Skip to content

Privacy Policy

1. Data Controller

The data controller responsible for data processing on this website is:

Julius Sorgner Hochstraße 8 35510 Butzbach Email: contact@proposalair.io Phone: +49 15255612505

2. Overview of Data Processing

2.1 Types of Data Processed

  • Identity Data (name, email address, username)
  • Contact Data (email address, phone number)
  • Content Data (proposals, project descriptions, AI chats)
  • Usage Data (access times, pages visited)
  • Technical Data (IP addresses, device information)
  • Transaction Data (contract details, payment information)
  • Signature Data (electronic signatures, timestamps)

2.2 Categories of Data Subjects

  • Users of our platform
  • Clients who receive proposals
  • Website visitors

2.3 Purposes of Processing

  • Provision of service and contract fulfillment
  • Creation and sending of proposals
  • Electronic signatures and contract conclusions
  • Payment processing
  • Customer communication
  • Security and fraud prevention
  • Compliance with legal obligations

3. Legal Basis

Processing of personal data is based on the following legal grounds:

  • Art. 6(1)(a) GDPR – Consent (e.g., for analytics cookies)
  • Art. 6(1)(b) GDPR – Contract performance (use of the service)
  • Art. 6(1)(c) GDPR – Legal obligation (retention requirements)
  • Art. 6(1)(f) GDPR – Legitimate interest (security, fraud prevention)

4. Data Collection During Website Visits

4.1 Server Log Files

When accessing our website, the following information is automatically collected:

  • IP address (anonymized after 7 days)
  • Date and time of request
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)
  • Hostname of the accessing device

Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) Retention Period: 7-30 days

4.2 Cookies and Consent

The storage of information on end devices and access thereto is governed by § 25 TDDDG (German Telecommunications Digital Services Data Protection Act).

We use different types of cookies:

Necessary Cookies (without consent, § 25(2) TDDDG)

  • Session Cookie – Authentication and session management
  • CSRF Token – Protection against Cross-Site Request Forgery
  • Cookie Consent – Storage of your cookie preferences

Optional Cookies (with consent, § 25(1) TDDDG)

  • Analytics Cookies – Website usage statistics
  • Functional Cookies – Language settings, preferences

You can change your cookie settings at any time via the cookie banner or in your account settings. You can withdraw consent at /api/dsgvo/consent-withdraw.

5. Registration and User Account

5.1 Data Collected During Registration

  • Email address (required)
  • Name (required)
  • Username (optional)
  • Password (stored encrypted)
  • Two-factor authentication (optional)

5.2 Social Login

You can sign in using the following services:

Your name and email address are transmitted during this process.

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) Retention Period: Until account deletion

6. Proposal Creation and AI Usage

6.1 Processing of Proposal Data

When creating proposals, we process:

  • Project descriptions and requirements
  • Client data (name, company, contact details)
  • Prices and terms
  • Creation and modification timestamps

6.2 AI-Powered Text Generation

Our service uses Claude by Anthropic to assist with proposal creation.

What data is transmitted to Anthropic?

To generate proposal texts, the following data is sent to the Claude API:

  • Project description and requirements (your input)
  • Project type and industry
  • Desired scope (estimated hours)
  • Client/company name (if provided in the form)
  • Selected template (template scope, if applicable)

Not transmitted: Passwords, email addresses, payment data, tax numbers, or other sensitive account data.

Processing by Anthropic

  • Server location: USA (San Francisco)
  • Transfer mechanism: Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR
  • Data retention: Anthropic uses a Zero Data Retention Policy for API requests — your inputs are not permanently stored after processing
  • No AI training: Your data is not used for training AI models (API Terms of Service)
  • Data processing: Anthropic processes the data as a data processor pursuant to Art. 28 GDPR

Data Processing Agreement: Concluded pursuant to Art. 28 GDPR Anthropic Privacy Policy: anthropic.com/privacy

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) — AI generation is a core component of the service you use upon registration.

7. Electronic Signatures

7.1 Signature Processing

When clients electronically sign a proposal, we collect:

  • Signer's name
  • Signer's email address
  • Signature (drawn or typed)
  • Timestamp of signing
  • IP address (for evidence purposes)
  • Browser information (User-Agent)
  • Document hash at time of signature

Legal Basis:

  • Art. 6(1)(b) GDPR – Contract performance (signature as part of the contract)
  • Art. 6(1)(f) GDPR – Legitimate interest (IP address and browser information for evidence preservation, fraud prevention, and proof of contractual terms in case of disputes)

Retention Period:

  • Signed contracts and associated audit data (including IP addresses): 10 years after contract conclusion (German Commercial Code §257)
  • After the retention period expires, IP addresses will be anonymized or deleted

