SourceFlag Privacy Policy

Effective Date: May 17, 2026

Operator: CodeArtisans LLC, a Georgia limited liability company

Mailing Address: 3988 Creekview Ridge Court, Buford, GA 30518

Privacy Contact: privacy@sourceflagworkspace.com

SourceFlag is operated by CodeArtisans LLC. For purposes of this Privacy Policy, "SourceFlag," "we," "us," and "our" refer to CodeArtisans LLC and the SourceFlag service. See About SourceFlag for a plain-language product and operator overview.

This Privacy Policy explains how SourceFlag collects, uses, stores, and shares information in connection with SourceFlag, a hosted source-backed RFP review workspace designed for public and unclassified solicitation packages only.

SourceFlag helps users upload public solicitation materials, review source-backed outputs, ask cited questions about uploaded materials, create review artifacts, manage projects, invite collaborators, and export workspace materials. SourceFlag is not intended for classified, controlled, export-controlled, procurement-sensitive, or highly sensitive business materials.

For access, deletion, correction, or privacy questions, email privacy@sourceflagworkspace.com. We may need to verify your identity and account authority before processing requests.

1. Scope of This Policy

This Privacy Policy applies to SourceFlag's website, dashboard, hosted workspace, account services, billing flows, support communications, and related product features.

It covers information associated with:

  • account registration and authentication
  • uploaded solicitation files and workspace materials
  • generated artifacts and source-backed outputs
  • Ask/chat prompts, questions, responses, and history
  • annotations, flags, checklists, and proposal drafts
  • project and workspace management
  • billing, checkout, subscription, customer portal, and token top-up activity
  • technical logs, cookies, localStorage, and session storage
  • support, administrative, and business communications

This Policy does not apply to third-party websites, services, or content that SourceFlag does not control.

U.S. Business Self-Serve Scope

Self-serve SourceFlag plans are currently offered only to U.S.-based business customers and authorized business users who are at least 18 years old. SourceFlag is not offered for consumer, personal, household, or international self-serve use at this time. Non-U.S. access, international billing, or custom international use requires written approval from SourceFlag.

2. Public and Unclassified Use Only

SourceFlag is designed for public and unclassified solicitation packages and related public and unclassified attachments only.

You must not upload, submit, paste, transmit, store, or process any of the following through SourceFlag:

  • classified information
  • Controlled Unclassified Information (CUI)
  • Federal Contract Information (FCI)
  • ITAR-controlled data
  • EAR/export-controlled material
  • export-controlled technical data or defense articles
  • source-selection-sensitive information
  • procurement-sensitive information
  • non-public government or contractor information
  • non-public customer capture information
  • private capture material
  • internal pricing strategy
  • sensitive customer, competitor, subcontractor, teaming, or agency material
  • regulated personal data, except ordinary account, access, billing, and business contact information needed to use the Service
  • health information
  • financial account information
  • government identification numbers
  • children's data
  • biometric data
  • precise location data
  • malicious code or harmful content
  • infringing content
  • content you do not have rights to process
  • any material outside SourceFlag's public/unclassified launch boundary

SourceFlag is not designed, certified, or offered as a compliance environment for classified information, Controlled Unclassified Information (CUI), Federal Contract Information (FCI), ITAR-controlled data, EAR/export-controlled material, source-selection-sensitive information, procurement-sensitive information, regulated personal data, or other restricted materials.

Customers are responsible for reviewing files before upload and ensuring that their use of SourceFlag complies with applicable laws, contract obligations, agency rules, employer policies, procurement requirements, export-control rules, and data-handling restrictions.

3. Information We Collect

3.1 Account Information

When you create or use an account, we may collect information such as:

  • name
  • email address
  • organization or workspace name
  • login and authentication information
  • account status
  • workspace membership
  • roles and permissions
  • invitation and guest access records
  • communications with SourceFlag

Authentication and account-related data are handled using Supabase.

3.2 Uploaded Files and Workspace Content

SourceFlag may collect and store files and materials that you upload to a workspace, including public solicitation packages and related public/unclassified workspace content.

