Privacy Policy

1. Information We Collect

Account Information

When you create an account we collect your name and email address via Google OAuth. We do not store your Google password.

Organization & Business Data

You may provide your company name, industry, NAICS codes, and policy watchlist keywords so we can deliver relevant analyses and alerts.

Payment Information

Payments are processed by Stripe. We do not store credit card numbers. Stripe's privacy policy governs payment data.

Usage Data

We automatically collect IP addresses, browser type, pages visited, and timestamps to operate and improve the service.

File Uploads

You may upload images (PNG, JPEG, GIF, WebP), PDFs, and text/CSV files up to 10 MB per file. Uploaded files are stored in cloud storage scoped to your organization.

Grant Application Data

When you use our grant application features, we collect your interview answers, analysis of grant announcements (NOFOs), SF-424 form data, and generated application sections. We also store reusable application profile data including capability statements, key personnel, and past performance.

AI Conversations

We retain full conversation history with our AI assistant, including your messages, assistant responses, and any file attachments you include.

Website Enrichment Data

When you provide your business website URL, we may crawl it to extract publicly available business information to enrich your organization profile.

Feedback & Support Data

If you submit feedback or support requests, we collect bug reports, feature requests, the page URL where submitted, optional screenshots, and browser information.

Audit & Activity Logs

We maintain records of actions performed on the platform, including timestamps, entity references, and IP addresses for security purposes.

API Keys & Usage Data

If you use our API, we store API key metadata (name, prefix, scopes, expiration) and per-request usage data (endpoint, response time, status).

2. How We Use Your Information

• Deliver policy analyses and regulatory alerts
• Surface relevant grants and funding opportunities
• Draft grant application documents using AI based on your answers and organization profile
• Process and respond to your AI assistant conversations
• Enrich your business profile by analyzing your provided website URL
• Generate compliance reports and documents for download
• Track action items and compliance deadlines extracted from policy analyses
• Monitor your watchlist keywords against new regulatory documents
• Process payments and manage subscriptions
• Track API usage and enforce rate limits for API customers
• Send transactional emails including alerts, digests, and application notifications
• Improve and secure the platform

3. Third-Party Services

We share data with the following providers as needed to operate:

• Google — Authentication via OAuth. We receive your name and email address.
• Stripe — Payment processing and subscription management. Stripe receives your email and manages payment methods directly.
• Third-party AI providers — Content analysis, regulatory intelligence, grant application drafting, and AI assistant conversations. We send relevant organization data, document text, conversation messages, and uploaded file contents for processing. We do not permit our AI providers to use your data for model training.
• Cloud infrastructure providers — Hosting, file storage, and asynchronous job processing. Uploaded files, generated reports, and job data are stored securely.
• Analytics and error monitoring providers — Product analytics and error tracking to improve service quality. We collect page views, UI interactions (for identified users only), error reports, and performance data.
• Email delivery providers — Transactional email delivery for alerts, digests, and notifications. Provider receives recipient email and message content.
• USASpending.gov — Public federal government API for contract and award data. We query using industry codes and state information; no personal data is sent.

We do not sell your personal information to any third party. We require all service providers to maintain appropriate data protection measures.

4. AI Data Processing

We use third-party AI providers to power our analysis and assistant features. The following describes how your data is processed by these providers:

• Data sent to AI providers includes organization profile information, regulatory document text, conversation messages, uploaded file contents, and grant application data.
• We do not permit our AI providers to use your data for training their models.
• Grant application processing: your interview answers, NOFO analysis, and organization profile are processed by AI to generate draft application sections.
• AI assistant conversations may involve the AI accessing your analyses, deadlines, reports, and watchlist data on your behalf.
• Files you upload to conversations (images, PDFs, text files) are sent to our AI provider for analysis.

5. Cookies & Tracking Technologies

We use cookies and similar technologies to operate and improve the platform:

• Essential cookies — Required for authentication and session management.
• Analytics cookies — Used for product improvement, including page views and user interactions for identified users only.
• Error monitoring — May capture session replays when errors occur to help us diagnose and fix issues.
• Performance monitoring — Web analytics for monitoring application performance and reliability.

We do not use advertising or third-party tracking cookies.

6. Data Retention

We retain account data for the life of your account. If you delete your account, we remove your personal data within 30 days, except where retention is required by law. Specific retention periods by data type:

• AI conversations — Retained for the life of your account.
• Grant application data — Retained for the life of your account.
• File uploads — Retained in cloud storage for the life of your account; deleted within 30 days of account deletion.
• Audit logs — Retained for a minimum of 12 months for security purposes.
• API usage records — Retained for billing and compliance purposes.
• Generated reports and documents — Retained for the life of your account.
• Website enrichment data — Retained and may be refreshed periodically.
• Email delivery records — Retained for delivery tracking and compliance.

7. Security

We use industry-standard measures including encryption in transit (TLS 1.2+), encrypted storage, and access controls. No system is 100 % secure — please contact us immediately if you suspect unauthorized access.

• API keys are stored as hashed values, never in plain text.
• Uploaded files are stored in access-controlled cloud storage with time-limited URLs for retrieval.
• Rate limiting is enforced on API endpoints to prevent abuse.

8. Data Portability & Export

• You can export grant application drafts as Word documents (DOCX).
• Generated compliance reports are available for download as PDF files.
• You may request a complete copy of your data by contacting hello@bizmoon.ai.
• We will respond to data export requests within 30 days.

9. Your Rights

CCPA (California)

California residents may request access to, deletion of, or opt out of the sale of personal information. We do not sell personal information.

GDPR (EEA)

If you are in the European Economic Area you have the right to access, rectify, erase, restrict processing, or port your data. Our legal basis for processing is contract performance and legitimate interest.

You may also exercise your right to data portability through the export features available in the platform or by contacting us at hello@bizmoon.ai.

10. Children's Privacy

Bizmoon is not directed at anyone under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be posted on this page with an updated effective date.

12. Contact Us

If you have questions about this policy, contact us at hello@bizmoon.ai.