Legal

Privacy Policy

Last updated: March 22, 2026 · Effective: March 22, 2026

Summary: GovEtract collects and processes business information you provide to operate the government contracting platform. We do not sell your data. We use technical and organizational safeguards intended to protect your information, restrict access to authorized personnel, and give you tools to manage your company data.

1. Who We Are

GovEtract ("GovEtract," "we," "us," or "our") operates the GovEtract platform, an AI-powered government contracting platform for small businesses across industries. We are the data controller for information collected through our platform and website.

For data protection inquiries, contact: privacy@govetract.com

2. Information We Collect

2.1 Account and Company Information

When you register, we collect your name, email address, and password. When you complete your company profile, we collect business identifiers including your legal name, EIN (Employer Identification Number), UEI (Unique Entity Identifier), CAGE code, DUNS number, entity type, business address, phone number, website, founding year, employee count, annual revenue, NAICS codes, certifications (SDVOSB, WOSB, 8(a), HUBZone), and any industry-specific compliance data you choose to provide.

2.2 Government Contracting Data

To operate the platform, we collect and process SAM.gov opportunity data (including solicitation numbers, agency names, set-aside types, NAICS and PSC codes, contract values, and response deadlines), proposal content you create or import (including RFP text, technical approaches, pricing volumes, and compliance matrices), contract records (award amounts, performance periods, contracting officer details, and CPARS ratings), and purchase order records (PO numbers, delivery dates, fulfillment status, and invoice information).

2.3 Product Catalog Data

We collect product and service information you enter into your catalog, including names, descriptions, manufacturer part numbers, NSN (National Stock Numbers), FSC/PSC codes, GSA pricing, certifications, compliance details, and inventory or fulfillment data.

2.4 Usage and Technical Data

We automatically collect browser type, operating system, IP address, server and error logs, and selected product-event records generated when you use core workflows such as onboarding, opportunity review, proposal drafting, and alert delivery. We also retain limited technical metadata needed to operate, secure, and troubleshoot AI-assisted features.

2.5 Communications

If you contact us by email or through the platform, we retain the content of those communications and your contact details to respond to your inquiries and improve support.

3. How We Use Your Information

3.1 Platform Operations

We use your data to authenticate you, operate your account, run compliance tracking, score and rank SAM.gov opportunities against your catalog and certifications, generate AI-assisted proposal drafts, track contract performance, monitor order fulfillment risk, deliver configured notifications (daily digest, compliance alerts, and order risk alerts), and send operational emails such as team invitations and proposal approval requests.

3.2 AI Processing

To power AI features, your company profile, product catalog, and contracting data may be included in prompts sent to AI model providers. See Section 6 for details on AI data handling.

3.3 Platform Improvement

We use aggregated, de-identified usage data to understand how the platform is used, prioritize features, fix bugs, and improve AI recommendations. We do not use individual company contracting data to train shared AI models.

3.4 Legal Compliance

We process data as necessary to comply with applicable laws, respond to lawful requests from government authorities, enforce our Terms of Service, and protect the rights, property, or safety of GovEtract, our users, or the public.

4. How We Share Your Information

4.1 Service Providers

We share data with trusted service providers who assist in operating the platform under confidentiality obligations. These include:

Supabase — Cloud database and authentication infrastructure (United States)
Vercel — Application hosting and edge compute (United States)
Anthropic — AI model provider for Claude (United States) — used for proposal drafting, opportunity scoring, and compliance summarization
OpenAI — AI model provider (United States, optional fallback)
Resend — Transactional email delivery (United States)
Stripe — Subscription billing, checkout, and customer billing portal (United States)
Sentry — Application error monitoring and diagnostics (United States)
Upstash — Distributed rate limiting and request-protection storage (United States)
ElevenLabs — Voice guide session infrastructure for eligible early onboarding accounts (United States)

Each provider processes data only as instructed by us and under applicable data processing agreements.

4.2 Legal Requirements

We may disclose your information when required by law, court order, or government request, or when we believe disclosure is necessary to prevent fraud, protect safety, or enforce our agreements.

4.3 Business Transfers

If GovEtract is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you via email or platform notice before your data becomes subject to a different privacy policy.

4.4 No Sale of Data

We do not sell, rent, or trade your personal information or business data to any third party for their marketing or commercial purposes. This includes not sharing your contracting data with competitors or government contractor databases.

5. Government Contracting Data

GovEtract processes sensitive government contracting information including federal registration credentials, proposal content, contract award details, and CPARS performance records. This data is handled with the following additional protections:

Access to government contracting records is restricted to authenticated users within your company account only.
We do not share your proposal content, pricing data, or competitive strategy with any other platform user, competitor, or third party outside of service delivery.
CPARS records and past performance data are stored and processed only within your company's isolated data environment.
We do not provide government agencies, contracting officers, or procurement databases access to your company data.

