Plain answers, not legal boilerplate
How ProJobCalc handles your data.
Where proposals live. What we encrypt. What third parties touch. How AI proposal generation works under the hood. If anything below turns out to be wrong or unclear, email mitch@mitchreise.com and we’ll fix it.
The short version
Your proposals, clients, estimates, and brand profile live in a managed Postgres database we run on Vercel’s US-East region. Auth supports magic-link email and password sign-in; password accounts store bcrypt hashes only, never plaintext. Payments run through Stripe; we never see your customers’ card numbers. We do not sell or share your data with advertisers, ever.
Where your data lives
- Proposals, clients, estimates, expenses: Postgres on Vercel (Neon-managed, US-East). Encrypted at rest by the storage provider; encrypted in transit via TLS to and from our servers.
- Brand assets (logos): Vercel Blob storage. Public URLs by design — the logo is rendered on every proposal PDF you send.
- Voice estimator transcripts: Held in memory during the call. The structured estimate is stored with your other estimates; the raw audio is discarded after transcription unless you explicitly save the transcript.
- Payment data: Stripe holds the card. We see only the subscription status, the card brand and last 4 digits (e.g. “Visa ending in 4242”), and your invoice history. We have no ability to charge your card outside the published $19/mo or $49/mo plans.
What we can see
- The email you signed up with (it’s your account).
- Your saved proposals, estimates, clients, expenses, and brand profile. Your account, your data — we’ll hand you a JSON export on request.
- Aggregate usage telemetry (proposals_created, voice_calls, upgrade_cta_clicked) — used to know which features are useful, never joined with personal data for advertising.
- Your IP, user-agent, and Vercel-edge geo header on web requests — kept in HTTP access logs for 30 days and used only for fraud / abuse review.
What we cannot see
- Your customers’ payment card numbers. Stripe holds those. We see only Stripe’s tokenized references.
- Anything you don’t put in. Your tax records on your accountant’s server, your QuickBooks data, your bank account balances — we have no integration that pulls those without your explicit connection.
- Customer behavior on your client portal. We log that a proposal was opened (a tracking pixel), not what the customer’s screen looks like, keystrokes, or session replay.
Integrations, APIs, and webhooks
- Public integration metadata is metadata only. The integration manifest and OpenAPI spec describe routes, event names, sample payloads, and signing conventions. They do not expose customer records, proposal data, invoices, or account secrets.
- Authenticated app routes require a signed-in user. Proposal, invoice, voice, and dashboard endpoints are currently protected by the same session checks as the product UI. API-key access for Zapier, Make, n8n, Pipedream, and private backend automations is documented as planned, not treated as live until keys can be issued and revoked per account.
- Webhook receivers should verify signatures. The documented convention is HMAC-SHA256 over timestamp.delivery_id.raw_body with a 300-second replay window, x-projobcalc-signature: v1=<hex>, x-projobcalc-timestamp, x-projobcalc-delivery, and x-projobcalc-event headers.
- No accounting or CRM data is pulled by default. QuickBooks, HubSpot, Google Sheets, Slack, and similar tools only receive or return data when you explicitly connect a workflow. See the integrations overview for the current compatibility map and recipes.
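A receiver-side check for the signing convention described above, in Node.js. This is an added example, not ProJobCalc's own code: it assumes the timestamp header is Unix seconds, the secret is a shared string, and delivery ids contain no dots; the function names and the in-memory delivery-id cache are illustrative.

```javascript
const crypto = require("node:crypto");

const REPLAY_WINDOW_SECONDS = 300; // replay window stated on the page
const seenDeliveries = new Map(); // delivery id -> last second it could still verify

// Signed string per the page: timestamp.delivery_id.raw_body
function computeSignature(timestamp, deliveryId, rawBody, secret) {
  const mac = crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${deliveryId}.`)
    .update(rawBody) // the exact bytes received, never re-serialized JSON
    .digest("hex");
  return `v1=${mac}`;
}

// headers: lower-cased names, as Node provides them; rawBody: Buffer.
// Assumptions: timestamp is Unix seconds; secret is a shared string.
function verifyWebhook(headers, rawBody, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ ok: false, reason });
  const timestamp = headers["x-projobcalc-timestamp"];
  const deliveryId = headers["x-projobcalc-delivery"];
  const signature = headers["x-projobcalc-signature"];
  const present = [timestamp, deliveryId, signature].every((v) => typeof v === "string" && v);
  if (!present) return fail("missing-header");
  if (!/^\d{1,12}$/.test(timestamp)) return fail("bad-timestamp");
  if (Math.abs(nowSeconds - Number(timestamp)) > REPLAY_WINDOW_SECONDS) return fail("outside-replay-window");
  // Assumption: ids contain no "."; otherwise bytes could move between id and body.
  if (deliveryId.includes(".")) return fail("bad-delivery-id");
  if (!/^v1=[0-9a-f]{64}$/i.test(signature)) return fail("bad-signature-format");

  const expected = Buffer.from(computeSignature(timestamp, deliveryId, rawBody, secret));
  const received = Buffer.from(signature.toLowerCase());
  // The regex guarantees equal lengths, so timingSafeEqual cannot throw.
  if (!crypto.timingSafeEqual(expected, received)) return fail("signature-mismatch");

  // A captured request still verifies inside the window, so remember delivery ids.
  for (const [id, lastValid] of seenDeliveries) if (lastValid < nowSeconds) seenDeliveries.delete(id);
  if (seenDeliveries.has(deliveryId)) return fail("duplicate-delivery");
  seenDeliveries.set(deliveryId, Number(timestamp) + REPLAY_WINDOW_SECONDS);
  return { ok: true, reason: null };
}

// Constructed sample delivery: the secret, delivery id and body are made up.
function demo(nowSeconds = 1700000000) {
  const secret = "constructed-secret";
  const body = Buffer.from('{"example":true}');
  const headers = { "x-projobcalc-timestamp": String(nowSeconds - 10), "x-projobcalc-delivery": "constructed-id-1" };
  headers["x-projobcalc-signature"] = computeSignature(nowSeconds - 10, "constructed-id-1", body, secret);
  return [verifyWebhook(headers, body, secret, nowSeconds), verifyWebhook(headers, body, secret, nowSeconds)];
}
```

Pass the request body as the raw bytes received, since parsed and re-serialized JSON will not reproduce the signature. The delivery-id map covers a single process only; a multi-instance receiver needs a shared store with the same 300-second expiry.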
How AI proposal generation works
- The AI Bid Proposal Generator sends the project description + your brand profile + line items you typed to Anthropic Claude via the Vercel AI Gateway. The model returns formatted proposal copy in seconds.
- What goes to the model: what you typed — project scope, client name, your company name. That’s it. We don’t add your past proposals, your full client roster, or anything from other accounts.
- What does NOT go to the model: your expenses, your tax data, your Stripe payouts, other users’ data.
- Training: Anthropic does not train on data submitted via the paid API by default. We use the paid API.
- Voice estimator: Same story. The audio goes to a speech-to-text provider for transcription, the transcript goes to Claude to extract structured line items. Both providers are under data-processing agreements that prohibit training on the inputs.
Third parties we use
- Stripe — billing & payments. PCI DSS compliant; the source of truth for subscription state.
- Resend — transactional email delivery. Receives the recipient address + email body of mails we send.
- Anthropic (via Vercel AI Gateway) — AI proposal generation, voice estimator parsing.
- Twilio — voice estimator call routing when used in truck mode.
- Vercel — hosting, edge functions, Blob storage, Postgres (Neon-managed).
- Google Analytics 4 — aggregate traffic metrics on the public marketing pages only (not on the signed-in dashboard or proposal portal).
We do not use any data-broker / lookup providers, advertising attribution platforms, fingerprinting libraries, or session replay tools.
Retention
- Active accounts: we keep your data for the life of the account.
- Cancelled subscriptions: your account reverts to Free; data stays. Re-subscribing snaps you back in.
- Deleted accounts: on request to mitch@mitchreise.com we hard-delete your row + cascade everything you own within 7 days. Stripe records of past transactions are retained for tax / audit purposes per US tax law.
- HTTP access logs: 30 days, rolling.
Threats we protect against
- Account takeover: magic-link sign-in avoids password reuse risk for users who choose it. Password sign-in stores bcrypt hashes only; sessions are HTTP-only, signed, and rotated.
- Database breach: data is encrypted at rest by the provider; backups are encrypted; the auth layer is separate from the data layer.
- Tenant bleed: every Prisma query is user-scoped via session check; we run row-level tests on every code change to catch leaks before deploy.
Threats we don't fully protect against
Honest list. ProJobCalc is not magic.
- Compromised endpoint. If your laptop has malware, your session cookie is in scope.
- Shared mailbox compromise. The magic link lands in your inbox. Anyone with mailbox access can sign in. Use 2FA on your email account.
- Your customers’ mailbox. Proposal links you send sit in your customers’ inboxes. We can’t protect that side.
- Operator (us) compromise. We have access to your data the same way every SaaS operator does. Our mitigations: small team, no offshore contractors, least-privilege production access, no production data on laptops.
Reporting a vulnerability
Email mitch@mitchreise.com with the subject “ProJobCalc security”. We respond within 48 hours. We don’t run a paid bounty yet — we’re a small operation — but credible reports are acknowledged publicly on this page once fixed (with your permission).
For data-export, account-deletion, or general privacy questions, the same address.
Standard responsible-disclosure metadata is also published at /.well-known/security.txt.