Privacy Policy
Last updated: June 16, 2026
1. Introduction
LoopWork Labs (“we,” “our,” or “us”) operates Pitchwright, an AI-powered proposal generation platform for independent consultants and small consulting firms (“the Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Pitchwright.
By creating an account or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use Pitchwright.
We process personal data on the following legal bases: (a) contract performance — to create and maintain your account and deliver the Service; (b) legitimate interests — to operate, secure, and improve Pitchwright, and to detect misuse; and (c) consent — for optional analytics collection and AI feature use.
2. Information We Collect
Account & Profile Data
When you register and set up your Pitchwright account, we collect:
- Name, email address, and password (stored as a secure hash — never in plaintext)
- Company name, consulting type, and professional bio
- Brand assets: logo image, brand colors, and preferred fonts
- Stripe customer ID and, if you accept payments through proposals, your Stripe Connect account identifier
Proposal & Client Data
When you create proposals, we store the content you provide on your behalf, including:
- Generated and edited proposal text, pricing tables, and scope sections
- Your clients’ names, companies, and email addresses (as entered by you)
- Electronic signature data when a proposal is signed
- Payment amounts and payment status for proposals that include in-proposal billing
Meeting notes, transcripts, and other source material you submit for AI generation are not stored by us.They are transmitted to our AI provider to produce a draft (see Section 4) and are discarded after processing — only the resulting proposal content you choose to keep is saved to your account.
Usage & Analytics Data
We collect information about how you use the Service, including:
- Pages visited and features used (via PostHog)
- Event metadata such as proposal generation time and export actions — we do not send proposal body text to our analytics provider
- Error events and your user identifier (via Sentry) to diagnose bugs — no proposal content is included in error reports
Proposal Tracking Data (Non-User Recipients)
When your clients view a proposal you have sent, we automatically collect data about that viewing session. Proposal recipients are third parties who have not agreed to our Terms of Service. We collect this data to verify delivery, provide you with proposal analytics, and detect unauthorized access:
- IP address of the viewer
- Device and browser information
- Time spent viewing each proposal section
- View, forward, sign, and payment events with timestamps
This data is made available to you in your proposal analytics dashboard. Viewer tracking data is retained for 90 days, after which it is permanently deleted. There is no opt-out mechanism for proposal recipients, as tracking is inherent to the proposal delivery feature. If you share a proposal with a recipient who objects to this tracking, you should not use the Pitchwright delivery feature for that proposal.
Technical & Session Data
We automatically collect standard technical information: IP address, browser type, operating system, referring URLs, and session authentication cookies necessary to keep you logged in.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Pitchwright Service
- Generate and refine proposals using AI (see Section 4)
- Send transactional emails such as proposal delivery, signature notifications, and billing receipts
- Process subscription billing and proposal payments via Stripe
- Monitor service health, diagnose errors, and ensure security
- Communicate material changes to these policies
- Comply with legal obligations
We do not sell your personal information or use it for behavioral advertising.
4. AI Processing Disclosure
Pitchwright’s core feature — AI proposal generation — requires sending your input data to third-party AI providers. By using AI generation features, you consent to this transmission. If you do not consent, you may not use the AI generation or refinement features.
- Anthropic (Claude API):Meeting notes, client context, and existing proposal content you submit for generation or refinement are transmitted to Anthropic’s API. We transmit this content only to produce your draft and do not retain the submitted notes or transcripts in our systems after processing. Anthropic does not use API inputs to train its models by default under its API usage policy. Anthropic’s data handling is governed by the Anthropic Privacy Policy and API Usage Policy.
- OpenAI (Embeddings API): Semantic search of your reusable content library is a planned, optional feature that is not currently enabled. While it is disabled, no content-library text is sent to OpenAI. If we enable it, the text of the content-library entries you choose to search would be sent to OpenAI’s embeddings API to power that search, and we will update this policy and the sub-processor list below before that happens. OpenAI does not use API inputs to train its models by default under its API usage terms. OpenAI’s data handling is governed by the OpenAI Privacy Policy.
Do not input confidential client information, trade secrets, or personally identifiable information you are not authorized to share with these third-party providers. We recommend reviewing Anthropic’s and OpenAI’s privacy policies before submitting sensitive content.
5. Information Sharing & Sub-processors
We share your information only with service providers necessary to operate Pitchwright. We do not sell your data to third parties. We require sub-processors to maintain appropriate data protection standards consistent with this Privacy Policy. Our current sub-processors include:
- Supabase — database hosting and authentication — Privacy Policy
- Vercel — application hosting and edge infrastructure — Privacy Policy
- Anthropic — AI proposal generation (Claude API) — Privacy Policy
- OpenAI— content library embeddings for semantic search (planned; not currently enabled) — Privacy Policy
- Stripe — subscription billing and in-proposal payment processing — Privacy Policy
- Resend — transactional email delivery — Privacy Policy
- PostHog — product analytics (event metadata only; no proposal body text) — Privacy Policy
- Sentry — error monitoring (user ID and error context only; no proposal content) — Privacy Policy
We may disclose information if required by law, legal process, or to protect the rights, property, or safety of LoopWork Labs, our users, or the public.
