Privacy Policy

How PRplus.io collects, uses, and protects your data — plain language, with links to the underlying commitments.

Last updated: April 22, 2026

1. Information we collect

We collect three categories of information: account & identity data (name, email, organization name, hashed password, single-sign-on identifiers where used); Customer Data (the clients, contacts, pitches, reports, agents, and prompts you create or upload); and usage metadata (pages viewed, features used, AI call counts and token totals, error logs). We also receive limited billing information from Stripe (last 4 digits of your card, billing address, invoice history) — we never see or store raw payment card numbers.

2. How we use your information

We use your information to: (a) operate, maintain, and improve the Service; (b) authenticate you, enforce security, and prevent abuse; (c) process billing and comply with legal obligations; (d) send transactional messages (billing, security, product changes); (e) with your permission, send product updates and tips. We do not sell your personal data. We do not use your Customer Data, AI prompts, or AI responses to train our own or any third party's foundation models.

3. Data storage and security

Customer Data is stored on Supabase in the US (AWS us-east-1). In transit, data is encrypted with TLS 1.2+; at rest, data is encrypted with AES-256. We enforce per-organization isolation via Row-Level Security policies on every customer table, scoped access tokens with short expiry, webhook signature verification, audit logging on administrative actions, and a least-privilege default for personnel access.

4. AI processing

When you generate a pitch, converse with an agent, or run a report, we send the relevant Customer Data (your prompt and the context you attach) to Anthropic's Claude API. Under our contract with Anthropic, your inputs and the model's outputs are not used to train foundation models. Anthropic retains data only as needed for abuse monitoring (currently up to 30 days, per their policy).

5. Third-party subprocessors

We engage a small number of third-party providers to deliver the Service — including Supabase (database), Vercel (hosting), Anthropic (AI), Stripe (billing), Resend (email), Upstash (rate limiting), Sentry (error tracking), and PostHog (analytics, opt-in only). The full and up-to-date list lives at /subprocessors. We require each to meet protections materially equivalent to the commitments in our Data Processing Addendum.

6. Cookies and analytics

We use strictly-necessary cookies to keep you signed in and to guard against CSRF attacks — these cannot be disabled without breaking the product. With your consent (via the cookie banner) we also use PostHog to understand how people use the Service so we can improve it. You can change your choice at any time by clearing the prplus.consent.analytics.v1 entry in your browser's local storage, or by emailing privacy@prplus.io.

7. International transfers

Our infrastructure is hosted in the United States. If you access the Service from the European Economic Area, United Kingdom, or Switzerland, your Personal Data will be transferred to the United States and processed there. Where such transfers involve data subject to GDPR, they are governed by the EU Standard Contractual Clauses (2021/914, Module Two: Controller to Processor) between you (the controller) and VenatoPRO LLC (the processor).

8. Your rights

Depending on your jurisdiction you may have the right to access, correct, delete, port, restrict the processing of, or object to the processing of your Personal Data, and to withdraw consent at any time. For account or team-member data you can self-serve most of these actions from the settings page. For anything else (including deletion of historical logs), email privacy@prplus.io and we will respond within 30 days. California residents have additional rights under the CCPA / CPRA, including the right to know categories of personal information collected and the right to opt out of the sale or sharing of personal information (we do not sell or share Personal Data as those terms are defined in the CCPA).

9. Data retention

We retain Customer Data for as long as your account is active. On termination, your workspace becomes read-only for 30 days so you can export; after 30 days, Customer Data is deleted from production systems, with residual data removed from backup rotation within a further 30 days. We retain account and billing records for the period required by law (typically 7 years for financial records). Error and security logs are retained for up to 90 days for incident response purposes.

10. Children's privacy

The Service is not directed at children under 16, and we do not knowingly collect Personal Data from children under 16. If you believe we have collected information from a child under 16, please contact privacy@prplus.io and we will delete it promptly.

11. Security incidents

If we become aware of a security incident affecting your data, we will notify you without undue delay and in any event within 48 hours, in accordance with our Data Processing Addendum. Suspected security issues can be reported to security@prplus.io.

12. Changes to this policy

We may update this Privacy Policy from time to time. For material changes we will provide reasonable advance notice (typically email to the organization owner and an in-product banner). The “Last updated” date at the top of this page reflects the current version.

13. Questions or requests

For privacy-related questions, requests, or complaints, contact us at privacy@prplus.io. EU residents may also contact their local Supervisory Authority directly. Security issues should be reported to security@prplus.io.