1. Data Controller
Data Controller: Quorum
Email: [email protected]
Website: https://quorumai.dev
We are responsible for the processing of your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Swedish data protection law.
2. Information We Collect
Account Data
- Email address (required for account creation)
- Name (optional)
- Password (securely hashed using bcrypt, never stored in plaintext)
- Two-Factor Authentication secrets (encrypted, if you enable 2FA)
- Recovery codes (encrypted, if you enable 2FA)
- Account creation and last login timestamps
OAuth Authentication Data
If you sign in using a third-party provider:
- Google OAuth: User ID, email, profile picture URL, name
- GitHub OAuth: Username, email, profile picture URL, user ID
Payment Data (via Stripe)
For paid subscriptions, we collect through our payment processor Stripe:
- Billing name and address
- Payment method details (card last 4 digits, card type)
- Transaction history and amounts
- Stripe Customer ID
- Subscription tier and status
Usage Data
- Discussion questions you submit
- AI models selected and discussion method preferences
- Discussion history and AI-generated responses
- IP addresses, browser user agent, device information
- Timestamps of all activities
API Keys (BYOK Free Tier)
If you use the free tier with your own API keys:
- Your API keys for OpenAI, Anthropic, Google AI, and xAI
- Keys are encrypted using AES-256 with separate encryption keys
- Keys are never stored or logged in plaintext
3. How We Use Your Data
| Data Type | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account credentials | User authentication | Contract performance (Art. 6(1)(b)) |
| Email address | Account recovery, service notifications | Contract performance (Art. 6(1)(b)) |
| OAuth data | Third-party authentication | Consent (Art. 6(1)(a)) |
| Payment information | Billing, subscription management | Contract performance (Art. 6(1)(b)) |
| Discussion content | AI processing, service delivery | Contract performance (Art. 6(1)(b)) |
| Usage analytics | Service improvement, security | Legitimate interest (Art. 6(1)(f)) |
| API keys (BYOK) | Enable user-controlled AI access | Contract performance (Art. 6(1)(b)) |
| IP addresses | Security, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Payment records | Tax and accounting compliance | Legal obligation (Art. 6(1)(c)) |
AI Content Processing
When you submit discussion questions and engage with our AI discussion service, your content is processed by third-party AI providers (OpenAI, Anthropic, Google AI, xAI) to generate responses. This processing is necessary to perform the contract and deliver the services you requested.
For Paid Tier: We use managed API keys. Your content is processed under our commercial agreements with AI providers, which prohibit use of your data for model training.
For Free Tier (BYOK): You provide your own API keys. We transmit your content to AI providers using your keys. We do not have access to these API keys in plaintext.
4. Third-Party Recipients
AI Service Providers
Your discussion content is processed by these AI providers:
- OpenAI (GPT models) - US, EU-US Data Privacy Framework certified
- Anthropic (Claude models) - US, Standard Contractual Clauses (SCCs)
- Google AI (Gemini models) - US, EU-US Data Privacy Framework certified
- xAI (Grok models) - US, Standard Contractual Clauses (SCCs)
Payment Processor
We use Stripe, Inc. as our payment processor. Stripe is based in the United States and is certified under the EU-US Data Privacy Framework.
Stripe processes your payment information on our behalf to handle subscriptions, billing, and transactions. Stripe's use of your personal information is governed by Stripe's Privacy Policy.
Payment Security: We do not store your full credit card numbers on our servers. All payment information is transmitted directly to Stripe using secure, encrypted connections. Stripe is PCI DSS Level 1 certified, the highest level of payment security certification.
Authentication Providers
- Google (for Google Sign-In)
- GitHub (for GitHub Sign-In)
5. OAuth Sign-In Disclosures
Google Sign-In
When you sign in with Google, we access the following information from your Google account:
- Email address (to create and identify your account)
- Profile name
- Profile picture URL
- Google User ID (for authentication purposes)
We use this information solely for authentication and account management. We do not:
- Access your Google Drive, Gmail, or other Google services
- Share your Google data with third parties for marketing
- Use your Google data to train AI models
You can disconnect Google access at any time from your Account Settings.
