Privacy Policy

Last updated: April 12, 2026

This Privacy Policy describes how Qvero AI, Inc. ("Qvero", "we", "us", or "our") collects, uses, and protects your information when you use the Qvero platform ("Service").

1. Information We Collect

Account Information

When you create an account, we collect your email address, name, and password (stored as a bcrypt hash — we never store plaintext passwords). If you sign up via OAuth (Google, GitHub), we receive your name, email, and profile photo from the provider.

Usage Data

We collect information about how you use the Service, including: AI model usage (model, token counts, credits consumed), features accessed, automations created and run, and integration connections. This data is used for billing, product improvement, and abuse prevention.

Conversation Data

Messages you send to and receive from the AI assistant are stored in your account. This data is encrypted at rest and accessible only to you (and organization members, if applicable).

Third-Party Integration Data

When you connect integrations (Google Ads, Meta, Mailchimp, etc.), we access data from those platforms using OAuth tokens you authorize. We access this data in real-time to serve your requests and do not permanently store third-party marketing data. OAuth tokens are stored encrypted.

Billing Information

If you subscribe to a paid plan, we collect billing address, company name, and tax ID for invoicing. Payment processing is handled by our payment processor — we do not store credit card numbers.

2. How We Use Your Information

• Provide the Service — process your requests, run automations, connect integrations
• Billing — calculate credit usage, generate invoices, process payments
• Security — detect and prevent fraud, abuse, and unauthorized access
• Improvement — analyze aggregated, anonymized usage patterns to improve the Service
• Communication — send account notifications, billing alerts, and service updates

3. What We Do NOT Do

• We do not train AI models on your data
• We do not sell your personal information to third parties
• We do not share your data with advertisers
• We do not use your marketing data for our own marketing purposes
• We do not store third-party platform data beyond what is needed to serve your request

4. AI and LLM Providers

The Service uses third-party LLM providers (xAI, OpenAI, Anthropic, Google) to process AI requests. When you send a message to the AI assistant:

• Your message (after Secret Protection redaction) is sent to the selected LLM provider
• LLM providers process your request according to their own privacy policies and data handling terms
• We select providers that do not train on API inputs by default
• Secret Protection automatically detects and redacts sensitive data (API keys, passwords, tokens) before content reaches any LLM provider

5. Secret Protection

Qvero includes a built-in Secret Protection system that:

• Automatically scans all outgoing prompts for sensitive patterns (API keys, passwords, tokens, credentials)
• Redacts detected secrets before they are sent to LLM providers
• Logs redaction events for your review (without storing the actual secret values)

While we make commercially reasonable efforts to detect sensitive data, no automated system is perfect. You should avoid intentionally including highly sensitive credentials in prompts.

6. Data Sharing

We share your data only in the following circumstances:

• LLM Providers — message content (after redaction) is sent to AI providers to process your requests
• Payment Processors — billing information is shared with our payment processor
• Legal Requirements — when required by law, subpoena, or legal process
• Safety — to prevent fraud, abuse, or threats to safety

7. Data Retention

• Account Data — retained while your account is active. Deleted within 30 days of account deletion.
• Conversation History — retained while your account is active. You can delete individual sessions at any time.
• Usage and Billing Data — retained for up to 7 years for tax and legal compliance.
• Integration Tokens — deleted when you disconnect an integration or delete your account.

8. Data Security

• All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Passwords are stored using bcrypt with salt
• OAuth tokens and API keys are encrypted with application-level encryption
• Database access is restricted and audited
• We conduct regular security reviews

9. Your Rights

You have the right to:

• Access your data through the settings panel or by contacting us
• Export your data in a portable format
• Delete your account and all associated data
• Correct inaccurate personal information
• Object to processing of your data for specific purposes

To exercise these rights, contact us at privacy@qvero.ai.

10. GDPR — European Economic Area (EEA) Residents

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract Performance (Art. 6(1)(b)) — to provide the Service, manage your account, process billing, and execute your AI assistant and automation requests
• Legitimate Interest (Art. 6(1)(f)) — for security, fraud prevention, product improvement, and usage analytics
• Consent (Art. 6(1)(a)) — where you have explicitly opted in (e.g., marketing communications)
• Legal Obligation (Art. 6(1)(c)) — to comply with tax, accounting, and regulatory requirements

Your GDPR Rights

In addition to the rights listed in Section 9, you have the right to:

• Data Portability (Art. 20) — receive your personal data in a structured, machine-readable format
• Restriction of Processing (Art. 18) — request that we limit how we use your data
• Withdraw Consent (Art. 7(3)) — withdraw consent at any time where processing is based on consent
• Lodge a Complaint — with your local Data Protection Authority (DPA) if you believe we have violated your data protection rights

International Transfers

Your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers, ensuring an adequate level of data protection.

Data Protection Officer

For GDPR-related inquiries, contact our data protection team at privacy@qvero.ai.

11. CCPA — California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:

Categories of Personal Information Collected

• Identifiers — name, email address, account credentials
• Commercial Information — billing history, plan selection, credit usage
• Internet/Electronic Activity — usage logs, AI model interactions, feature usage patterns
• Professional/Employment Information — business name, role (if provided)

Your CCPA Rights

• Right to Know — request the categories and specific pieces of personal information we have collected
• Right to Delete — request deletion of personal information, subject to legal exceptions
• Right to Correct — request correction of inaccurate personal information
• Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights

Do Not Sell or Share My Personal Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than providing the Service.

How to Exercise Your Rights

Submit a verifiable consumer request by emailing privacy@qvero.ai. We will verify your identity and respond within 45 days.

12. Data Processing Agreement (DPA)

For Enterprise customers who require a Data Processing Agreement under GDPR Article 28, we offer a DPA that covers:

• Scope and purpose of data processing
• Sub-processor disclosures (LLM providers, infrastructure providers)
• Data breach notification procedures (72-hour notification)
• Data deletion and return obligations
• Security measures and audit rights

To request a DPA, contact legal@qvero.ai.

13. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. We do not use third-party analytics services that track individual users.

14. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect information from children.

15. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. For EEA/UK transfers, we use Standard Contractual Clauses (see Section 10). For all other jurisdictions, we ensure appropriate safeguards are in place.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before changes take effect.

17. Contact Us

For privacy-related questions or requests:

• Email: privacy@qvero.ai
• Mail: Qvero AI, Inc., Attn: Privacy, [Address TBD]