Iqidis Privacy & Data Policy
Last Updated: August 25, 2025
Owner: Legal & Security, Iqidis, Inc.
Contact: security@iqidis.ai
1. Introduction
Iqidis, Inc. (“Iqidis,” “we,” “us,” or “our”) is committed to protecting your privacy and safeguarding your information. This Privacy & Data Policy explains how we collect, use, disclose, secure, and retain information when you use our legal AI services, our website at https://iqidis.ai, and any related applications or services (collectively, the “Services”). By accessing or using the Services, you agree to the practices described here. If you do not agree, please discontinue use of the Services. This Policy complements and should be read together with our Terms of Service, Acceptable Use Policy, and Service Providers & Subprocessors Policy.
1.1 Scope and Audience
This Policy applies to (i) enterprise customers and their authorized users, (ii) visitors to our website and marketing properties, and (iii) prospective customers who engage with us through demos, events, or forms.
1.2 Roles & Ownership (Controller/Processor)
- Enterprise Use. For Customer Content and Customer Data processed on behalf of enterprise customers, you (the customer) are the data controller/owner of your data and Iqidis is your data processor/service provider acting solely on your documented instructions. We are not a custodian or data owner of your Customer Content. Ownership of your Customer Content and Output remains with you, as further described in the Terms of Service.
- Website & Marketing. For website/marketing interactions (e.g., newsletter sign‑ups), Iqidis acts as data controller of that contact/admin data as described in this Policy.
1.3 Definitions
- Customer Content: Files, documents, text, prompts, and other content you or your users provide to the Services for processing, including resulting Output.
- Customer Data: Personal and account information needed to administer your use of the Services (e.g., user identity, billing, settings).
- Telemetry: Limited behavioral/interaction metadata (e.g., UI clicks, navigation flows, request timing, status/error codes, coarse device/browser metadata) used to ensure reliability, security, and abuse detection—not prompts, model outputs, or uploaded documents/files.
2. Information We Collect
2.1 Information You Provide
- Account & Profile: Name, email, firm/organization, role, and authentication data.
- Payment/Billing: Processed by trusted payment providers (we do not store full payment card details).
- Customer Content: Documents and other materials you upload or input to use the Services.
- Support/Feedback: Content of support tickets, feature requests, or product feedback.
2.2 Information Collected Automatically
- Telemetry (content‑free): We collect minimal operational telemetry that excludes Customer Content and excludes uploaded user content. Telemetry is limited to behavioral/interaction metadata (e.g., UI events/clicks, navigation flows, request timing, status/error codes, coarse device/browser metadata) to improve reliability, security, and detect abuse. Telemetry does not include prompts, model outputs, or uploaded documents/files.
- Device/Log Data: IP address, device and browser type, operating system, general geolocation (city/country), and timestamps to secure and operate the Services.
2.3 Information from Third Parties
We may receive limited information from (i) security/fraud prevention partners, (ii) marketing/event platforms, and (iii) analytics vendors, consistent with this Policy.
2.4 Publicly Available Information
We may use public legal sources (e.g., court rulings, filings) to develop and improve our platform, in compliance with applicable law, without processing data restricted by confidentiality or contract.
3. How We Use Information
- Service Delivery & Improvement: To provide, maintain, secure, and enhance the Services (including availability, performance, and feature improvements).
- AI Processing & Orchestration: To run our in‑house Knowledge Graph (KG), Retrieval‑Augmented Generation (RAG), and orchestration services and, where necessary, to perform scoped inference using third‑party models as described in Section 4.
- Support & Communications: To provide customer support, notifications, updates, and product information.
- Payments & Transactions: To process billing, subscriptions, and account matters.
- Security & Compliance: To prevent fraud, abuse, and misuse; to comply with laws and enforce our terms.
- Analytics (content‑free): To understand general usage patterns without analyzing Customer Content.
4. How Our AI Processes Your Data (Hybrid Architecture)
4.1 Local‑First, In‑House Processing
By default, requests are handled in‑house by Iqidis within Iqidis‑controlled infrastructure using our KG/RAG and orchestration layers. Customer Content is stored and processed within your organization’s dedicated Iqidis tenant and per‑user profile containers—not pooled or commingled with other customers or matters. We do not use Customer Content to train models.
