Privacy Policy
Last updated: March 2, 2026
The Short Version
GovTrove is a search tool for government contracts. We are here to provide a service, and that is all we do. Here is what that means for your data:
What we collect and why
- Your email and name — to create your account and send you alerts
- Your searches and saved opportunities — to make the product work for you
- Basic technical data (IP, browser, device) — to keep the service running and secure
- Payment info — handled entirely by Stripe. We never see your card number.
- Passwords — handled entirely by WorkOS. We never see or store them.
What we don't do
- No third-party cookies. None.
- No tracking you across other websites.
- No advertising pixels or retargeting.
- No selling, renting, or sharing your data with anyone for their own purposes. Never have, never will.
- No profiling. No behavioral advertising. No data broker nonsense.
Your control
- Delete your account and we delete your data as soon as possible (typically within 24 hours, at most 30 days).
- You can access, correct, export, or delete your data anytime — email privacy@govtrove.com.
This summary is for convenience. The full legal policy is below.
Full Legal Policy
This Privacy Policy describes how András Hinkel, operating as a Hungarian egyéni vállalkozó (sole proprietor) ("we," "us," "our"), collects, uses, and protects your personal data when you use GovTrove ("Service").
We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR). We are committed to protecting your privacy and handling your data transparently.
1. Data We Collect
1.1 Account Data
When you create an account, we collect:
- Email address
- Name (if provided)
Authentication is handled by WorkOS. We do not store your password — WorkOS manages authentication credentials on our behalf.
1.2 Payment Data
If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not receive, store, or have access to your full payment card details. Stripe provides us with limited information necessary for billing (such as the last four digits of your card, card brand, and billing address) to display in your account and for our records.
1.3 Usage Data
When you use the Service, we collect:
- Search queries you perform
- Opportunities you save or interact with
- Search profiles and alert preferences you configure
- Timestamps and frequency of your use of the Service
1.4 Technical Data
We may collect limited technical data necessary to operate and secure the Service:
- IP address
- Browser type and version
- Device type
- Pages visited and actions taken within the Service
- Error logs and performance data
1.5 Analytics
We use PostHog for product analytics within the GovTrove application. PostHog is configured with memory-only persistence — it does not use cookies or localStorage, and does not track you across websites. Events are tied to anonymous sessions by default; only after you sign in are events associated with your user profile. PostHog data is hosted in the US (PostHog US Cloud). We use PostHog to understand how features are used so we can improve the product. Autocapture is disabled — we only track specific, intentional events such as searches performed, opportunities viewed, and upgrade actions.
We do not use tracking cookies, advertising pixels, or any analytics service that profiles individual users. We do not collect data about your activity outside of GovTrove. See Section 8 (Cookies) for details.
2. Why We Collect Your Data
We use your personal data for the following purposes:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and operate the Service | Account data, usage data | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Account data, payment data (via Stripe) | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (password resets, alert notifications, payment confirmations) | Email address | Performance of contract (Art. 6(1)(b)) |
| Maintain security and prevent abuse | Technical data, account data | Legitimate interest (Art. 6(1)(f)) |
| Diagnose technical issues and improve the Service | Technical data, usage data (aggregated) | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (e.g., tax records, fraud prevention) | Account data, payment data | Legal obligation (Art. 6(1)(c)) |
We do not use your data for any purpose not listed above. We do not use your data for profiling or automated decision-making that produces legal or similarly significant effects.
3. We Do Not Sell Your Data
We do not sell, rent, trade, or otherwise make available your personal data to third parties for their own commercial purposes. We never have and never will. Your trust is fundamental to our business.
4. Third-Party Processors
We use the following third-party services to operate GovTrove. These services process your personal data on our behalf, under our instructions, and are bound by data processing agreements:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| WorkOS | Authentication and user management | Email, name, login events | United States |
| Stripe (not yet active) | Payment processing | Email, name, payment details | United States |
| Amazon Web Services (AWS) | Hosting, infrastructure, email delivery (SES) | All service data | United States |
| Neon | Database hosting (PostgreSQL) | All service data | United States |
| Sentry | Error tracking and performance monitoring | Error stack traces, request metadata, IP address, browser/device info | United States |
| Cloudflare | CDN, DDoS protection, and bot management for our API | IP address, request headers, browser metadata | Global (nearest edge location) |
| Counter.dev | Privacy-focused, cookie-free page view analytics | Anonymous page view counts only (no personal data) | Germany |
We do not share your data with any other third parties. If we add new processors in the future, we will update this policy.
