1. Data controller
The controller is Studio Imagine, Dhaka, Bangladesh. Inquiries: privacy@notish.app. Verified requests answered within 30 days.
2. What we collect
2.1 At signup
- Email (required) — authentication, weekly digest, service-critical contact.
- Name (optional) — personalization.
- User type (Individual / Firm / Both).
- Firm name (optional) — stored for your reference; not displayed publicly.
- Phone (optional in v1; required at paid-tier launch).
2.2 Through use
- Declared interests — categories, sources, keywords, min amount.
- Tracker activity — your private opportunity history and notes.
- Waitlist signals — intent + price-slider value per locked feature.
- Communications — emails or feedback you send.
2.3 Automatically
- Account events, usage data, device/browser data.
- Browser fingerprint — non-reversible hash; solely for duplicate-account detection. Cannot identify you outside Notish; not shared with third parties.
- Behavioral signals at signup — form-fill timing for automation detection. Discarded after 90 days unless flagged.
- Coarse geolocation from IP for source eligibility.
- Cookies and local storage — Section 9.
2.4 From third parties
- Google OAuth — email + basic profile. We don't receive contacts, calendar, files.
- Payment processors (future) — subscription status, last-4, billing country.
2.5 What we don't collect
Government IDs, full card details, microphone/camera/contacts/calendar/files, broker data, advertising tracking pixels.
3. How we use it
| Purpose | Basis |
|---|---|
| Authenticate, run your account | Contract |
| Deliver relevant opportunities | Contract |
| Email digest + web push | Contract |
| Proposal tracker | Contract |
| Aggregate bid intelligence | Legitimate interest |
| Anti-abuse / fraud detection | Legitimate interest |
| Operate, debug, improve | Legitimate interest |
| Legal / regulatory compliance | Legal obligation |
We do not use personal data for marketing nurture sequences, retention blasts, re-engagement, or cross-selling.
4. Bid intelligence aggregation
4.1 Three anonymized counts per opportunity: viewed by N users, N marked interested, N claim to have submitted.
4.2 Aggregate counts only — no identities, amounts, or content. DB-side function returning counts, not user lists.
4.3 Below a 500-user per-category threshold, aggregates hidden. Threshold waived during the 2-month beta from launch.
4.4 Your individual interaction history is never displayed to other users.
4.5 Falsified self-reporting patterns may lose bid-intelligence access; human-reviewed.
5. Who we share with
Service providers — Supabase (auth, DB, storage), Vercel (frontend), Resend (email), Sentry (errors), Plausible/PostHog (analytics, no cookies), GitHub Actions/Coolify (scrapers). Each receives minimum data needed.
Authentication providers — Google (if you use Google sign-in).
Future payment processors — Stripe / SSLCommerz, for paid tiers.
Source portals — see our server IP only, not your identity.
Legal disclosure — only with valid court orders or government demands. Where lawful, we'll notify you first.
Business transfer — to a successor entity bound by this Policy or by a successor policy that is substantially as protective.
We don't sell personal data, rent contact lists, share with advertisers, or share individual user data with other Notish users.
6. International transfers
Cloud infrastructure may host data in Singapore, Mumbai (AWS), or other regions selected by Supabase / Vercel. Standard data-processing agreements are in place with all processors. EU SCCs or equivalents will be adopted where required as we expand.
7. Retention
| Data | Retention |
|---|---|
| Active account data | Lifetime of account |
| Tracker history | Lifetime unless deleted |
| Bid intelligence aggregates | Indefinite (anonymized) |
| Waitlist signals | Until paid launch, then anonymized |
| IP logs | 12 months |
| Fingerprint hash | 24 months or until deletion |
| Signup behavioral timing | 90 days unless flagged |
| Email delivery logs | 90 days |
| Audit log | Indefinite (security) |
| Backups | Rolling 30 days |
| Deleted account data | 14 days + max 30 days backup |
8. Your rights
Access: Settings → Privacy → Download my data (exports a CSV).
Correction: Most data editable from Settings.
Deletion: Settings → Privacy. Final after 14-day grace.
Object to legitimate-interest processing: Write to privacy@notish.app.
Withdraw consent: Web push can be turned off from Settings → Notifications.
Portability: CSV export is machine-readable.
Supervisory authority complaint: Available in your country.
9. Cookies
- Auth cookies (HttpOnly, Secure, SameSite=Lax) — keep you signed in.
- Theme preference (local storage).
- Onboarding state (local storage).
- PWA install state (local storage).
No marketing or advertising cookies. No cross-site tracking.
10. Security
TLS everywhere, encryption at rest, Row-Level Security, audited admin access, secure auth tokens, regular dependency updates. Breach notification within 72 hours where law requires. Concerns: security@notish.app.
11. Automated decision-making
Relevance scoring is rule-based filtering by your declared preferences. Anti-abuse flagging uses fingerprint / IP / timing signals, but suspension and termination are never solely automated — every flag is human-reviewed.
12. Children's privacy
Notish is for adult professionals. Not directed at under-18s. We don't knowingly collect from under-18s.
13. Changes to this Policy
"Last updated" reflects revisions. Material changes get 30 days' notice. Continued use after the effective date constitutes acknowledgment.
14. Contact
15. Jurisdiction-specific notices
Bangladesh: compliance with ICT Act and successor legislation.
EEA / UK / Switzerland: GDPR-equivalent rights honored (Section 8). Legal bases in Section 3.
India: DPDP Act 2023 acknowledged. Rights via privacy@notish.app.
Elsewhere: Mandatory local protections apply where they cannot be excluded by contract.
This Privacy Policy is intended to be read alongside the Terms of Service. Where the two conflict, the Privacy Policy controls for personal information.