Skip to content

Subprocessors

Service providers that help operate PropoKit.

PropoKit uses selected service providers to run the app, protect accounts, process payments, send transactional emails, support connected workflows, and improve reliability.

PropoKit is operated by Denali Tech Inc.

Provider status labels

Active

Used as part of normal PropoKit operation.

Conditional

Used only when a feature is enabled, connected, or requested.

Consent-based

Used only when allowed by consent settings and only on approved surfaces.

Not active

Not currently used and should not be listed as active.

What a subprocessor is

A subprocessor is a service provider that may process information on behalf of PropoKit so we can operate the product. These providers may help with hosting, authentication, database, storage, payments, email delivery, connected integrations, diagnostics, analytics, or AI-assisted features.

The type of data processed depends on how you use PropoKit and which features are active for your account.

How to read this page

Some providers are part of the core PropoKit app. Some apply only if you use a specific feature, such as QuickBooks or AI-assisted drafting. Microsoft Clarity applies only after analytics consent. Google Analytics may load only on approved public pages under Consent Mode, with storage and reporting determined by your consent choice.

Important: check each provider's status label — Active, Conditional, Consent-based, or Not active — to see whether it applies to your account.

Current subprocessors

Each provider card below shows its purpose, status, data categories, and notes.

Firebase / Google Cloud

Purpose: Hosting, authentication, database, storage, Cloud Functions, app infrastructure, security, and product operation.

Status: Active.

Data categories: Account data, authentication data, workspace data, customer/project/proposal data, files, app settings, account-safety records, logs, and operational metadata.

Notes: Core PropoKit infrastructure.

Stripe

Purpose: Payment processing, checkout, billing portal, subscriptions, invoices, failed-payment handling, payment events, and billing support.

Status: Active when billing or checkout is used.

Data categories: Billing contact information, subscription metadata, plan state, payment event metadata, customer billing identifiers, invoices, and payment-processing data.

Notes: PropoKit should not store full payment card numbers. Payment card details are handled by the payment processor.

Intuit / QuickBooks

Purpose: QuickBooks connection, customer matching, accepted-work preparation, invoice or estimate handoff, and integration state when authorized by the user.

Status: Conditional.

Data categories: Connection state, safe sync metadata, customer matching data, accepted proposal details, line items, pricing data, and invoice/estimate handoff information.

Notes: Applies only when QuickBooks is connected or used. QuickBooks remains the accounting system of record.

Resend or transactional email provider

Purpose: Transactional email delivery, including verification, account-safety, data export, billing, support, team invite, partner application, and workflow-related emails.

Status: Active if configured for email delivery.

Data categories: Email address, sender/recipient metadata, template data needed to send the message, delivery status, and email event metadata.

Notes: Transactional emails should not include raw secrets, public export URLs, delete tokens, payment card details, or unnecessary private data.

OpenAI or approved AI provider

Purpose: AI-assisted drafting, proposal content support, scope/objective drafting, summaries, and workflow assistance where AI features are used.

Status: Conditional.

Data categories: Prompt text, business profile details, project/proposal context, user-provided text, generated output, and related request metadata.

Notes: Only the information needed for the AI-assisted feature should be sent. Do not send secrets, payment card details, QuickBooks login credentials, API keys, or unnecessary sensitive information.

Microsoft Clarity

Purpose: Public-site analytics and behavior understanding on approved public marketing pages after analytics consent.

Status: Consent-based, if enabled.

Data categories: Public-page usage data, browser/device information, interaction data, page behavior, and diagnostic metadata.

Notes: Should not run on dashboard, billing, account deletion, data export, public proposal view, auth, or private account/workflow surfaces in the current privacy model.

Google Analytics (Google LLC)

Purpose: Public-website traffic, audience, and usage measurement on approved public pages under Consent Mode.

Status: Active only on approved public website pages under Consent Mode.

Data categories: Public-page views, referral/traffic source, approximate location, browser/device information, and interaction events such as call-to-action clicks. Before consent, analytics and ad storage remain denied and only limited cookieless, aggregate measurement pings may be sent.

Notes: Accepting analytics enables additional storage and more detailed reporting. Google Analytics never runs on dashboard, billing, account deletion, data export, public proposal view, auth, or private account/workflow surfaces.

Google Ads (Google LLC)

Purpose: Paid customer acquisition and linked campaign reporting for PropoKit.

Status: Paid campaign delivery is paused. There is no standalone Google Ads pixel on site.

Data categories: Campaign/ad interaction metadata; Google Analytics 4 intent events such as start_trial_click; and a sign_up event containing only the sign-in method category after Firebase confirms a new account.

