Privacy Policy

Last Updated: October 17, 2025

Version 1.0

Quixyl ("we," "us," "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our document extraction and AI normalization service ("Service").

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

1. Information We Collect

1.1 Information You Provide

Account Information: When you create an account, we collect:

  • Name (first and last name)
  • Email address
  • Password (encrypted)
  • Company name (optional)
  • Payment information (processed securely by Stripe)

OAuth Authentication: If you sign in using LinkedIn OAuth, we collect:

  • Profile information (name, email, profile picture)
  • LinkedIn user ID

1.2 Content You Upload

Document Data: When you use the Service, we collect and process:

  • Documents you upload (PDF, images, forms)
  • Extracted text and data from OCR processing
  • AI-normalized structured data
  • Custom templates and schemas you create
  • Tags, notes, and metadata you add
  • Document processing history and audit logs

1.3 Automatically Collected Information

Usage Data: We automatically collect:

  • IP address and device information
  • Browser type and version
  • Operating system
  • Pages visited and features used
  • Time and date of access
  • Referring URLs
  • Usage patterns and performance metrics

Cookies and Tracking: We use cookies and similar technologies for:

  • Authentication and session management
  • Preference storage
  • Analytics and performance monitoring
  • Security and fraud prevention

2. How We Use Your Information

2.1 Service Provision

We use your information to:

  • Provide, operate, and maintain the Service
  • Process and analyze your documents using enterprise-grade OCR technology
  • Normalize extracted data using advanced AI language models
  • Store and manage your documents and templates
  • Enable exports and API access
  • Track usage quotas and enforce subscription limits

2.2 Account Management

  • Create and manage your account
  • Process subscription payments and billing
  • Send account-related communications
  • Provide customer support
  • Authenticate and authorize access

2.3 Service Improvement

  • Analyze usage patterns and performance
  • Improve and optimize the Service
  • Develop new features and functionality
  • Conduct research and analytics

2.4 Communications

  • Send service updates and announcements
  • Respond to inquiries and support requests
  • Send marketing communications (with your consent)
  • Notify you of policy changes

2.5 Security and Compliance

  • Detect and prevent fraud and abuse
  • Monitor security threats
  • Comply with legal obligations
  • Enforce our Terms of Service

3. Third-Party Services and Data Sharing

3.1 Third-Party Service Providers

We use the following third-party services to operate the Service:

Enterprise OCR Provider

  • Purpose: Document intelligence, OCR extraction, and analysis
  • Data Shared: Documents you upload for processing
  • Security: SOC 2 Type II certified, enterprise-grade encryption
  • Data Retention: Processed immediately and not retained by provider

AI Language Model Provider

  • Purpose: Intelligent data normalization and structuring
  • Data Shared: Extracted text and templates for normalization
  • Security: Enterprise API with strict data privacy controls
  • Data Retention: Customer data is not used for model training

Cloud Database Provider

  • Purpose: Secure data storage and management
  • Data Shared: All account and document data
  • Security: AES-256 encryption at rest, SOC 2 compliant
  • Data Location: EU region (GDPR compliant)

Stripe

  • Purpose: Payment processing and subscription management
  • Data Shared: Payment information, billing details
  • Privacy Policy: Stripe Privacy Policy
  • PCI Compliance: Stripe is PCI DSS Level 1 certified

3.2 When We Share Information

We may share your information in the following circumstances:

  • With Your Consent: When you explicitly authorize sharing
  • Service Providers: With vendors who perform services on our behalf
  • Legal Requirements: To comply with law, court orders, or legal process
  • Business Transfers: In connection with merger, acquisition, or asset sale
  • Protection: To protect rights, property, or safety of us, users, or others

3.3 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information or document content to third parties for their marketing purposes.