7.2 Security Measures for Signatures

  • Signatures are stored encrypted with AES-256-GCM
  • Integrity verification through cryptographic hashes
  • Document hash to prove immutability

8. File Uploads

8.1 Profile Pictures and Logos

When uploading images, they are:

  • Validated for file type and content (magic byte verification)
  • Automatically re-encoded to remove hidden data
  • Stored with server-side encryption (AES-256)
  • Placed in isolated tenant folders

Allowed File Types: JPEG, PNG, WebP, GIF Maximum File Size: 5 MB

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

9. Payment Processing

9.1 Stripe — Subscription Payments

Payments for your platform subscriptions (Starter, Pro) are processed through Stripe, Inc.. Your payment data is transmitted directly to Stripe:

  • Name and billing address
  • Payment method information
  • Transaction data

Data Processing Agreement: Concluded pursuant to Art. 28 GDPR Privacy Policy: stripe.com/privacy Location: USA (DPF certified)

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

9.2 Stripe Connect — Payment Processing for Proposals

Freelancers can enable a payment collection feature on their proposals. Processing is handled via Stripe Connect (Standard). Proposal Air acts as a Stripe platform account; the actual payment is routed to the freelancer's connected Stripe account.

For Freelancers (Account Holders)

When connecting your Stripe account via Stripe Connect, you submit data directly to Stripe, Inc. (identity verification, bank details, tax information). This data is subject exclusively to Stripe's own onboarding process and privacy terms. Proposal Air only receives the connection status (connected/not connected) and the Stripe account ID.

For Clients (Proposal Recipients)

When a freelancer has enabled the payment option on a proposal, the following payment data is collected after electronic signature:

  • Cardholder name and billing address
  • Payment method information (transmitted directly to Stripe, never stored on Proposal Air servers)
  • Transaction amount and payment status
  • IP address (for fraud prevention by Stripe)

Payment processing takes place through a secure Stripe Checkout session. Proposal Air does not store any complete card data, only the transaction status, Stripe session ID, and optionally a receipt URL.

Legal Basis: Art. 6(1)(b) GDPR — Contract performance (processing the agreed payment between freelancer and client) Data Processing Agreement: Concluded with Stripe pursuant to Art. 28 GDPR Stripe Privacy Policy: stripe.com/privacy Stripe Connected Account Agreement: stripe.com/connect-account/legal Location: USA (DPF certified)

10. Email Sending

We use Resend Inc. as an external service provider for sending emails:

  • Transactional Emails (registration, password reset)
  • Proposal Notifications (sent, accepted, rejected)
  • Payment Notifications (payment received to freelancer, payment confirmation to client)
  • Reminders (expiring proposals, payment reminders)

Email address, name, and message content are transmitted to Resend.

Data Processing Agreement: Concluded pursuant to Art. 28 GDPR Privacy Policy: resend.com/legal/privacy-policy Location: USA (SCCs as transfer mechanism)

Legal Basis: Contract performance (Art. 6(1)(b) GDPR)

11. Hosting and Infrastructure

11.1 Vercel (Hosting)

Our website is hosted by Vercel Inc.:

  • Server location: EU (Frankfurt)
  • DPF certified for data transfer to the USA
  • Data Processing Agreement concluded

Privacy Policy: vercel.com/legal/privacy-policy

11.2 Vercel Analytics (Web Analytics)

We use Vercel Analytics to analyze website usage. This service is only activated with your consent (analytics cookies in the cookie banner).

  • Data collected: Page views, referrer, device type, operating system, browser, geographic location (country/region)
  • No personal identifiers: Vercel Analytics operates without personal identifiers and does not set its own cookies
  • Server location: EU (Frankfurt)
  • Data Processing Agreement: Concluded pursuant to Art. 28 GDPR

Legal Basis: Consent (Art. 6(1)(a) GDPR) Privacy Policy: vercel.com/legal/privacy-policy

11.3 Sentry (Error Monitoring)

We use Sentry (Functional Software, Inc.) for application error monitoring and resolution.

