gpupartner.com — privacy

Privacy policy

Draft — counsel review pending. The summary below describes current practices; the formal policy is being prepared.

What we collect

Account data (name, email, OAuth profile fragments) via Auth.js. RFQ submissions you create. Contact data you provide for quote routing. Server-side request metadata (IP address, user-agent) attached to audit-log entries for security and dispute resolution.

Cookies and storage

One session cookie (authjs.session-token) for authentication. Optionally a PostHog distinct-id cookie for product analytics — opt out at /settings/privacy. Payload CMS sets its own session cookie for staff use of the admin shell. Local-storage entries from PostHog when not opted out.

Third-party processors

Resend (transactional email), PostHog (product analytics — opt-out available), Sentry (error reporting — server-side only, with PII redaction), AWS S3 (data export bundles for GDPR Article 15 requests), Inngest (background-job orchestration). Data flows are limited to what each integration requires.

Your rights

You can export every record we hold about you (GDPR Article 15) and request anonymization (Article 17, 7-day cancellation window) from /settings/privacy. Transactional records (RFQs, contracts, audit log) are retained per legal obligation under Article 17(3)(b)/(e) after anonymization.

Contact

Questions: hello@gpupartner.com.