Pitch Box is an AI RFP-response platform for agencies, made by Sandbox Group LLC ("we", "us"). This policy explains what information we collect, how we use it, and the choices you have — both on this website and inside the Pitch Box product. We've tried to write it the way we'd want to read it: plainly.
The short version. On this site, the only personal information we collect is what you type into the request-access form, and we use it only to talk to you about Pitch Box. Inside the product, your workspace content belongs to you: it lives in an isolated database for your workspace, we use it only to provide the service, we don't train AI models on it, and we never sell it or share it for advertising. This site sets no cookies and runs no analytics or ad trackers.
Information we collect on this website
If you submit the request-access form, we collect what you enter: your name, work email, company, and optionally your title, the kind of agency you run, and your RFP volume. We use it to respond to your request, set up your workspace, and communicate with you about Pitch Box — nothing else. No spam, no resale, no marketing lists.
These requests are stored in a private, access-controlled repository and in our hosting provider's service logs. If you'd like your request deleted, email us (below) and we'll remove it.
This website sets no cookies and uses no analytics, advertising, or tracking scripts. Like most websites, our hosting provider keeps standard server logs (IP address, request time, user agent) for security and operations. Page fonts are delivered by Google Fonts, which means Google's servers see your IP address when the font files load.
Information in the Pitch Box product
When your agency uses Pitch Box, you bring content into your workspace: RFP documents, drafted responses, case studies, knowledge-base entries, brand assets and design systems, and profiles of the people involved in your pursuits (for example, a buying committee's names, titles, and priorities, or contacts imported from your CRM). This is your content. We process it solely to provide the product's features — parsing, drafting, scoring, compiling — and for no other purpose.
- Workspace isolation. Each customer workspace runs as its own deployment with its own dedicated database. Your content is never commingled with another customer's.
- Access. Workspaces are password-protected. Access to production systems is limited to Sandbox Group operators and is used for support and operations only.
- No training. We do not train AI models on your content, and the AI providers we use do not train their models on API data under their commercial terms (see below).
- No selling, ever. We do not sell personal information and we do not share it for cross-context behavioral advertising.
How AI processing works
Pitch Box's core features send content to AI providers to do their work: RFP text and your grounding materials go to Anthropic (Claude) for parsing, drafting, and scoring, and, if you use generated section imagery, style and prompt data goes to fal.ai. Both are used via commercial APIs under terms which provide that API inputs and outputs are not used to train their models. AI-generated content in Pitch Box is always marked for human review — imported facts land unverified, generated imagery requires approval, and a warning is shown before unverified material ships.
Integrations you choose to connect
HubSpot, Slack, and Google Drive integrations are off until you connect them. OAuth is brokered by Nango; access tokens are held by Nango and never stored in your workspace's application or database. When you pull data from a connected tool (a deal's contacts, a Drive document), it lands in your workspace like anything else you add — reviewable, and removable. When you push to a connected tool (say, sharing a compiled response to Slack), that content passes to a channel you chose. Disconnecting an integration stops all access.
Who processes data on our behalf
| Provider | What it does | What it touches |
|---|---|---|
| Render | Application hosting (US) | All application traffic and service logs |
| Neon | Managed Postgres | Your workspace's dedicated database |
| Anthropic | AI drafting, parsing, scoring | RFP text and grounding content you process |
| fal.ai | AI imagery (only if used) | Image prompts and brand style data |
| Nango | OAuth broker (only if you connect a tool) | Integration access tokens |
| GitHub | Operational storage | Access requests; product feedback notes |
| Google Fonts | Font delivery on this website | IP address and user agent on font load |
| Forge Intelligence | Brand-intelligence briefs | The public domain names you profile |
Connected tools you opt into (HubSpot, Slack, Google Drive) process data per your own agreements with them.
Cookies
This website sets none. The Pitch Box product sets exactly one cookie after you sign in — a strictly-necessary session cookie that keeps you logged in. There are no tracking, analytics, or advertising cookies anywhere.
Retention and deletion
Access requests are kept while we're in conversation with you and deleted on request. Workspace content is kept for the life of your subscription. When a workspace ends — or whenever you ask — we delete the workspace and its database. You can export your workspace's content at any time; ask us or use the built-in export.
Your rights
Wherever you are, you can ask us to access, correct, export, or delete personal information we hold about you, and we'll honor it. If you're in a jurisdiction with specific privacy rights (like the GDPR or the CCPA), those rights apply to how we handle your data, and this is the address to exercise them: hello@pitch-box.ai. One note for agencies: your workspace may contain personal information about third parties you added (like committee contacts) — for that content, you're the controller and we're your processor; we act on it per your instructions.
Security
All traffic is encrypted in transit (TLS). Workspaces are isolated per customer with dedicated databases. Secrets and credentials are held in a managed vault, never in code or in your workspace's database. We don't process payment card data. No system is perfectly secure, but if we ever learn of a breach affecting your data, we'll notify you promptly.
Children
Pitch Box is a business product and is not directed at anyone under 16. We don't knowingly collect information from children.
Changes to this policy
If our practices change, we'll update this page and revise the effective date above. Material changes affecting customer workspaces will be communicated directly.
Contact
Questions, requests, or concerns: hello@pitch-box.ai.