Privacy Policy

Effective Date: April 2026 | Last Updated: April 2026

Valiqa

This Privacy Policy describes how Valiqa ("Valiqa," "we," "us," or "our") collects, uses, stores, shares, and protects information when you use the Valiqa platform and related services (collectively, the "Service"). By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

  • Account Information: Name, email address, company name, job title, and password. Passwords are stored as cryptographic hashes (bcrypt) and are never stored or accessible in plain text.
  • Company Profile: Industry classification, regulatory framework selection (e.g., FDA, ISO, EU MDR), document format preferences, company logo, document numbering conventions, and signature block configurations.
  • Equipment and Process Data: Equipment names, manufacturer information, model numbers, specifications, performance parameters, intended use descriptions, and process parameters that you enter to generate validation documents.
  • Uploaded Documents: Example protocols, reports, or format templates you upload for format detection and document generation purposes.
  • Communications: Information you provide when contacting us for support, submitting feedback, or participating in surveys.

1.2 Information Generated Through Use

  • Generated Documents: Validation protocols, reports, VMPs, PFMEAs, and other documents generated by the Service based on your inputs, stored within your account.
  • Audit Trail Data: Timestamped records of all user actions within the Service, including document creation, modification, approval, export, and login events. This data is stored in an immutable audit log.
  • Usage Analytics: Aggregated and anonymized usage patterns such as feature adoption, protocol types generated, and session duration. This data is used solely to improve the Service and is not linked to individual users.

1.3 Information Collected Automatically

  • Technical Data: IP address, browser type and version, operating system, device type, and referring URL.
  • Session Data: Authentication tokens and session identifiers necessary to maintain your logged-in state.

2. How We Use Your Information

We use collected information for the following purposes:

  • Service delivery: To provide, operate, and maintain the Service, including generating validation documents based on your equipment data and company format settings.
  • Account-specific improvement: To learn your document formatting preferences and improve document generation quality for your account specifically.
  • Audit trail compliance: To maintain the immutable audit trail required for regulated environment compliance, consistent with 21 CFR Part 11.
  • Security and fraud prevention: To detect, investigate, and prevent unauthorized access, security incidents, and fraudulent activity.
  • Support and communication: To respond to support requests, technical issues, and account inquiries.
  • Transactional communications: To send account-related emails including security notices, billing confirmations, service updates, and password reset requests.
  • Product updates (with consent): With your explicit consent, to send product update emails, feature announcements, and educational content. You may opt out at any time.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

3. AI and Generated Content

3.1 How Your Data is Used in Document Generation

Equipment specifications, process parameters, and company formatting data you provide are used as input to generate documents for your account only. Your data is processed in real time during document generation and is not persistently stored in AI model memory beyond your account context.

3.2 Account-Specific Learning

When you edit AI-generated content (such as modifying test steps or acceptance criteria), the Service may store those editing patterns to improve the quality of future document generation for your account specifically. This learning is isolated to your account and is not shared across accounts.

3.3 Cross-Account Data Isolation

Your data is never used to train models, improve generation quality, or provide any benefit for other companies or accounts. Cross-account data sharing does not occur. Each account operates in a fully isolated data environment.

3.4 Third-Party AI Services

The Service uses third-party AI model providers to power document generation. Your data is transmitted to these providers solely for the purpose of generating documents in response to your requests. We select AI providers that offer commercial data protections, and your data is subject to data processing agreements that prohibit these providers from using your data to train their models.

3.5 AI Output Disclaimer

AI-generated content may contain errors, omissions, or inaccuracies. All generated documents must be reviewed and approved by qualified personnel before use. See Section 7 of our Terms of Service for complete disclaimers.

4. Data Storage and Security

4.1 Encryption

All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent encryption provided by our infrastructure providers.

4.2 Tenant Isolation

Your company's data is tenant-isolated, enforced at the database level using row-level security (RLS) policies.

4.3 Audit Trail Integrity

Every action in the system is logged in an immutable audit trail. Records are append-only and cannot be modified or deleted by any user, including administrators.

4.4 Access Controls

Access to production systems is restricted to authorized personnel using multi-factor authentication. We follow the principle of least privilege for all system access.

4.5 Infrastructure Location

All data is stored on infrastructure hosted in the United States.

4.6 Incident Response

In the event of a data breach or security incident that affects your data, we will notify you by email within 72 hours of becoming aware of the incident.

5. Data Sharing

We do not sell your data. We do not share your data with third parties for advertising, marketing, or profiling purposes.

We share data only in the following limited circumstances:

  • Infrastructure and service providers: We use third-party providers for hosting, database management, payment processing, email delivery, and AI model services.
  • Payment processing: Payment information is processed directly by our payment processor (Stripe). We do not store full credit card numbers.
  • Legal requirements: When required by law, court order, subpoena, or governmental authority.
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, with at least 30 days' advance notice.

