This policy explains what information Strategic Pursuit collects when you use our website and product, why we collect it, who processes it on our behalf, how long we keep it, and the choices and rights you have. We wrote it to be read, not endured — plain language first, with the formal detail where it matters.
1.Who we are
Strategic Pursuit is a federal-funding intelligence product operated by DuBois Company (“Strategic Pursuit,” “we,” “us”). Strategic Pursuit is a DuBois Company Practice. For the purposes of applicable data-protection law, we are the controller of the personal information described in this policy.
Contact for privacy questions: privacy@strategicpursuit.ai · A postal mailing address is available on request at that address.
2.The short version
We collect the account and usage data needed to run the product, bill you, and keep it secure — nothing we don't use. We don't sell your personal information. The federal data inside a dossier comes from official public sources, not from you. You can access, correct, export, or delete your account data by emailing privacy@strategicpursuit.ai. The detail is below.
3.Information we collect
We collect the following categories of information.
Information you give us
- Account and identity — name, work email, password (stored only as a salted hash, never in plaintext), and, if you sign in with Google, the basic profile and email your Google account shares with us.
- Organization — your tenant/firm or institution name, your segment selection (civil firm, higher-ed, or both), team-member invitations you send, and the role assigned to each member.
- Billing — handled by Stripe. We receive a customer identifier, plan, billing status, and billing-period dates from Stripe; we do not receive or store your full card number.
- Run inputs — the entity you ask us to analyze (a U.S. city or a degree-granting institution). This is the name of a public entity, not personal information about you. We retain run inputs and the resulting dossiers under your tenant so your saved history works.
Information collected automatically
- Usage and product telemetry — runs started, run type ([CITY] / [INST]), feature use, and aggregate counts used to enforce plan limits and our 30-runs-per-hour throttle.
- Device and log data — IP address, browser/user-agent, timestamps, and error logs, used for security, rate-limiting, and debugging.
- Analytics — see Section 6 (Cookies and analytics). Analytics load only when enabled and, in consent-required regions, only after you consent.
What we do NOT collect
- We do not ingest student-level records. The higher-ed dossier uses only publicly posted Federal Student Aid (FSA) aggregate data — never NSLDS or any student-level data.
- We do not collect special-category personal data, and we ask you not to submit it through the product.
4.How we use information
We use the information above only to:
- provide, operate, and secure the product (including authenticating you, enforcing email verification, and running rate limits);
- generate, stream, and store your dossiers and run history;
- process payments, manage your subscription, and prevent billing fraud (via Stripe);
- send transactional messages you need — verification, password reset, invitations, billing notices, and service notices (via Resend);
- measure and improve the product in aggregate; and
- comply with law and enforce our Terms of Service.
Where a legal basis is required (e.g. under the GDPR/UK GDPR), we rely on: performance of our contract with you (operating the product and billing); our legitimate interests (security, fraud prevention, product improvement); your consent (analytics cookies where required); and legal obligation (tax and records). We do not use your data to train third-party AI models, and we do not sell your personal information.
5.Service providers and subprocessors
We share personal information with a small set of vetted service providers (subprocessors) strictly to operate the product. Each is bound by contract to process data only on our instructions. We do not sell your data and we do not share it for cross-context behavioral advertising.
| Subprocessor | Role | Data it processes |
|---|---|---|
| Vercel | Application hosting and edge delivery | Request/log data, IP, served content. |
| Neon | Managed Postgres database | Account, tenant, run history, usage, and billing-state records. |
| Stripe | Payment processing and subscription billing | Billing identity, card data (held by Stripe, not by us), plan and payment status. |
| Anthropic | AI model that orchestrates the research loop | The entity name and intermediate research context for a run. We do not send your account credentials or billing data to the model, and dossier facts are re-fetched server-side from official sources rather than trusted as model output. |
| Optional sign-in (OAuth) and, when enabled, Google Analytics 4 | For OAuth: the profile/email you authorize; for GA4: see Section 6. | |
| Resend | Transactional email delivery | Recipient email and message content for verification, reset, invitation, and billing notices. |
The authoritative, dated list of subprocessors — including any added after this policy's effective date — lives on our Security & Trust page at /security. Federal data sources that populate a dossier (for example Census ACS, USAspending, OpenFEMA, Grants.gov, IPEDS, NSF, NIH RePORTER) are official public sources we query on your behalf; they are documented there as well.
This product uses the Grants.gov API but is not endorsed or certified by the U.S. Department of Health and Human Services.
We may also disclose information when required by law, to protect our rights or users' safety, or in connection with a merger or acquisition (with notice to you where required).
6.Cookies and analytics (GA4 consent)
We use a small number of cookies and similar technologies:
- Strictly necessary — authentication, session, and security cookies that keep you signed in and protect the product. These cannot be turned off without breaking the service.
- Analytics — when Google Analytics 4 is enabled, it helps us understand aggregate usage so we can improve the product. GA4 loads after the page is interactive and never blocks the experience. In regions that require consent (for example the EU/UK under ePrivacy/GDPR, and where applicable under U.S. state law), analytics cookies load only after you consent through our cookie banner, and you can change your choice at any time by clearing this site's saved consent in your browser, which re-opens the banner. Where analytics are not enabled, no analytics script or cookie loads at all.
Your browser's “Do Not Track” / Global Privacy Control signal is honored as an opt-out of non-essential analytics where applicable. We do not use cookies for cross-site advertising.
7.Data retention
We keep personal information only as long as we need it for the purposes above.
- Account and tenant data — for the life of your account, then deleted or anonymized within 90 days of account closure, unless we must keep it longer for legal, tax, or audit reasons.
- Dossiers and run history — retained under your tenant so your saved history works; deleted with your account or on request.
- Billing records — retained as required by tax and accounting law (typically 7 years).
- Logs and security data — retained for 12 months, then rotated out.
- Backups — purged on a rolling cycle; deleted data persists in backups only until the backup ages out.
8.Your rights and choices
Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. Specifically:
- Access and export — request a copy of the account data we hold about you.
- Correction — fix inaccurate information (you can edit much of it in Settings).
- Deletion — close your account and request deletion of your personal data.
- Opt out — turn off non-essential analytics cookies at any time.
- No sale / no sharing — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of there.
To exercise any right, email privacy@strategicpursuit.ai. We will verify your request and respond within the time the law requires (generally 30–45 days). You may also authorize an agent to act for you. We will not discriminate against you for exercising a right. If you are in the EEA/UK and believe we've mishandled your data, you may lodge a complaint with your supervisory authority — though we'd appreciate the chance to resolve it first.
9.International transfers, children, and security
International transfers. We and our subprocessors operate primarily in the United States. Where we transfer personal data out of the EEA/UK, we rely on appropriate safeguards such as the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable).
Children. Strategic Pursuit is a business tool intended for professional users. It is not directed to children and we do not knowingly collect personal information from anyone under 16. (Note: although we serve degree-granting institutions, we never collect student-level data — see Section 3.)
Security. We protect your data with encryption in transit, hashed passwords, least-privilege access, and the controls described on our Security & Trust page at /security. No system is perfectly secure, but we treat trust as something enforced, not promised.
10.Changes and contact
Changes to this policy. We may update this policy as the product and the law evolve. When we make a material change, we'll update the effective date above and, where required, notify you by email or in-product before it takes effect.
Contact. Questions, requests, or concerns? Email privacy@strategicpursuit.ai (a postal address is available on request). We read these.
Strategic Pursuit — A DuBois Company Practice.