Privacy Policy

Effective date: May 10, 2026 Version: 2026-05-10

This Privacy Policy explains what information Axevia Labs LLC, doing business as QuillAI ("QuillAI", "we", "us", or "our") collects when you use the QuillAI website, the QuillAI Desktop application, or related services (collectively, the "Service"), how we use it, with whom we share it, and the rights you have over it.

If you reside in the Russian Federation, the Russian-language Политика обработки персональных данных governs your relationship with our Russian counterparty (ИП), and this Privacy Policy does not apply to you.

A jurisdiction-specific section for residents of the European Economic Area, the United Kingdom, and Switzerland appears in Section 11. A section for residents of California (USA) appears in Section 12.

1. Categories of personal data we collect

We collect the following categories of personal data:

1.1 Account information

• email address, name, profile picture (if you sign in with Google or another OAuth provider);
• authentication identifiers (Supabase user UUID and a synthetic numeric identifier we use internally);
• chosen interface language and locale.

1.2 Content you submit

• audio and video files you upload, record, or import by URL (see Section 1.6 regarding desktop-local recordings);
• transcripts, summaries, edits, notes, AI-generated outputs, and any other text or media you create or store in the Service;
• file names, descriptive metadata, tags, and timestamps.

1.3 Usage data

• pages and features you interact with;
• approximate geolocation derived from IP address (country and region only, not precise location);
• device characteristics (operating system, browser, screen size);
• session identifiers.

1.4 Payment data

• billing email and payment metadata returned by Stripe (we do not receive or store full card numbers);
• subscription state (plan, renewal date, status).

1.5 Communications

• messages you send to support, feedback you submit, and messages we send you.

1.6 Local desktop data

The QuillAI Desktop application captures audio on your device when you start a recording. For meetings, audio is stored locally on your device until you choose to upload it; you can review or delete it before upload. For Quick Dictation, audio streams to our real-time transcription provider Gladia and a local backup copy is also retained on your device for resilience. The Desktop app does not access or transmit system audio outside of a recording session you have explicitly started.

2. How we collect it

We collect personal data:

• directly from you when you create an account, configure settings, upload or record content, contact support, or pay for a subscription;
• automatically through cookies and similar technologies (see Cookie Policy);
• from your authentication provider if you sign in with Google or another OAuth provider;
• from our payment processor (Stripe), our error-tracking provider (Sentry), and our analytics provider (PostHog), each as described in Section 4.

3. How we use personal data

We use personal data for the following purposes:

| Purpose | Legal basis (EU/UK) — see §11 | |---|---| | To provide the Service to you, including transcription, summarization, and storage of your content | Performance of contract | | To authenticate you, secure your account, and prevent abuse | Performance of contract; legitimate interests in security | | To process payments and manage your subscription | Performance of contract | | To communicate with you about the Service, support requests, and material changes | Performance of contract; legitimate interests in customer communication | | To send marketing emails (only if you have opted in or where allowed by law) | Consent; legitimate interests where lawful | | To improve and debug the Service through aggregated, non-content analytics | Legitimate interests; consent for non-essential analytics in EU/UK | | To comply with legal obligations and enforce our Terms of Service | Legal obligation; legitimate interests | | To respond to legal process and protect rights, safety, and property | Legal obligation; legitimate interests |

We do not use Your Content (audio, transcripts, or derivatives) to train AI or machine-learning models. Our subprocessors operate under contractual no-training obligations.

4. Subprocessors and third parties with whom we share data

We share personal data with the third-party subprocessors listed at /en/legal/subprocessors. The current list includes (subject to update):

• Supabase — authentication and primary database (region: AWS eu-central-1).
• Wasabi — object storage for your uploaded audio and video (region: eu-central-1).
• AssemblyAI — speech-to-text transcription (region: US).
• OpenAI — AI structuring of transcripts (region: US; we use OpenAI's Zero Data Retention configuration where applicable).
• Gladia — real-time speech-to-text transcription for Quick Dictation (region: EU/France).
• Stripe — payment processing (region: US/Ireland).
• Sentry — error and crash reporting.
• PostHog — product analytics (EU instance).
• Vercel — web-application hosting and edge networking.
• Railway — backend service hosting.
• Google — OAuth authentication if you sign in with Google.
• Resend (planned) — transactional email delivery.

