Privacy Policy

Provider: Valiquest AB · Org.nr 559577-0347 · Stockholm, Sweden Service: Virtual Customer Version: v1 — 2026-04-22 (DRAFT — pre-counsel review) Governing law: Swedish law (Dataskyddslagen) and the GDPR (Regulation (EU) 2016/679).

Calibration note for reviewers. Every claim about how Valiquest accesses, secures, and processes data has been calibrated against what we can actually demonstrate today (see documents/legal/research/benchmark-2026.md §"Calibration vs Valiquest's actual capabilities"). Deliberately no claims of SOC 2, ISO 27001, 24/7 SOC, formal pen-tests, RBAC tooling, or "encrypted with customer-managed keys". Items marked [REVIEW] flag points for the external Swedish data protection / IT lawyer (G4.6.13).

1. Introduction

1.1 This Privacy Policy explains how Valiquest AB (Valiquest, we, us, our) collects, uses, shares, and protects personal data when you use the Virtual Customer service (the Service), visit our website, or otherwise interact with us.

1.2 We act in two distinct capacities:

Controller for the personal data of our Account holders, Users, billing contacts, and visitors to our website (sections 3 – 11 of this Policy).
Processor for any personal data contained in Customer Content (e.g. transcripts, prompts, uploaded files) that you process through the Service. The terms governing that processing are set out in our Data Processing Addendum (DPA) at /legal/dpa.html. This Privacy Policy does not govern Customer Content.

1.3 If you have questions or want to exercise any of your rights, contact info@valiquest.com.

2. Who is responsible for your data

The data controller for the personal data described in this Policy is:

Valiquest AB Org.nr 559577-0347 [Postal address — to be added before publication] Stockholm, Sweden Email: info@valiquest.com

We do not currently have a designated Data Protection Officer (DPO) because our processing volume and risk profile do not require one under GDPR Art. 37. [REVIEW] Counsel to confirm threshold assessment.

3. What personal data we collect

We collect personal data in three buckets.

3.1 Data you provide directly

When you create or operate an Account, we receive and store:

Identity: name, email address, profile picture (if you upload one).
Account: display name, language preference, time zone, role within your organisation, password hash (bcrypt; we never store passwords in plain text).
Organisation: organisation name, optional billing entity, team members you invite.
Communications: the contents of emails, support tickets, and other messages you send to us.
Billing: your billing email and any address details you provide. Card and bank details are collected and stored by Paddle.com Market Limited (our merchant of record) — Valiquest does not receive or store full card numbers.

3.2 Data we collect automatically when you use the Service

Usage and event data: which features you use, errors encountered, requests to our API, timestamps. Used to operate and improve the Service.
Device and connection: IP address (truncated for analytics), browser type and version, operating system, device type, language.
Cookies and similar: see our Cookie Notice at /legal/cookie-notice.html for the granular categories you have opted into.
Audit logs: for security and dispute resolution we log administrative actions taken in the Service (e.g. role changes, invitations sent, API key creations, exports). Retention as in section 7.

3.3 Data we receive from third parties

Authentication: if you sign in with Google, we receive your name, email, and profile photo from Google as authorised by you. We do not receive your Google password.
Billing: Paddle provides us with an internal customer ID, billing email, country, currency, subscription status, and invoice history. Paddle does not share full payment-instrument details with us.
Email delivery: Resend / SendGrid (whichever is active) confirm delivery, bounce, and unsubscribe events for the transactional emails we send you.

4. Why we use it (purpose and legal basis)

Purpose	Legal basis (GDPR Art. 6)
Provide the Service to you (sign you in, store your work, deliver outputs)	Contract performance (Art. 6(1)(b))
Process payments and send invoices	Contract performance + legal obligation (Bokföringslagen)
Send transactional emails (e.g. trial reminders, password reset)	Contract performance
Send onboarding and product update emails (with opt-out in every message)	Legitimate interests (Art. 6(1)(f)) — keep paying customers informed
Send marketing emails to non-customers	Consent (Art. 6(1)(a)) — opt-in only, opt-out in every email
Operate, secure, and improve the Service (logging, abuse detection, A/B)	Legitimate interests — operate a stable, secure platform
Comply with legal, accounting, and regulatory obligations	Legal obligation (Art. 6(1)(c))
Defend legal claims and enforce our Terms	Legitimate interests — protect our rights

For each "legitimate interests" basis we have carried out a balancing test that we will share on request. [REVIEW] Counsel to confirm balancing-test documentation requirements under Swedish IMY guidance.