4. Data Security

4.1 Security Measures

We implement industry-standard security measures to protect your information:

  • Encryption:
    • Transport Layer: TLS 1.3 encryption for all data in transit
    • Database: PostgreSQL with encryption at rest via managed hosting
    • Field-Level: AES-256-GCM authenticated encryption for sensitive document data (invoice contents, financial information, and extracted PII)
  • Access Controls: Role-based access controls and authentication requirements
  • Password Protection: Passwords are hashed using bcrypt
  • PII Redaction: Optional automated redaction of personally identifiable information (PII) including:
    • Email addresses, phone numbers, and Social Security numbers
    • Credit card numbers, passport numbers, and driver's license IDs
    • Physical addresses, dates of birth, and medical record numbers
    • IP addresses, account numbers, and tax IDs
    • Redaction modes: mask (asterisks), remove (null), hash (one-way encryption), or partial (first/last char)
    • Template-based configuration for selective category and field-level redaction
    • Full audit trail with detection confidence scores and redaction summaries
  • File Processing: Uploaded files are processed immediately and never stored permanently, reducing data exposure risk
  • Security Monitoring: Continuous monitoring for threats and vulnerabilities
  • Regular Audits: Periodic security assessments and penetration testing
  • Data Isolation: User data is logically separated and scoped

4.2 Data Security Limitations

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you promptly of any confirmed data breaches as required by law.

5. Data Retention and Deletion

5.1 Retention Period

We retain your information for as long as:

  • Your account is active
  • Needed to provide the Service
  • Required to comply with legal obligations
  • Necessary to resolve disputes
  • Appropriate for legitimate business purposes

5.2 Data Deletion

When you delete your account:

  • Your personal information and documents will be deleted or anonymized within 90 days
  • Some information may be retained in backup systems for up to 180 days
  • Aggregated, anonymized data may be retained indefinitely
  • Data may be retained longer if required by law

5.3 Request Deletion

You can request immediate deletion of your data by contacting privacy@quixyl.com. We will respond within 30 days.

6. Your Privacy Rights

6.1 GDPR Rights (EEA, UK, Switzerland Users)

Under GDPR, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we process your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with your data protection authority

6.2 CCPA Rights (California Users)

Under CCPA, California residents have the right to:

  • Know: Request disclosure of personal information we collect, use, and disclose
  • Delete: Request deletion of your personal information
  • Opt-Out: Opt out of the sale of personal information (note: we do not sell personal information)
  • Non-Discrimination: Not be discriminated against for exercising your rights

6.3 How to Exercise Your Rights

To exercise any of these rights, contact us at:

  • Email: privacy@quixyl.com
  • Account Settings: Update your information directly in the Service
  • Response Time: We will respond within 30 days

We may ask you to verify your identity before processing requests.

7. International Data Transfers

7.1 Data Location

The Service is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States.

7.2 Data Transfer Mechanisms

For transfers from the EEA, UK, or Switzerland, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Your explicit consent to the transfer

8. Cookies and Tracking Technologies

8.1 Types of Cookies

We use the following types of cookies:

  • Essential Cookies: Required for authentication and basic functionality
  • Performance Cookies: Collect usage statistics to improve the Service
  • Functional Cookies: Remember your preferences and settings
  • Security Cookies: Detect and prevent security threats

8.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may impair Service functionality.

9. Children's Privacy

The Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child, please contact us immediately at privacy@quixyl.com.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date
  • Sending an email notification to your registered email
  • Displaying a prominent notice on the Service

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

11. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights, contact us:

Quixyl

Data Protection Officer

Email: privacy@quixyl.com

General Inquiries: support@quixyl.com

EEA Representative: For users in the European Economic Area, you can contact our EU representative at eu-representative@quixyl.com.

Data Processing Summary

What We Collect

  • Account information
  • Documents you upload
  • Usage data and analytics
  • Payment information (via Stripe)

How We Use It

  • Provide OCR and AI normalization
  • Manage your account
  • Improve the Service
  • Comply with legal obligations

Who We Share With

  • Enterprise OCR provider (document processing)
  • AI language model provider (data normalization)
  • Cloud database provider (data storage)
  • Stripe (payment processing)

Your Rights

  • Access your data
  • Correct inaccuracies
  • Request deletion
  • Export your data