Privacy Policy

1. Introduction & Scope

FQ Central ("FQ," "we," "us," or "our") is an AI Solutions & Consulting company founded in 2025, headquartered in San Francisco, California. We provide enterprise AI solutions through our SaaS platforms including REVEAL Platform, DMAIC Tool, and ETIA AI Assistant, as well as professional consulting services in AI Strategy, Implementation Support, and Training & Enablement.

This Privacy Policy applies to:

• All visitors to our website (www.fqcentral.com)
• Users of our SaaS platforms (REVEAL, DMAIC Tool, ETIA)
• Clients of our consulting services
• Anyone who communicates with us or provides personal information

By using our services, you acknowledge that you have read and understood this Privacy Policy and consent to our data processing practices as described herein, subject to applicable law.

2. Information We Collect

We collect various types of information to provide and improve our services. The categories of personal data we collect include:

2.1 Personal Identification Information

• Account Information: Name, email address, phone number, job title, company name, billing address
• Authentication Data: Username, password (encrypted), security questions, multi-factor authentication credentials
• Professional Information: Professional credentials, areas of expertise, industry sector
• Payment Information: Credit card details, billing information (processed securely through third-party payment processors)

2.2 Usage Data & Analytics

• Platform Usage: Features accessed, time spent, interaction patterns, user preferences
• Technical Data: IP address, browser type and version, device type, operating system, time zone settings
• Log Data: Access times, pages viewed, page response times, download errors, navigation paths
• Performance Metrics: System performance data, error reports, diagnostic information

2.3 Customer Data & Content

• Speech Data: Audio recordings uploaded for analysis via REVEAL Platform (speech-to-text conversion, sentiment analysis)
• Text Data: Customer interaction transcripts, chat logs, support tickets, feedback submissions
• Business Data: Process documentation, performance metrics, analytics results, custom configurations
• Project Data: DMAIC project information, improvement initiatives, analysis results

2.4 Communication Data

• Correspondence: Emails, chat messages, support requests, feedback, survey responses
• Marketing Communications: Newsletter subscriptions, event registrations, webinar attendance
• Consultation Records: Notes from consulting engagements, meeting recordings (with consent)

2.5 Cookies & Tracking Data

We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities. For detailed information, please see Section 10 (Cookies & Tracking Technologies).

3. How We Use Your Information

We process your personal data for the following lawful purposes, based on legitimate business interests, contractual necessity, legal obligations, or your explicit consent:

3.1 Service Delivery & Platform Operation

• Providing access to and functionality of our SaaS platforms (REVEAL, DMAIC Tool, ETIA)
• Processing and analyzing data through our AI/ML systems
• Delivering consulting services and implementation support
• Managing user accounts and authentication
• Processing payments and managing subscriptions

3.2 Service Improvement & Development

• Analyzing usage patterns to improve platform functionality
• Training and improving our AI/ML models (using aggregated, anonymized data)
• Developing new features and services
• Conducting research and development in AI technologies
• Performance optimization and bug fixing

3.3 Communication & Support

• Responding to inquiries and providing customer support
• Sending service-related notifications and updates
• Providing training and educational resources
• Soliciting feedback and conducting surveys
• Sending administrative information about your account

3.4 Marketing & Business Development

• Sending promotional materials and product updates (with consent)
• Conducting market research and analysis
• Personalizing your experience and recommendations
• Organizing webinars, events, and training sessions

3.5 Security & Legal Compliance

• Detecting and preventing fraud, abuse, and security incidents
• Ensuring platform security and data integrity
• Complying with legal obligations and regulatory requirements
• Enforcing our Terms of Service and other policies
• Protecting our rights, property, and safety

3.6 Legal Basis for Processing (GDPR)

Under GDPR, we process personal data based on the following legal grounds:

• Contractual Necessity: Processing necessary to fulfill our service agreement with you
• Legitimate Interests: Improving services, security, fraud prevention, business analytics
• Legal Obligation: Compliance with applicable laws and regulations
• Consent: Marketing communications, optional features, special processing activities

4. AI & Machine Learning Processing

As an AI-focused company, we utilize advanced machine learning and artificial intelligence technologies to process customer data. This section provides transparency about our AI processing activities in compliance with GDPR, CCPA, and the EU AI Act.

4.1 AI Processing Activities

• Speech Analytics: Converting audio to text and analyzing sentiment, tone, and patterns in customer conversations
• Natural Language Processing: Understanding and processing text data from customer interactions
• Pattern Recognition: Identifying trends, anomalies, and root causes in business processes
• Predictive Analytics: Forecasting outcomes and generating insights based on historical data
• Automated Decision Support: Providing recommendations and insights to support business decisions

4.2 Large Language Models (LLMs) & Small Language Models (SLMs)

We employ both LLMs for comprehensive analysis and SLMs for real-time processing:

• LLM Processing: Advanced speech analytics, deep sentiment analysis, complex pattern recognition
• SLM Processing: Real-time customer insights, instant analytics, continuous monitoring
• Data Privacy: We use privacy-preserving techniques including pseudonymization and data minimization
• Model Training: AI models are trained using aggregated, anonymized data that cannot identify individuals

