Privacy Policy
Last Updated: July 5, 2026
quaer.ai respects your privacy. This Privacy Policy explains what data we collect, how we use it, and the choices you have.
1. Data We Collect
Account Data
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account identification, notifications | Until deletion |
| Name | Personalization, billing | Until deletion |
| Password hash | Authentication (bcrypt, 12 rounds) | Until deletion |
| GitHub ID | OAuth login (optional) | Until deletion |
Usage Data
| Data | Purpose | Retention |
|---|---|---|
| API request logs | Rate limiting, abuse prevention | 90 days |
| Query content | NOT LOGGED — search queries are not stored after results are returned | N/A |
| Audit logs | Security, enterprise compliance | 7 years |
| IP address | Rate limiting, security | 90 days |
BYOK Data
| Data | Protection |
|---|---|
| LLM API key (OpenAI/Anthropic) | AES-256-GCM encrypted at rest, decrypted on-demand, never logged, never cached in plaintext |
2. How We Use Data
- Service provision: Authenticate users, enforce rate limits, process billing
- Security: Detect unauthorized access, monitor for abuse, maintain audit trails
- Communication: Transactional emails (billing, security alerts) — no marketing without opt-in
What We Do NOT Do: We do NOT sell your data. We do NOT share query content. We do NOT use your legal queries to train AI models. We do NOT log query content after results are returned.
3. Third-Party Services
| Service | What They Process |
|---|---|
| Stripe | Payment processing (card numbers, billing) |
| Cloudflare | CDN, DNS, DDoS protection, hosting |
| Resend / SendGrid | Transactional email delivery |
| GitHub | OAuth authentication (optional) |
4. Data Security
- In transit: TLS 1.3 (HTTPS) on all connections
- At rest: Database encrypted, BYOK keys use AES-256-GCM
- API keys: Hashed with SHA-256 (raw keys never stored)
- Passwords: Hashed with bcrypt (12 rounds)
- Security headers: CSP, HSTS, X-Frame-Options: DENY, nosniff, Referrer-Policy
5. Your Rights
- Access & Portability: Request a copy of your data — provided within 30 days in machine-readable format
- Deletion: Delete your account from Settings → Account → Delete. Removes email, API keys, saved data. Billing records retained 7 years (tax compliance).
- California (CCPA/CPRA): Right to know, delete, opt out of sale (we don't sell data), non-discrimination
- Other States: VA (VCDPA), CO (CPA), CT (CTDPA), UT (UCPA) residents have similar rights
6. Cookies
We use only essential cookies for authentication (authjs.session-token). We do NOT use tracking, advertising, or analytics cookies. No Google Analytics, no Facebook Pixel.
7. International Users
EU/UK Residents: quaer.ai is not yet GDPR-compliant. EU residents should not use the Service until GDPR compliance is implemented.
8. Data Breach Notification
In the event of a data breach, we will notify affected users within 72 hours, notify state attorneys general as required, and provide remediation details.
9. Contact
Privacy inquiries: [email protected]
This document is a draft prepared for quaer.ai. It should be reviewed by a licensed attorney before publication.