communications

If you contact us for support or send us feedback, we retain the content of that communication and your contact information to respond and to improve the Service.

How We Use Your Information

We use the information we collect for the following purposes:

Providing the Service: Operating your account, storing your pipeline data, processing payments, and delivering core platform functionality.

Authentication and security: Verifying your identity, detecting fraud or abuse, and enforcing our Terms of Service.

Communications: Sending transactional emails (account confirmations, password resets, billing receipts). We may also send product update emails — you can unsubscribe from these at any time.

Product improvement: Analyzing aggregated, anonymized usage patterns to improve features, fix bugs, and prioritize development. We never analyze your specific pipeline data for this purpose.

Customer support: Responding to your questions, requests, and feedback.

Legal compliance: Meeting our legal obligations, resolving disputes, and enforcing our agreements.

We do not use your pipeline data to train AI models, build competitive intelligence products, or for any purpose other than operating the Service on your behalf.

Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:

Service Providers (Sub-processors)

Provider	Purpose	Data Shared
Supabase	Database hosting and authentication	Account data and pipeline data — stored in US-based servers
Stripe	Payment processing	Billing information — RFP Command never stores full card numbers
Vercel	Application hosting and CDN	Request logs and IP addresses
Resend / similar	Transactional email delivery	Email address and message content for emails you trigger

All service providers are contractually bound to use your data only to provide services to us and to protect it in accordance with applicable law.

Team Members

If you use RFP Command as part of an organizational account, your account information and the pipeline data you enter is visible to other members of your team workspace that you or your administrator have authorized.

Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Business Transfers

If RFP Command is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service before your information is transferred and becomes subject to a different privacy policy.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you the Service. Specifically:

Active accounts: Account data and pipeline data are retained while your account remains active.

After cancellation: We retain your data for 90 days following account cancellation to allow for account recovery. After 90 days, your data is permanently deleted from our systems.

Billing records: We retain transaction records for 7 years as required for tax and accounting purposes. This includes your name, email, and transaction amounts — not your pipeline data.

Support communications: Retained for up to 3 years to maintain service quality and resolve recurring issues.

To request early deletion of your account and data, contact us at the address in Section 11.

Security

We implement industry-standard technical and organizational security measures to protect your information:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.

Encryption at rest: Database contents are encrypted at rest by our hosting provider (Supabase / AWS).

Row-level security: Our database uses row-level security (RLS) policies that enforce that users can only access data belonging to their own organization.

Password hashing: Passwords are hashed using bcrypt and are never stored or logged in plaintext.

Access controls: Internal access to production systems is limited to essential personnel and requires multi-factor authentication.

No method of electronic transmission or storage is 100% secure. While we use commercially reasonable means to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at hello@rfpcommand.com.

Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Service. We do not use advertising cookies or third-party tracking pixels.

Cookie Type	Purpose	Can You Opt Out?
Session cookies	Maintain your logged-in state while using the Service	No — required for the Service to function
Preference cookies	Remember your settings (e.g., dashboard filters)	Yes — clearing cookies removes these
Analytics cookies	Understand aggregate usage patterns to improve the Service	Yes — contact us to opt out

We do not use Google Analytics, Facebook Pixel, or other advertising network trackers. We have no advertising business model.

Your Rights and Choices

Depending on your location, you may have rights regarding your personal information. We honor these rights regardless of whether applicable law requires it:

Access: You can request a copy of the personal information we hold about you.

Correction: You can update your account information directly in the platform or request corrections to information you cannot update yourself.

Deletion: You can request deletion of your personal information. We will delete it within 30 days, subject to our retention obligations described in Section 4.

Data portability: You can export your pipeline data from the platform at any time in CSV format. You can also request a machine-readable export of all data associated with your account.

Opt out of marketing communications: Every marketing email we send includes an unsubscribe link. You can also opt out by updating your notification preferences in the platform settings.

Restrict processing: In certain circumstances, you may request that we restrict the processing of your personal information.

To exercise any of these rights, contact us at hello@rfpcommand.com. We will respond within 30 days. We will never discriminate against you for exercising your privacy rights.

California Residents (CCPA)

Under the California Consumer Privacy Act, California residents have additional rights including the right to know, right to delete, and right to opt out of the sale of personal information. We do not sell personal information. To submit a CCPA request, use the contact information in Section 11.

Virginia, Colorado, Connecticut Residents

Residents of Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA) have similar rights to access, correct, delete, and obtain a copy of their data. To exercise these rights, contact us at hello@rfpcommand.com.

Children's Privacy

RFP Command is a professional business tool and is not directed to individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we become aware that we have inadvertently collected personal information from a minor, we will delete it promptly. If you believe we have collected information from a minor, please contact us at hello@rfpcommand.com.

Third-Party Links

The Service may contain links to third-party websites or services — for example, links to SAM.gov, state procurement portals, or SBA resources. These sites have their own privacy policies, and we are not responsible for their practices. We encourage you to review the privacy policies of any third-party sites you visit. The inclusion of a link does not imply our endorsement of that site or its privacy practices.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the effective date at the top of this page.

Send a notification email to all registered users at least 14 days before the changes take effect.

Display a prominent notice in the platform dashboard.

Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the updated policy. If you do not agree to the updated policy, you should stop using the Service and may request account deletion.

Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a security concern, please contact us:

Privacy inquiries: hello@rfpcommand.com

Security reports: hello@rfpcommand.com

General support: hello@rfpcommand.com

Mailing address: RFP Command · [KWill Ventures, 660 Quince Orchard Road #1130, MD, Gaithersburg , 20878]

We aim to respond to all privacy-related inquiries within 5 business days and will complete all data requests within 30 days.