5.1 Current Service Providers

  • Hosting/Infrastructure: IONOS (VPS hosting, United States)
  • Database: IONOS (self-hosted PostgreSQL, United States)
  • DNS/Security: Cloudflare (DNS, DDoS protection, CDN)
  • Payment Processing: Stripe
  • AI Services: Anthropic (Claude API, primary AI provider for document generation), OpenAI (fallback AI provider for protocol generation)
  • Cache/Rate Limiting: Upstash (Redis cache for rate limiting and security tokens, us-east-1)
  • Email Delivery: Resend (transactional email delivery)
  • Font Delivery: Google Fonts (font delivery via CDN)

6. Data Retention

6.1 Active Accounts

We retain your data for as long as your account is active and as necessary to provide the Service.

6.2 Account Closure

If you close your account, we will:

  • Provide a 30-day window for you to export all your documents and data
  • Delete your personal information and company data within 90 days
  • Retain anonymized, aggregated usage data that cannot be linked back to you

6.3 Audit Trail Retention

Audit trail records may be retained for up to 7 years after account closure to support regulatory compliance requirements.

6.4 Legal Obligations

We may retain certain data beyond the standard deletion timeline when required by law, tax obligations, or to resolve disputes.

6.5 Inactive Accounts

Free tier accounts that remain inactive for 180 consecutive days may be subject to data deletion, with 30 days' prior email notice.

7. Your Rights

7.1 Access and Portability

You have the right to request a copy of the personal data we hold about you in a commonly used, machine-readable format.

7.2 Correction

You may correct inaccurate personal information through your account settings or by contacting us.

7.3 Deletion

You may request deletion of your account and all associated personal data, subject to the retention exceptions in Section 6.

7.4 Data Export

You may export all documents, protocols, reports, and associated data from your account at any time.

7.5 Opt-Out of Marketing

You may opt out of non-transactional email communications at any time.

7.6 Restriction of Processing

In certain circumstances, you may request that we restrict the processing of your personal data.

7.7 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under CCPA/CPRA:

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information (subject to exceptions)
  • Right to opt out of the sale or sharing of personal information. We do not sell or share your personal information.
  • Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at [email protected]. We will respond within 45 days.

7.8 EU/EEA Residents (GDPR)

If you are in the EU/EEA, you have additional rights under GDPR:

  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local data protection authority
  • Right to object to processing based on legitimate interests

Our lawful basis for processing: (a) performance of a contract, (b) legitimate interests, (c) consent.

7.9 Exercising Your Rights

Contact us at [email protected]. We will verify your identity before processing any request.

8. Cookies and Tracking Technologies

We use a minimal set of cookies:

  • Essential cookies: Session management cookies required to keep you logged in. These are strictly necessary and cannot be disabled.
  • Security cookies: CSRF tokens and similar security mechanisms.
  • Analytics cookies (optional, opt-in): On our marketing pages only (not the authenticated application), we use Microsoft Clarity to capture behavioral metrics, heatmaps, and session replays for site optimization, fraud and security monitoring, and product improvement. Clarity is loaded only after you click "Accept" on our cookie banner. It records mouse movements, clicks, scrolls, and viewport information using first- and third-party cookies and similar tracking technologies; it does not record the values you type into form fields, and we never enable it inside the authenticated application where your protocol content and equipment data live. Microsoft processes this data as a data processor on our behalf and may use it within its services as described in its policies. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement and the Clarity cookie list. You can withdraw consent at any time by clearing the valiqa_cookie_consent_v2 entry in your browser's local storage and choosing "Decline" when the banner reappears, or by opting out globally at clarity.microsoft.com/optout.
  • What we do not use: We do not use advertising cookies, retargeting tags, or third-party analytics inside the authenticated application.

9. Children's Privacy

The Service is designed for use by qualified professionals and is not directed to anyone under 18. We do not knowingly collect personal information from anyone under 18.

10. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your data to the United States. For EU/EEA users, we use Standard Contractual Clauses (SCCs).

11. Do Not Track Signals

The Service does not currently respond to DNT signals automatically. We do not use advertising or retargeting cookies regardless of DNT settings. Optional analytics (Microsoft Clarity) is opt-in via the cookie banner; if you decline, no third-party analytics scripts are loaded.

12. Changes to This Policy

We may update this Privacy Policy from time to time:

  • We will update the effective date at the top of this page
  • For material changes, we will notify you by email at least 30 days before changes take effect
  • We will maintain an archive of previous versions, available upon request

13. Contact

Valiqa

Privacy inquiries: [email protected]

General inquiries: [email protected]

Website: valiqa.io


© 2026 Valiqa. All rights reserved.
