Privacy Policy
Last updated: 30 April 2026
This policy explains what personal data Queriyo collects, why, and your rights under the UK GDPR and EU GDPR.
1. Who we are
The data controller is Queriyo. Contact: privacy@queriyo.com.
2. What we collect
- Account data — email, hashed password, MFA status.
- Content — documents and URLs you upload, and the embeddings we derive from them.
- Visitor questions — questions asked through your widget, the AI answer, timestamp, and a session ID.
- Billing data — handled by Stripe; we store the customer/subscription ID only.
- Technical data — IP address (for rate limiting), browser type, request logs.
3. Why we use it (lawful bases)
- To provide the Service (contract).
- To prevent abuse and secure the Service (legitimate interests).
- To comply with tax and accounting law (legal obligation).
- For optional analytics and marketing emails (consent — you can withdraw it).
4. Sub-processors
We share the minimum data needed with:
- Supabase — database, authentication, file storage.
- Anthropic — AI responses (your widget questions and document context).
- Voyage AI — vector embeddings for your documents and questions.
- Stripe — payment processing.
- Google — only if you connect Google Drive for document import.
- Our hosting and email providers.
5. International transfers
Some sub-processors are based outside the UK/EEA. Transfers are protected by Standard Contractual Clauses or equivalent safeguards.
6. Retention
- Account & content: while your account is active, then deleted within 30 days of closure.
- Visitor questions: 12 months, unless you delete them sooner.
- Billing records: 7 years (legal requirement).
- Server logs: 30 days.
7. Your rights
You have the right to access, correct, delete, or export your personal data, restrict or object to processing, and lodge a complaint with the Information Commissioner's Office (UK) or your local data protection authority. Email us at privacy@queriyo.com to exercise any of these.
8. Security
We use TLS in transit, encryption at rest for sensitive tokens, and row-level security in the database, and we offer multi-factor authentication on accounts.
9. Cookies
See our Cookie Policy for details on cookies and similar technologies.
10. Children
The Service is not directed to children under 16.
11. Changes
We will notify you of material changes by email or in-app notice.
This is a starting template, not legal advice. Have a lawyer review before launch.