  • Purpose: Detection, diagnosis, and resolution of technical errors and performance issues
  • Data collected: Error messages, stack traces, browser information, operating system, IP address (truncated), device type, timestamps
  • No content data: Your proposals, invoices, or other business data are not transmitted to Sentry
  • Location: San Francisco, USA
  • Transfer mechanism: EU-US Data Privacy Framework (DPF)
  • Data Processing Agreement: Concluded pursuant to Art. 28 GDPR
  • Retention period: 90 days

Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR) — ensuring the functionality and security of our service Privacy Policy: sentry.io/privacy

11.4 Supabase (Database)

Our database is hosted by Supabase Inc.:

  • Server location: EU (Ireland, AWS eu-west-1)
  • Data Processing Agreement concluded
  • Data is stored encrypted (Encryption at Rest)

Privacy Policy: supabase.com/privacy

12. Your Rights

12.1 Overview of Your Rights

| Right | GDPR Article | Implementation | |-------|--------------|----------------| | Access | Art. 15 | /api/dsgvo/data-export | | Rectification | Art. 16 | /api/dsgvo/data-rectify | | Erasure | Art. 17 | /api/dsgvo/data-delete | | Restriction | Art. 18 | Contact us | | Notification obligation | Art. 19 | Automatic upon rectification/erasure | | Data Portability | Art. 20 | /api/dsgvo/data-export | | Objection | Art. 21 | Contact us | | Withdrawal of Consent | Art. 7(3) | /api/dsgvo/consent-withdraw |

12.2 Automated Rights Exercise

You can exercise your rights independently through your user account:

Data Export:

POST /api/dsgvo/data-export

Exports all your personal data as a JSON file.

Account Deletion:

POST /api/dsgvo/data-delete
Body: { "confirmation": "DELETE_MY_ACCOUNT" }

Deletes your account and all associated data.

Consent Withdrawal:

POST /api/dsgvo/consent-withdraw
Body: { "consentTypes": ["analytics", "functional"] }

12.3 Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority depends on your place of residence.

13. Data Security

We implement extensive technical and organizational measures:

13.1 Technical Measures

  • TLS 1.3 Encryption for all data transfers
  • AES-256-GCM Encryption for sensitive data (signatures)
  • Secure Password Storage with modern hash algorithms
  • Two-Factor Authentication optionally available
  • Rate Limiting for protection against brute-force attacks
  • CSRF Protection for all forms
  • Content Security Policy (CSP) against XSS attacks
  • Regular Security Updates

13.2 Organizational Measures

  • Access restrictions based on need-to-know principle
  • Regular employee training
  • Documented processes for data protection incidents

13.3 Data Breach Notification (Art. 33/34 GDPR)

In the event of a personal data breach, we follow this procedure:

  1. Internal Detection and Assessment: Security incidents are detected through automated monitoring (security event logging, anomaly detection) and manual review. Each incident is immediately assessed for severity and scope.

  2. Notification to Supervisory Authority (Art. 33 GDPR): If a data breach is likely to result in a risk to the rights and freedoms of natural persons, we report it within 72 hours of becoming aware to the competent data protection supervisory authority. The notification includes: nature of the breach, affected data categories and approximate number of affected individuals, likely consequences, and countermeasures taken.

  3. Notification of Affected Individuals (Art. 34 GDPR): If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay by email about the nature of the breach, potential impact, and measures we have taken.

  4. Documentation: All data breaches are fully documented, including all facts, effects, and remedial measures taken, regardless of whether a reporting obligation exists.

Competent Supervisory Authority: The Hessian Commissioner for Data Protection and Freedom of Information Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany Phone: +49 611 1408-0 Email: poststelle@datenschutz.hessen.de

14. Retention Period and Deletion

| Data Category | Retention Period | Legal Basis | |---------------|------------------|-------------| | User Account | Until deletion | Contract performance | | Proposals (unsigned) | Until deletion | Contract performance | | Signed Contracts | 10 years | German Commercial Code §257 | | E-Signatures | 10 years | German Commercial Code §257 | | Payment Transactions | 10 years | German Commercial Code §147(1) | | Server Logs | 7-30 days | Legitimate interest | | Sessions | Automatic expiration | Contract performance | | AI Chats | Until deletion | Contract performance |

15. Data Transfer to Third Countries

Some of our service providers are located outside the EU/EEA:

| Service | Country | Safeguard | |---------|---------|-----------| | Vercel | USA | EU-US Data Privacy Framework (DPF) | | Sentry | USA | EU-US Data Privacy Framework (DPF) | | Stripe | USA | EU-US Data Privacy Framework (DPF) | | Anthropic | USA | Standard Contractual Clauses (SCCs) | | Resend | USA | Standard Contractual Clauses (SCCs) |

Transfers are made on the basis of adequacy decisions (Art. 45 GDPR) or Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

16. Minors

Our service is intended for businesses and business customers. Persons under 16 years of age may not use our service.

17. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy as necessary to comply with changed legal requirements or when changes to the service occur. The current version can always be found on this page.

Registered users will be notified by email of material changes.

18. Contact

For questions about data protection, please contact:

Privacy Inquiries: Email: support@proposalair.io

Last Updated: March 2026 Version: 2.5