ProposalKit
← Back to Home

Privacy Policy

Last Updated: April 17, 2026

This Privacy Policy explains what information Oldfire OÜ ("we", "us") collects when you use ProposalKit (the "Service"), how we use it, who we share it with, and what rights you have. We've tried to write this in plain English — where legal terms appear, we've kept them to a minimum.

By using ProposalKit you agree to the practices described here. If you don't, please stop using the Service.

Who we are

Oldfire OÜ
J. Pärna 1, Tallinn, Estonia
Registration: 14744856

We are the data controller for personal data processed through ProposalKit. For any privacy-related question, write to privacy@proposalkit.io .

The short version

  • We collect what we need to run the Service — your account details, the proposals you create, and a record of who accepted them.
  • Payments are handled by Paddle. We never see or store your card details.
  • We use a small number of sub-processors (listed below) to host, send email, authenticate you, and understand how the Service is used. We don't sell your data or share it for advertising.
  • You can export or delete your data at any time from your account settings, or by emailing us.

What data we collect

Account data

When you sign up we collect your name, email address, and (via our authentication provider WorkOS) basic identity information such as your profile image. If you choose to fill out your sender profile, we also store your business name, contact email, phone number, and website.

Proposal content

Everything you put into a proposal — text, pricing tables, images, client names, cover details, sender details — is stored so we can show it back to you and to the people you share it with. Images and file uploads are stored in Cloudflare R2. You own this content (see our Terms).

Acceptance records

When a recipient accepts one of your proposals through its public share link, we record the acceptance along with the recipient's IP address, user-agent string, the time of acceptance, and an immutable snapshot of the proposal as it appeared at that moment. This acceptance record is legal evidence that the proposal was accepted and is retained as such — see "How long we keep data" below.

Usage and diagnostic data

When you (or a recipient) access the Service, our servers automatically log the IP address of the request, the page or endpoint accessed, the time of the request, the user-agent, and error information. We use this to keep the Service running, investigate bugs, detect abuse, and rate-limit public endpoints.

Analytics

On the marketing website only, we use Microsoft Clarity to see how visitors interact with pages (heatmaps, anonymised session recordings). Clarity is loaded only if you accept analytics cookies via the cookie banner. Inside the app itself, and on public share pages, we do not run Clarity.

Payment data

If you subscribe, our payment processor Paddle collects and processes your billing information as the merchant of record. ProposalKit receives only a subscription status, plan, and customer identifier from Paddle — never card numbers.

How we use your data

  • To provide the Service — creating, editing, sharing, and tracking proposals; handling acceptance; showing you your dashboard.
  • To authenticate you — via WorkOS, so we know which account is making a request.
  • To communicate with you — transactional email (account notices, trial reminders, proposal-activity alerts, receipts) sent through Postmark.
  • To operate and improve the Service — logs, error reports, and (on the marketing site only) analytics.
  • To protect the Service and its users — detecting abuse, enforcing rate limits, investigating incidents.
  • To comply with law — when we are legally required to retain or disclose information.

Legal basis (GDPR)

We process most of the data above because it is necessary to perform the contract we have with you (providing the Service). We rely on our legitimate interest to keep the Service secure, to investigate bugs and abuse, and to retain acceptance records as proof of agreement. Where we use optional analytics cookies on the marketing site, we rely on your consent, which you can withdraw at any time through the cookie banner.

Sub-processors

We use the following third parties to deliver the Service. Each processes personal data only on our behalf and under a data processing agreement.

  • Paddle (Paddle.com Market Ltd, UK) — subscription billing and payment processing, as merchant of record.
  • WorkOS (WorkOS, Inc., USA) — user authentication and identity.
  • Postmark (ActiveCampaign, USA) — transactional and broadcast email delivery.
  • Cloudflare (Cloudflare, Inc., USA) — CDN, Workers compute, and R2 object storage for images and file uploads.
  • Railway (Railway Corp, USA) — hosted Postgres database.
  • Microsoft Clarity (Microsoft Corporation, USA) — marketing-site analytics; loaded only with consent.
  • Pushover (Superblock LLC, USA) — internal notifications to the founder (e.g. new signups, critical errors). No customer content is sent.

We will update this list if we add, remove, or replace a sub-processor. Material changes will be reflected in the "Last Updated" date at the top of this page.

International transfers

Several of our sub-processors are located outside the European Economic Area, mostly in the United States. Where that is the case we rely on the Standard Contractual Clauses approved by the European Commission, together with the additional safeguards each provider offers, to protect your data in transit and at rest.

How long we keep data

  • Account data and proposals: for as long as your account exists. When you close your account, we delete them within 30 days, except where we are legally required to keep them longer.
  • Acceptance records: retained for the lifetime of the proposal plus a reasonable period afterwards, because they are legal evidence that a proposal was accepted. Even if you close your account, we may retain anonymised acceptance records to defend against legal claims.
  • Billing records: retained by Paddle and by us for the period required by tax and accounting law (typically seven years in Estonia).
  • Server logs and diagnostic data: retained for a short rolling window (typically 30–90 days) and then deleted, except where we need them longer to investigate a specific incident.
  • Marketing-site analytics: retained by Microsoft Clarity according to its own retention schedule.

Your rights

If the GDPR applies to you, you have the right to:

  • access the personal data we hold about you;
  • have it corrected if it's wrong;
  • have it deleted ("right to be forgotten") where we have no overriding reason to retain it;
  • export your proposal content in a portable format;
  • object to or restrict certain kinds of processing, including any processing based on legitimate interest;
  • withdraw consent for optional analytics at any time;
  • lodge a complaint with your local data-protection authority — in our case, the Estonian Data Protection Inspectorate (aki.ee).

You can act on most of these rights directly from your account settings. For anything else, email privacy@proposalkit.io and we will respond within 30 days.

Cookies and similar technologies

Inside the ProposalKit app we use only the cookies and local storage that are strictly necessary to keep you signed in and remember your preferences. We do not run advertising or cross-site tracking cookies anywhere in the product.

On the marketing website (ProposalKit.io) we additionally offer optional analytics cookies (Microsoft Clarity). You can accept, reject, or change your choice at any time through the cookie banner.

Public proposal share pages set no analytics or tracking cookies.

Security

We use commercially reasonable technical and organisational measures to protect your data — encrypted transport (HTTPS), encrypted storage, short-lived authenticated tokens, role-based access to our infrastructure, and rate limiting on public endpoints. No system is ever 100% secure, and we can't promise absolute security, but we take it seriously and will notify affected users if we become aware of a breach involving their personal data.

Children

ProposalKit is a business tool and is not intended for anyone under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us and we will delete it.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last Updated" date above. If the change is material we'll also notify active users by email.

Contact us

For any question about this Privacy Policy, or to exercise your rights, email privacy@proposalkit.io.