Privacy Policy
Last updated: June 26, 2026 · Effective date: June 26, 2026
Plain English summary: PitchFlow reads Upwork job pages so you don't have to copy-paste. We store only the profile data you type in Settings. We never sell your data. We never read your messages, proposals, or other Upwork content beyond the current job page.
1. Who we are
PitchFlow ("we", "us", "our") is a Chrome browser extension and accompanying web service operated by Ludovic Bribaud. Our registered contact email is hello@pitchflow.work.
2. What data we collect
2.1 Data you provide voluntarily
- Profile information — your name, professional headline, skills, bio, hourly rate, and "why me" paragraph entered in the extension Settings. This data is sent to our API to generate proposals.
- Account information — your Google account email address and display name, obtained only when you choose to sign in via Google OAuth.
2.2 Data collected automatically
- Job page content — the title and description text of the Upwork job page currently open in your browser tab, read only when you click "Refresh from page" or "Generate proposal". This content is sent to our API solely to generate your proposal and is not stored permanently.
- Usage metrics — the number of proposals generated per month, used exclusively to enforce the free-plan quota and the Pro subscription limit.
- Server logs — standard HTTP request logs (IP address, timestamp, endpoint) retained for up to 30 days for security and debugging purposes.
2.3 Data we do NOT collect
- We do not read your Upwork messages, bids, earnings, or any page content other than the job currently open.
- We do not track your browsing history or activity outside of Upwork.
- We do not collect payment card numbers — payments are processed directly by Stripe.
3. How we use your data
- To generate AI-powered proposal text tailored to your profile and the job description.
- To authenticate you and maintain your account session.
- To enforce subscription quotas and process payments via Stripe.
- To send transactional emails (account confirmation, quota alerts) via Resend. You may opt out at any time by emailing us.
- To improve the quality of proposal generation (aggregated, anonymised signals only).
4. Legal basis for processing (GDPR)
For users in the European Economic Area, our legal bases are:
- Contract performance — processing your profile data to deliver the proposal generation service you signed up for.
- Legitimate interests — server logs for security; aggregated analytics to improve the service.
- Consent — marketing emails (you may withdraw at any time).
5. Data sharing and third parties
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We share data only with the following service providers, bound by data processing agreements:
- OpenAI — receives the job description and your profile to generate proposal text. OpenAI's Privacy Policy applies.
- Stripe — processes subscription payments. Stripe's Privacy Policy applies.
- Resend — delivers transactional emails. Resend's Privacy Policy applies.
- Railway / cloud hosting provider — hosts our API server within the European Union or United States.
6. Data retention
- Profile data is retained as long as your account is active. You may delete your account and all associated data at any time by emailing hello@pitchflow.work.
- Job description content used for generation is not stored permanently after the response is returned.
- Server logs are purged after 30 days.
7. Your rights
Depending on your jurisdiction, you have the right to:
- Access, correct, or delete your personal data.
- Object to or restrict certain processing.
- Request a portable copy of your data.
- Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any right, email hello@pitchflow.work. We respond within 30 days.
8. Cookies and local storage
The extension uses chrome.storage.local to store your profile settings and authentication token locally on your device. No third-party cookies are set. Our landing page (pitchflow.work) does not currently use analytics cookies.
9. Security
All data is transmitted over HTTPS/TLS. Authentication tokens are short-lived JWTs stored only in extension local storage. We do not store passwords. Stripe handles all payment card data and is PCI-DSS Level 1 certified.
10. Children
PitchFlow is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice in the extension. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For any privacy-related questions or requests:
© 2026 PitchFlow. All rights reserved.