Privacy Policy

Last updated May 11, 2026.

1. Who is the data controller

The data controller is Instaprice ("we", "us"), operated from France. You can contact us at [email protected] for any privacy-related question, including to exercise your rights below.

We are below the threshold that would require us to appoint a Data Protection Officer under Article 37 of the GDPR. The controller is the single point of contact for privacy matters.

2. What we collect, why, and the legal basis

We collect only what we need to operate the Service:

  • Email address (at sign-up). Used to identify your account, send you the magic link to sign in, and contact you about your account when needed. Legal basis: performance of our contract with you (Article 6(1)(b) GDPR).
  • Project descriptions and pricing inputs you paste in. Whatever you put in the proposal box — including the body of client emails you choose to paste, your own notes, your estimated price, your experience level, and the client market — is sent to our LLM providers (see sub-processors below) and stored in our database against your proposal. Legal basis: performance of our contract with you.
  • Edits and revisions to the proposal. We persist the items, addons, descriptions, and prices you edit on the proposal page so you can come back to them. Legal basis: performance of our contract with you.
  • Payment metadata (via Stripe). We do not store card details. Stripe gives us back a Stripe customer id, the plan you bought, and the date of payment; we keep those alongside your account. Legal basis: performance of our contract with you, plus our legitimate interest in fraud prevention and accounting compliance (Article 6(1)(b) and (f) GDPR).
  • Basic request logs (via Vercel). Standard server logs (IP address, user agent, timestamp, path) for security and operational debugging. Legal basis: our legitimate interest in keeping the Service running and secure (Article 6(1)(f) GDPR).
  • Optional feedback you submit through the in-app widget. Forwarded to our private Discord channel along with the proposal id and page URL, so we can investigate. Legal basis: your consent in submitting the form, plus our legitimate interest in improving the Service.

We do not collect special-category data on purpose, and we ask that you do not paste it into the Service.

3. How long we keep your data

  • Proposals. Kept indefinitely while your account is active. On account deletion, your proposals are deleted with the account.
  • Anonymous proposals (created before sign-up). Kept indefinitely. They do not contain your email or any identifier tied to you unless you later claim them by signing in from the same browser.
  • Magic-link tokens (auth_tokens). Stored as a SHA-256 hash, expire 15 minutes after creation, and are single-shot. Stale rows may be cleaned up periodically.
  • Sessions. Sessions last up to 30 days from sign-in and are stored only in a signed httpOnly cookie on your device — there is no server-side sessions table.
  • Payment records and invoices. Retained as long as required by French and EU tax and accounting law (typically 10 years).
  • Server logs. Retained per Vercel's default retention.

To delete your account, email [email protected]. We will action the request within 30 days, as required by Article 12 of the GDPR. Records we are legally required to keep (such as invoices for tax purposes) will be retained for the statutory period.

4. Sub-processors

We use the following sub-processors to operate the Service. They process your data on our behalf, under contract, and only for the purposes listed below.

Provider | Country | Purpose
Stripe Payments Europe, Ltd. | Ireland (EU) | Payment processing for Instaprice plans
Vercel, Inc. | United States | Application hosting and content delivery
Neon, Inc. | United States | Managed Postgres database hosting
Resend (Resend, Inc.) | United States | Transactional email delivery (magic-link sign-in)
Vercel AI Gateway (routing to third-party AI providers) | United States | Analyzes the project descriptions you paste, generates suggested line items and the client-reply email.
Discord Inc. | United States | Receiving optional in-app feedback you submit through the widget

Important: anything you paste into the proposal box is sent to a third-party LLM provider for analysis. That includes client emails or notes you paste in. If a brief contains personal data of a third party (e.g. your client's name, contact details, or project details), you should make sure you have the right to share it before pasting.

5. International transfers

Several of our sub-processors are located in the United States. Transfers of personal data outside the European Economic Area are covered by the European Commission's Standard Contractual Clauses, together with each provider's own data protection commitments. By using the Service, you acknowledge that your data will be transferred to and processed in those countries.

6. Your rights

Under the GDPR and French law, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data deleted, subject to retention obligations we cannot override;
  • receive your data in a portable, machine-readable format;
  • object to processing based on legitimate interest, and withdraw any consent you previously gave;
  • ask us to restrict processing while we resolve a dispute;
  • lodge a complaint with the French data protection authority, the CNIL, at www.cnil.fr.

To exercise any of these rights, email [email protected] from the address on your account. We may need to verify your identity before acting on a request.

7. Cookies

We use a small set of cookies, all first-party:

  • Essential session cookie (session) — set after you sign in. Signed and httpOnly. Required to keep you signed in. Lifetime: up to 30 days.
  • Cookie preferences (cookie_consent) — remembers whether you accepted or declined non-essential cookies. Lifetime: 1 year.

Essential cookies are always on; we cannot run the Service without them. The cookie banner only governs future non-essential cookies (we have not yet wired any). You can change your choice at any time from the .

8. Data security

We apply standard practices for a service of our size: TLS in transit; signed httpOnly session cookies; SHA-256 hashed magic-link tokens (raw tokens never reach the database); vendor-managed databases with restricted credentials; and logging on key events. No system is perfectly secure, and we do not guarantee that ours is.

9. Children

The Service is intended for adults (16+). We do not knowingly collect personal data from children. If you believe a child has provided us with their data, contact us and we will delete it.

10. Changes to this policy

We may update this policy. For material changes, we will notify active accounts by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the latest revision.

11. Contact

For privacy questions or to exercise your rights, email [email protected].