4.3 Automated Decision-Making & Profiling

• AI-generated insights and recommendations are reviewed and validated by qualified personnel
• Users maintain control over final decisions and actions based on AI outputs
• You have the right to obtain human intervention and contest automated decisions
• We provide explanations of AI-driven recommendations upon request

4.4 AI Model Governance & Transparency

• Data Protection Impact Assessments (DPIAs): Conducted for all high-risk AI processing activities
• Privacy by Design: AI systems built with data protection principles from inception
• Regular Audits: Ongoing monitoring of AI systems for bias, accuracy, and compliance
• Documentation: Comprehensive records of AI processing activities and data flows
• ISO 42001 Compliance: Adherence to international AI management system standards

4.5 Your Rights Regarding AI Processing

You have specific rights related to AI processing of your data:

• Right to be informed about AI processing activities
• Right to object to automated processing and profiling
• Right to request human review of AI-generated decisions
• Right to receive meaningful information about the logic involved in automated processing
• Right to opt-out of certain AI processing activities (where applicable)

5. Data Sharing & Third Parties

We do not sell your personal information to third parties. We may share your data only in the following limited circumstances:

5.1 Service Providers & Processors

We engage trusted third-party service providers to support our operations. These processors are contractually obligated to protect your data and use it only for specified purposes:

• Cloud Infrastructure: Amazon Web Services (AWS), Microsoft Azure for hosting and data storage
• Payment Processing: Stripe, PayPal for secure payment transactions
• Analytics Services: Google Analytics, Mixpanel for usage analytics and performance monitoring
• Communication Tools: SendGrid, Twilio for email and SMS communications
• Customer Support: Zendesk, Intercom for customer service platforms
• Security Services: Cloudflare, Auth0 for security and authentication

5.2 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any such change in ownership or control of your personal information.

5.3 Legal Requirements & Protection

We may disclose personal data when required by law or when we believe disclosure is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service and other agreements
• Protect our rights, property, or safety, or that of our users or the public
• Detect, prevent, or address fraud, security, or technical issues
• Respond to claims of violation of third-party rights

5.4 Aggregated & Anonymized Data

We may share aggregated, anonymized data that cannot reasonably be used to identify you with:

• Research institutions for academic and industry research
• Business partners for market analysis and trends
• The public through reports, whitepapers, and case studies

5.5 Data Processing Agreements

All third-party processors sign comprehensive Data Processing Agreements (DPAs) that include:

• GDPR-compliant Standard Contractual Clauses (SCCs)
• Security and confidentiality obligations
• Data subject rights fulfillment procedures
• Data breach notification requirements
• Audit rights and compliance verification

6. Data Security & Protection

We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

6.1 Technical Security Measures

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), least privilege principle
• Network Security: Firewalls, intrusion detection/prevention systems, DDoS protection
• Vulnerability Management: Regular security scanning, penetration testing, patch management
• Data Backup: Regular automated backups with encryption and geographic redundancy
• Secure Development: Security-focused SDLC, code reviews, dependency scanning

6.2 Organizational Security Measures

• Security Training: Mandatory security awareness training for all employees
• Background Checks: Pre-employment screening for personnel with data access
• Confidentiality Agreements: All employees and contractors sign NDAs
• Incident Response: Documented incident response plan with 24/7 security monitoring
• Access Logging: Comprehensive audit trails of all data access and modifications
• Data Segregation: Logical separation of customer data environments

6.3 Compliance Certifications

Our security program maintains the following certifications and compliance frameworks:

• SOC 2 Type II: Annual attestation for security, availability, and confidentiality
• ISO 27001: Information security management system certification
• ISO 42001: AI management system standard compliance
• GDPR: Full compliance with EU data protection regulation
• CCPA/CPRA: California privacy law compliance

6.4 Data Breach Response

6.5 Limitations of Security

While we implement industry-leading security measures, no system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and should immediately notify us of any unauthorized access to your account.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

7.1 Retention Periods by Data Type

• Account Information: Duration of account plus 90 days after account closure
• Platform Usage Data: 24 months from collection, then aggregated/anonymized
• Customer Speech/Text Data: As specified in service agreement, minimum 30 days retention
• Billing & Payment Records: 7 years for tax and accounting compliance
• Support Communications: 3 years from last interaction
• Marketing Data: Until consent withdrawal or 2 years of inactivity
• Legal/Compliance Records: As required by applicable law (typically 7-10 years)
• Security Logs: 12 months for incident investigation and forensics

7.2 Data Deletion Procedures

When retention periods expire or upon valid deletion requests:

• Personal data is securely and permanently deleted from active systems
• Backups are purged according to our backup retention schedule (maximum 90 days)
• Data is removed from third-party processors and service providers
• Deletion is documented in compliance audit logs
• Anonymized/aggregated data may be retained indefinitely for analytics

7.3 Extended Retention

We may retain data beyond standard retention periods when:

• Required by legal, regulatory, or contractual obligations
• Necessary for litigation, investigation, or dispute resolution
• Essential for security, fraud prevention, or safety purposes
• Explicitly consented to by the data subject

8. Your Privacy Rights

Depending on your location, you may have specific rights regarding your personal data under GDPR, CCPA, and other applicable privacy laws.