Uploaded files may include:

  • RFPs, RFIs, RFQs, amendments, attachments, forms, Q&A documents, instructions, evaluation criteria, and other public solicitation materials
  • text extracted or derived from uploaded files
  • file names and metadata
  • workspace labels and project settings
  • annotations, flags, notes, comments, or review inputs
  • library content and reusable workspace materials

Uploaded files are stored using Supabase private storage and related database services.

3.3 Generated Artifacts

SourceFlag may generate artifacts based on uploaded files, source excerpts, workspace context, and user instructions, such as:

  • summaries
  • compliance matrices
  • requirement extractions
  • checklists
  • review flags
  • risk notes
  • source-backed answers
  • proposal draft sections
  • verification notes
  • exported or saved workspace artifacts

Generated artifacts may be stored in your workspace so you can review, edit, download, export, or reuse them.

3.4 Ask/Chat History

When you use Ask, chat, or similar review features, SourceFlag may collect and store:

  • your questions, prompts, and instructions
  • AI-generated responses
  • source references and citations
  • conversation history
  • associated workspace, file, project, and user metadata

Ask/chat history may be retained to provide continuity, allow later review, support source-backed workflows, and maintain workspace records.

3.5 Billing and Payment Information

SourceFlag uses Stripe for billing, checkout, subscriptions, customer portal access, invoices, payment processing, and AI usage packs.

SourceFlag may receive and store billing-related metadata from Stripe, such as:

  • customer ID
  • subscription status
  • plan information
  • billing interval
  • invoice and payment status
  • token top-up records
  • billing email
  • limited payment method details, such as card brand, last four digits, and expiration date
  • tax, invoice, and customer portal metadata

SourceFlag does not intentionally store full payment card numbers. Payment processing is handled by Stripe.

3.6 Technical Logs and Usage Information

We may collect technical information needed to operate, secure, debug, and improve SourceFlag, such as:

  • IP address
  • browser and device information
  • operating system
  • referring page or source
  • timestamps
  • pages or workspace routes accessed
  • API request metadata
  • authentication events
  • upload, extraction, processing, and job status logs
  • AI usage records
  • subscription and plan limit records
  • error, security, and diagnostic logs

Background processing may run on Render. Website and dashboard hosting may run on Vercel. Database, authentication, and private storage may run on Supabase.

3.7 Cookies, localStorage, and Session Storage

SourceFlag may use cookies, localStorage, session storage, and similar technologies for product functionality, including:

  • keeping you signed in
  • maintaining session state
  • remembering workspace or interface preferences
  • supporting security and authentication
  • enabling checkout, subscription, and customer portal flows
  • operating the website and dashboard

SourceFlag does not currently use third-party advertising cookies. SourceFlag does not sell personal information or customer workspace content.

If SourceFlag embeds walkthrough videos using YouTube's privacy-enhanced embed mode, YouTube or Google may process information according to their own settings and policies when you interact with the embedded video.

3.8 Communications

If you contact SourceFlag, we may collect:

  • your email address
  • message contents
  • support request details
  • billing inquiry details
  • administrative or business communication records

SourceFlag uses Google Workspace for business email and administrative communications.

4. How We Use Information

SourceFlag uses information to:

  • provide, operate, and maintain the hosted workspace
  • authenticate users and manage accounts
  • manage workspaces, roles, projects, and guest access
  • store uploaded files and workspace content
  • process uploaded public/unclassified solicitation materials
  • generate source-backed outputs and artifacts
  • provide Ask/chat functionality
  • create checklists, compliance-style outputs, review flags, draft sections, and exportable artifacts
  • manage subscriptions, checkout, billing, customer portal access, invoices, payments, and AI usage packs
  • monitor plan limits, workspace limits, user limits, and AI usage
  • communicate about accounts, billing, support, product updates, legal notices, and administrative matters
  • monitor reliability, security, abuse, and system performance
  • debug errors and improve product functionality
  • enforce the public/unclassified-use-only boundary, Terms of Service, and acceptable use rules
  • comply with legal, accounting, tax, security, and contractual obligations

5. AI Processing

SourceFlag uses the OpenAI API to provide AI-assisted processing.

