Privacy Policy
GPU IQ, Inc. ("Company", "we", "us") is a Delaware corporation that operates the GPU IQ software-as-a-service platform. This Privacy Policy explains what Personal Data we collect, why, how we protect it, and your rights. It covers the United States, European Economic Area, United Kingdom, Switzerland, and Japan.
Summary
- We collect the minimum Personal Data needed to deliver the Service to our customers and their authorized users.
- We do not sell Personal Data.
- We do not use customer prompts or customer-provided data to train AI models.
- We honor data-subject rights globally via privacy@gpuiq.ai.
- Sub-processors are published at gpuiq.ai/legal/subprocessors.
Who we are
Data Controller for Personal Data about our own users, prospects, and website visitors: GPU IQ, Inc., Delaware registered address (to be inserted before publication), privacy@gpuiq.ai.
Data Processor for Personal Data that our customers upload or instruct us to process on their behalf: GPU IQ, Inc., acting on documented instructions from the Customer under the applicable Data Processing Agreement. The Customer remains the Controller of that data.
Categories of Personal Data we collect
From users of the Service
- Account identifiers (email, name, OAuth tokens, session tokens)
- Tenant configuration (company, role, feature flags, integrations)
- Usage data (pages, features, actions, timestamps, IP, user-agent, approximate geolocation)
- Support and communications (email content, attachments, meeting notes submitted to AI features)
About prospects and contacts in Customer Data
- Business contact information (name, title, employer, work email, work phone, LinkedIn URL)
- Firmographic data (industry, employee count, location, parent company, tech stack)
- Meeting transcript content (names, opinions, statements)
- Partner Business Case Tool submissions
This data originates from public sources, commercial data vendors, the Customer's own inputs, or the Customer's connected systems.
Website visitors (public pages)
- Technical data (IP, user-agent, referring URL, timestamps)
- Cookie / storage data — see Cookie Policy
- Form submissions (name, email, company, message)
We do not currently run analytics or marketing cookies. When we introduce any, this policy and the Cookie Policy will be updated before activation.
How we use Personal Data (lawful bases for GDPR)
- Contract performance (Art. 6(1)(b)): provide the Service, authenticate users, deliver AI features, send transactional email.
- Legitimate interests (Art. 6(1)(f)): operate, secure, and improve the Service; respond to support; pursue or defend legal claims.
- Consent (Art. 6(1)(a)): marketing email, non-essential cookies.
- Legal obligation (Art. 6(1)(c)): tax, audit, valid legal process.
For Customer Data processed as Processor, the lawful basis sits with the Customer as Controller. We process only on documented instructions per the applicable DPA.
AI features and Customer Data
GPU IQ uses Anthropic's Claude API for AI features. Customer Data submitted to these features is transmitted to Anthropic for inference. Anthropic does not use API inputs to train its models under its standard commercial terms. We do not use Customer prompts or outputs to train any model, our own or third-party, and we do not offer Customer Data for training purposes to any third party.
How we share Personal Data
- Sub-processors listed at gpuiq.ai/legal/subprocessors, updated with 30 days' notice before material changes.
- Customers receive the outputs of the Service, which may include Personal Data about prospects and contacts they cause us to process.
- Legal disclosures when required by valid legal process or necessary to protect rights, property, or safety.
- Corporate transactions (merger, acquisition, financing, asset sale, insolvency) subject to customary confidentiality protections.
- We do not sell Personal Data, share it for cross-context behavioural advertising, or participate in data brokerage.
International data transfers
Primary processing occurs in the United States. Transfers are covered by:
- EU and Switzerland: EU Standard Contractual Clauses (2021/914/EU) plus Swiss Addendum
- United Kingdom: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- Japan: consent of the data subject or equivalent-measure contractual commitments under APPI
- Supplementary measures: encryption in transit and at rest, access controls, logging
Data retention
| Category | Retention |
|---|---|
| Active account records | Relationship duration + 24 months |
| Session tokens | 7 days (30 days for learn.gpuiq.ai) |
| Usage / audit logs | 24 months |
| AI feature prompts and outputs | Relationship + 12 months, or sooner on Customer deletion |
| Support correspondence | 36 months from last interaction |
| Marketing contact records | Until opt-out + 24 months for suppression-list compliance |
| Partner Business Case submissions | 36 months |
| Financial records | 7 years (tax law) |
At end of retention, Personal Data is deleted or anonymised. Customer may request earlier deletion subject to our legal obligations.
Your rights
EU, UK, Switzerland (GDPR / UK GDPR / nFADP)
Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint to a supervisory authority.
California (CPRA)
Know, delete, correct, opt out of sale or sharing (we do not sell or share), limit use of Sensitive Personal Information, non-discrimination, and authorized agent submissions.
Japan (APPI)
Disclosure of retained Personal Data, correction or deletion, cessation of use or third-party provision, and records of third-party provision.
Other U.S. states
We handle requests under VCDPA, CPA, CTDPA, UCPA, and other enacted laws consistently with CPRA where the statute allows.
How to exercise your rights
Email privacy@gpuiq.ai with the right you wish to exercise, your name, the email you used with us, and any jurisdictional basis (e.g., "GDPR Article 15 access request").
Response deadlines: GDPR / UK / Swiss — 30 days, extendable by 60. CPRA — 45 days, extendable by 45. APPI — without delay (generally 2 weeks). We acknowledge within 5 business days.
Security
TLS in transit, encryption at rest, role-based access control, multi-factor administrative authentication, audit logging of administrative actions, quarterly access review, sub-processor diligence, and incident notification within 72 hours (or applicable jurisdictional deadline). Vulnerability reports: security@gpuiq.ai.
Representatives and supervisory authorities
EU Representative (GDPR Art. 27): To be appointed prior to launch.
UK Representative (UK GDPR): To be appointed prior to launch.
Japan APPI contact: To be appointed prior to launch.
You may lodge a complaint with the supervisory authority of your jurisdiction: EU (edpb.europa.eu), UK (ico.org.uk), Switzerland (edoeb.admin.ch), California (cppa.ca.gov), Japan (ppc.go.jp).
Children
The Service is not intended for individuals under 16. We do not knowingly collect Personal Data from children. If you believe we have, contact privacy@gpuiq.ai and we will delete it.
Changes to this policy
Material changes are announced at least 30 days in advance by email to the primary Customer contact and by notice on the Sites. The version history is available at docs/legal/privacy-policy.md in the source repository.
Contact
- Privacy and DSAR: privacy@gpuiq.ai
- Security incidents: security@gpuiq.ai
- Legal notices: legal@gpuiq.ai
- Corporate address: GPU IQ, Inc., Delaware registered address (to be inserted before publication)