4.2 Selective, Discrete Subprocessor Inference (If Needed)
For certain discrete aspects of a query (e.g., language polish, format transformation, translation, or general‑knowledge reasoning), our orchestrator may invoke a subprocessor (e.g., OpenAI, Anthropic, Google) for inference only. We disable vendor caching/retention, apply data minimization (often redaction/abstraction and least‑necessary context), and contractually require no training on Customer Content. Many requests are satisfied entirely in‑house without any external call.
4.3 Ephemeral Model Calls; No Training on Your Data
Third‑party model calls are stateless and ephemeral: prompts/outputs are not retained by vendors, and Customer Content is never used to train Iqidis or third‑party models. Internally, any temporary access for support/troubleshooting is purpose‑limited and deleted or anonymized consistent with Section 6 (Retention).
4.4 Why This Differs From “ChatGPT” or Default Cloud LLMs (and Many Legal Providers)
- Default LLM usage often sends entire prompts to a third party and may use default vendor caching/retention.
- Iqidis handles most logic in‑house, segments data per tenant/profile, and uses third‑party models only for narrow, bounded tasks with no training and no retention—reducing exposure and preserving confidentiality.
- Unlike some legal tools that aggregate client data to “improve the model,” Iqidis does not pool or train on your Customer Content. You retain ownership of your data and Output; Iqidis acts solely as your processor/service provider.
5. Legal Bases for Processing (GDPR/UK GDPR)
We process personal data under one or more of the following bases: contract performance, legitimate interests (e.g., service security and improvement), consent (where required), and legal obligations.
6. Data Processing, Storage & Retention
6.1 AI Processing (No Training / No Vendor Retention)
- No training on Customer Content by Iqidis or third‑party models.
- Vendor caching/retention disabled for third‑party inference.
- We do not enable optional vendor features that would store prompts/outputs. (If a customer explicitly requests such a feature for a use case, it will require a separate, written agreement and configuration.)
6.2 In‑House vs. Third‑Party Processing
- In‑House (Default): KG/RAG and orchestration run inside Iqidis‑controlled infrastructure.
- Third‑Party (Selective): If beneficial for a discrete inference step, we send minimal data to the selected model vendor under no‑retention/no‑training controls.
6.3 Limited Access by Authorized Personnel
Authorized personnel may access Customer Content only to resolve technical issues, provide support, ensure operation, or enforce terms, consistent with strict access control and audit logging. Access is purpose‑limited and time‑bound.
6.4 Retention
- Customer Content (Support Cases): Deleted or anonymized within 30 days after issue resolution, unless a longer period is required by law or expressly requested by you for ongoing support.
- Backups: Maintained securely and isolated until deletable.
- Telemetry/Logs: Behavioral/interaction metadata retained for reliability/security; telemetry does not contain prompts, model outputs, or uploaded files.
7. Sharing & Disclosure
We do not sell personal data. We may share data with:
- Service Providers & Subprocessors as necessary to deliver features (see our Service Providers & Subprocessors Policy for current list and commitments, including change‑notice/objection rights).
- Regulators, Legal Authorities, and Advisors as necessary to comply with law, enforce rights, or protect safety.
- Business Transfers (e.g., M&A) subject to this Policy’s protections.
- With Your Consent or at your direction.
8. Security
8.1 Technical & Organizational Measures.
We maintain controls aligned with SOC 2 and ISO 27001 frameworks, including encryption in transit and at rest; least‑privilege access and SSO/IdP; network segmentation and WAF; vulnerability scanning and independent penetration testing; centralized logging and anomaly detection; and secure SDLC practices.
