<!-- TODO: Review by counsel required before production launch. Draft generated 2026-04-21. -->

# Privacy Policy

**Last updated:** 2026-04-21

This Privacy Policy describes what information Federal AI Intelligence
("we," "us") collects about you, how we use it, and who we share it
with when you use the Federal AI Intelligence service (the "Service").

We run a small, US-focused SaaS. We collect only what's needed to
operate the Service, bill you, and debug issues — nothing more.

## 1. Information We Collect

### Information you provide

- **Account information.** Email address. Optionally a display name.
- **Authentication information.** Hashed password (we never see or
  store your plaintext password). Email-verification and password-reset
  tokens, used once and expired.
- **Billing information.** If you subscribe, payment details go
  directly to Stripe; we receive a customer/subscription ID and the
  last four digits of your card, never the full number.
- **Content you create in the Service.** Notes, favorites, pipeline
  statuses, saved searches, emails captured via the "Checkout opens at
  launch" waitlist.

### Information collected automatically

- **Usage analytics.** Via PostHog: which pages you view, which
  filters you apply, which opportunities you open. No free-text
  content is sent to PostHog — events are structured.
- **Error data.** Via Sentry: stack traces when the app crashes,
  request IDs, and non-identifying context. We configure Sentry with
  `send_default_pii: false` so browser form values are not sent.
- **Server logs.** HTTP method, path, status code, timestamp, IP
  address, user-agent. Retained 30 days.
- **Cookies and local storage.** We use an authentication JWT (stored
  in `localStorage`) and analytics cookies set by PostHog. We do not
  use third-party advertising cookies.

### Information we do not collect

- We do not ask for or store Social Security numbers, government IDs,
  or background-check information.
- We do not sell any data to data brokers or advertisers.
- We do not use tracking pixels or ad-retargeting tools.

## 2. How We Use Information

- **Operate the Service.** Authenticate you, render your dashboard,
  send saved-search alerts and weekly digests you opted into, process
  payments, enforce demo-tier limits.
- **Communicate.** Transactional email (verification, password reset,
  billing receipts, alerts you subscribed to). Occasional product
  announcements. You can unsubscribe from announcements without
  losing transactional email.
- **Improve the Service.** Aggregate usage analytics help us
  understand what's useful. We don't target or profile individual
  users.
- **Debug.** When you report a bug, we may correlate your account
  email with recent error reports to reproduce the problem.
- **Comply with law.** Respond to lawful requests from government
  authorities. We publish no warrant canary; assume we cooperate with
  valid U.S. legal process.

## 3. Third Parties We Share Data With

We use a small number of well-known vendors. We share the minimum
data needed for each to do its job.

| Vendor | What we share | Purpose |
|---|---|---|
| **Stripe** | Email + billing details you provide | Subscription billing |
| **Resend** | Email address + message contents | Transactional email delivery |
| **Sentry** | Error stack traces + request metadata (no form values) | Crash reporting |
| **PostHog** | Structured event data keyed by user ID | Product analytics |
| **Cloudflare** | Request metadata (IP, user-agent, path) | DNS + DDoS protection |
| **DigitalOcean** | All application data (hosted infrastructure) | Hosting |

Each vendor has its own privacy policy. We do not sell or rent your
information to anyone.

We may share data in response to lawful legal process (subpoena, court
order, valid law-enforcement request) where we are legally required to
do so. We will attempt to notify you before disclosure unless the
request prohibits notification.

## 4. Data Retention

- **Account data** (email, notes, favorites, pipeline statuses, saved
  searches) is retained while your account is active and for 90 days
  after you delete it or cancel. After that, we permanently delete
  identifying information.
- **Server logs** (HTTP access logs, error logs) are retained 30 days.
- **Database backups** are retained 14 days locally. After launch,
  off-site copies may be retained longer (off-site backups are planned
  for Sprint 3).
- **Billing records** are retained per U.S. tax requirements, typically
  7 years. Billing records are held by Stripe and referenced by our
  customer/subscription IDs only.
- **Anonymized analytics** (aggregated, non-identifying) may be
  retained indefinitely.

## 5. Your Rights

You can at any time:

- **Access.** Request a copy of the personal data we hold about you.
- **Correct.** Fix inaccuracies by editing your profile or emailing
  support@REPLACE_DOMAIN.
- **Delete.** Request deletion of your account and data. Once the
  90-day wind-down passes, identifying information is irrecoverable.
- **Export.** Request a machine-readable copy of your notes,
  favorites, pipeline statuses, and saved searches.
- **Opt out.** Unsubscribe from product announcements via the link
  in any announcement email. Transactional email (verification,
  password reset, billing) continues as long as your account is
  active.

Send any of these requests to support@REPLACE_DOMAIN. We aim to
respond within 30 days.

## 6. Security

- Passwords are hashed with bcrypt before storage. We never see or
  store your plaintext password.
- Email-verification and password-reset tokens are single-use, random
  256-bit strings with short expiry windows (24 hours for verify,
  1 hour for reset).
- All traffic between your browser and the Service uses HTTPS.
- We run a nightly SQLite backup with 14-day retention.
- Our authentication endpoints are rate-limited to deter credential
  stuffing.

No system is perfectly secure. If a breach affects your data, we will
notify you at the email on file within 72 hours of confirming the
scope.

## 7. Children

The Service is not directed to children under 13 and we do not
knowingly collect information from them. If you believe a child has
created an account, email support@REPLACE_DOMAIN and we will delete
it.

## 8. International Users

The Service is operated from the United States. If you access it from
outside the United States, your information will be transferred to,
stored in, and processed in the United States.

We do not currently target users in the European Union. If you are an
EU resident and use the Service anyway, we will honor the rights
above and respond to written requests sent to support@REPLACE_DOMAIN.

## 9. Changes

We may update this Privacy Policy. For material changes we will email
registered users at least 30 days in advance. Non-material clarifications
(fixing typos, adding a new vendor to the table above) may take effect
immediately and will be reflected in the "Last updated" date.

## 10. Contact

Questions about this Privacy Policy: support@REPLACE_DOMAIN.