Compliance & Privacy

Built for GDPR and designed with privacy in mind.

We design our platform with privacy and compliance at the foundation. Whether you're in the EU or anywhere else, we respect your data rights and follow strict data protection principles.

GDPR Compliance

The General Data Protection Regulation (GDPR) is Europe's data protection law, but we apply its principles globally. GDPR gives you control over your data and requires us to be transparent about what we collect and why.

What Data We Collect

We only collect what's necessary to provide the AI chatbot service:

Account Information
  • Your name
  • Email address
  • Organization/company name
  • Login credentials (securely stored)
Content You Upload
  • Documents and files you upload
  • Chatbot configurations
  • Custom instructions
  • Knowledge base content
Usage Information
  • Number of queries made
  • Response times (for performance)
  • Error logs (system-level only)
  • Login activity
Billing Information
  • Subscription plan details
  • Payment method (via Stripe)
  • Billing address
  • Invoice history
What We Don't Collect: We don't track your browsing outside our platform. We don't sell or share your data with advertisers. We don't use hidden tracking cookies.

How We Use Your Data

We process your data only for these specific purposes:

  • To Power Your Chatbot: Your uploaded files are used to train your specific AI assistant to answer questions based on your content.
  • To Manage Your Account: We use your email and name to identify you and communicate important service updates.
  • To Process Payments: Your billing information is used to charge your subscription (handled securely by Stripe).
  • To Improve Service Quality: We track system performance (not content) to fix bugs and improve speed.
  • To Provide Support: If you contact us for help, we use your information to assist you.
We Never: Sell your data. Use your data to train AI for other customers. Share your content with third parties for marketing. Access your files without your permission.

Your Data Rights

Under GDPR and other privacy laws, you have specific rights over your data. We make it easy to exercise these rights.

Right to Access

You can request a copy of all data we have about you.

How: Email us or use the "Export My Data" button in your account settings.

Right to Correction

You can update or correct your personal information anytime.

How: Edit your profile directly in account settings.

Right to Deletion (Right to be Forgotten)

You can request that we permanently delete all your data.

How: Contact us to request account deletion. We'll wipe everything within 30 days.

Right to Data Portability

You can download your data in a machine-readable format to take elsewhere.

How: Use the "Export My Data" feature to get a ZIP file of your content.

Right to Restrict Processing

You can ask us to temporarily stop using your data while you dispute something.

How: Contact our support team with your request.

Right to Object

You can object to certain types of data processing.

How: Contact us to discuss your concerns.

Response Time: We respond to all data rights requests within 30 days, as required by GDPR.

Data Minimization

We follow the principle of data minimization: collect only what's needed, keep it only as long as necessary.

How Long We Keep Data:
  • Account Data: Kept as long as your account is active. Deleted within 30 days of account closure.
  • Uploaded Files: Kept until you delete them or close your account.
  • System Logs: Automatically purged after 90 days (we keep only what's needed for debugging).
  • Billing Records: Kept for 7 years for tax/legal compliance, then permanently deleted.
  • Backups: Encrypted backups are kept for 30 days for disaster recovery, then automatically deleted.

Third-Party Services We Use

We work with carefully selected partners to provide our service. All partners are GDPR-compliant and meet our security standards.

Service Purpose Data Shared
Amazon Web Services (AWS) Cloud hosting, file storage, user authentication Uploaded files, account data
Google Cloud (Gemini API) AI processing and file search (RAG) Files you upload, chatbot queries
Stripe Payment processing Billing details, payment method
Amazon SES Transactional emails (password resets, notifications) Email address, name
Note: We have Data Processing Agreements (DPAs) with all major providers to ensure GDPR compliance.

International Data Transfers

Some of our service providers (like AWS and Google) operate globally. When data moves between regions, we ensure it's protected:

  • EU Customers: We can host your data exclusively in EU regions (AWS eu-west-1 Ireland) to meet data residency requirements.
  • Standard Contractual Clauses (SCCs): We use EU-approved contracts for data transfers outside the EU.
  • Encryption Everywhere: All data transfers are encrypted in transit, regardless of location.

Questions or Concerns?

General Inquiries

For questions about our privacy practices or to exercise your data rights:

Email: privacy@quixoo.ai

Data Processing Agreement (DPA)

Enterprise customers can request a signed DPA for compliance:

Email: legal@quixoo.ai

Learn More About Our Security

Discover how we protect your data at the technical level.

View Security Details Data Protection Info