Depending on the feature used, SourceFlag may send the following to the OpenAI API:

  • text extracted from uploaded public/unclassified solicitation files
  • selected file excerpts or source passages
  • user prompts, questions, and instructions
  • prior Ask/chat context, when needed for the feature
  • generated outputs, intermediate results, or formatting instructions
  • limited metadata needed to operate the request

SourceFlag uses AI processing for extraction, summarization, grounded Ask, citations, drafting support, review flags, verification support, and artifact generation.

AI output may be incomplete, inaccurate, outdated, incorrectly cited, or misapplied. Users are responsible for verifying all outputs against source documents and their own requirements.

SourceFlag does not sell customer workspace content. SourceFlag does not use customer workspace content to train SourceFlag-owned foundation models. SourceFlag uses managed AI providers to operate product features, and provider handling is governed by their applicable terms, settings, and agreements.

Customers are responsible for ensuring that content submitted for AI processing is permitted under this Policy, the Terms of Service, applicable laws, contract obligations, and organizational policies.

6. Service Providers

SourceFlag uses service providers to operate the Service. These providers may process information as needed to provide services to SourceFlag and according to applicable agreements, configurations, and legal requirements.

Current service providers and data flows include the providers listed below. See the Subprocessors page for detailed provider notes and data categories.

OpenAI API

AI processing for review, Ask, drafting, summarization, extraction, citations, and artifact generation.

Supabase

Authentication, database, private storage, and workspace records.

Stripe

Checkout, billing, subscriptions, customer portal, invoices, payment processing, AI usage packs, and limited payment metadata.

Vercel

Website and dashboard hosting.

Render

Background worker compute.

Google Workspace

Business email and administration.

YouTube privacy-enhanced embeds

Optional marketing walkthrough video embeds.

SourceFlag does not authorize service providers to sell customer workspace content.

7. No Sale of Personal Information or Workspace Content

SourceFlag does not sell personal information.

SourceFlag does not sell customer workspace content, uploaded files, generated artifacts, Ask/chat history, prompts, messages, annotations, proposal drafts, exports, or source-backed outputs.

SourceFlag also does not use customer workspace content for third-party advertising.

8. Sharing and Disclosure

SourceFlag may share information in the following limited circumstances.

8.1 With Service Providers

We share information with the providers listed above as needed to operate SourceFlag.

8.2 Within Your Workspace

Workspace content may be visible to users who have access to the same workspace, depending on their role, permissions, and workspace configuration.

Workspace owners and administrators are responsible for managing access to workspace content.

8.3 For Billing and Account Administration

Billing-related information may be shared with Stripe to manage checkout, subscriptions, customer portal access, invoices, payments, failed payments, tax records, and AI usage packs.

8.4 For Legal, Security, and Compliance Reasons

We may disclose information if reasonably necessary to:

  • comply with law, legal process, subpoenas, court orders, or government requests
  • enforce the Terms of Service or other agreements
  • protect SourceFlag, users, customers, service providers, or the public
  • investigate abuse, fraud, security incidents, or policy violations
  • respond to disputes, claims, or legal obligations

8.5 In Business Transactions

If CodeArtisans LLC, SourceFlag, or related assets are involved in a merger, acquisition, financing, reorganization, sale of assets, change of control, bankruptcy, or similar transaction, information may be disclosed or transferred as part of that transaction, subject to appropriate protections.

9. Customer Responsibilities

Customers and users are responsible for:

  • ensuring that uploaded materials are public and unclassified
  • excluding classified information, CUI, Federal Contract Information (FCI), ITAR-controlled data, EAR/export-controlled material, source-selection-sensitive information, procurement-sensitive information, non-public government or contractor information, private capture material, internal pricing strategy, sensitive customer/subcontractor/teaming material, regulated personal data, and other prohibited materials
  • obtaining any permissions required to upload, process, store, share, or export materials
  • managing workspace users, roles, guest access, and permissions
  • reviewing AI-generated outputs before relying on them
  • verifying source citations, requirements, deadlines, and solicitation interpretations
  • complying with procurement rules, confidentiality obligations, employer policies, contract requirements, export-control rules, privacy obligations, and applicable laws
  • deleting files, artifacts, or chat history when they are no longer needed

SourceFlag is a review workspace and does not replace legal, compliance, procurement, capture, pricing, export-control, security, or proposal-management review.