6. Data Retention & Your Rights
We retain your account data and proposal content for as long as your account is active. When you delete a proposal it is soft-deleted (marked inactive) and will be permanently purged after 30 days. Proposal viewer tracking data is retained for 90 days.
If you close your account, you may request deletion of your data by emailing hello@pitchwright.io. We will process deletion requests within 30 days, subject to legal hold obligations (e.g., records required for tax or legal purposes).
Data Portability: You have the right to request a copy of your personal data in a portable format (CSV or JSON). Requests will be fulfilled within 30 days at no charge. Email hello@pitchwright.io with “Data Export Request” in the subject line.
7. Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will require the acquiring entity to honor the obligations in this Privacy Policy. If the data practices materially change as a result of such a transaction, we will notify affected users by email at least 30 days in advance and provide an opportunity to request deletion of your data before the change takes effect.
8. Security
We implement industry-standard safeguards including:
- Encryption in transit via HTTPS with HSTS enforced
- Row-level security on all database tables limiting data access to the owning account
- Session cookies set with
Secure,HttpOnly, andSameSiteattributes - Rate limiting on authentication and sensitive endpoints
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we take reasonable precautions to protect your information.
9. Data Breach Notification
In the event of a confirmed data breach that affects your personal information, we will:
- Notify affected individuals without unreasonable delay, and no later than 30 days following our discovery of the breach
- Provide notice via email to the address associated with your account, including: the nature of the breach, the categories of data compromised, the steps we are taking to address it, and recommended steps you can take to protect yourself
- Notify the Texas Attorney General if Texas residents’ data is affected, and notify other applicable state attorneys general as required by their respective breach notification laws
If you believe your account has been compromised, contact us immediately at hello@pitchwright.io.
10. Cookies
Pitchwright uses the following cookies:
- Authentication cookies (required): Set by Supabase to maintain your login session. These are necessary for the Service to function.
- Analytics cookies(optional): Set by PostHog to collect product usage event data. You can opt out by enabling the “Do Not Track” setting in your browser, or by emailing hello@pitchwright.io to be excluded from analytics tracking.
- Payment cookies: Set by Stripe when you interact with payment features. Governed by Stripe’s cookie policy.
Do Not Track:Some browsers include a “Do Not Track” (DNT) signal. Pitchwright currently does not alter its data collection practices in response to DNT signals. To opt out of PostHog analytics specifically, use the method described above.
11. California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the rights described below and requires us to disclose the categories of personal information we collect.
Categories of Personal Information We Collect
In the past 12 months we have collected the following categories of personal information. We collect each category from you directly, automatically through your use of the Service, or from your clients’ interactions with proposals you send, and we disclose it for business purposes to the sub-processors listed in Section 5:
- Identifiers — your name, email address, account login credentials, IP address, and Stripe customer ID.
- Commercial information — your subscription tier, billing records, and proposal payment status; disclosed to Stripe for payment processing.
- Internet or network activity — pages visited, features used, device and browser information, and proposal viewing events; disclosed to PostHog and Sentry as described above.
- Professional or employment information — your company name, consulting type, and professional bio, used to personalize AI generation.
- Client and third-party information you submit — the names, email addresses, and any other identifiers contained in the meeting notes, transcripts, and proposal content you enter.
- Electronic signature data — the signature image and audit-trail metadata (timestamp, IP address, document hash) captured when a proposal is signed.
AI-processed content:The meeting notes, transcripts, and other source material you submit for AI generation — including any personal information about your clients contained in them — are transmitted to our AI sub-processor (Anthropic) to produce your draft and are not retained by us after processing. Only the client names, email addresses, and finished proposal content you choose to save are stored in your account. We collect account login credentials, which California law treats as sensitive personal information; we use and disclose sensitive personal information only to provide the Service and do not use it for purposes that would trigger a right to limit under the CPRA.
Your California Rights
You have the following rights, which you may exercise free of charge:
- Right to Know: You may request disclosure of the personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
We do not sell personal information as defined by the CCPA, and we do not share personal information with third parties for cross-context behavioral advertising.
California “Shine the Light” (Cal. Civ. Code §1798.83): We do not disclose personal information to third parties for their direct marketing purposes. California residents may request confirmation of this policy by emailing hello@pitchwright.io with “Shine the Light Request” in the subject line. We will respond within 30 days.
To submit any California privacy request, email hello@pitchwright.io with “California Privacy Request” in the subject line. Because Pitchwright operates exclusively online, email is our designated method for submitting requests.
Verification & authorized agents: To protect your data, we will verify your identity before fulfilling a request by matching the information you provide against our records, and we may decline a request we cannot reasonably verify. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide proof of your written authorization and may still verify your identity directly. We will respond within 30 days; if we need more time (up to the limit permitted by the CCPA), we will tell you why.
12. Children’s Privacy
Pitchwright is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly. Users between 13 and 17 years of age must have parental or guardian consent before using Pitchwright.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact Us
For questions, concerns, or data requests related to this Privacy Policy, please contact LoopWork Labs at: