Privacy Policy

Effective Date: September 24, 2025

1. INTRODUCTION AND SCOPE

1.1 About This Policy

QUINTIX AI INC. (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (https://quintix.ai), artificial intelligence services, consulting services, software-as-a-service offerings, mobile applications, and any other services or products we provide (collectively, the “Services”).

1.2 Scope and Application

This Privacy Policy applies to:

  • Visitors to our website and marketing properties
  • Users of our Services, including free and paid tiers
  • Individuals who communicate with us
  • Participants in our educational programs and events
  • Beta testers and preview program participants

1.3 Data Controller vs. Data Processor

We act in different capacities depending on the context:

  • As Controller: When you interact directly with us (website visits, direct accounts, support requests)
  • As Processor: When processing personal data on behalf of business customers who use our Services
  • As Sub-processor: When our business customers resell or integrate our Services

When acting as a processor, we handle personal data according to our customers’ instructions and applicable data processing agreements.

1.4 Updates to This Policy

We may update this Privacy Policy from time to time. The “Effective Date” indicates the last revision. We will notify you of material changes through the Services or by email.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account and Identity Data

  • Full name, username, and title
  • Email address and phone number
  • Company name and business address
  • Job role and department
  • Government-issued ID (only when legally required)

Financial and Billing Data

  • Payment card information (processed by our payment providers)
  • Billing address
  • Purchase history and subscription details
  • Tax identification numbers where required

Content and Interaction Data

  • Prompts, queries, and instructions you submit to our AI Services
  • Files, documents, code, and datasets you upload
  • Feedback, ratings, and survey responses
  • Support tickets and communication records
  • Training data you explicitly authorize for model improvement
  • Testimonials and case study information

Professional Services Data

  • Project requirements and specifications
  • Consulting engagement records
  • Custom development requests
  • Training and workshop participation

Biometric Data (if explicitly provided for specific features)

  • We do not currently collect biometric identifiers
  • Should we introduce biometric features, we will update this policy and obtain explicit consent
  • Any biometric data would be stored encrypted and deleted upon account termination

2.2 Information Collected Automatically

Technical and Device Data

  • IP address and approximate geolocation
  • Device type, operating system, and browser information
  • Unique device identifiers
  • Screen resolution and browser settings
  • Language and timezone preferences

Usage and Analytics Data

  • Pages visited and features accessed
  • Click paths and interaction patterns
  • Session duration and frequency
  • Search queries within our Services
  • Error logs and diagnostic information
  • Performance metrics and system events

AI Service Interaction Data

  • API calls and usage patterns
  • Token consumption and computational resource usage
  • Model selection and parameters
  • Safety filter triggers and content moderation events
  • Prompt injection attempts and security events

2.3 Information from Third Parties

Authentication Providers

  • Profile information from single sign-on providers (Google, Microsoft, etc.)
  • Authentication tokens and session data

Payment Processors

  • Transaction confirmations and payment status
  • Fraud risk scores and verification results

Business Partners

  • Referral information from partners
  • Integration data from connected services
  • Co-marketing campaign participation

Public Sources

  • Publicly available business information
  • Professional networking profiles
  • Company registry information

3. LEGAL BASIS FOR PROCESSING (WHERE APPLICABLE)

Under privacy laws like GDPR and Quebec Law 25, we must have a legal basis for processing personal data:

3.1 Contract Performance

We process data to fulfill our contractual obligations when you:

  • Create an account and use our Services
  • Purchase subscriptions or credits
  • Engage us for consulting or professional services

3.2 Legitimate Interests

We process data based on legitimate interests for:

  • Improving and securing our Services
  • Preventing fraud and abuse
  • Direct marketing to existing customers (with opt-out)
  • Internal analytics and business intelligence
  • Legal claims establishment and defense

3.3 Legal Obligations

We process data to comply with:

  • Tax and accounting requirements
  • Court orders and legal process
  • Regulatory investigations
  • Data breach notifications
  • Audit and compliance requirements

3.4 Consent

We obtain consent for:

  • Marketing communications to non-customers
  • Use of cookies and tracking technologies (where required)
  • Training AI models on your content (opt-in only)
  • Processing sensitive personal data
  • Testimonials and case studies

3.5 Vital Interests

In rare cases, we may process data to protect vital interests, such as preventing imminent harm.

4. HOW WE USE YOUR INFORMATION

4.1 Service Delivery and Operations

  • Providing, maintaining, and improving our Services
  • Processing transactions and managing subscriptions
  • Authenticating users and managing accounts
  • Delivering customer support and responding to inquiries
  • Sending service-related communications

4.2 AI and Machine Learning

  • Operating our AI Services and processing your requests
  • Implementing safety filters and content moderation
  • Detecting and preventing prompt injection attacks
  • Improving model performance (only with explicit opt-in consent)
  • Evaluating AI safety and alignment
  • Generating aggregated insights about AI usage patterns

Important: We do NOT use your prompts, content, or outputs to train our AI models unless you explicitly opt-in through your account settings. This setting is disabled by default.

4.3 Security and Safety

  • Detecting and preventing fraud, abuse, and security incidents
  • Monitoring for unauthorized access attempts
  • Investigating violations of our Terms & Conditions
  • Implementing rate limiting and resource protection
  • Maintaining audit logs and security records

4.4 Communications and Marketing

  • Sending product updates and feature announcements
  • Providing educational content and resources
  • Marketing our Services (with appropriate consent/opt-out)
  • Conducting surveys and collecting feedback
  • Personalizing your experience

4.5 Legal and Compliance

  • Meeting legal, tax, and regulatory obligations
  • Responding to legal requests and court orders
  • Establishing, exercising, or defending legal claims
  • Conducting internal audits and compliance reviews
  • Maintaining records as required by law

4.6 Business Intelligence

  • Analyzing usage patterns and trends
  • Measuring Service performance and reliability
  • Conducting research and development
  • Creating aggregated and anonymized datasets
  • Business planning and forecasting

5. AI-SPECIFIC PRIVACY PRACTICES

5.1 Prompt and Output Processing

  • Temporary Processing: Prompts are processed in memory to generate responses
  • Default No Training: Your prompts and outputs are NOT used for model training by default
  • Opt-in Training: If you enable training in settings, we may use your data to improve our models
  • Retention Period: Prompts/outputs retained for 30 days for safety and quality, then deleted unless you opt-in to training

5.2 AI Safety and Moderation

We implement automated and manual reviews to:

  • Prevent generation of harmful content
  • Detect attempts to compromise AI safety
  • Identify potential misuse patterns
  • Comply with content policies

Safety-related data may be retained longer for security purposes.

5.3 Third-Party AI Providers

When using optional AI features powered by third parties:

  • We use various third-party AI services to provide certain features
  • These providers have their own data processing and privacy practices
  • Where technically feasible, we configure providers with data retention off
  • We maintain a list of AI sub-processors at https://quintix.ai/sub-processors

5.4 Automated Decision-Making

Our AI Services involve automated processing that may produce legal or significant effects. You have the right to:

  • Request information about how automated decisions are made
  • Express your point of view about decisions
  • Request human review where technically feasible
  • Opt-out of certain automated processing where applicable

Note that some automated decisions (such as content filtering or safety measures) are integral to the Services and cannot be reversed after the fact.

6. COOKIES AND TRACKING TECHNOLOGIES

6.1 Types of Cookies We Use

We use Cookiebot as our consent management platform to help you control your cookie preferences.

Essential Cookies (Always Active)

  • Session management and authentication
  • Security tokens and CSRF protection
  • Load balancing and service routing
  • User preferences and settings
  • Basic analytics for website operation and security
  • Retention: Session or up to 1 year

Marketing Cookies (Consent Required)

  • Conversion tracking for advertising
  • Remarketing and audience building
  • Social media integration
  • Campaign attribution
  • Retention: Up to 2 years

6.2 Managing Cookies

You can control cookies through:

6.3 Do Not Track Signals

We do not currently respond to Do Not Track signals. However, you can use our cookie preferences and opt-out mechanisms.

6.4 Pixels and Web Beacons

We may use invisible pixels in emails to:

  • Confirm email delivery and opening
  • Measure engagement with our communications
  • Improve email relevance

7. INFORMATION SHARING AND DISCLOSURE

7.1 Service Providers

We share data with trusted service providers for:

Infrastructure and Hosting

  • Cloud computing services (AWS, Google Cloud)
  • Content delivery networks
  • Database and storage providers

Business Operations

  • Payment processors (Stripe, PayPal)
  • Email and communication services
  • Customer support platforms
  • Analytics and monitoring tools

Professional Services

  • Legal advisors and auditors
  • Accounting and tax professionals
  • Insurance providers
  • Consultants under confidentiality agreements

All service providers are bound by data protection agreements and can only use your data to provide services to us.

7.2 Business Transfers

If we’re involved in a merger, acquisition, asset sale, or bankruptcy:

  • Your information may be transferred as part of the transaction
  • We’ll notify you before your information becomes subject to different privacy policies
  • You may have the right to object to such transfers

7.3 Legal Disclosures

We may disclose information when required to:

  • Comply with legal obligations or court orders
  • Respond to lawful government requests
  • Protect our rights, property, or safety
  • Prevent fraud or cybersecurity threats
  • Enforce our Terms & Conditions

7.4 Consent-Based Sharing

With your explicit consent, we may share:

  • Success stories and use cases with additional details beyond testimonials
  • Aggregated or anonymized data for research
  • Information with partners for joint offerings

7.5 Testimonials

If you provide testimonials about our Services, they become our property as outlined in our Terms & Conditions. We may use and share these testimonials in our marketing materials without further consent.

7.6 What We DON’T Do

  • We do NOT sell your personal information
  • We do NOT share data for cross-context behavioral advertising without consent
  • We do NOT provide government agencies with direct access to our systems
  • We do NOT share your AI prompts/outputs with other customers

8. INTERNATIONAL DATA TRANSFERS

8.1 Data Locations

Your data may be processed in:

  • Canada
  • United States
  • Other jurisdictions where our sub-processors operate

8.2 Transfer Safeguards

When transferring data internationally, we implement appropriate safeguards as required by applicable law. This may include contractual protections and security measures appropriate to the sensitivity of the data and the destination country.

8.3 Your Rights Regarding Transfers

You may request information about:

  • Countries where your data is processed
  • Security measures we implement for international transfers

9. DATA SECURITY

9.1 Technical Safeguards

  • Encryption: TLS 1.2+ in transit, AES-256 at rest
  • Access Controls: Role-based access, principle of least privilege
  • Authentication: Multi-factor authentication required for sensitive operations
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Application Security: Input validation, output encoding, CSRF protection

9.2 Organizational Safeguards

  • Personnel: Background checks, confidentiality agreements, security training
  • Policies: Information security policy, incident response procedures
  • Vendor Management: Security assessments, contractual protections
  • Physical Security: Secured facilities, access controls, environmental protection
  • Business Continuity: Backup procedures, disaster recovery planning

9.3 Operational Safeguards

  • Vulnerability Management: Regular scanning, responsible disclosure program
    • Critical vulnerabilities: Patched within 7 days
    • High vulnerabilities: Patched within 14 days
    • Medium and lower priorities: Risk-based remediation
  • Logging and Monitoring: Security event logging, anomaly detection for operational and compliance purposes
  • Change Management: Code review, testing, deployment controls
  • Secrets Management: Vault systems, key rotation

9.4 Incident Response

In case of a data breach:

  • We will notify affected individuals within 72 hours (where feasible)
  • We will notify relevant supervisory authorities as required
  • We will document the incident and remediation measures
  • We will implement measures to prevent recurrence

9.5 Security Limitations

While we implement industry-standard security, no system is 100% secure. You play a role in security by:

  • Using strong, unique passwords
  • Enabling multi-factor authentication
  • Keeping your devices secure
  • Promptly reporting suspicious activity

10. DATA RETENTION

10.1 Retention Principles

We retain personal data only as long as necessary to:

  • Provide Services you’ve requested
  • Comply with legal obligations
  • Resolve disputes and enforce agreements
  • Pursue legitimate business interests

10.2 Specific Retention Periods

Account Data

  • Active accounts: Retained while account is active
  • Deleted accounts: Removed within 30 days (except as legally required)

Financial Records

  • Transaction records: 7 years (tax requirements)
  • Payment methods: Until updated or account closed

AI Service Data

  • Prompts/outputs (no training): 30 days for safety and service quality
  • Prompts/outputs (training opted-in): Indefinitely for model improvement
  • Safety/security events: Retained as needed for security purposes
  • API logs: Retained as needed for operational and billing purposes

Communications

  • Support tickets and email correspondence: Retained indefinitely
  • Marketing preferences and consent records: Retained indefinitely
  • Email tracking and analytics data: Retained indefinitely

Technical Data

  • Security logs: Retained as needed for security and compliance purposes
  • Performance metrics: Retained as needed for service improvement
  • Error logs: Retained as needed for debugging and service quality

Legal Holds

  • Data subject to legal holds or investigations: As required

10.3 Deletion Procedures

When retention periods expire or upon valid deletion requests:

  • Production systems: Immediate deletion or anonymization
  • Backups: Removed in next backup rotation cycle (maximum 90 days)
  • Archives: Deleted or returned as applicable

11. YOUR PRIVACY RIGHTS

11.1 Universal Rights

Regardless of location, you can:

  • Access your personal data and receive a copy
  • Correct inaccurate or incomplete information
  • Delete your data (subject to legal requirements)
  • Object to certain processing activities
  • Withdraw consent where processing is consent-based
  • Lodge complaints with supervisory authorities

11.2 Jurisdiction-Specific Rights

California (CCPA/CPRA)

  • Know what personal information we collect, use, and share
  • Opt-out of sale/sharing (we don’t sell, but you can opt-out of sharing)
  • Non-discrimination for exercising privacy rights
  • Correction of inaccurate information
  • Limit use of sensitive personal information

Quebec (Law 25)

  • Data portability in commonly used format
  • Right to de-indexing in certain cases
  • Right to know about automated decisions
  • Right to confidentiality incident notifications

Other Jurisdictions We respect privacy rights under applicable laws in all jurisdictions where we operate.