Revoking Access: Visit https://myaccount.google.com/permissions to revoke Quorum's access to your Google account.
Google Privacy Policy: https://policies.google.com/privacy
GitHub Sign-In
When you sign in with GitHub, we collect:
- GitHub username
- Email address (primary or verified email)
- Profile picture URL
- GitHub User ID
We use this information to create and authenticate your Quorum account. We do not access your repositories, code, or other GitHub data beyond basic profile information.
Revoking Access: You can revoke Quorum's access to your GitHub account at any time by visiting https://github.com/settings/applications
GitHub Privacy Policy: GitHub Privacy Statement
6. International Data Transfers
Your personal data may be transferred to the United States by our AI service providers and payment processor. We ensure adequate protection through:
- EU-US Data Privacy Framework for certified providers (OpenAI, Google, Stripe)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Technical measures including encryption in transit and at rest
Transfer Impact Assessment: We have conducted Transfer Impact Assessments (TIAs) as required by the Schrems II decision to confirm that U.S. laws do not undermine the protections afforded by SCCs.
Documentation: Copies of our SCCs and TIA findings are available upon request: [email protected]
7. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
Technical Measures
- Encryption in transit: TLS 1.3 for all connections
- Encryption at rest: AES-256 for sensitive data
- Password hashing: bcrypt with salt
- API key encryption: Separate encryption keys per tenant
- Regular security updates and patching
- Secure coding practices and code reviews
Organizational Measures
- Access controls and role-based permissions
- Employee confidentiality agreements
- Regular security audits
- Incident response procedures
- Data breach notification procedures (within 72 hours)
8. Data Retention
- Account data: Until account deletion + 30 days for backup purging
- Discussion history: Until user deletion or account closure
- Payment records: 7 years (Swedish Bokföringslagen requirement)
- Security logs: 90 days
- Session cookies: Deleted on logout
- BYOK API keys: Deleted immediately upon user request or account deletion
9. Your Rights
Under GDPR, you have the following rights:
- Right of Access (Art. 15) - Request a copy of your personal data. We will respond within 1 month, free of charge for the first request.
- Right to Rectification (Art. 16) - Request correction of inaccurate data.
- Right to Erasure (Art. 17) - Request deletion of your data (exceptions apply for legal obligations, e.g., payment records for tax purposes).
- Right to Restriction (Art. 18) - Request a temporary halt of processing.
- Right to Data Portability (Art. 20) - Receive your data in a machine-readable format (JSON/CSV), including discussion history and account settings.
- Right to Object (Art. 21) - Object to processing based on legitimate interests.
- Right to Withdraw Consent (Art. 7(3)) - Disconnect OAuth, unsubscribe from marketing.
How to Exercise Your Rights
Email: [email protected]
Subject: Data Subject Rights Request
We will respond within 30 days. To verify your identity, we may request additional information.
10. Swedish Supervisory Authority
You have the right to lodge a complaint with the Swedish Data Protection Authority:
Integritetsskyddsmyndigheten (IMY)
Box 8114
104 20 Stockholm
Sweden
Email: [email protected]
Phone: +46 8 657 61 00
Website: https://www.imy.se
You may also lodge a complaint with the supervisory authority in your EU member state of residence.
11. AI Provider Data Practices
OpenAI (GPT Models)
For Paid Tier Users: Your discussion content processed through OpenAI's GPT models is NOT used to train or improve OpenAI's models. According to OpenAI's Business Terms, customer data submitted via the API is treated as confidential.
For BYOK Users: Data usage is governed by your direct agreement with OpenAI and your API tier. Please review OpenAI's API data usage policy.
Data Retention: OpenAI retains API data for up to 30 days for abuse and misuse monitoring, then deletes it (unless legally required to retain).
Human Review: Your content may be subject to review by OpenAI for safety and policy compliance purposes.
Anthropic (Claude Models)
Data Training Prohibition: Under Anthropic's Commercial Terms of Service, your content submitted to Claude models via the API is NOT used to train Anthropic's AI models.
