Privacy Policy

1. Scope and Roles

This Privacy Policy applies to Propivix, our websites, and related services used by commercial and public-sector proposal teams.

For Customer Content uploaded to the platform (including RFPs, CVs, project sheets, and proposal drafts), customers generally act as the data controller or equivalent role, and Propivix acts as a processor/service provider on the customer's behalf.

2. Information We Collect

We collect information needed to provide, secure, and improve the service.

• Account and organization data: names, email addresses, organization details, roles, and authentication records.
• Customer Content: documents, text, metadata, and files you or your authorized users upload or generate in the platform.
• Usage and security telemetry: audit logs, device/browser details, IP address, access timestamps, and security events.
• Support and communications: messages, attachments, and meeting notes when you contact support, sales, or customer success.
• Cookie and similar data: session/authentication cookies and settings required for secure operation and user experience.

3. How We Use Information

We use personal information and Customer Content to operate the service, enforce security controls, and meet contractual and legal obligations.

• Provide core features such as document parsing, matching, drafting assistance, collaboration, and exports.
• Authenticate users, enforce access controls, detect abuse, and maintain auditability.
• Deliver customer support, onboarding, and service communications.
• Monitor reliability, troubleshoot incidents, and improve product performance.
• Comply with applicable laws, lawful requests, and contractual commitments.

4. Legal Bases (Where Applicable)

Depending on jurisdiction, our legal bases include performing contracts with customers, legitimate business interests (such as security and service reliability), compliance with legal obligations, and consent where legally required.

5. Data Sharing and Disclosure

We do not sell personal information. We disclose data only as needed to deliver and secure the service, or when legally required.

• Service providers and subprocessors supporting hosting, storage, authentication, analytics, communications, and AI processing.
• Professional advisors (such as legal or audit) under confidentiality obligations.
• Regulators, courts, or law enforcement where disclosure is required by law.
• Successors in a merger, acquisition, or reorganization, subject to confidentiality and lawful transfer requirements.

6. AI Processing and Model Use

AI features process prompts and Customer Content to generate outputs requested by authorized users.

Unless otherwise agreed in writing, Customer Content is processed for customer-requested operations and not used by us to create generalized customer profiles or for unrelated marketing purposes.

Customers remain responsible for reviewing AI outputs for accuracy, compliance, and suitability before external use.

7. Data Residency and Cross-Border Transfers

Propivix is designed for US data residency workflows in compliance with FISMA and FedRAMP requirements. Core storage and AI processing occur within AWS GovCloud in the United States.

Some support, monitoring, or integration functions may involve processing in other jurisdictions. Where cross-border transfers occur, we apply contractual and technical safeguards appropriate to the sensitivity of the data.

8. Security Safeguards

We implement administrative, technical, and physical safeguards designed for sensitive proposal workflows, including role-based access, tenant isolation controls, FIPS 140-2 encryption in transit, encryption at rest, audit logging, and incident response processes aligned with NIST 800-53 controls.

No method of transmission or storage is perfectly secure, but we continuously review and strengthen controls based on risk and operational requirements.

9. Retention and Deletion

We retain data for as long as needed to provide services, satisfy contractual commitments, resolve disputes, and meet legal obligations.

Customers can configure or request deletion of Customer Content and account data, subject to legal holds, fraud prevention, and required security or audit retention periods.

10. Breach and Incident Notification

If we determine a security incident has materially affected personal information under our control, we will notify affected customers without undue delay and provide information required to support their legal and contractual notification obligations, including US-CERT reporting requirements where applicable.

11. Your Privacy Choices and Rights

Subject to applicable law, individuals may have rights to request access, correction, deletion, portability, restriction, or objection regarding personal information. Customers may also request details about subprocessors and data handling commitments.

We may need to verify identity and authority before completing rights requests.

12. Children's Privacy

Propivix is a business platform and is not directed to children under 16. We do not knowingly collect personal information from children under 16.

13. Policy Updates

We may update this Privacy Policy from time to time. Material updates will be posted on this page with a revised "Last Updated" date.

14. Contact

For privacy questions, data subject requests, or enterprise data processing documentation requests (including DPA inquiries), contact us at support@propivix.com.