8.1 GDPR Rights (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:

• Right to Access: Request copies of your personal data and information about how it's processed
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data under certain circumstances
• Right to Restriction: Request limitation of processing your personal data in specific situations
• Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another controller
• Right to Object: Object to processing based on legitimate interests, direct marketing, or research purposes
• Right to Withdraw Consent: Withdraw consent at any time (without affecting lawfulness of prior processing)
• Right to Lodge a Complaint: File a complaint with your local supervisory authority
• Rights Related to Automated Decision-Making: Not be subject to solely automated decisions with legal effects

8.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request disclosure of personal information collected, used, sold, or shared
• Right to Delete: Request deletion of personal information we have collected
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the sale or sharing of personal information (Note: We do not sell personal information)
• Right to Limit Use of Sensitive Personal Information: Limit use of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising CCPA rights
• Right to Opt-Out of Automated Decision-Making: Opt-out of profiling in certain contexts

8.3 How to Exercise Your Rights

To exercise any of these rights, please contact us using the methods outlined in Section 13 (Contact Information). You can submit requests via:

• Email: privacy@fqcentral.com
• Privacy Portal: https://www.fqcentral.com/privacy-request
• Mail: FQ Central - Privacy Team, 123 Market Street, San Francisco, CA 94103

8.4 Verification & Response Process

• Identity Verification: We will verify your identity before processing requests to protect against fraud
• Response Time: We respond to verified requests within 30 days (GDPR) or 45 days (CCPA)
• Extensions: Complex requests may require up to 90 days with notification
• Free of Charge: First request is free; excessive or repetitive requests may incur reasonable fees
• Authorized Agents: California residents may designate authorized agents to submit requests on their behalf

8.5 Supervisory Authority Contact

EEA/UK residents have the right to lodge complaints with their local data protection authority. Our lead supervisory authority is the Irish Data Protection Commission:

9. International Data Transfers

FQ Central operates globally and may transfer, store, and process your personal data in countries outside your country of residence, including the United States. We ensure appropriate safeguards are in place for international data transfers.

9.1 Data Transfer Mechanisms

For transfers from the EEA, UK, or Switzerland to countries without adequate data protection laws, we rely on:

• Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms for data transfers
• Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate protection
• Binding Corporate Rules: Internal privacy rules for intra-group transfers (where applicable)
• Supplementary Measures: Additional technical and organizational safeguards per Schrems II requirements

9.2 Cross-Border Data Flows

• Primary Data Location: United States (AWS/Azure US regions)
• Backup Locations: EU regions for EEA customer data (GDPR compliance)
• Data Residency Options: Available for enterprise customers upon request
• Transfer Impact Assessments: Conducted for all high-risk international transfers

9.3 Your Rights Regarding International Transfers

You have the right to:

• Obtain information about where your data is stored and processed
• Request copies of transfer safeguards (e.g., SCCs)
• Object to transfers in certain circumstances
• Request data residency options for sensitive information

10. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities and improve your experience on our website and platforms.

10.1 Types of Cookies We Use

• Essential Cookies: Required for platform functionality, authentication, and security
• Performance Cookies: Collect analytics about site usage and performance
• Functional Cookies: Remember preferences and personalization settings
• Targeting/Advertising Cookies: Track visits across websites for marketing purposes (with consent)

10.2 Specific Technologies

• First-Party Cookies: Set directly by FQ Central for account management and preferences
• Third-Party Cookies: Set by partners (Google Analytics, marketing platforms)
• Web Beacons: Small graphics for email tracking and analytics
• Local Storage: Browser storage for application state and preferences
• Session Storage: Temporary storage cleared when browser closes

10.3 Managing Cookies

You can control cookies through:

• Cookie Consent Banner: Customize preferences on first visit to our website
• Browser Settings: Configure your browser to block or delete cookies
• Opt-Out Tools: Use industry opt-out mechanisms (e.g., Network Advertising Initiative)
• Do Not Track: We honor Do Not Track signals where technically feasible

Note: Blocking essential cookies may affect platform functionality. For detailed information, see our Cookie Policy at www.fqcentral.com/cookie-policy.

11. Children's Privacy

Our services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child under 18 without parental consent, we will take immediate steps to delete that information from our systems. If you believe we have collected information from a child, please contact us immediately at privacy@fqcentral.com.

11.1 COPPA Compliance (United States)

We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13 years of age.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations.

12.1 Notification of Changes

• Material Changes: We will notify you via email (to your registered address) and/or prominent notice on our website at least 30 days before changes take effect
• Non-Material Changes: We will update the "Last Updated" date at the top of this policy
• Version History: Previous versions available upon request

12.2 Your Acceptance

Your continued use of our services after the effective date of any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you may discontinue use of our services and request deletion of your account and data.

12.3 Review Recommendation

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information. You can find the most current version at www.fqcentral.com/privacy-policy.