Privacy Policy

Effective Date: 18 March 2026 · Last Updated: 18 March 2026

WinsProposal ("we", "us", "our") is operated by Polsia Inc. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI proposal generation service at winsproposal.com.

This policy complies with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and India's Digital Personal Data Protection Act 2023 (DPDPA).

1. Data Controller

WinsProposal (operated by Polsia Inc.) is the data controller for the personal data processed through this service.

Contact: privacy@winsproposal.com

2. Data We Collect

Data Type	What We Collect	Lawful Basis	Retention
Account Data	Email address, name, hashed password	Contract performance	Until account deletion
Proposal Content	RFP text you upload, AI-generated proposals, knowledge base entries	Contract performance	Until account deletion
Usage Data	Daily proposal generation counts, feature usage	Legitimate interest (rate limiting, product improvement)	Until account deletion
Payment Data	Subscription status and plan type. Card details are held solely by Stripe/Razorpay.	Contract performance	Active subscription + 7 years (financial records)
Analytics Data	Anonymous visitor ID, page views	Consent	90 days
Consent Records	Cookie and marketing preferences, timestamps	Legal obligation	Duration of account + 3 years

3. How We Use Your Data

Providing the service: Generating AI proposals, storing your knowledge base, tracking usage limits
Account management: Authentication, subscription management, billing
Product improvement: Aggregated, anonymised analytics to improve features (only with consent)
Legal compliance: Maintaining records required by law, responding to lawful requests

We do not sell your personal data. We do not use your proposal content to train AI models.

4. AI Processing

When you generate a proposal, your RFP text and knowledge base context are sent to our AI provider (OpenAI) for processing. This data is:

Transmitted over encrypted connections (TLS 1.2+)
Not used by the AI provider to train their models (per our data processing agreement)
Not stored by the AI provider beyond the API request lifecycle

5. Data Processors (Sub-processors)

Processor	Purpose	Location	Safeguards
OpenAI	AI proposal generation	United States	Standard Contractual Clauses (SCCs)
Neon	Database hosting	United States / EU	SCCs, SOC 2
Render	Application hosting	United States	SCCs, SOC 2
Stripe	Payment processing (USD)	United States / EU	PCI DSS Level 1, SCCs
Razorpay	Payment processing (INR)	India	PCI DSS Level 1

6. International Data Transfers

Your data may be transferred to and processed in the United States. For transfers from the UK/EEA, we rely on:

Standard Contractual Clauses (SCCs) as approved by the UK ICO and European Commission
Data processing agreements with all sub-processors
Additional technical measures including encryption at rest and in transit

You can set your preferred data region in your account settings. While we cannot guarantee data will only be stored in that region (due to our infrastructure architecture), we use this preference to optimise data handling where possible.

7. Your Rights

Under UK GDPR / EU GDPR, you have the following rights:

Right	Description	How to Exercise
Access	Request a copy of all your personal data	App Settings → Export Data, or `GET /api/gdpr/export`
Rectification	Correct inaccurate personal data	Edit your profile in the app
Erasure	Delete your account and all associated data	App Settings → Delete Account, or `DELETE /api/gdpr/account`
Data Portability	Receive your data in a machine-readable format (JSON)	App Settings → Export Data
Withdraw Consent	Change cookie and marketing preferences at any time	Cookie banner → Preferences
Object	Object to processing based on legitimate interest	Email privacy@winsproposal.com
Complaint	Lodge a complaint with a supervisory authority	UK: ico.org.uk

We will respond to all data rights requests within 30 days. Data export and deletion are available instantly through the app.

8. Cookies and Local Storage

Essential (Always Active)

wp_token — JWT authentication token (localStorage)
wp_lang — Language preference (localStorage)
wp_cookie_consent — Your consent preferences (localStorage)

Analytics (Requires Consent)

polsia_vid — Anonymous visitor ID for page view analytics (localStorage)

We do not use third-party tracking cookies. The analytics beacon only fires after you grant analytics consent.

9. Data Security

Passwords are hashed using bcrypt (10 rounds)
All data transmitted over HTTPS (TLS 1.2+)
Database connections use SSL encryption
Payment data is handled exclusively by PCI-compliant processors
JWT tokens expire after 30 days

10. Data Retention

Active accounts: Data retained for the duration of your account
Deleted accounts: All personal data erased immediately. A minimal deletion audit record (email + timestamp) is retained for 3 years for legal compliance.
Analytics data: 90-day rolling window
Financial records: 7 years after subscription ends (legal requirement)

11. Children

WinsProposal is not directed at individuals under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice. The "Last Updated" date at the top reflects the most recent revision.

13. Contact Us

For privacy-related inquiries, data requests, or complaints:

Email: privacy@winsproposal.com
Data Protection Authority (UK): Information Commissioner's Office (ICO)