Legal

Privacy Policy

Effective July 3, 2026

Pitch Box is an AI RFP-response platform for agencies, made by Sandbox Group LLC ("we", "us"). This policy explains what information we collect, how we use it, and the choices you have — both on this website and inside the Pitch Box product. We've tried to write it the way we'd want to read it: plainly.

The short version. On this site, the only personal information we collect is what you type into the request-access form, and we use it only to talk to you about Pitch Box. Inside the product, your workspace content belongs to you: it lives in an isolated database for your workspace, we use it only to provide the service, we don't train AI models on it, and we never sell it or share it for advertising. This site sets no cookies and runs no analytics or ad trackers.

Information we collect on this website

If you submit the request-access form, we collect what you enter: your name, work email, company, and optionally your title, the kind of agency you run, and your RFP volume. We use it to respond to your request, set up your workspace, and communicate with you about Pitch Box — nothing else. No spam, no resale, no marketing lists.

These requests are stored in a private, access-controlled repository and in our hosting provider's service logs. If you'd like your request deleted, email us (below) and we'll remove it.

This website sets no cookies and uses no analytics, advertising, or tracking scripts. Like most websites, our hosting provider keeps standard server logs (IP address, request time, user agent) for security and operations. Page fonts are delivered by Google Fonts, which means Google's servers see your IP address when the font files load.

Information in the Pitch Box product

When your agency uses Pitch Box, you bring content into your workspace: RFP documents, drafted responses, case studies, knowledge-base entries, brand assets and design systems, and profiles of the people involved in your pursuits (for example, a buying committee's names, titles, and priorities, or contacts imported from your CRM). This is your content. We process it solely to provide the product's features — parsing, drafting, scoring, compiling — and for no other purpose.

How AI processing works

Pitch Box's core features send content to AI providers to do their work: RFP text and your grounding materials go to Anthropic (Claude) for parsing, drafting, and scoring, and, if you use generated section imagery, style and prompt data goes to fal.ai. Both are used via commercial APIs under terms which provide that API inputs and outputs are not used to train their models. AI-generated content in Pitch Box is always marked for human review — imported facts land unverified, generated imagery requires approval, and unverified material warns before it ships.

Integrations you choose to connect

HubSpot, Slack, and Google Drive integrations are off until you connect them. OAuth is brokered by Nango; access tokens are held by Nango and never stored in your workspace's application or database. When you pull data from a connected tool (a deal's contacts, a Drive document), it lands in your workspace like anything else you add — reviewable, and removable. When you push to a connected tool (say, sharing a compiled response to Slack), that content passes to a channel you chose. Disconnecting an integration stops all access.

Who processes data on our behalf

ProviderWhat it doesWhat it touches
RenderApplication hosting (US)All application traffic and service logs
NeonManaged PostgresYour workspace's dedicated database
AnthropicAI drafting, parsing, scoringRFP text and grounding content you process
fal.aiAI imagery (only if used)Image prompts and brand style data
NangoOAuth broker (only if you connect a tool)Integration access tokens
GitHubOperational storageAccess requests; product feedback notes
Google FontsFont delivery on this websiteIP address and user agent on font load
Forge IntelligenceBrand-intelligence briefsThe public domain names you profile

Connected tools you opt into (HubSpot, Slack, Google Drive) process data per your own agreements with them.

Cookies

This website sets none. The Pitch Box product sets exactly one cookie after you sign in — a strictly-necessary session cookie that keeps you logged in. There are no tracking, analytics, or advertising cookies anywhere.

Retention and deletion

Access requests are kept while we're in conversation with you and deleted on request. Workspace content is kept for the life of your subscription. When a workspace ends — or whenever you ask — we delete the workspace and its database. You can export your workspace's content at any time; ask us or use the built-in export.

Your rights

Wherever you are, you can ask us to access, correct, export, or delete personal information we hold about you, and we'll honor it. If you're in a jurisdiction with specific privacy rights (like the GDPR or the CCPA), those rights apply to how we handle your data, and this is the address to exercise them: hello@pitch-box.ai. One note for agencies: your workspace may contain personal information about third parties you added (like committee contacts) — for that content, you're the controller and we're your processor; we act on it per your instructions.

Security

All traffic is encrypted in transit (TLS). Workspaces are isolated per customer with dedicated databases. Secrets and credentials are held in a managed vault, never in code or in your workspace's database. We don't process payment card data. No system is perfectly secure, but if we ever learn of a breach affecting your data, we'll notify you promptly.

Children

Pitch Box is a business product and is not directed at anyone under 16. We don't knowingly collect information from children.

Changes to this policy

If our practices change, we'll update this page and revise the effective date above. Material changes affecting customer workspaces will be communicated directly.

Contact

Questions, requests, or concerns: hello@pitch-box.ai.