Privacy Policy
Last updated: 6 June 2026
PROCAI ("we", "us", "our") provides an AI-native procurement platform at procai.world. This page explains what data we collect, how we use it, and the choices you have.
1. Data we collect
- Account data — name, email, organisation, and authentication tokens you provide when you sign up or sign in.
- Procurement data — supplier records, request-for-quote (RFQ) drafts, quotations, comparison sheets, and any documents you upload.
- Mailbox data — when you connect a Gmail, Outlook, or custom-SMTP mailbox, we store the access/refresh tokens (or SMTP credentials, encrypted at rest) needed to send RFQs from your address on your behalf.
- Usage data — basic telemetry (page views, API call counts) used to improve the product. No third-party advertising cookies.
2. How we use Google user data
When you connect a Gmail account to PROCAI, you grant us two scopes:
- https://www.googleapis.com/auth/gmail.send — used only to send the RFQ emails you compose in PROCAI through your own Gmail account, so that suppliers receive a message from your real address.
- https://www.googleapis.com/auth/gmail.readonly — used only to detect delivery failures. After you send an RFQ, our automated poller scans only the automated bounce notifications in your inbox (messages from mailer-daemon/postmaster) to find addresses that could not be reached, and marks the matching recipient as "undelivered" on your RFQ dashboard. We compare a bounce only against recipients of RFQs you sent through PROCAI — never against any other message in your mailbox.
Limited Use: PROCAI's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We do not use Gmail data to develop, improve, or train generalised AI / ML models.
- We do not sell or share Gmail data with third parties for advertising, marketing, or any other purpose.
- The only messages we ever read are the automated delivery-failure notifications (postmaster/mailer-daemon) needed to flag undelivered RFQs. We do not read your personal email, conversations, contacts, or any human-sent messages, and we do not access messages unrelated to RFQs you sent through PROCAI.
- We do not retain Gmail message bodies on our servers — we keep only the metadata (subject, recipient address, sent-at, and delivered/undelivered status) needed to display your RFQ history.
- Humans never read your Gmail data except (a) with your explicit permission when you request support, (b) when required by law, or (c) to investigate security incidents.
You may revoke PROCAI's access at any time at myaccount.google.com/permissions, or from the PROCAI dashboard (Settings → Connected mailboxes → Disconnect).
3. How we use Microsoft 365 / Outlook data
The same principles apply to Microsoft 365 mailboxes. We request Mail.Send and Mail.Read (the latter only to detect bounces from postmaster/mailer-daemon messages and update your RFQ dashboard). We do not read, store, or use any other messages in your Outlook inbox.
4. How we use custom SMTP/IMAP data
When you connect a custom-domain mailbox by SMTP/IMAP, the credentials you supply are encrypted at rest with AES-256-GCM before being persisted. The plaintext password lives in memory only for the brief window of an outbound send or IMAP poll. We never share or export these credentials.
5. Data sharing
We share data with the third-party infrastructure providers needed to operate the platform — currently: DigitalOcean (hosting), Cloudflare (DNS + CDN), Resend (outbound email infrastructure for platform-sent messages), and OpenRouter / Anthropic / Google Vertex (LLM inference for supplier-search and BOQ parsing, on the documents you submit for those features). We do not sell personal data to anyone.
6. Retention
Account, procurement, and mailbox data remain in your account until you delete it. Deleting your organisation purges all associated rows within 30 days. You may request a full export or deletion by emailing [email protected].
7. Security
Data in transit is encrypted with TLS 1.2+. SMTP/IMAP passwords are encrypted at rest with AES-256-GCM. OAuth tokens are stored in our managed PostgreSQL with column-level encryption. We follow the principle of least privilege for internal access.
8. Children
PROCAI is a B2B procurement tool and is not directed to anyone under 16.
9. Changes
We may update this policy. Material changes will be notified by email to your account address at least 14 days before they take effect.
10. Contact
Privacy questions, data export, or deletion requests: [email protected].
