RFI Hawk

Privacy Policy

Operated by Salian Defense Inc.
Effective Date: February 2026 | Last Updated: April 2026

1. Information We Collect

Account Information:

Name, email address, company name
Password (stored as a one-way cryptographic hash; we cannot read your password)

Company Profile Data:

NAICS codes, keywords, set-aside qualifications
UEI (Unique Entity Identifier) and CAGE code
Company website, description, and geographic preferences
Grant funding categories and eligibility preferences

Facility Clearance and Compliance Data (if you choose to provide it):

Facility clearance level and safeguarding level
Key management personnel names, titles, citizenship, and clearance levels
Facility Security Officer (FSO) and Insider Threat Program contact information
Foreign Ownership, Control, or Influence (FOCI) status
Sponsoring agency and contract references
CMMC assessment level and compliance status

Uploaded Documents:

Proposals, contracts, award letters, capability statements, and other government contracting documents you choose to upload
Document metadata extracted through processing (page count, section types, keywords)

Usage Data:

Features used, pages visited, actions taken within the platform
AI token consumption and usage patterns
Search queries and scoring interactions

Payment Information:

Payment processing is handled entirely by Stripe. We do not store, process, or have access to your credit card numbers.
We store your Stripe customer ID and subscription status for billing management.

Contact Preferences:

Email communication preferences (product updates, opportunity alerts, marketing)
SMS consent status (if provided)

2. How We Use Your Information

Provide the Service: Score opportunities, analyze documents, generate proposals, and deliver platform features.
Process Payments: Manage subscriptions, token purchases, and billing through Stripe.
Transactional Emails: Send account verification, password reset, payment receipts, and service-critical notifications. These are sent without opt-in as they are required for service operation.
Product Communications: Send new feature announcements, platform tips, and improvement updates only if you have opted in.
Marketing Communications: Send promotional offers, webinars, and partner content only if you have explicitly opted in.
Opportunity Alerts: Send email notifications about matching opportunities only if you have opted in and configured alert preferences.
Platform Improvement: Use anonymized, aggregated usage data to improve platform features and performance.

We do NOT:

Sell personal data to third parties
Share uploaded documents with other users
Use uploaded documents to train AI models
Use advertising networks, tracking pixels, or data brokers

3. Communication Consent

We comply with the Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act. Our communication categories are:

Transactional Emails (no opt-in required):

Account verification and password reset
Payment receipts and billing notifications
Security alerts and service-critical updates

Product Updates (opt-in at registration):

New feature announcements
Platform improvements and tips
Can unsubscribe at any time via Settings or one-click unsubscribe link

Opportunity Alerts (opt-in at registration):

Notifications when new matching opportunities are found
Scoring updates and deadline reminders
Configurable from Settings; can disable at any time

Marketing Communications (explicit opt-in required):

Promotional offers, webinars, partner content
Separate opt-in checkbox required
Can unsubscribe at any time

SMS/Text Messages (explicit opt-in required):

Sent only with explicit consent via separate checkbox
Message and data rates may apply
Reply STOP to opt out at any time
Separate from email consent

Every non-transactional email includes an unsubscribe link. Unsubscribe is processed immediately. No login required. You can update all communication preferences at any time from your account Settings page.

4. Cookies and Tracking

We use essential cookies to operate the Service:

Session Cookie: Maintains your login session. Required for the Service to function.
CSRF Token: Protects against cross-site request forgery attacks. Required for security.
Privacy Preference: Stored locally in your browser to remember that you acknowledged this policy.

We do not use third-party analytics cookies, advertising cookies, or tracking pixels. We do not participate in cross-site tracking or ad networks.

5. Data Storage and Security

All data is stored on US-based servers.
Passwords are hashed using industry-standard PBKDF2-SHA256 algorithms. We cannot reverse or read your password.
Sensitive fields (such as two-factor authentication secrets) are encrypted at rest using AES-256-GCM authenticated encryption.
Uploaded documents are stored with per-user access controls. Only you (and platform administrators for support purposes) can access your documents. Your proposal data, documents, and company profiles are logically isolated from other users.
Database backups are encrypted.
All data transmission uses HTTPS/TLS encryption. HTTP Strict Transport Security (HSTS) is enforced.
Cross-Site Request Forgery (CSRF) protection is enabled on all form submissions.
Rate limiting is applied to login attempts and API endpoints to prevent abuse.
Security headers (Content Security Policy, X-Frame-Options, X-Content-Type-Options) are enforced on all responses.
We enforce single-session licensing to prevent unauthorized concurrent access to your account.

6. Data Retention

Active Accounts: Data is retained for the duration of your active account.
Cancelled Accounts: Account data is retained for 30 days after cancellation to allow for reactivation, then permanently deleted.
Uploaded Documents: Deleted within 30 days of account cancellation.
Token Usage Logs: Retained for 12 months for billing and audit purposes.
Consent Audit Logs: Retained indefinitely as required for TCPA/CAN-SPAM compliance. These records are never deleted.
Anonymized Analytics: Retained indefinitely as they cannot be traced to individual users.

7. Third-Party Services

We use the following third-party services to operate the platform:

Stripe: Payment processing. Stripe handles all credit card data under their own privacy policy. We never see or store your card number.
Anthropic (Claude API): AI-powered proposal drafting, analysis, and compliance checking. We send opportunity text (public procurement data) and your prompts/proposal content for AI processing. Anthropic does not use customer inputs or outputs to train models. Data is not retained beyond the API request lifecycle, per Anthropic's data processing terms.
Groq: Fast AI inference for lightweight analysis tasks. Same data scope as Anthropic. Groq does not retain user data beyond request processing.
Supabase: OAuth authentication for social login (Google, Microsoft, GitHub, Apple). Only the OAuth redirect flow is used; no user content is stored in Supabase.
SendGrid: Transactional email delivery (password resets, opportunity alerts, account notifications). We send recipient email addresses and email content to SendGrid for delivery.
Railway: Cloud hosting infrastructure. Our application and database run on US-based Railway servers (AWS-backed infrastructure).
Government Data Sources: SAM.gov, USASpending.gov, Grants.gov, SBIR.gov, FPDS, DARPA, DIU, NSTXL, and agency forecast data. These are public data sources. No user data is sent to these services; we only submit search queries.

We do not use advertising networks, social media tracking pixels, or data brokers.

8. Your Rights

You have the following rights regarding your personal data:

Access: Request a copy of all data we hold about you.
Correction: Update or correct inaccurate information through your account Settings.
Deletion: Request deletion of your account and all associated data.
Export: Request a downloadable copy of your data before account deletion.
Opt-Out: Unsubscribe from any non-essential communications at any time through Settings or one-click unsubscribe links.

To exercise any of these rights, contact us at support@rfihawk.com. We will respond to all privacy requests within 30 days.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a user is under 18, we will take steps to delete their account and data.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify existing users via email and update the "Last updated" date at the top of this page. Your continued use of the platform after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions, data requests, or concerns:

Email: privacy@rfihawk.com
Company: Salian Defense Inc.