Privacy Policy

This Privacy Policy explains how Cyntrica LLC (“GovConHelp”, “we”, “us”) collects, uses, and shares information when you use the GovConHelp web application and related services (collectively, the “Service”).

If you have questions about this Policy or your data, contact us at [email protected].

1. Scope & key terms

This Policy applies to all use of the Service, including the marketing website at govconhelp.com, the signed-in web application, transactional emails we send, and customer support channels.

It does not apply to:

• Government data sources we lookup on your behalf (e.g. SAM.gov, USAspending) — those are governed by their own terms.
• Third-party services we integrate with (e.g. Stripe for payments, Anthropic and OpenAI for AI processing) — each operates under its own privacy policy. See §5.
• Third-party websites you reach via links from our Service.

Throughout this Policy:

• “Personal Information” means information that identifies, relates to, or could reasonably be linked with you.
• “Workspace Content” means data you or your team upload, type, or generate inside the Service — RFP documents, company profiles, capabilities, past performance, personnel records, proposals, drafts, and similar.
• “Account” means the user record we maintain for you under your email address.

2. Information we collect

2.1 Account information

When you create an Account, you provide:

• Email address (required)
• Password (stored only as a salted hash — we never see the plaintext)
• Display name and optional avatar URL (you provide these from the profile page)
• Two-factor authentication credentials (if you enroll a TOTP authenticator)

2.2 Workspace Content you provide

The Service is a tool for managing federal contracting workflows. You upload, enter, and generate:

• Company profile data — legal name, UEI, CAGE code, NAICS codes, address, contact information, certifications, capabilities, personnel, past performance, partners.
• Source RFP documents — solicitation PDFs you upload to be analyzed.
• Proposal drafts — text generated by AI and edited by you.
• Cost and pricing data — labor categories, rates, escalations.
• Form data — values used to fill federal forms (SF-330, SF-1449, etc.).
• Support tickets — messages you write to our support team.

You retain ownership of all Workspace Content. We process it on your behalf solely to provide the Service.

2.3 Payment information

Subscription payments are handled by Stripe, Inc. We never see or store your full payment card number. Stripe provides us with a customer identifier and metadata necessary to invoice you (last four digits, card brand, billing address, plan details).

2.4 Usage and technical data

We automatically collect:

• Server logs — request paths, HTTP status codes, timestamps, user-agent string, IP address.
• AI usage logs — for each AI call: which feature triggered it, model used, token counts, estimated cost, duration, success/error status. Used for billing reconciliation and abuse detection.
• Audit log — login events, login failures, password changes, impersonation events (staff support), and consequential mutations on tracked records.
• Email delivery events — when we send you transactional email (invites, password resets, billing receipts), our email vendor returns delivery / bounce / open events.

2.5 Cookies and similar technologies

We use a small set of cookies:

We do not use third-party advertising, marketing, or analytics cookies on the signed-in application. If we add an analytics tool to the marketing website in the future, we will update this table and the subprocessor list before doing so.

3. How we use information

We use the information described above to:

• Provide the Service — authenticate you, host your Workspace Content, run AI analysis on uploaded RFPs, generate drafts, fill forms, surface opportunities, etc.
• Bill you — calculate subscription fees, AI usage caps, and proposal credits.
• Send transactional email — team invites, password resets, billing receipts, alerts for stuck or failed background jobs, deprecation digests for staff.
• Provide customer support — read your support tickets and look up your account for troubleshooting. When necessary to reproduce an issue you have reported, a member of our staff may use our impersonation tool to view the application as your user. Impersonation sessions are read-only by default (write access requires a separate, explicit toggle), every session is recorded in the audit log, and the audit log is available to your Account owner on request.
• Improve the product — aggregate usage statistics to understand which features are used; debug application errors from server-side logs.
• Detect abuse — block suspicious sign-up patterns, enforce rate limits, investigate misuse.
• Comply with law — respond to lawful requests, enforce our Terms, protect against fraud.

4. AI processing

GovConHelp is an AI-powered tool. To provide AI features (RFP analysis, drafting, win-theme generation, compliance matrix extraction, form auto-fill, NAICS suggestion, etc.), portions of your Workspace Content are sent to one or more third-party AI providers for processing.

4.1 Providers we use

4.2 Training and retention

Both providers offer commercial API terms that, as of the effective date, state that prompts and completions sent via the paid API are not used to train their models. Each provider may retain API requests for a limited period for abuse-monitoring purposes. Refer to the providers' own privacy policies for current details:

• Anthropic Privacy Policy
• OpenAI Privacy Policy

4.3 What you should NOT upload

5. Third parties & subprocessors

We do not sell your Personal Information. We share data with the following service providers ("subprocessors") strictly as needed to operate the Service:

We do not share Personal Information with advertisers, data brokers, or other third parties for their independent commercial use. We may disclose information if required by law, court order, or to enforce our Terms.

6. Data retention

We retain different categories of data for different periods:

• Active Account & Workspace Content — for as long as your Account is active.
• Soft-deleted records — companies, proposals, and similar records you delete from the application are flagged as deleted and hidden from your view for a 30-day grace window, then permanently removed by an automated purge job.
• Account deletion — when you delete your Account from the profile page, your personally-identifying data is removed and your owned workspace data is deleted within 30 days. Some records may persist longer where required by law (e.g. tax/invoice records held by Stripe for the period required by their applicable regulations).
• Audit log — retained for 365 days for security investigation purposes.
• Server logs — retained for 90 days for abuse monitoring and debugging, then deleted.
• AI usage records — the metered usage rows we generate when you run an AI task (model, token counts, cost, timestamp, the task that triggered the call) are retained for billing reconciliation and aggregate analytics. We do not retain the prompt or response payloads after the request completes.
• Email delivery events — retained for 30 days by our email vendor.

7. Security

We use industry-standard administrative, physical, and technical safeguards to protect your information. See our separate Security Policy for the specifics of what we currently implement. No method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.

8. Your rights

Depending on where you live, you may have rights regarding your Personal Information. We provide the following to all users:

California residents (CCPA / CPRA): you have additional rights including the right to know the categories of Personal Information we collect, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share Personal Information. The above table summarizes those points; the full categorical disclosures are available on request.

Do Not Sell or Share My Personal Information. We do not sell your Personal Information and we do not share it for cross-context behavioral advertising. We therefore do not currently offer or require a "Do Not Sell or Share" opt-out mechanism. If our practices change, we will update this Policy, post the required opt-out link, and honor Global Privacy Control (GPC) signals.

EU / UK residents (GDPR / UK GDPR): our legal bases for processing are contract performance (operating the Service you signed up for), legitimate interests (product improvement, fraud prevention), and consent (for optional features). You have the right to lodge a complaint with your local data protection authority.

9. International transfers

Our infrastructure is operated in United States. Our subprocessors are primarily based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States or other jurisdictions where our subprocessors operate. We rely on appropriate transfer mechanisms (e.g. Standard Contractual Clauses) where required.

10. Children's information

The Service is intended for business users involved in federal contracting. It is not directed to children under 16, and we do not knowingly collect Personal Information from children. If you believe a child has provided us Personal Information, please contact us and we will delete it.

11. Changes to this Policy

We may update this Policy from time to time. When we do, we will update the “Last updated” date at the top. If changes are material, we will notify Account holders by email at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact

If you have questions about this Policy, your data, or wish to exercise any right above, contact:

• Privacy contact: [email protected]
• Postal mail: Cyntrica LLC, 8 The Green Suite #8346, Dover, DE 19901
• General support: /support/ (signed-in users)