SourceFlag

Privacy Policy

Last updated: April 25, 2026

This Privacy Policy explains how SourceFlag collects, uses, shares, and protects information when you visit our website or use our hosted proposal response workspace. This policy is a launch-aligned working draft and should be reviewed by counsel before public release.

1. Product and Data Boundary

SourceFlag is intended for public and unclassified solicitation packages only. Do not upload or enter classified information, Controlled Unclassified Information (CUI), ITAR-controlled data, EAR-controlled data, export-controlled materials, non-public customer capture information, internal pricing strategy, or other sensitive materials outside the permitted launch boundary.

2. Information We Collect

We may collect the following categories of information:

  • Account and contact details, such as name, email address, company name, role, and workspace membership.
  • Billing metadata, such as plan, subscription status, invoices, payment status, and purchase history.
  • Workspace and project content, including project names, files, annotations, checklist items, proposal drafts, library entries, and exports.
  • Uploaded public solicitation files and related attachments that you choose to process in the Service.
  • Generated artifacts, Ask messages, chat history, prompts, responses, citations, and workflow activity.
  • Usage, device, and log data, such as browser type, IP address, timestamps, feature usage, error logs, and security events.
  • Support and communications data, such as messages you send to us, onboarding notes, and feedback.

3. How We Use Information

We use information to:

  • Operate, maintain, secure, and improve the hosted workspace.
  • Store and process uploads, generated artifacts, Ask threads, citations, checklists, drafts, exports, and library content.
  • Provide AI-assisted Ask, drafting, review, summarization, extraction, and workflow features.
  • Authenticate users, enforce workspace access, protect tenant boundaries, and prevent misuse.
  • Process billing, subscriptions, token balances, top-ups, invoices, and account administration.
  • Communicate about the Service, onboarding, support, security notices, billing, and product updates.
  • Monitor reliability, investigate errors, debug issues, and improve product performance.
  • Comply with legal obligations, enforce terms, prevent fraud, and protect users and the Service.

4. AI and Service Providers

SourceFlag may use service providers to operate the product and process information on our behalf. These providers may include OpenAI for AI processing, Supabase for authentication, database, and storage, Vercel for web hosting, DigitalOcean for worker infrastructure, Stripe for billing, Resend for email, and Better Stack for monitoring, logging, and alerts.

We provide service providers with information needed to perform their services. Their processing is governed by their agreements and policies. SourceFlag does not sell personal information.

5. Sharing and Disclosure

We may disclose information:

  • To authorized users inside the same workspace based on their roles and permissions.
  • To service providers that help us operate, secure, support, bill, monitor, and improve the Service.
  • To comply with law, legal process, security requirements, or enforceable government requests.
  • To protect SourceFlag, our users, the Service, or third parties from fraud, abuse, security incidents, or legal risk.
  • In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.

6. Retention and Deletion

We retain workspace data while the account or workspace remains active so users can continue to access projects, files, Ask history, artifacts, exports, annotations, and related workflow records. On verified request or account closure, we will delete or export workspace data where commercially reasonable, subject to backup retention, legal obligations, security logs, fraud prevention, dispute resolution, and legitimate business needs.

Some logs, billing records, security records, and backup copies may be retained for a limited period after deletion from active systems. Service providers may maintain separate retention practices described in their own policies or agreements.

7. Security

We use commercially reasonable administrative, technical, and organizational safeguards designed to protect information. No method of transmission, storage, or processing is perfectly secure, and we cannot guarantee absolute security.

8. Customer Responsibilities

You are responsible for deciding what to upload, managing workspace access, keeping credentials secure, reviewing AI-assisted output, and ensuring that your use of the Service complies with applicable laws, procurement rules, agency instructions, and your own confidentiality obligations.

9. Privacy Rights

Depending on where you live, you may have rights to request access, correction, deletion, portability, or restriction of certain personal information. You may also have rights related to sale or sharing of personal information. SourceFlag does not sell personal information.

To exercise privacy rights, contact us using the contact method below. We may need to verify your identity and authority before fulfilling a request. Counsel should confirm any state-specific rights language, required request methods, and notice-at-collection wording before public launch.

10. Children

The Service is intended for business users and is not directed to children. Do not use the Service if you are under the age required to enter into these terms in your jurisdiction.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page or communicated through a reasonable product or account notice.

12. Counsel Review Placeholders

  • Legal entity: [confirm legal entity name before public launch].
  • Official privacy email: [confirm privacy contact email].
  • Mailing address: [confirm mailing address].
  • State-specific privacy rights language: [confirm applicability and final wording].
  • Additional processor or subprocessors list: [confirm public vendor list before launch].

13. Contact Us

Questions about this Privacy Policy or privacy requests may be sent to SourceFlag at [confirm official privacy contact email].