8.2 Data Security Incidents.
If Iqidis becomes aware of a confirmed unauthorized access to or disclosure of Customer Content processed by the Services (a “Data Security Incident”) that is caused by Iqidis’s breach of this Policy or our Security Measures, Iqidis will:
- Notify the Customer without undue delay and no later than 72 hours after becoming aware, unless prohibited by law;
- Provide information reasonably available at the time of notice, including: the nature of the incident, affected data categories, approximate number of data subjects/records affected (if known), likely consequences, and measures taken or proposed to address the incident;
- Investigate, mitigate, and remediate the incident and take reasonable steps to prevent recurrence; and
- Cooperate with Customer’s reasonable requests for additional information needed to meet legal or regulatory obligations (including drafts of regulator/individual notices if required).
8.3 Exclusions.
“Data Security Incident” does not include: (i) unsuccessful or attempted attacks (e.g., pings, scans, DDoS); (ii) events impacting only anonymized/aggregated data or telemetry; (iii) incidents caused by Customer’s configurations, credentials, devices, or third‑party systems not controlled by Iqidis; or (iv) Customer’s breach of the Agreement or AUP.
8.4 Customer Responsibilities (Shared Responsibility).
Customer is responsible for (i) configuring security features (e.g., SSO, MFA, role‑based access), (ii) managing user access/permissions and credential hygiene, (iii) classifying and minimizing sensitive data uploaded to the Services, and (iv) promptly notifying Iqidis of suspected compromise of Customer accounts or credentials.
8.5 Subprocessor Incidents.
Iqidis requires subprocessors to provide equivalent incident notice and cooperation. Iqidis will coordinate the response and relay material updates to Customer where the subprocessor’s processing relates to the Services used by Customer.
8.6 No Public Statements.
Iqidis will not name or make public statements about Customer in connection with a Data Security Incident without Customer’s prior approval, unless required by law or regulator. This does not limit Iqidis’s obligation to provide timely notices to regulators/individuals where legally required.
8.7 Security Contacts.
Security questions and incident reports may be submitted to: security@iqidis.ai (or through Customer’s support channel). For sensitive disclosures, encryption instructions are available on request.
Note on costs/remedies. Iqidis will bear its own reasonable, documented costs to investigate and remediate a Data Security Incident caused by Iqidis. Any indemnification or broader cost allocation (e.g., data‑subject/regulator claims, credit monitoring) is governed by a separate DPA or enterprise agreement, as referenced in Section 9.
9. Data Processing Addendum (DPA) & International Transfers
9.1 DPA (Controller–Processor Terms; Indemnity & Costs).
For controller–processor obligations under GDPR/UK GDPR/CCPA (including Standard Contractual Clauses/UK addendum for international transfers), privacy/security indemnification, and cost allocation relating to Data Security Incidents, see the Iqidis Data Processing Addendum (DPA) available upon request. If there is a conflict between this Policy and the DPA, the DPA controls for the subject matter of that conflict.
9.2 Subprocessors and Change Notice.
Current subprocessors and our 30‑day change‑notice/objection process are described in the Service Providers & Subprocessors Policy.
10. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict/object to processing, portability, and to withdraw consent without affecting prior processing. You may also have the right to lodge a complaint with a supervisory authority. To exercise rights, contact info@iqidis.ai.
11. Automated Decision‑Making
We do not use personal data to make decisions that have legal or similarly significant effects solely through automated processing.
12. International Transfers & Regionalization
Data may be processed in the U.S. and E.U. We use appropriate safeguards (e.g., Standard Contractual Clauses and UK addenda) for cross‑border transfers. Regional routing can be configured on request for applicable features, subject to technical feasibility.
13. Children’s Privacy
We do not knowingly collect data from individuals under 18. If such data is identified, it will be promptly deleted.
14. “Do Not Track”
Our Services do not currently respond to browser “Do Not Track” signals. Please use the controls available in our Cookie Policy to manage non‑essential cookies.
15. Changes to This Policy
We may update this Policy to reflect legal, technical, or business developments. Material changes will be posted with a new effective date, and we will provide reasonable advance notice where appropriate.
16. Contact Us
Iqidis, Inc.
3 Columbus Circle, Floor 15
New York, NY 10019
Email: security@iqidis.ai
By using our Services, you acknowledge that you have read and understood this Privacy & Data Policy and agree to our collection, use, and disclosure of your personal information as described herein.