10. Retention and Deletion

SourceFlag retains information for as long as reasonably necessary to provide the Service, maintain accounts, operate workspaces, comply with legal obligations, resolve disputes, enforce agreements, and protect security.

10.1 Workspace Content

Uploaded files, generated artifacts, Ask/chat history, annotations, proposal drafts, review flags, and project records may remain in your workspace until:

  • you delete them
  • a workspace owner or administrator deletes them
  • your account or workspace is deleted
  • retention is otherwise required or limited by your plan, agreement, applicable law, billing needs, security needs, or dispute-resolution needs

10.2 Account Data

Account information may be retained while your account is active and for a reasonable period after deletion to support security, legal, accounting, audit, fraud-prevention, and dispute-resolution needs.

10.3 Billing Records

Billing metadata, invoices, subscription records, payment status, customer portal records, token top-up records, and related records may be retained as required for tax, accounting, fraud prevention, legal compliance, and business records.

Some billing records may remain in Stripe even after a SourceFlag account or workspace is deleted.

10.4 Logs

Technical logs may be retained for security, debugging, reliability, fraud prevention, abuse prevention, legal compliance, and operational purposes. Log retention periods may vary depending on the type of log and operational need.

10.5 Backups

Deleted information may remain in backups or archival systems for a limited period before being overwritten or removed according to backup practices, unless longer retention is required for legal, security, billing, tax, accounting, fraud-prevention, or dispute-resolution reasons.

10.6 Deletion Requests

For access, deletion, correction, or privacy questions, email privacy@sourceflagworkspace.com. We may need to verify your identity and account authority before processing requests.

Some information may not be deleted immediately or completely where retention is required for legal, tax, accounting, security, fraud-prevention, billing, dispute-resolution, or legitimate business purposes.

If your request relates to a workspace controlled by an organization, SourceFlag may direct the request to the workspace owner or administrator.

11. Security

SourceFlag uses technical, administrative, and organizational measures designed to protect information, including private storage, authentication controls, access controls, and secure service-provider configurations.

However, no hosted service, transmission method, storage system, or AI processing workflow can be promised to be perfectly secure. Customers should not upload materials outside SourceFlag's permitted public/unclassified boundary.

12. International Processing

SourceFlag and its service providers may process information in the United States and other locations where they or their infrastructure operate. Data protection laws in those locations may differ from the laws where you are located.

By using SourceFlag, you understand that information may be processed by SourceFlag and its service providers in accordance with this Policy and applicable agreements.

13. Privacy Rights

Depending on where you live, you may have privacy rights regarding your personal information, such as the right to:

  • request access to personal information
  • request correction of inaccurate personal information
  • request deletion of personal information
  • object to or restrict certain processing
  • request a copy of personal information in a portable format
  • opt out of certain types of processing, where applicable
  • appeal a privacy request decision, where applicable

SourceFlag does not sell personal information or customer workspace content.

To make a privacy request, contact privacy@sourceflagworkspace.com.

We may need to verify your identity and account authority before fulfilling a request. If your request relates to a workspace controlled by an organization, we may direct the request to the workspace owner or administrator.

14. Children's Privacy

SourceFlag is a business SaaS product and is not directed to children.

SourceFlag is not intended for users under 18, and users must not upload children's personal information. If you believe a child's personal information has been submitted to SourceFlag, contact privacy@sourceflagworkspace.com.

15. Cookies and Choices

You may be able to control cookies through your browser settings. Blocking or deleting cookies, localStorage, or session storage may affect login, authentication, checkout, customer portal access, workspace access, and product functionality.

Because SourceFlag does not currently use third-party advertising cookies, there is no advertising-cookie preference center at this time.

16. Changes to This Policy

SourceFlag may update this Privacy Policy from time to time. When we make changes, we will update the effective date above.

If changes are material, SourceFlag may provide additional notice, such as through the website, dashboard, account email, or other reasonable means.

Continued use of SourceFlag after an updated Policy becomes effective means the updated Policy applies to your use of the Service.

17. Contact

For privacy questions, requests, or concerns, contact:

SourceFlag
Operated by CodeArtisans LLC
Mailing Address: 3988 Creekview Ridge Court, Buford, GA 30518
Email: privacy@sourceflagworkspace.com