Privacy Policy
Last updated: January 2025
Your Privacy Matters
QolinAI is built on the principle of Privacy-by-Design. We process all data in compliance with the EU General Data Protection Regulation (GDPR) and host all services exclusively within the European Union.
1. Controller and Data Protection Officer
Controller:
Rubinshelf MarTech Initiatives SL
Av. de Princep Benlloch 26-30
AD500 Andorra la Vella
Principality of Andorra
Email: privacy@qolinai.com
Data Protection Officer:
Email: dpo@qolinai.com
2. Overview of Data Processing
2.1 General Principles
QolinAI processes personal data only to the extent necessary to provide our AI management services. We implement:
- Data Minimization: We collect only essential data
- Purpose Limitation: Data is used only for specified purposes
- Storage Limitation: Data is retained only as long as necessary
- Pseudonymization: Sensitive data is pseudonymized before AI processing
- Encryption: All data is encrypted in transit and at rest
2.2 Types of Data We Process
Depending on your use of our services, we may process:
- Account Data: Name, email address, company name, role
- Usage Data: Login times, feature usage, system interactions
- Content Data: Documents uploaded, chat conversations, AI queries
- Technical Data: IP addresses, browser type, device information
- Payment Data: Billing address, payment method (processed by third-party payment providers)
3. Legal Basis for Processing
We process personal data based on the following legal grounds:
- Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide our services
- Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent
- Legitimate Interest (Art. 6(1)(f) GDPR): For security, fraud prevention, and service improvement
- Legal Obligation (Art. 6(1)(c) GDPR): To comply with legal requirements
4. Data Processing Activities
4.1 Website Usage
Data Collected: IP address, browser type, referring URL, pages visited, timestamps
Purpose: Website operation, security, analytics
Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR)
Retention: 90 days
4.2 Account Registration and Management
Data Collected: Name, email, company name, role, password (hashed)
Purpose: Account creation, authentication, service provision
Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
Retention: Duration of contractual relationship plus statutory retention periods
4.3 AI Service Usage
Data Collected: User queries, uploaded documents, chat histories, AI model interactions
Purpose: Service provision, AI processing, quality improvement
Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
Special Protection:
- Sensitive data is automatically pseudonymized before AI processing
- Encryption keys are managed separately (BYOK option available)
- Data is not used to train third-party AI models
- Complete audit trails for all data access
Retention: According to customer settings; minimum 30 days for audit purposes
4.4 Payment Processing
Data Collected: Billing address, payment information
Purpose: Payment processing, invoicing
Legal Basis: Contract performance (Art. 6(1)(b) GDPR)
Third-Party Processors: Payment data is processed by certified payment providers (Stripe, PayPal)
Retention: 10 years (legal obligation for accounting)
4.5 Customer Support
Data Collected: Contact information, support requests, communication history
Purpose: Customer support, issue resolution
Legal Basis: Contract performance and legitimate interest (Art. 6(1)(b) and (f) GDPR)
Retention: 3 years after case closure
5. Data Sharing and Third Parties
5.1 Hosting and Infrastructure
All QolinAI services are hosted exclusively in EU data centers:
- Cloud Hosting: [EU Cloud Provider Name], Germany
- Database Services: Hosted in EU (Germany/France)
- CDN Services: EU nodes only
5.2 Third-Party Service Providers
We work with the following categories of processors:
- Payment Processing: PayPal (Luxembourg)
- Email Services: [EU Email Provider]
- Analytics: Self-hosted Matomo (no data sharing with third parties)
All third-party processors are bound by Data Processing Agreements (DPAs) and comply with GDPR requirements.
5.3 No Data Transfer Outside EU
Important: QolinAI does not transfer any personal data outside the European Economic Area (EEA). All data processing occurs within EU jurisdiction.
6. AI Model Processing and Data Protection
6.1 AI Model Architecture
QolinAI uses a combination of:
- Self-hosted open-source AI models (fully under our control)
- EU-based AI service providers with GDPR-compliant agreements
6.2 Privacy-by-Design Features
- Automatic Pseudonymization: Personal data is pseudonymized before AI processing
- Separate Key Management: Encryption keys stored separately from data
- BYOK Support: Enterprise customers can bring their own encryption keys
- No Model Training: Customer data is never used to train AI models
- Data Isolation: Complete tenant isolation in multi-tenant deployments
6.3 Data Retention in AI Processing
- AI query data: Retained according to customer settings (default: 90 days)
- Audit logs: 1 year minimum for compliance purposes
- Training data: Not applicable (we don't train on customer data)
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
7.1 Right of Access (Art. 15 GDPR)
You can request information about personal data we process about you, including copies of your data.
7.2 Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure (Art. 17 GDPR)
You can request deletion of your personal data under certain conditions.
7.4 Right to Restriction (Art. 18 GDPR)
You can request restriction of processing under certain conditions.
7.5 Right to Data Portability (Art. 20 GDPR)
You can receive your personal data in a structured, machine-readable format and transfer it to another controller.
7.6 Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interest or for direct marketing purposes.
7.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, you can withdraw consent at any time.
7.8 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@qolinai.com
- Via your account settings (for data access and portability)
We will respond to your request within 30 days.
8. Data Security Measures
We implement comprehensive technical and organizational measures:
8.1 Technical Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Regular security audits and penetration testing
- Multi-factor authentication (MFA)
- Automated backup and disaster recovery
- Intrusion detection and prevention systems
- Regular security updates and patch management
8.2 Organizational Measures
- Information security management system
- Employee training on data protection
- Strict access controls and need-to-know principle
- Incident response procedures
- Regular risk assessments
9. Cookies and Tracking
Our website uses minimal cookies:
9.1 Essential Cookies
Required for website functionality (session management, security). No consent required.
9.2 Analytics Cookies
We use self-hosted Matomo analytics. These cookies require your consent and:
- Are not shared with third parties
- Anonymize IP addresses
- Don't track across websites
9.3 Managing Cookies
You can manage cookie preferences via our cookie banner or browser settings.
10. Data Retention
We retain personal data only as long as necessary:
- Account data: Duration of contract plus statutory retention periods
- Usage logs: 90 days (security purposes)
- Audit logs: 1 year (compliance)
- Invoices: 10 years (legal requirement)
- Support tickets: 3 years
- Customer content: According to customer settings or until account deletion
11. Children's Privacy
QolinAI is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes via:
- Email notification to your registered email address
- Prominent notice on our website
- In-app notification
13. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. As we operate from Andorra with services in the EU, you may contact the data protection authority in your EU member state or the Andorran Data Protection Agency (APDA).
Andorran Data Protection Agency (APDA)
Carrer de la Vall, 60
AD500 Andorra la Vella
Principality of Andorra
Website: www.apda.ad
14. Contact Us
For questions about this Privacy Policy or our data practices:
Privacy Team
Rubinshelf MarTech Initiatives SL
Email: privacy@qolinai.com
Questions about your data?
We're committed to transparency. Contact our privacy team anytime at privacy@qolinai.com.