Privacy Policy

1. Information We Collect

We collect the following types of information:

Information you provide

• Account details: name, email address, and password when you register.
• Payment information: processed securely via Stripe; we do not store full card numbers.
• Uploaded documents: files you submit for dataset generation.

Information collected automatically

• Usage data: pages visited, features used, documents processed, and API calls made.
• Device information: browser type, operating system, IP address, and general location.

2. How We Use Information

We use your information to:

• Provide, maintain, and improve the Service, including processing your documents and generating dataset content.
• Manage your account, process payments, and send transactional emails.
• Communicate with you about product updates, security alerts, and support.
• Analyse usage patterns to improve performance and user experience.
• Comply with legal obligations.

We do not use your uploaded documents or generated datasets to train AI models.

3. Data Storage and Security

Your data is stored on secure servers within the European Economic Area (EEA). We implement industry-standard security measures:

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Regular security audits and penetration testing.
• Role-based access controls for our team.
• Automated backups with 30-day retention.

4. Third-Party Services

We use the following third-party services that may process your data:

• Stripe - payment processing (PCI DSS compliant).
• Supabase - database and authentication.
• Vercel - hosting and content delivery.
• OpenRouter / OpenAI - document analysis and dataset generation (data is not retained by these providers after processing).

5. Your Rights (GDPR)

If you are in the EEA or UK, you have the following rights under the General Data Protection Regulation:

• Access - request a copy of the personal data we hold about you.
• Rectification - request correction of inaccurate data.
• Erasure - request deletion of your data (“right to be forgotten”).
• Portability - receive your data in a machine-readable format.
• Restriction - request that we limit processing of your data.
• Objection - object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@faqai.app. We will respond within 30 days.

6. Data Retention

We retain your data for as long as your account is active. After account deletion:

• Uploaded documents and generated datasets are permanently deleted within 30 days.
• Account metadata is anonymised and retained for up to 12 months for legal compliance.
• Payment records are retained for 7 years as required by UK tax law.

7. Cookies

We use the following types of cookies:

• Essential cookies - required for authentication, security, and core functionality.
• Analytics cookies - help us understand how users interact with the Service (can be opted out).

We do not use advertising or tracking cookies. You can manage cookie preferences in your browser settings.

8. International Transfers

Your data is primarily stored within the EEA. Where data is transferred outside the EEA (e.g., to AI processing providers), we ensure adequate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs) approved by the European Commission.
• Data Processing Agreements (DPAs) with all sub-processors.
• Adequacy decisions where recognised by the European Commission or UK Government.
• Supplementary measures (encryption, access controls) where required to ensure equivalent protection.

For transfers involving non-EU/EEA recipients, we assess the data protection laws of the recipient country and apply additional safeguards as necessary to ensure your data remains protected.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You can request details about the categories and specific pieces of personal information we have collected about you in the prior 12 months.
• Right to Delete: You can request deletion of your personal information. You can do this directly via Settings > Privacy in your account, or by contacting us.
• Right to Opt-Out of Sale: We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioural advertising. You can manage your data sharing preferences via Settings > Privacy in your account.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
• Right to Correct: You can request correction of inaccurate personal information via Settings > Profile or by contacting us.
• Right to Limit Use of Sensitive Information: We only use sensitive personal information as necessary to provide our services.

Categories of Personal Information Collected

• Identifiers (name, email address, IP address)
• Commercial information (subscription plan, payment history)
• Internet activity (usage data, pages visited)
• Professional information (documents uploaded for processing)

To exercise any of these rights, email privacy@faqai.app or use the self-service options in your account Settings. We will respond within 45 days as required by law. You may also designate an authorised agent to submit requests on your behalf.

10. Brazil (LGPD)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with specific rights regarding your personal data. We process your data under the legal bases of contract performance, legitimate interest, and consent where applicable.

Under the LGPD, you have the right to:

• Confirmation and Access - confirm whether we process your data and access a copy of it.
• Correction - request correction of incomplete, inaccurate, or outdated data.
• Anonymisation, Blocking, or Deletion - request anonymisation, blocking, or deletion of unnecessary or excessively processed data.
• Portability - request the transfer of your personal data to another service provider.
• Deletion - request deletion of data processed with your consent.
• Information - be informed about third parties with whom we share your data.
• Revocation of Consent - withdraw consent at any time where processing is based on consent.