5. International Data Transfers
We are based in Hungary (EU), but our infrastructure and processors are located in the United States. Your personal data is transferred to the United States for processing.
These transfers are protected by appropriate safeguards as required by the GDPR:
- Our US-based processors are certified under the EU-U.S. Data Privacy Framework (DPF), and/or
- We rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
You can request more information about the specific safeguards in place by contacting us at privacy@govtrove.com.
6. Data Retention
We retain your personal data for as long as you maintain an active account with us.
If you delete your account:
- Your account data, saved searches, and usage data are deleted from our systems as soon as practicable, typically within 24 hours and no later than 30 days.
- Stripe retains financial transaction records as required by law (tax and accounting obligations). This is a legal obligation we cannot override, but we inform you of it here for transparency.
- Backup copies may persist for up to 90 days before being automatically purged.
Aggregated, anonymized data that cannot identify you may be retained indefinitely for service improvement purposes.
7. Your Rights Under GDPR
As an EU-based data controller, we provide the following rights to all users, regardless of your location:
- Access: You can request a copy of all personal data we hold about you.
- Rectification: You can ask us to correct inaccurate data or complete incomplete data.
- Erasure ("Right to be Forgotten"): You can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it.
- Data Portability: You can request your data in a structured, commonly used, machine-readable format.
- Restriction: You can ask us to restrict processing of your data in certain circumstances.
- Objection: You can object to processing based on legitimate interest. We will stop processing unless we have compelling legitimate grounds.
- Withdraw Consent: Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at privacy@govtrove.com. We will respond within 30 days as required by GDPR.
If you are unsatisfied with our response, you have the right to lodge a complaint with:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
(Hungarian National Authority for Data Protection and Freedom of Information)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Website: https://naih.hu
Email: ugyfelszolgalat@naih.hu
8. Cookies and Local Storage
GovTrove does not use cookies for authentication or tracking. Instead, we store authentication tokens in your browser's localStorage to maintain your signed-in session. This data stays on your device and is not sent to third parties.
We also store minor user preferences (such as sort order and page size) in localStorage for convenience.
We do not use:
- Analytics or tracking cookies
- Advertising or retargeting cookies
- Third-party cookies
- Any cookies or storage mechanisms that track your behavior across other websites
Cloudflare, which proxies our API traffic, may set strictly necessary cookies (such as __cf_bm) for bot detection purposes. These are first-party, short-lived cookies required for security and are not used for tracking.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- All data in transit is encrypted using TLS/HTTPS.
- Authentication is managed by WorkOS, a dedicated identity provider with industry-standard security practices.
- Database access is restricted to our backend services and is not publicly accessible.
- Payment data is handled by Stripe, a PCI DSS Level 1 certified payment processor.
- We do not store passwords — authentication credentials are managed entirely by WorkOS.
No system is perfectly secure. If you become aware of any security issue related to your account, please notify us immediately at privacy@govtrove.com.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Hungarian data protection authority (NAIH) within 72 hours of becoming aware of the breach, as required by GDPR.
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
- Document the breach and the measures taken in response.
11. Children
GovTrove is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at privacy@govtrove.com.
12. U.S. State Privacy Laws
While we are an EU-based company subject to GDPR, we recognize that some of our users may be located in U.S. states with their own privacy laws (such as California's CCPA/CPRA).
For clarity:
- We do not sell your personal information.
- We do not share your personal information for cross-context behavioral advertising.
- We do not use sensitive personal information for purposes beyond what is necessary to provide the Service.
If you are a U.S. resident and wish to exercise privacy rights under your state's law, you may contact us at privacy@govtrove.com and we will honor your request consistent with applicable law.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by sending an email to the address associated with your account at least 30 days before the changes take effect. The "Last updated" date at the top of this policy reflects the most recent revision.
14. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at:
Data Controller: András Hinkel
Email: privacy@govtrove.com
Website: https://govtrove.com
For GDPR-related inquiries, you may also contact the Hungarian data protection authority (NAIH) at the address listed in Section 7.