Privacy Policy

Quick Lib

70 rue du Vauxhall, 62100 Calais, France

SIRET: 93885830500015

DPO Contact: [email protected]

In the absence of a designated Data Protection Officer (DPO), any request relating to the protection of your data may be sent to: [email protected]

As part of the Quick Ask service, we collect and process the following categories of personal data:

• Identification and account data: email address, password (stored in encrypted form via bcrypt), account creation date
• Uploaded documents: PDF, Word, Excel, image files, audio files (MP3, WAV) and video files (MP4) provided by the user for training their AI assistants
• Prospect data: information collected via forms integrated into the user's bots (name, email, company, phone, and any custom field configured by the user)
• Technical and usage data: login IP address, login country, usage logs, bot interactions, usage statistics, browser type
• Billing data: payment information (credit card) is collected and processed exclusively by our provider Stripe. Quick Lib does not store any banking data on its servers.

In accordance with Article 6 of the GDPR, each data processing activity relies on a specific legal basis:

• Performance of a contract (Art. 6.1.b GDPR): processing necessary for the provision of the Quick Ask service (account creation, subscription management, AI processing of documents, response generation)
• Consent (Art. 6.1.a GDPR): collection of prospect data via bot forms, sending of commercial communications
• Legal obligation (Art. 6.1.c GDPR): retention of billing data in accordance with French tax and accounting obligations
• Legitimate interest (Art. 6.1.f GDPR): service improvement through anonymized statistics, fraud prevention, service security

Your data is stored in the European Union (Paris, France) on Supabase servers via AWS Region eu-west-3.

This location ensures GDPR compliance and the sovereignty of your data within the European Union. Databases and files are hosted in ISO 27001 certified data centers.

As part of providing the service, your data may be shared with the following sub-processors, each acting in compliance with the GDPR:

• Supabase Inc. (database hosting and authentication) — Servers located in Paris, France (EU). Privacy Policy: https://supabase.com/privacy
• Vercel Inc. (web platform hosting) — Global edge network with EU routing. Privacy Policy: https://vercel.com/legal/privacy-policy
• Stripe, Inc. (payment processing) — PCI-DSS Level 1 certified. Banking data is processed exclusively by Stripe. Privacy Policy: https://stripe.com/privacy
• Google LLC — Gemini API (AI document processing) — Paid professional API access. Privacy Policy: https://policies.google.com/privacy

The documents you upload are processed by the Google Gemini API to generate contextual responses based on your content (RAG — Retrieval-Augmented Generation technology). Processing involves extracting and indexing the textual content of your documents to enable the AI assistant to answer end-user questions.

Your documents are processed via paid professional access to the Gemini API: they remain strictly confidential and are NEVER used to train Google's models, in accordance with the Google Cloud API terms of service.

No fully automated decision within the meaning of Article 22 of the GDPR is made regarding users based on AI processing. AI-generated responses are informational in nature and do not produce legal effects.

Your personal data is processed for the following purposes:

• Provision of the Quick Ask service: account creation and management, AI assistant creation, document processing, response generation, subscription management
• Payment management and billing via Stripe
• Customer support, request processing and service-related communication
• Compliance with our legal, tax and regulatory obligations
• Service security: fraud detection and prevention, protection against unauthorized access
• Service improvement based on anonymized and aggregated statistics

Quick Lib implements appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, in accordance with Article 32 of the GDPR:

• Password encryption (bcrypt) and communication encryption (HTTPS/TLS 1.2+)
• Strict access control: mandatory authentication, data separation between users (Row Level Security)
• Hosting on certified infrastructure (AWS eu-west-3, ISO 27001, SOC 2 certifications)
• Regular encrypted database backups
• Continuous monitoring and access logging

In accordance with Articles 15 to 22 of the GDPR, you have the following rights over your personal data:

• Right of access (Art. 15 GDPR): obtain confirmation that your data is being processed and receive a copy
• Right to rectification (Art. 16 GDPR): have inaccurate or incomplete data corrected
• Right to erasure (Art. 17 GDPR): request the deletion of your data, subject to legal retention obligations
• Right to data portability (Art. 20 GDPR): receive your data in a structured, commonly used and machine-readable format
• Right to restriction of processing (Art. 18 GDPR): request the suspension of processing under certain circumstances
• Right to object (Art. 21 GDPR): object to processing based on legitimate interest
• Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of prior processing

To exercise these rights, please send your request accompanied by proof of identity to: [email protected]. We commit to responding within a maximum of one (1) month from receipt of your request, in accordance with the GDPR.

In case of complex requests or a high volume of requests, this period may be extended by two (2) additional months. You will be informed within the initial one-month period.

Your data is retained in accordance with the following periods:

• Account data: for the duration of the active subscription, then deleted within 30 days after definitive account closure
• Uploaded documents: deleted at your request or automatically upon account closure
• Billing data: retained for 10 years in accordance with French accounting and tax obligations (Article L. 123-22 of the French Commercial Code)
• Connection data and technical logs: retained for 12 months in accordance with French Law No. 2004-575 of June 21, 2004 (LCEN)
• Prospect data: retained as long as the bot is active, then deleted at the request of the bot owner