To exercise your LGPD rights, email dpo@faqai.app. You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

11. Canada (PIPEDA)

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how we collect, use, and disclose your personal information.

• Consent - we collect and process your personal information with your knowledge and consent, except where permitted by law.
• Access - you may request access to the personal information we hold about you and be informed of how it has been used and to whom it has been disclosed.
• Correction - you may challenge the accuracy and completeness of your personal information and have it amended.
• Withdrawal of Consent - you may withdraw consent at any time, subject to legal or contractual restrictions.

To exercise your rights or file a complaint, contact us at dpo@faqai.app. You also have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

12. Australia (APPs)

If you are located in Australia, the Australian Privacy Principles (APPs) under the Privacy Act 1988 apply to your personal information. We comply with the following obligations:

• Collection Notice - we only collect personal information that is reasonably necessary for providing our services, and we inform you of the purpose of collection.
• Access and Correction - you may request access to and correction of the personal information we hold about you.
• Cross-Border Disclosure - before disclosing personal information overseas (e.g., to AI processing providers), we take reasonable steps to ensure the recipient complies with the APPs.
• Data Quality - we take reasonable steps to ensure personal information we collect is accurate, up-to-date, and complete.

To exercise your rights, email dpo@faqai.app. You may also file a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

13. South Africa (POPIA)

If you are located in South Africa, the Protection of Personal Information Act (POPIA) provides you with rights regarding your personal information. We process your information in accordance with the conditions for lawful processing under POPIA.

• Access - you may request confirmation of whether we hold personal information about you and request access to it.
• Correction or Deletion - you may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, or outdated.
• Objection - you may object to the processing of your personal information on reasonable grounds.
• Data Portability - you may request your personal information in a machine-readable format.

To exercise your rights, email dpo@faqai.app. You may also file a complaint with the Information Regulator at justice.gov.za/inforeg.

14. Singapore (PDPA)

If you are located in Singapore, the Personal Data Protection Act (PDPA) governs the collection, use, and disclosure of your personal data.

• Consent - we collect, use, and disclose your personal data only with your consent or as permitted under the PDPA.
• Access - you may request access to and information about how we have used or disclosed your personal data within the past year.
• Correction - you may request correction of errors or omissions in your personal data.
• Withdrawal of Consent - you may withdraw consent for the collection, use, or disclosure of your personal data, subject to legal or contractual obligations.
• Data Portability - you may request a copy of your data in a commonly used machine-readable format.

To exercise your rights, email dpo@faqai.app. You may also file a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

15. Japan (APPI)

If you are located in Japan, the Act on the Protection of Personal Information (APPI) applies to the handling of your personal information.

• Purpose Specification - we specify the purpose of use of your personal information and do not handle it beyond the scope necessary for that purpose.
• Disclosure - you may request disclosure of the personal information we hold about you.
• Correction and Deletion - you may request correction, addition, or deletion of your personal information if it is inaccurate.
• Cessation of Use - you may request that we stop using or delete your personal information if it is being handled in violation of the APPI.
• Cross-Border Transfer - where your personal information is transferred outside Japan for processing (e.g., to AI providers), we ensure the recipient maintains equivalent protection standards.

To exercise your rights, email dpo@faqai.app. You may also contact the Personal Information Protection Commission (PPC) at ppc.go.jp.

16. International Users

FAQai.app serves users worldwide. In addition to the specific regional frameworks detailed above, we are committed to respecting the highest applicable standard of data protection regardless of your location. Where your local data protection laws provide additional rights not covered by the frameworks listed above, we will honour those rights upon request.

If you have questions about how your local laws apply to your data, please contact us at dpo@faqai.app.

17. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:

• Email: privacy@faqai.app
• Data Protection Officer: dpo@faqai.app
• Phone: +44 7778 208203
• Address: FAQai Ltd, London, United Kingdom

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.