Privacy Policy

winpathgov.com · team@winpathgov.com · Version 1.0 · Effective April 18, 2026

Accepted once at signup. By checking the agreement box during registration, you accept this Privacy Policy in full. You are not asked to re-accept on every sign-in. You can review this policy at any time at winpathgov.com/privacy.

1. Data We Collect

We collect and store the following categories of data when you use WinPath:

  • Account information: Email address, hashed password (managed by Supabase Auth), and account creation timestamp.
  • Pursuit data: Opportunity titles, agencies, contract values, capture stages, RFP dates, incumbent names, set-aside types, notes, and next steps that you input.
  • Contact records: Names, roles, agencies, relationship status, and notes for contacts you create within the platform.
  • Uploaded RFP documents: Files you upload for AI-assisted analysis, stored in Supabase Storage.
  • Usage and technical logs: Activity log entries (actions taken within the app), session information, and error logs for debugging.
  • SAM.gov cache: Opportunity and contact data fetched from SAM.gov and cached in our sam_cache table with a 24-hour TTL.
  • Opportunity search cache: SAM.gov search results cached in our sam_search_cache table with a 7-day TTL.
  • Legal acceptance records: A record of your acceptance of our Terms of Service and Privacy Policy, including version number, timestamp, IP address, and browser user-agent.

2. AI Processing

WinPath uses AI to generate capture intelligence, briefings, summaries, and analysis. When you request AI-powered features, relevant data (opportunity details, RFP text, activity history) is transmitted to the following AI providers:

  • Anthropic: Processes text via the claude-sonnet-4-6 (intelligence and briefings) and claude-haiku-4-5 (extraction and classification) models. One Anthropic API key covers both models.
  • OpenAI: Generates vector embeddings via the text-embedding-3-small model. Embeddings are stored in Supabase’s pgvector extension for semantic search.

AI outputs may be inaccurate, incomplete, or fabricated. We do not guarantee the correctness of any AI-generated content. Always verify AI outputs against official sources before acting on them.

We do NOT train public AI models on your data. Your pursuit data, documents, and inputs are used solely to generate responses for your account and are not used to improve or train Anthropic or OpenAI foundation models for public use.

3. Infrastructure and Security Controls

WinPath is built on the following security architecture:

  • Supabase RLS: Row-Level Security is enforced on every database table. Users can only access their own rows.
  • Supabase Auth: Authentication is managed by Supabase, which hashes passwords using bcrypt. WinPath never stores plaintext passwords.
  • Environment variables: All API keys (Anthropic, OpenAI, SAM.gov, Stripe, Resend) are stored exclusively as server-side environment variables. No API keys are exposed to the browser or committed to source code.
  • TLS in transit: All data transmitted between your browser, Vercel (hosting), and Supabase is encrypted via TLS.
  • Vercel hosting: The application is hosted on Vercel’s edge infrastructure with DDoS protection and managed TLS.

4. Security Limitations

No security guarantee.

Despite the controls described above, no internet-connected system can be guaranteed to be fully secure. WinPath’s infrastructure (Supabase, Vercel) is operated by third parties whose security practices are outside our direct control.

DO NOT upload or enter the following data into WinPath:

  • Controlled Unclassified Information (CUI)
  • Classified or national security information of any classification level
  • ITAR-controlled technical data
  • CMMC-regulated data or Covered Defense Information (CDI)
  • Protected Health Information (PHI) or other HIPAA-covered data

WinPath is NOT FedRAMP authorized. It is not approved, accredited, or designed for use with any controlled or regulated government data.

5. Data Sharing

We do not sell your data. We do not sell, rent, or trade your personal information or pursuit data to third parties for advertising or marketing purposes.

We share data only with the following service processors, as required to operate the platform:

  • Supabase — database storage, authentication, and file storage
  • Vercel — application hosting and edge delivery
  • Stripe — payment processing. Stripe stores your card data; WinPath does not have access to your full card number, CVV, or bank details.
  • Resend — transactional email delivery (welcome emails, notifications) from team@winpathgov.com
  • Anthropic — AI inference (text sent to Claude models for analysis)
  • OpenAI — vector embeddings (text sent for embedding generation)
  • SAM.gov API — federal procurement data retrieval (your keyword/agency search terms are included in API requests)
  • USASpending.gov API — federal award data retrieval

We may also disclose your information (a) as required by law, regulation, or legal process; (b) to enforce our Terms of Service; or (c) to protect the rights, property, or safety of WinPath, our users, or the public.

6. Breach Notification

In the event of a data security breach that affects your personal information, we will notify you at your registered email address within the timeframes required by applicable state and federal law. Notification of a breach is not an admission of liability or wrongdoing.

7. Data Retention

  • Account and pursuit data: Retained for the duration of your active subscription. Upon account deletion, your data is removed from active storage within 30 days.
  • Database backups: Supabase retains point-in-time backup snapshots for up to 90 days. Your data may persist in backups for up to 90 days after deletion from the live database.
  • Cache data: SAM.gov results in sam_cache expire within 24 hours; search cache in sam_search_cache expires within 7 days. These caches are automatically purged.
  • Deletion: To delete your account and all associated data, navigate to Settings → Danger Zone. You may also request deletion by emailing team@winpathgov.com.

8. Your Privacy Rights

You have the following rights with respect to your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Deletion: Request deletion of your account and associated data.
  • Export: Request an export of your pursuit data in a portable format.

To exercise any of these rights, contact team@winpathgov.com. We will respond within 30 days.

9. State Privacy Rights

Depending on your state of residence, you may have additional privacy rights under the following laws:

  • California: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  • Virginia: Consumer Data Protection Act (CDPA)
  • Colorado: Colorado Privacy Act (CPA)
  • Connecticut: Connecticut Data Privacy Act (CTDPA)

To exercise rights under any applicable state privacy law, contact team@winpathgov.com.

Note: WinPath is not FedRAMP authorized and is not designed for use with CDI, CUI, or CMMC-regulated data. Do not use WinPath to process any data subject to ITAR, DFARS 252.204-7012, or similar controlled data requirements.

10. Cookies and Local Storage

  • Session cookies: WinPath uses session cookies required for Supabase authentication. These cookies are strictly necessary and cannot be disabled without breaking login functionality.
  • localStorage: We use browser localStorage solely for UI state — including onboarding progress and recent search parameters. No personal data or pursuit content is stored in localStorage.
  • No advertising cookies: WinPath does not use advertising, analytics, or behavioral tracking cookies. We do not track you across other websites.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will increment the version number, update the effective date, and display a notification banner within the WinPath application. Continued use of the platform after the effective date constitutes your acceptance of the updated policy.

12. Contact

For privacy-related questions, requests, or concerns, contact us at team@winpathgov.com.