Skip to content

Latest commit

 

History

History
134 lines (82 loc) · 9.79 KB

privacy-and-compliance.mdx

File metadata and controls

134 lines (82 loc) · 9.79 KB
title icon
Privacy & Compliance
shield

At Quivr, we prioritize the security and privacy of our users. This document outlines our commitment to privacy and compliance, detailing our security measures, telemetry use, row-level policy enforcement, local data handling, and compatibility with various Language Learning Models (LLMs).

Open-Source Security Model

Quivr is built on an open-source model, allowing for transparency and community-driven security enhancements. Our codebase is publicly available for review, ensuring that security experts can audit and contribute to our security practices.

Responsible Use of Telemetry

Telemetry data is used to improve user experience and product performance. We collect minimal data necessary for these purposes, ensuring it is anonymized and securely stored. Users have the option to opt-out of telemetry collection.

Row-Level Policy Enforcement

Security is enforced at the database level through row-level policies. This ensures that data access is strictly controlled, with users only able to access data they are explicitly permitted to view or modify.

Local Data Handling

All data processed by Quivr remains local, ensuring that no data is sent outside without explicit user consent. This local-first approach guarantees data privacy and sovereignty.

Compatibility with Any LLM

Quivr is compatible with any Language Learning Model, including local server-run models. This flexibility allows users to choose the most suitable model for their needs, whether it's for privacy reasons or specific feature requirements.

SOC2 Compliance

Through our partnership with Porter & Oneleet, we offer SOC2 compliance within 90 days for instances managed by Quivr. This demonstrates our commitment to maintaining high standards of security and data protection.

Our Role in Your Privacy

If you are a Quivr customer, user, employee, applicant, or just visiting our website, this policy applies to you.

Our Responsibilities

If you are a registered customer of Quivr, we act as the ‘data controller’ of personal data about you and your use of Quivr, but as the ‘data processor’ of personal data in the information you put into Quivr (like information about your users, etc.).

Your Responsibilities

  • Read this Privacy Policy.
  • If you are our customer, please also check the contracts between us: they may contain further details on how we collect and process your data.
  • If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorize us to process it on your behalf in accordance with this Privacy Policy.

When and How We Collect Data

From the first moment you interact with Quivr, we are collecting data. Sometimes you provide us with data, and sometimes we collect data about you, either automatically or from other sources, like publicly available websites or from a trusted data supplier.

Types of Data We Collect

  • Contact Details: Your name, address, telephone number, email address.
  • Financial Information: Your credit/debit card details.
  • Data that Identifies You: Your IP address, login information, browser type and version, time zone setting, browser plug-in types, geolocation information, operating system and version, etc.
  • Data on How You Use Quivr: Your URL clickstreams, products/services viewed, page response times, download errors, how long you stay on our pages, what you do on those pages, how often, and other actions.

Sensitive Data

We don’t collect any "sensitive data" about you (like racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, data about your sexual life or orientation, and offenses or alleged offenses) except when we have your specific consent, or when we have to comply with the law.

Children’s Data

Quivr is a business-to-business service directed to and intended for use only by those who are 16 years of age or over. We do not target Quivr at children, and we do not knowingly collect any personal data from any person under 16 years of age.

How and Why We Use Your Data

Data protection law means that we can only use your data for certain reasons and where we have a legal basis for doing so.

Reasons for Processing Your Data

  • Keeping Quivr Running: Log in and authentication, processing payments.
    • Legal Basis: Contract + Legitimate Interests
  • Improving Quivr: Testing features, interacting with feedback platforms and questionnaires, managing landing pages, heat mapping our site, traffic optimization and data analysis and research, including profiling and the use of machine learning and other techniques over your data and in some cases using third parties to do this.
    • Legal Basis: Contract + Legitimate Interests
  • Customer Support: Notifying you of any changes to our service, solving issues via live chat support, phone or email, including any bug fixing.
    • Legal Basis: Contract
  • Newsletter and Event Invitations (with your consent): Sending you emails and messages about events and new features, products and services, and content.
    • Legal Basis: Consent
  • Applicant and Employee Data: We will use and retain the personal data of our employees to enable us to run our business and manage our relationship with you effectively, lawfully and appropriately while you are working for us.
    • Legal Basis: Contract

Legal Bases Explained

  • Consent: You have given clear consent for us to process your personal data for a specific purpose.
  • Contract: Processing your data is necessary for a contract you have with us, or because you have asked us to take specific steps before entering into that contract.
  • Legitimate Interests: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests.

Your Privacy Choices and Rights

Your Choices

  • You can choose not to provide us with personal data: If you choose to do this, you can continue to use the website and browse its pages, but we will not be able to process transactions without personal data.
  • You can ask us not to use your data for marketing: We will inform you (before collecting your data) if we intend to use your data for marketing and if third parties are involved. You can opt out from marketing by emailing us at [email protected].

Your Rights

You can exercise your rights by sending us an email at [email protected].

  • Right to Access: You have the right to access information we hold about you.
  • Right to Correct: You have the right to make us correct any inaccurate personal data about you.
  • Right to Object: You can object to us using your data for profiling you or making automated decisions about you.
  • Right to Port: You have the right to port your data to another service.
  • Right to be Forgotten: You have the right to be ‘forgotten’ by us.
  • Right to Lodge a Complaint: You have the right to lodge a complaint regarding our use of your data.

How Secure is the Data We Collect?

We have put in place reasonably appropriate security measures designed to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. These measures include:

  • Encryption: All data is encrypted both in transit and at rest using industry-standard encryption protocols.
  • Access Controls: Strict access controls are in place to ensure that only authorized personnel can access your data. This includes multi-factor authentication and role-based access controls.
  • Regular Audits: We conduct regular security audits and vulnerability assessments to identify and mitigate potential risks.
  • Incident Response: A robust incident response plan is in place to quickly address any security breaches or incidents.
  • Employee Training: All employees undergo regular training on data protection and security best practices.

We limit access to personal data only to those employees, agents, contractors, and third parties who have a business need-to-know.

Where Do We Store the Data?

Quivr is a global service with primary storage of your information in the United States and the EEA. To facilitate our global operations, we may process personal information from around the world, including from other countries in which Quivr has operations, employees, or in the data processing facilities operated by the third parties identified below.

How Long Do We Store Your Data?

If you’ve been a Quivr customer, we’ll delete your personal data from our systems six years after you stop being a Quivr customer. We keep the information in this time in case there are any legal claims relating to your time as a customer.

Third Parties Who Process Your Data

We partner with third parties who we believe are the best in their field at what they do. When we do this, sometimes it is necessary for us to share your data with them in order to get these services to work well. Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Policy.

No Cookies and Dedicated Instances

We do not use cookies on our website. If you contract with us for a dedicated instance, there will be no data collection on our side. Data collection only occurs on the hosted version of Quivr.com.

By adhering to these principles, Quivr ensures a secure, private, and compliant environment for all users. Our commitment to transparency, rigorous security practices, and user-centric design ensures that Quivr remains a trusted platform for all your data privacy and compliance needs.