11.3 How to Exercise Your Rights

Submit Requests

  • Email: privacy@quintix.ai
  • Mail:
    Attn: Privacy Officer
    1255 Peel St, Suite 1000, Montreal, QC H3B 2T9

Verification Process

  • We verify identity before processing requests
  • May request additional information for verification
  • Use authorized agents with proper documentation

Response Timeline

  • Acknowledgment: Promptly
  • Response: Within 30-45 days (may extend once by 30 days for complex requests)
  • Appeals: Available if request denied

11.4 Limitations on Rights

We may not be able to honor requests that:

  • Require disproportionate effort
  • Risk others’ privacy
  • Conflict with legal obligations
  • Interfere with legal claims
  • Relate to data we process as a processor (contact the controller)

12. CHILDREN’S PRIVACY

12.1 Age Requirements

  • Our Services are not intended for children under 18
  • We do not knowingly collect data from individuals under 18
  • Users must be at least 18 years old to use our Services

12.2 Parental Controls

If you believe a child under 18 has provided us with personal data:

  • Contact us immediately at privacy@quintix.ai
  • We will promptly delete such information
  • We will take steps to prevent future collection

12.3 Educational Programs

For educational programs involving minors:

  • We obtain parental/guardian consent
  • We collect minimal necessary information
  • We implement additional safeguards

13. CALIFORNIA PRIVACY RIGHTS

13.1 CCPA/CPRA Disclosures

Categories of Personal Information Collected: See Section 2
Sources: Directly from you, automatically, third parties
Business Purposes: See Section 4
Categories Disclosed: Service providers, legal requirements
Categories Sold: None
Categories Shared for Cross-Context Behavioral Advertising: Analytics (with opt-out)

13.2 Sensitive Personal Information

We may collect:

  • Account login credentials
  • Payment card information
  • Government ID (only when legally required)
  • Content of communications

Use is limited to providing Services and as legally permitted.

13.3 Retention

See Section 10 for retention periods by category.

13.4 California Shine the Light

California residents may request information about disclosures to third parties for direct marketing (we don’t make such disclosures).

14. REGION-SPECIFIC PROVISIONS

14.1 Quebec, Canada

CAI: Commission d’accès à l’information du Québec
Privacy Officer: Available at privacy@quintix.ai
Confidentiality Incidents: Notification as required by Law 25
Biometric Data: We do not collect biometric characteristics

14.2 Other Canadian Provinces

PIPEDA Compliance: We strive to comply with federal privacy law
Provincial Laws: We strive to comply with applicable provincial requirements

14.3 International Users

If you are accessing our Services from outside Canada, please note that your information will be transferred to and processed in Canada and the United States, which may have different data protection laws than your jurisdiction. By using our Services, you consent to this transfer and processing.

15. THIRD-PARTY SERVICES AND CONTENT

15.1 Third-Party Integrations

When you connect third-party services to your account:

  • We access only the information necessary for the integration to function
  • Your use of those third-party services remains subject to their terms and privacy policies
  • You can usually revoke our access to third-party services in your account settings

15.2 Embedded Content

Our Services may include embedded content (videos, widgets) that:

  • May place cookies
  • May track interactions
  • Are governed by the third party’s privacy policy

15.3 Links to Other Sites

We’re not responsible for privacy practices of linked sites. Review their policies before providing information.

16. PRIVACY POLICY UPDATES

16.1 Notification of Changes

We may update this Privacy Policy from time to time. For material changes, we will notify you via email. For minor changes, we will update the policy with a new effective date. Continued use after changes constitutes acceptance.

17. CONTACT INFORMATION

17.1 Privacy Officer

QUINTIX AI INC. Attn: Privacy Officer 1255 Peel St, Suite 1000 Montreal, QC H3B 2T9 Canada

Email: privacy@quintix.ai
Website: https://quintix.ai/privacy

17.2 Supervisory Authorities

If we cannot resolve your privacy concerns, you may contact:

Quebec: Commission d’accès à l’information du Québec
Canada (Federal): Office of the Privacy Commissioner of Canada
California: California Privacy Protection Agency
Other Jurisdictions: Your local privacy regulator

17.3 Response Commitment

We commit to:

  • Acknowledge privacy inquiries promptly
  • Provide substantive responses within 30-45 days as required by law
  • Handle privacy matters responsibly
  • Continuously improve our privacy practices

This Privacy Policy forms part of our comprehensive privacy framework. For complete information about our data practices, please also review our Terms & Conditions and Cookie Policy.