Privacy Policy

Effective: 10 May 2026 · Last updated: 10 May 2026

This Privacy Policy explains how Kedros Solution ("we", "us", "Kedros") collects, uses, stores, shares, and protects information in connection with the Proparion service ("Service") at www.proparion.com.

1. Who we are

Kedros Solution is the legal entity operating Proparion. For privacy questions, write to hello@proparion.com. Under India's Digital Personal Data Protection Act, 2023 (DPDP Act), we act as the Data Fiduciary for personal data we collect from you.

2. What we collect

We collect three categories of data:

  • Account data — name, email, profile picture (if you sign in with Google), organisation name, role, and authentication tokens. Provided by you at sign-up; required to operate the Service.
  • Customer content — past proposals, RFPs you upload, drafted answers, edits, branding assets (logo, colours), and any text you generate using the Service. We treat your content as confidential and never use it to train shared AI models.
  • Usage and device data — pages viewed, features used, IP address, browser, device type, timestamps. Used for product analytics, security, and abuse prevention. Cookies and similar identifiers (e.g. Google Analytics 4) collect this data.

3. How we use your data

  • Deliver the Service — index your proposals, draft answers to RFPs, run compliance checks, generate exports, send transactional emails (welcome, drafts-ready, invoices).
  • Operate the business — billing, subscription management, customer support, fraud and abuse detection.
  • Improve the product — aggregate, anonymised usage statistics. We do not look at your customer content for product improvement except when you explicitly grant access for a support ticket.
  • Communicate with you — service announcements (always), marketing updates (only if you opt in via signup or a separate consent).
  • Comply with law — meet legal obligations and respond to lawful requests from authorities.

4. Lawful basis (DPDP / GDPR)

We process personal data only on these grounds:

  • Performance of contract — to deliver the Service you signed up for.
  • Consent — for non-essential cookies, marketing emails, and any optional features you opt into.
  • Legitimate interests — for security, fraud prevention, and aggregate analytics.
  • Legal obligation — for tax records, lawful government requests, and required disclosures.

5. Subprocessors we use

We share strictly the data necessary with these third-party service providers, all under data-protection agreements:

  • Supabase (database, authentication, file storage) — hosted in the AP-South-1 region (Mumbai).
  • Vercel (web hosting, edge functions, CDN).
  • OpenAI (AI drafting, extraction, embeddings). We use the OpenAI API with data-not-used-for-training terms. Your content is sent to OpenAI's servers only at drafting time and is not retained beyond 30 days for abuse monitoring.
  • Inngest (background job orchestration) — only metadata, never document contents.
  • Dodo Payments (payments) — Merchant of Record; handles GST collection and remittance. We do not store your full card number; Dodo holds payment instruments under PCI-DSS.
  • Google Gmail SMTP (transactional email delivery).
  • Google Analytics 4 (anonymised usage analytics; IP addresses are masked).
  • Crisp (in-app live chat support).
  • LlamaCloud (PDF parsing for uploaded proposals; documents are processed and deleted within 24 hours of parsing).

An up-to-date list is maintained at this URL. We will give 30 days' notice before adding a new subprocessor that processes customer content.

6. Where your data is stored

Primary storage is in Mumbai (AP-South-1) via Supabase. Some processing (AI inference, edge serving) may transit through OpenAI and Vercel data centres in the United States and Europe. For all such transfers we rely on Standard Contractual Clauses or equivalent safeguards.

7. How long we keep it

  • Account data — for the life of your account plus 12 months after deletion (for invoice / dispute retention).
  • Customer content — until you delete it or close your account. Deleted content is purged from active stores within 30 days and from backups within 90 days.
  • Usage logs — 13 months in aggregated form; IP-linked logs are kept 90 days for security investigations.
  • Billing records — 7 years (Indian tax-law requirement).

8. Your rights

Subject to applicable law (DPDP Act 2023 in India, GDPR if you are in the EU/UK, equivalent local laws elsewhere), you have the right to:

  • Access the personal data we hold about you.
  • Correct any inaccuracies.
  • Erase your data ("right to be forgotten").
  • Export your data in a portable format.
  • Restrict or object to certain processing.
  • Withdraw consent at any time.
  • Lodge a complaint with the Indian Data Protection Board (once operational) or your local supervisory authority.

To exercise any of these, email hello@proparion.com with the subject "Data Request" and we'll respond within 30 days.

9. Security

We protect your data with:

  • TLS 1.2+ in transit; AES-256 at rest (Supabase + Vercel defaults).
  • Per-tenant isolation via Postgres Row-Level Security — your content is never queryable by another customer.
  • HTTP security headers (CSP, HSTS preload, X-Frame-Options, etc.) and 2-year HSTS.
  • Audit logs of every state-changing action (upload, edit, export, share, delete).
  • Standard-Webhooks signature verification for billing events.

Despite our safeguards, no system is perfectly secure. If you discover a vulnerability, report it to hello@proparion.com with the subject "Security" and we'll respond within 48 hours.

10. Cookies

We use a minimal set of cookies:

  • Essential — authentication session, CSRF token. Cannot be disabled without breaking the Service.
  • Analytics — Google Analytics 4 with IP anonymisation. We honour Do-Not-Track and Global Privacy Control (GPC) signals — when your browser sends either, the GA tag is suppressed for your session. No proposal or RFP content is ever sent to GA.
  • In-app support chat — our first-party Pari chat widget stores a conversation token in your browser only if you start a chat. No third-party chat cookies are set.

11. Children

Proparion is a B2B service intended for users aged 18 and above. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this Policy

We may update this Policy as the Service evolves. Material changes will be communicated via in-app notice or email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Grievance Officer (DPDP Act 2023)

In compliance with Section 8(9) of the Digital Personal Data Protection Act, 2023, the following officer handles data protection grievances and Data Principal requests for Proparion:

Grievance Officer: Shivam Kedia
Entity: Kedros Solution
Email: hello@proparion.com (subject: "Grievance")
Response SLA: within 30 days of receipt, per DPDP Act 2023 / GDPR Article 12(3).

If you are not satisfied with our response, you may escalate to the Indian Data Protection Board (once operational) or your local supervisory authority (e.g. ICO for the UK, EU DPAs).

14. Contact

Kedros Solution
Email: hello@proparion.com
Website: www.proparion.com