Copyright Indemnification: For Paid Tier users, Anthropic provides copyright indemnification, defending customers from copyright infringement claims related to Claude-generated outputs. This protection does not cover claims arising from your prompts/inputs, modifications you make to outputs, uses that violate Anthropic's terms, or willful misconduct.
Data Retention: Content is automatically deleted within 30 days unless legally required to retain.
Terms: Anthropic Commercial Terms
Google AI (Gemini Models)
For EU/EEA Users: If you are in the EU/EEA, Switzerland, or UK, your data is NOT used for training (same protections as paid tier, regardless of your Quorum tier).
For Paid Tier (Paid Quota): Your inputs and outputs are treated as confidential and are NOT used to train Google's AI models.
Age Requirement: You must be 18 years or older to use Quorum services that integrate with the Gemini API.
Terms: Google Gemini API Terms
xAI (Grok Models)
Data Training Prohibition: xAI does NOT use your content (inputs or outputs) for AI training purposes or to develop new products/services. This applies to all Quorum users (both paid and BYOK).
Data Retention: User content is automatically deleted within 30 days. Exceptions apply for legal requirements and safety/compliance flagging.
Terms: xAI Enterprise Terms
12. BYOK (Bring Your Own Key)
On the free tier, you provide your own API keys for AI providers. This gives you direct control over your AI usage and data.
How BYOK Works
- You provide API keys through our secure interface
- Keys are encrypted using AES-256 with separate encryption keys
- When you submit a discussion, we decrypt your key temporarily in memory
- We make API calls to AI providers using YOUR API key
- AI responses are delivered to you through our platform
- We do NOT have access to your API keys in plaintext at rest
Your BYOK Responsibilities
- Maintaining valid API keys with sufficient quota/credits
- Complying with each AI provider's terms of service
- Understanding each provider's data usage policies for your API tier
- Securing your AI provider accounts
- Revoking API keys if compromised
Our BYOK Responsibilities
- Encrypting your API keys at rest
- Using secure connections (TLS 1.3) for API calls
- Deleting your API keys immediately upon request
- Never using your API keys for purposes other than your requested discussions
- Not logging or storing your API keys in plaintext
Data Usage Under BYOK
When you use BYOK, your data usage is governed by YOUR direct agreement with each AI provider. We act as a technical intermediary. You should review:
Key Deletion
You can delete your API keys at any time from Settings. Upon deletion:
- Keys are immediately removed from active storage
- Keys are purged from backups within 30 days
- All encrypted copies are destroyed
Loss of Keys
We do NOT maintain any alternate means of recovering your encrypted API keys. If you lose access to your API provider accounts, delete your keys from our system, or experience key corruption, you will need to provide new valid keys. We cannot recover lost keys.
Security Recommendations
- Use API keys with restricted permissions (if provider allows)
- Regularly rotate your API keys
- Monitor your API usage on provider dashboards for suspicious activity
- Never share your API keys with others
- Revoke and replace keys immediately if compromised
13. Cookies
We use only essential cookies that do not require consent:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| session_id | Maintains your login session | Session | Essential |
| csrf_token | Security - prevents CSRF attacks | Session | Essential |
| remember_token | Keeps you logged in (if selected) | 30 days | Essential |
We do not use analytics or advertising cookies. A cookie consent banner will be implemented in a future update.
14. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Swedish Data Protection Authority (Integritetsskyddsmyndigheten - IMY) within 72 hours of becoming aware of the breach
- Notify affected users without undue delay if the breach poses a high risk
- Provide information about the nature of the breach, likely consequences, and measures taken to address the breach
Security contact: [email protected]
15. Children's Privacy
Age Requirement: Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
Our AI providers (OpenAI, Anthropic, Google AI, xAI) prohibit use of their services by individuals under 18. We enforce this age requirement across all tiers.
If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Email notification to your registered email address
- Prominent notice on our website for 30 days
Last Updated: December 28, 2025
Contact Us
All inquiries: [email protected]
Processing Records
We maintain comprehensive records of our processing activities as required by GDPR Article 30. These records are available to the Swedish Data Protection Authority (IMY) upon request.
For information about our processing activities, please contact: [email protected]