Privacy Policy
This Privacy Policy explains how Vowpace AI (“we”, “us”) collects, uses, and protects information when you use vowpace.com. We designed Vowpace with a privacy-first posture — sensitive fields in your uploaded contracts are stripped before they are ever written to our database.
1. Information We Collect
- Account information — your name, email, plan tier, and (if you sign up with email/password) a bcrypt-hashed password. If you sign in with Google, we receive your name, email, and profile picture via Emergent-managed OAuth.
- Contract content — the text you paste or the PDF you upload for AI milestone extraction. This is stored redacted (see § 3).
- Milestone metadata — extracted names, due dates, amounts, and status you or your clients set.
- Usage signals — anonymous share-link view counts (an SHA-256 fingerprint of IP + user agent, truncated to 32 chars — not reversible) for our Pro “Deal Room analytics” feature.
- Payment records — Stripe session IDs, amounts, statuses. We do not store card numbers; those live only with Stripe.
2. Our Server-Side PII Masking Shield
Before any contract text is written to our database, our backend runs a server-side regex masking pipeline that replaces the following common sensitive patterns with the literal token [REDACTED]:
- Email addresses (any standard local@domain.tld form)
- Phone numbers — international (
+852 9123 4567), US ((555) 123-4567), and dashed local formats - Payment card numbers (13–19 digits with any separator)
- US Social Security numbers
- Passport-style identifiers (letter prefix + 6–9 digits)
- IBAN codes
- US bank routing numbers (ABA / “routing:” prefixes)
- National ID card numbers (“ID#” prefixes with 8–14 digits)
Only the redacted form is stored. Only event timelines, milestone names, and monetary values ever leave our masking layer to reach the AI extraction pipeline or MongoDB.
3. How We Use Information
- Deliver the Service — extract milestones, render dashboards, dispatch alerts.
- Send transactional email (approvals, weekly digests, password resets) via Resend.
- Optionally forward milestone events to your Slack workspace via a webhook URL you supply.
- Bill your subscription via Stripe.
- Protect the Service — rate-limit login attempts, log security-relevant events.
4. Sharing
We do not sell your data. We share only with:
- AI Core Infrastructure — secure, enterprise-grade LLM processing via encrypted gateway API (Claude Sonnet model).
- Stripe — for payments.
- Resend — for transactional email delivery.
- Slack — only if you enable a webhook and supply the URL.
- Law enforcement — only when compelled by valid legal process.
5. Retention
Redacted contract text and milestones are retained for the life of your account. On account deletion, we delete your records within 30 days, except where retention is legally required (e.g. Stripe invoice history).
6. Your Rights
You can access, export, or delete your data at any time by emailing us at support@vowpace.com. If you are in the EEA or UK, you may have additional GDPR rights (rectification, objection, portability); we honor these on written request.
7. Security
We use HTTPS across all endpoints, HttpOnly + Secure cookies for session tokens, bcrypt for password hashing, brute-force rate limiting on login and password reset endpoints (5 fails / 15 min per IP), and single-use time-limited reset tokens (1 hour).
8. Contact
Privacy questions? Reach us at support@vowpace.com.