Privacy policy.
Augur is built around the procurement contractor’s data, not around marketing surveillance. This policy describes what we collect, why we collect it, who we share it with (very few people), and the rights you have over it.
1. What we collect
Account information
When an administrator creates an account for you, or when you bootstrap the first admin on a fresh deployment, we store: your work email address, a salted PBKDF2 hash of your password (never the password itself), your role (admin or operator), your account status, and a timestamp of your last login.
Search preferences
We store the search-profile preferences you enter under My settings: default NAICS codes, default PSC codes, score-boost keywords, and any preferred-agency list. This is data you typed in yourself; we use it only to apply your defaults when you open the Search tab.
Watchlist
The team watchlist you build inside the app stores the solicitation identifiers, titles, agencies, and metadata you choose to track. This data originates from public SAM.gov listings; we store it inside your deployment because tracking decisions are private to your team.
Session data
When you sign in we create a session record containing: a SHA-256 hash of the session token, your user ID, the issuance and expiry timestamps, and a CSRF token used for double-submit verification. We never store the raw session token; only its hash.
Audit log
Every authentication event, password change, role change, and watchlist mutation is recorded in an activity log. Each entry contains: timestamp, actor (email at time of event), action, optional detail, target user (for administrative actions), IP address, and user agent. Administrators on your team can read this log; we use it only for security and audit purposes.
SAM.gov request metadata
When you run a search, the request is proxied through our infrastructure to api.sam.gov. We do not log the queries themselves; the request goes through the proxy only so we can attach the team’s SAM.gov API key on the server side rather than exposing it to the browser. SAM.gov applies its own logging on its end.
2. What we do NOT collect
- We do not run third-party analytics. No Google Analytics, no Segment, no Mixpanel, no Heap, no Hotjar, no FullStory.
- We do not run third-party advertising trackers. There are no ads in the product and no ad pixels on the marketing site.
- We do not use your content to train AI models for other customers or third parties.
- We do not collect device fingerprints beyond the IP and user agent already recorded in the audit log.
- We do not require or process any cookies beyond the
auth_sessionandcsrf_tokencookies necessary to keep you signed in.
3. Cookies
| Name | Purpose | Type | Expiry |
|---|---|---|---|
auth_session |
Authenticates your signed-in session. | Strictly necessary · HttpOnly · Secure · SameSite=Strict | 30 days, sliding |
csrf_token |
Double-submit CSRF protection on state-changing requests. | Strictly necessary · Secure · SameSite=Strict | 30 days, sliding |
Both cookies are strictly necessary for the Service to function and are exempt from consent requirements under common privacy frameworks (e.g. ePrivacy Article 5(3) exemption for cookies strictly necessary for a service explicitly requested by the user).
4. Where your data lives
Augur runs on Cloudflare. Application logic executes on Cloudflare
Workers / Pages Functions distributed across Cloudflare’s global
edge. Persistent data (users, sessions, audit log, team watchlist)
is stored in Cloudflare D1, an edge-replicated SQLite database. The
primary region is configurable per-deployment; most U.S. customers
run in wnam (Western North America) or enam
(Eastern North America).
Each customer deployment is logically isolated; one team’s D1 database is never queried by another team’s Worker. There is no cross-customer model training, ever.
5. Who we share data with
We share your data only with sub-processors strictly necessary to run the Service:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Cloudflare, Inc. | Hosting (Pages, Workers, D1), DNS, TLS, DDoS mitigation | All Service data, processed under Cloudflare’s DPA |
| GSA / SAM.gov | Public procurement data source | Search queries you initiate (no PII attached at the protocol level) |
| Google Fonts | Web font delivery for marketing pages and login | IP address, user agent (handled by Google per their policy) |
We do not sell your data. We do not share your data with advertisers, data brokers, or marketing platforms. Government legal-process requests are reviewed on a case-by-case basis and we will notify affected customers before complying unless legally prohibited.
6. Retention
- Account records are retained for as long as the account is active, plus 30 days after deletion for audit purposes, after which they are permanently removed.
- Session records expire automatically after 30 days of inactivity and are garbage-collected opportunistically.
- Audit log entries are retained for one year by default. Customers may configure longer retention to meet their own compliance posture.
- Watchlist content persists until you remove it.
7. Your rights
Depending on where you live, you may have rights under the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the California Consumer Privacy Act (CCPA / CPRA), or similar laws, including the rights to access, rectify, port, restrict, or delete your data, and to object to its processing.
To exercise any of these rights, email privacy@augurai.app. We respond to verifiable requests within 30 days. We do not charge a fee for reasonable requests.
8. Security
Passwords are stored as PBKDF2-SHA-256 hashes with per-user salts and 100,000 iterations. Session tokens are stored as SHA-256 hashes; the raw token only exists in your HttpOnly, Secure, SameSite=Strict cookie. All communication runs over TLS 1.2+. See our Security page for full details on the platform’s security posture and our responsible disclosure policy.
9. Children
The Service is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has provided data, email privacy@augurai.app and we will delete it.
10. International transfers
Cloudflare operates a global edge network. If you access the Service from outside the U.S., your data may be processed in the U.S. or other countries where Cloudflare maintains infrastructure. Transfers are governed by the Cloudflare DPA, which incorporates EU Standard Contractual Clauses where applicable.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced via the Service or by email at least 30 days before they take effect.
12. Contact
Privacy questions or requests: privacy@augurai.app
Data Protection Officer: Augur AI, Inc., Attn: DPO, Delaware, USA.