6. AI Data Processing

When you use AI features (proposal generation, compliance summarization, opportunity scoring, the AI assistant), relevant portions of your company profile, catalog, and activity data are included in API requests sent to AI model providers (Anthropic, OpenAI).

We use API-based AI providers to generate requested outputs. How submitted data is handled is governed by those providers' current service terms and data handling commitments.
AI-generated outputs (proposals, summaries, recommendations) are stored in your account and subject to the same access controls as other platform data.
You remain solely responsible for reviewing, editing, and approving any AI-generated content before use in government submissions.

7. Data Storage and Security

Your data is stored in Supabase-managed PostgreSQL databases hosted in the United States and processed through infrastructure providers we use to operate the service. We implement safeguards that may include:

HTTPS/TLS protection for data sent between browsers and the service
Encryption-at-rest and storage security features provided by our vendors
Row-level security and company-data isolation controls where implemented
Restricted access to production systems and operational tooling
Application logging, monitoring, and routine maintenance practices
Backup and recovery features provided by our infrastructure vendors

See our Security Policy for full details on our security practices and incident response procedures.

8. Data Retention

We retain your account and company data for as long as needed to provide the service, comply with legal obligations, resolve disputes, enforce agreements, and maintain reasonable backup and recovery processes. Different categories of data may be retained for different periods based on operational need and applicable law.

Account data: Typically retained while the account is active and for a limited period afterward to support account closure, recovery, and audit needs.
Proposal and contract records: May be retained longer because they can relate to regulatory, contractual, or recordkeeping requirements.
Compliance documents: Retained according to account activity, customer instructions, and any legal or audit obligations that apply.
Usage logs: Retained for operational, debugging, and security purposes for a limited period.
Email communications: Retained as needed to provide support and maintain a record of customer communications.

After account deletion or termination, we will work to delete or anonymize active company data within a commercially reasonable period, subject to backup retention, system limitations, and any legal obligations requiring longer retention.

9. Your Privacy Rights

9.1 General Rights (All Users)

You have the right to:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your personal data, subject to legal retention requirements.
Portability: Receive your data in a structured, machine-readable format.
Restriction: Request that we limit how we process your data in certain circumstances.

To exercise these rights, contact privacy@govetract.com. We will respond to verified requests within 30 days.

9.2 California Residents (CCPA / CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: The categories of personal information we collect, the purposes for collection, and the third parties with whom we share it.
Right to Delete: Deletion of personal information we have collected, subject to certain exceptions.
Right to Opt Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required, but you may submit a request to confirm this at privacy@govetract.com.
Right to Correct: Correction of inaccurate personal information.
Right to Limit Sensitive Data Use: We process sensitive business identifiers (EIN, UEI, CAGE) only as necessary to provide the service.
Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

9.3 EEA / UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area or United Kingdom, we process your data under the following legal bases:

Contract performance: Processing necessary to deliver the platform services you have subscribed to.
Legitimate interests: Platform security, fraud prevention, and improving our service.
Legal obligation: Compliance with applicable laws.
Consent: Where we rely on consent (e.g., marketing communications), you may withdraw it at any time.

EEA/UK residents have the right to lodge a complaint with their local supervisory authority. For data transferred outside the EEA/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

For EU/UK data processing inquiries, contact privacy@govetract.com. See our Data Processing Agreement for enterprise customers requiring a formal DPA.

10. Cookies and Tracking

We use cookies and similar technologies to operate the platform. For a full description of the cookies we use, their purposes, and how to control them, see our Cookie Policy.

We do not use third-party advertising cookies or cross-site tracking. We do not share your browsing behavior with advertising networks.

11. Children's Privacy

GovEtract is a business platform intended for use by companies and their authorized employees. We do not knowingly collect personal information from individuals under the age of 18. If we learn that we have collected personal information from a minor, we will delete it promptly. Contact privacy@govetract.com if you believe we have inadvertently collected such information.

12. International Data Transfers

GovEtract operates primarily in the United States. If you access the platform from outside the US, your data will be transferred to and processed in the US, where data protection laws may differ from those in your jurisdiction.

For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) to provide appropriate safeguards. Copies of applicable SCCs are available upon request at privacy@govetract.com.

13. Do Not Track

We do not respond to browser-based Do Not Track (DNT) signals because we do not engage in cross-site tracking. Our platform does not serve behavioral advertising.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a new effective date. For material changes, we will provide at least 14 days' advance notice via email or in-platform notification before changes take effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For privacy questions, data requests, or to exercise your rights:

Email: privacy@govetract.com
Subject line: Privacy Request — [Your Company Name]
Response time: Within 30 days of a verified request