Notes: start_trial_click records landing intent or a CTA click, not a completed signup, trial, or purchase. sign_up counts email/password accounts only after email verification and Google/Microsoft accounts only when Firebase reports a new federated user; it does not include the account email, name, or user ID. The signup event is not yet a proven primary Google Ads import, so paid delivery remains paused. Ad landings may use /?intent=start_trial. Standalone remarketing tags are not installed on site today.

Sentry or diagnostics provider

Purpose: Browser or server diagnostics, error monitoring, reliability investigation, and performance troubleshooting if enabled.

Status: Conditional.

Data categories: Error information, browser/device metadata, route/page context, stack traces, and diagnostic metadata.

Notes: Should be configured to avoid unnecessary private data, tokens, passwords, payment details, QuickBooks credentials, export links, delete links, and private proposal/customer content.

Firebase Performance Monitoring (Google LLC)

Purpose: Reliability/performance diagnostics on the signed-in workspace app — measuring page-load and key workflow durations (such as opening the product library or generating a proposal) to find and fix slow paths.

Status: Active on the signed-in workspace as a legitimate-interest reliability tool.

Data categories: Anonymous timing measurements (durations), coarse browser/device and network-type metadata, and an anonymous installation identifier. No request URLs, request/response bodies, proposal content, customer content, or account-safety content.

Notes: Automatic instrumentation (page and network-request capture) is disabled; only custom duration traces are sent. Runs on the workspace only, never on the public proposal view, billing, export, delete, or account-safety surfaces.

PostHog or product analytics provider

Purpose: Product analytics or event forwarding if configured.

Status: Conditional; not active unless configured and used.

Data categories: Product usage events, browser/device metadata, route/page context, and analytics metadata.

Notes: Not active unless product analytics forwarding is configured.

Providers not currently active

PropoKit should not list advertising or retargeting providers as active unless they are actually installed, configured, disclosed, and consented where required.

  • Google Tag Manager.
  • Meta Pixel.
  • TikTok Pixel.
  • LinkedIn Ads Insight Tag.
  • Public coupon or affiliate tracking platforms.
Important: if marketing tags are added later, the Cookie Notice, Privacy Policy, consent behavior, and this Subprocessors page should be updated before they are used.

Data categories providers may process

Depending on the feature, subprocessors may process different categories of data.

Account data

Name, email, user ID, account access state, role, plan state, and authentication metadata.

Business profile data

Company name, logo, business contact details, address, website, terms, and proposal defaults.

Customer and project data

Customer names, contact details, project names, notes, files, project status, and related job information.

Proposal data

Proposal sections, products and services, pricing, terms, versions, PDFs, email drafts, signing links, status, and accepted-work details.

Billing data

Plan, subscription status, billing event metadata, payment processor identifiers, invoices, and cancellation state.

Integration data

QuickBooks connection state, safe sync metadata, customer or item matching information, and accepted-work handoff data.

Support data

Support messages, feedback, problem reports, safe screenshots or attachments, and communication history.

Analytics and diagnostics data

Browser, device, page, error, performance, consent, and telemetry information where enabled and allowed.

Feature-based providers

Some providers are only involved when you use a specific feature.

  • If you use billing or checkout, Stripe may process billing-related data.
  • If you connect QuickBooks, Intuit may process connected workflow data.
  • If you use AI-assisted drafting, the AI provider may process the prompt and related proposal context.
  • Google Analytics may process limited cookieless aggregate pings on approved public pages while analytics and ad storage are denied; accepting analytics enables additional storage and reporting.
  • If you accept analytics, Microsoft Clarity may process public-page analytics data on approved public website pages.
  • Google Ads paid campaign delivery is paused. Linked reporting may include GA4 start_trial_click intent and Firebase-confirmed sign_up events, but the signup import is not yet proven and no standalone Ads pixel is installed.
  • If diagnostics are enabled, Sentry or similar tools may process error and reliability data.
  • Firebase Performance Monitoring (Google LLC) processes anonymous timing measurements on the signed-in workspace to help keep the app fast and reliable.

Security and privacy expectations

PropoKit expects subprocessors to support the operation of the product without unnecessary exposure of private information. PropoKit should avoid sending secrets, raw tokens, payment card details, QuickBooks credentials, private keys, data-export links, delete-account links, or unnecessary customer/proposal content to providers that do not need them.

  • Passwords.
  • Payment card numbers.
  • QuickBooks login credentials.
  • OAuth tokens.
  • API keys.
  • Delete-account confirmation links.
  • Data-export download links.
  • Private keys.
  • Unnecessary private customer data.

Changes to subprocessors

PropoKit may update this page when service providers are added, removed, renamed, replaced, or materially changed. When a change affects how personal or business data is processed, PropoKit should update related privacy and cookie disclosures where appropriate.

The “Last updated” date shows when this page was most recently changed.

Questions

If you have questions about PropoKit subprocessors, connected services, privacy, or data handling, contact PropoKit Support.

support@propokit.com