We do not use Customer Content to train general-purpose foundation models. We may use de-identified, aggregated usage signals (counts, latency, error rates) to operate and improve the Service.

5. Cookies and similar technologies

We use a limited set of cookies. The full inventory, with purpose and duration for each cookie, is in our Cookie Notice at /legal/cookie-notice.html. We use a granular consent banner that lets you opt in to:

Strictly necessary cookies (always on — required for sign-in and security).
Analytics cookies (off by default; we ask before setting).
Marketing cookies (off by default; we ask before setting).

You can change your choices at any time from the "Cookie preferences" link in the footer of our site.

6. Who sees your data

6.1 Inside Valiquest

Access to personal data inside Valiquest is limited to a small number of personnel under written confidentiality obligations who need it to operate, support, secure, or bill the Service. We do not sell or rent personal data to anyone.

We do not currently maintain a formal role-based access control system across all internal tools. Access is controlled through:

Firebase Auth + custom claims for the Service.
Per-organisation isolation enforced by Firestore Security Rules.
Single-administrator access to Railway and Firebase Console (Fredrik Sjöström).
Logging of administrative actions taken on Customer Accounts.

We do not claim to operate "least-privilege RBAC" or a "24/7 security operations centre". We are a small team and we tell you that honestly. [REVIEW] Counsel to confirm this disclosure approach is acceptable.

6.2 Third parties (subprocessors)

We use a limited set of subprocessors to deliver the Service. The current list, including each provider's purpose and processing region, is at /legal/subprocessors.html. As of 2026-04, our subprocessors are:

Google Cloud / Firebase (authentication, Firestore, Storage, Functions, hosting) — EU regions where available.
Railway (application runtime, container hosting) — region per environment.
Paddle.com Market Limited (merchant of record, billing) — UK + Ireland.
Flowise (conversational engine container) — co-located with our Railway runtime.
OpenAI (LLM provider) — US.
Anthropic (LLM provider) — US.
Google AI / Gemini (LLM provider) — Google Cloud regions.
Resend / SendGrid (transactional email) — US.

We give 30 days' notice before adding or replacing a subprocessor. Subscribe to changes via the RSS feed at /legal/subprocessors.rss or by emailing info@valiquest.com.

6.3 International transfers

Some of our subprocessors are located outside the EEA. Where personal data is transferred outside the EEA, the transfer is protected by the EU Standard Contractual Clauses (Commission Decision 2021/914) and, where applicable, the UK Addendum.

6.4 Other recipients

We may disclose personal data to:

Professional advisers (lawyers, accountants, auditors) under confidentiality obligations.
Authorities where we are legally compelled to disclose (court order, regulator request). We will, where lawful and practicable, notify you before disclosing your personal data.
Acquirers in connection with a merger, acquisition, financing, or sale of substantially all our assets — under appropriate confidentiality.

7. How long we keep it

We keep personal data only as long as we need it for the purposes set out above, or as required by law.

Data category	Retention
Account profile (name, email, etc.)	While Account is active + 30 days after closure
Customer Content (covered by DPA)	While Account is active + 30 days export window after closure
Backups	Rolling cycle of up to 90 days, then overwritten
Invoices and accounting records	7 years (mandatory under Bokföringslagen)
Audit logs (admin actions)	12 months
Email delivery logs	30 days
Marketing email lists (consented)	Until you unsubscribe or withdraw consent
Cookie consent records	12 months from last interaction
Support tickets	24 months from resolution

After the retention period elapses, we delete or irreversibly anonymise the data. You may request earlier deletion, subject to legal retention obligations — see section 9.

8. How we protect it

We take reasonable and proportionate technical and organisational measures to protect personal data, calibrated to the risk involved. The measures we currently rely on include:

In transit: TLS 1.2+ (HTTPS) for all browser and API traffic.
At rest: encryption with platform-managed keys (Firebase + Railway managed disks).
Per-organisation isolation: Firestore Security Rules enforce that one organisation's data is not accessible by another.
Authentication: Firebase Auth with provider-managed password hashing; OAuth via Google supported.
Webhooks: HMAC signature verification on inbound provider webhooks (Paddle) where Paddle is configured.
Rate limiting: per-IP API rate limiting is implemented and active in staging; production activation is part of the cutover checklist.
Secret management: Railway environment variables and Firebase service accounts; secrets are not committed to source control.
Secret masking: outbound application logs can be scanned and masked for high-entropy secrets and known token formats; this is active in staging and planned for production cutover.
Invite-token isolation: invite tokens are scoped per organisation and validated at use.
Backups: Firebase platform backups; restore procedure documented internally.

