propcraftBack to site

Legal

Privacy Policy

Last updated May 12, 2026.

1. Who runs PropCraft

PropCraft is operated by an independent business based in Baku, Azerbaijan. We're the data controller for the account information you give us. For the content of proposals you send to your clients, you are the data controller and PropCraft acts as a data processor on your behalf.

Contact for any privacy question: akorecebov@gmail.com.

2. What we collect

We collect only what we need to run the Service:

  • Account data: your name, email, password hash, workspace name, optional brand assets (logo, colors). You provide this when you sign up.
  • Proposal content: everything you put into a proposal, including any client data you choose to add (name, email, phone, company, notes). This is your content. We process it on your behalf so the Service can work.
  • View tracking: when a public proposal link is opened, we record the timestamp, section-level dwell time, scroll depth, approximate country and device type derived from IP and user agent. We do not set third-party tracking cookies on the public proposal view.
  • Signatures: when a client signs a proposal we record their typed name, email, IP address, and timestamp as a legal audit trail.
  • Payments: when a client pays via Stripe, Stripe collects the card details directly. PropCraft never sees or stores card numbers. We store the Stripe payment ID, amount, and status so we can show you what happened.
  • Operational data: server logs, error reports, and performance metrics that help us keep the Service running. These contain IP addresses and request paths and are retained for up to 90 days.

3. Why we use it

We use your data to provide and improve the Service: to render proposals, send transactional email (notifications, password resets, signed-confirmation receipts), keep view and signature audit trails, run payment flows through Stripe, and protect the Service from abuse.

We do not sell your data. We do not use your proposal content to train AI models. We do not run advertising on PropCraft.

4. Where your data lives

Application data is stored in a Supabase Postgres database hosted on AWS in the EU (eu-west-3, Paris). Uploaded images and brand assets are stored in Supabase Storage in the same region.

5. Subprocessors

We use a small number of vendors to run the Service. Each one processes only the data needed for their role:

  • Supabase (database, storage, auth) — EU.
  • Stripe (payment processing for your clients) — global.
  • Unosend (transactional email delivery).
  • Vercel (web hosting and edge network) — global.
  • Sentry (optional error tracking, only if a DSN is configured) — EU/US.

If we add a subprocessor we'll update this list. Material changes will be announced by email at least 14 days in advance.

6. Cookies

PropCraft uses a small number of strictly-necessary cookies: session cookies to keep you logged in, a locale cookie to remember your language, and CSRF protection cookies. We don't use advertising, analytics, or cross-site tracking cookies. The public proposal view (the link you share with clients) sets no cookies.

7. Your rights

Under the GDPR and similar laws, you have the right to access, correct, export, restrict, and delete your data. PropCraft makes two of these self-serve:

  • Export all your data as JSON from Settings → Export your data.
  • Delete your account from Settings → Danger zone. Deletion is permanent and cascades through your workspace, proposals, clients, signatures, and view records. Backups containing your data are purged within 30 days.

For anything else (correction, restriction, objection, complaint), email akorecebov@gmail.com and we'll respond within 30 days. EU residents may also lodge a complaint with their local data-protection authority.

8. Data retention

We keep account data and proposal content for as long as your account is active. View-tracking records and signature audit trails are retained for the life of the proposal and for 7 years after acceptance to support the legal validity of the signed contract.

When you delete your account, primary records are removed immediately. Backup copies are rotated out within 30 days. Operational logs roll off automatically within 90 days.

9. International transfers

Some subprocessors (Stripe, Unosend, Vercel, Sentry) may process data outside the EU. Where required, transfers rely on the European Commission's Standard Contractual Clauses or an equivalent legal mechanism. We don't transfer data to jurisdictions known to lack adequate protection.

10. Children

PropCraft is a tool for businesses. It is not designed for, and should not be used by, anyone under 16. If we learn we've collected data from a child under 16 we'll delete it.

11. Security

All traffic to PropCraft is encrypted in transit (TLS). Database access is gated by row-level security policies so each workspace sees only its own data. Passwords are stored as bcrypt hashes, never in plaintext. We don't store credit-card numbers; they never touch our servers.

No system is unbreakable. If we discover a breach affecting your data, we'll notify you and the relevant authority within 72 hours as required by the GDPR.

12. Changes to this Policy

We may update this Policy as the product or our subprocessors change. Material changes will be announced by email to active workspaces at least 14 days before they take effect. The “Last updated” date at the top reflects the current version. See also our Terms of Service.