
Privacy Policy

Last updated: April 2026

1. Information We Collect

Account information: Name and email address, provided through our authentication provider (Clerk).

Organization data: Company name, team members, and subscription details.

Uploaded documents: Purchasing quotes, vendor documents, and other procurement files you upload to the Service.

Usage data: Pages visited, features used, and interaction patterns to improve the Service.

2. How We Use Your Data

We use your data to:

  • Provide the Service — process documents with AI, generate analytics, and display dashboards
  • Manage your subscription and billing
  • Send transactional emails (trial reminders, subscription updates, security alerts)
  • Improve the Service using aggregated, anonymized usage patterns

3. Third-Party Services

We use the following third-party services to operate Purchasing Notebook:

  • Clerk — Authentication and user management
  • Stripe — Payment processing and subscription billing
  • Anthropic (Claude) — AI document processing and data extraction
  • Amazon Web Services (S3) — Secure document storage
  • Turso — Per-tenant isolated database hosting
  • Resend — Transactional email delivery
  • Vercel — Application hosting and first-party performance analytics

On public marketing pages only (home page, pricing, contact, terms, privacy, sign-up, get-started), and subject to your cookie consent, we also use the following advertising and analytics providers:

  • Google Analytics 4 and Google Ads (Google LLC / Google Ireland Limited) — Measures visits to our marketing pages, attributes sign-ups to advertising campaigns, and powers conversion reporting. We use Google’s Enhanced Conversions feature, which sends a SHA-256 hash of your email address to Google so that signup conversions can be matched to ad clicks. We enable IP anonymization on Google Analytics and run Google Consent Mode v2 so that no advertising or analytics cookies are set until you accept. Google Privacy Policy.
  • LinkedIn Insight Pixel (LinkedIn Ireland Unlimited Company) — Measures visits to our marketing pages and sign-up conversions attributed to LinkedIn advertising campaigns. We use a server-side 1×1 image pixel only — we do not load LinkedIn’s full Insight Tag JavaScript, so no page content is scraped from your browser. The pixel is only loaded on public marketing pages and only after you accept advertising cookies. LinkedIn Privacy Policy.

Important: None of these advertising or analytics providers operate inside the authenticated application. Your uploaded documents, extracted procurement data, vendor names, part numbers, and any other tenant data are never sent to Google, LinkedIn, or any other ad network.

Each provider processes data in accordance with their own privacy policies. We select providers that maintain industry-standard security practices and, where required, have signed Data Processing Addenda with us.

4. Data Storage and Security

Each organization’s data is stored in an isolated database. There is no cross-tenant data access. Documents are stored in Amazon S3 with server-side encryption. All data is encrypted in transit via TLS.

We implement access controls, audit logging, and security best practices to protect your data.

5. Data Sharing

We do not sell your personal data or procurement data. We do not share individually identifiable data with third parties except as required to operate the Service (see Third-Party Services above) or as required by law.

We may use anonymized, aggregated data for product improvement and industry benchmarking. This data cannot be traced back to any individual or organization.

6. Data Retention

Active subscription: Data is retained for the duration of your subscription.

After cancellation: Data is retained for 90 days to allow for reactivation.

Deletion: After the 90-day retention period, a final warning email is sent. Data is permanently deleted 30 days after the warning. Deletion is irreversible.

7. Your Rights

You have the right to:

  • Access — Request a copy of your data
  • Export — Download your data in standard formats (CSV)
  • Correction — Update inaccurate information
  • Deletion — Request permanent deletion of your data and account
  • Opt-out — Unsubscribe from non-essential emails

To exercise any of these rights, contact support@purchasingnotebook.com.

8. Cookies and Tracking Technologies

Essential cookies (always on): We use essential cookies required for authentication (provided by Clerk) and session management. These cookies are strictly necessary to deliver the Service and do not require consent under GDPR Art. 6(1)(f) or the ePrivacy Directive Art. 5(3) “strictly necessary” exception.

Analytics and advertising cookies (opt-in only): On our public marketing pages only, and only with your prior consent, we set analytics and advertising cookies on behalf of the third-party providers listed in Section 3 (Google Analytics 4, Google Ads, LinkedIn). These cookies measure marketing performance, power conversion reporting, and build audience segments for retargeting.

Your choice: On your first visit, we show a cookie banner asking you to accept or reject non-essential cookies. We implement Google Consent Mode v2, which means that until you accept, no analytics or advertising cookies are set and only cookieless signals are sent to Google. You can change your decision at any time by clearing your browser storage for this site or by contacting us at support@purchasingnotebook.com.

No tracking inside the application: Analytics and advertising cookies are never loaded inside the authenticated application. Once you sign in, only essential session cookies are active.

9. Legal Bases for Processing (GDPR)

For visitors in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under Article 6 of the GDPR:

  • Contract (Art. 6(1)(b)): Account creation, subscription management, document processing, and other activities necessary to deliver the Service.
  • Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, product improvement using aggregated data, and transactional emails.
  • Consent (Art. 6(1)(a)): Analytics and advertising cookies on public marketing pages (Google Analytics, Google Ads, LinkedIn). You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Retention of billing and tax records as required by applicable law.

EEA/UK/Swiss residents also have the right to lodge a complaint with their local data protection authority.

10. International Data Transfers

Purchasing Notebook is operated from the United States. Several of our service providers (Google, LinkedIn, Stripe, AWS, Anthropic, Clerk, Vercel, Resend) are based in or transfer data to the United States. Where personal data is transferred from the EEA, UK, or Switzerland to the United States, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days’ notice via email to organization admins. The “Last updated” date at the top reflects the most recent revision.

12. Contact

Questions about this Privacy Policy? Contact us at support@purchasingnotebook.com.

Sierra PLM LLC

© 2026 Sierra PLM LLC. All rights reserved.