What we do not currently have, and do not claim:

SOC 2 Type I or II certification.
ISO 27001 certification.
A formal external penetration testing programme.
A formal security operations centre or 24/7 incident response.
Customer-managed encryption keys.
A bug bounty programme (responsible disclosure invited at info@valiquest.com).

We will update this section as our security posture matures.

If we suffer a personal data breach affecting you, we will notify you and the relevant supervisory authority without undue delay, and in any event within 72 hours of becoming aware where required by GDPR Art. 33.

9. Your rights

Where the GDPR applies to your personal data, you have the right to:

Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase your data ("right to be forgotten") in defined circumstances.
Restrict how we process your data while a request is being resolved.
Object to processing based on legitimate interests, including for direct marketing.
Portability — receive a copy of certain data in a structured, commonly used, machine-readable format.
Withdraw consent at any time where processing is based on your consent (without affecting prior processing).
Lodge a complaint with the Swedish supervisory authority — Integritetsskyddsmyndigheten (IMY), imy@imy.se, https://www.imy.se/. You may also lodge a complaint with the supervisory authority of your habitual residence.

We will respond to verifiable rights requests within one (1) month of receipt; if the request is complex we may extend by up to two further months and will tell you within the first month.

To exercise any right, email info@valiquest.com. We may need to verify your identity before responding (for example, by asking you to use the email address linked to your Account).

10. Children

The Service is not intended for and not directed at children. You must be at least 16 years old to use the Service. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact info@valiquest.com and we will delete it.

11. Automated decision-making and AI Outputs

The Service uses third-party large language models to generate AI Outputs in response to your inputs. Where you use the Service, the outputs are generated automatically — but they are suggestions for human review, not legally significant decisions made by us about you or anyone else.

We do not use personal data to make automated decisions that produce legal or similarly significant effects on individuals within the meaning of GDPR Art. 22.

For more on how the AI features work and their limitations, see our AI Use Disclosure at /legal/ai-use.html.

12. Changes to this Policy

We may update this Privacy Policy from time to time. The current version, version number, and effective date are always shown at the top of this page. Material changes will be notified at least 30 days in advance via email or in-app notice.

13. Contact

Valiquest AB Org.nr 559577-0347 Stockholm, Sweden

Privacy / DSARs: info@valiquest.com
Legal: info@valiquest.com
Security: info@valiquest.com
General: info@virtualcustomer.io

Supervisory authority: Integritetsskyddsmyndigheten (IMY) Box 8114, SE-104 20 Stockholm — imy@imy.se — https://www.imy.se/

Reviewer flags ([REVIEW] markers)

For the external Swedish data protection / IT lawyer (G4.6.13), please calibrate:

[REVIEW] §2 Postal address — confirm whether we must list a physical service address (vs c/o coworking) before publication.
[REVIEW] §2 DPO threshold — confirm Art. 37 assessment is properly documented internally.
[REVIEW] §4 Legitimate-interests balancing tests — confirm Swedish IMY documentation expectations.
[REVIEW] §6.1 "Limited personnel under confidentiality" without RBAC tooling — confirm this conservative wording is acceptable and does not understate vs reality.
[REVIEW] §6.3 SCC + UK addendum reference — confirm we have the executed templates on file.
[REVIEW] §7 Retention table — confirm 7-year accounting retention vs Bokföringslagen, 12-month audit-log defensibility, 90-day backup retention.
[REVIEW] §8 Security-measures list — confirm we are not claiming anything we cannot demonstrate, and that the omitted-claims paragraph is appropriately worded.
[REVIEW] §9 Response window — confirm 1-month default + 2-month extension wording matches GDPR Art. 12 verbatim.
[REVIEW] §10 Children's age — confirm 16 vs 13 (Sweden has not lowered Art. 8).
[REVIEW] §11 Art. 22 wording — confirm scope when AI outputs are used by customers in HR / hiring contexts (downstream user responsibility).

End of draft v1 — 2026-04-22