We share personal data only to the extent necessary for each subprocessor to perform its function, and each is bound by a written data-processing agreement (Article 28 GDPR equivalent) requiring confidentiality, security, and limited use of personal data.

We may also disclose personal data:

• to comply with valid legal process (subpoena, court order, regulatory request);
• to enforce our Terms of Service;
• to investigate and prevent fraud, abuse, or security incidents;
• in connection with a merger, acquisition, or sale of assets, in which case continued protection of your data will be a condition;
• with your consent.

We do not sell personal data, and we do not share it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA).

5. International data transfers

Some of our subprocessors are located in the United States or other jurisdictions outside the European Economic Area or the United Kingdom. Where such transfers occur, we rely on (a) Standard Contractual Clauses approved by the European Commission, (b) the EU-US Data Privacy Framework where the recipient is certified, and (c) supplementary measures including encryption in transit, encryption at rest, and contractual no-training and confidentiality obligations.

The current list of subprocessors and their regions is available at /en/legal/subprocessors.

6. Retention

We retain personal data for as long as needed for the purposes described in Section 3 and, where you have an account, for as long as your account is active. Specific retention rules:

| Category | Retention | |---|---| | Account profile data | Until you delete your account | | Audio and video recordings, transcripts, and derived content | Until you delete the content or your account | | Backup copies of deleted content | Up to 30 days after deletion, then physically purged | | Payment and invoice records | Up to 7 years after the relevant transaction (US tax/audit requirements) | | Anti-fraud signals (hashed device fingerprints, IP history, abuse flags) | Up to 1 year | | Support correspondence | Up to 3 years after the last interaction | | Error logs and analytics data | Up to 13 months |

When you delete your account through Settings → Privacy → Delete Account or by contacting [email protected], we mark your data for deletion immediately. Physical deletion of database rows and Wasabi objects occurs within thirty (30) days. Backups containing your data are purged within an additional thirty (30) days. Records we are required to retain by law (notably payment records) are kept only for the legally required period and only for that purpose.

7. Security

We implement reasonable and appropriate technical and organizational measures to protect personal data, including:

• TLS 1.2+ encryption in transit;
• AES-256 encryption at rest for stored audio, video, and database records;
• access controls and least-privilege principles for engineering access;
• audit logs of administrative actions;
• contractual obligations on subprocessors;
• regular review of security practices.

No method of transmission or storage is perfectly secure. We cannot guarantee absolute security, but we will notify you of a personal-data breach involving your data without undue delay and within applicable legal deadlines (notably 72 hours for GDPR-applicable breaches).

8. Cookies

We use cookies and similar technologies to operate the Service, remember your preferences, and (with your consent in the EU/UK) measure usage. See the Cookie Policy for details and to manage your preferences.

9. Children

The Service is not directed to children under 18, and we do not knowingly collect personal data from children under 18. If we learn that we have collected such data, we will delete it promptly. If you believe a child has used the Service, contact [email protected].

10. Recording-Consent Notice (third-party participants)

When you use the Service to record meetings or conversations involving third parties, those third parties' personal data (including their voices, statements, and any personal information they share) is captured and processed by us as a processor on your behalf. You are the controller for those third parties' personal data and are responsible for obtaining their consent before recording, as required by Section 5 of the Terms of Service and by applicable wiretapping and privacy laws.

If you receive a request from a third party (a meeting participant) to access, correct, or delete their personal data captured in your recordings, you are responsible for handling that request. We will assist on commercially reasonable terms.

11. Information for residents of the European Economic Area, the United Kingdom, and Switzerland

This Section 11 applies if you are a resident of an EEA member state, the United Kingdom, or Switzerland.

11.1 Controller and representative

Axevia Labs LLC (d/b/a QuillAI), organized in Wyoming, USA, is the controller for personal data processed under this Privacy Policy.

Our representative in the European Union, designated under Article 27 of the GDPR, is [to be filled — VeraSafe / Prighter / equivalent service]. You may contact our EU representative at the address published on our subprocessors page once designated. In the interim, please contact [email protected].

For residents of the United Kingdom, our UK GDPR representative is the same entity unless otherwise specified.

11.2 Lawful bases

We process personal data under the lawful bases identified in the table in Section 3. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before the withdrawal.

11.3 Your rights under the GDPR / UK GDPR / Swiss FADP

You have the rights to:

• access your personal data and obtain a copy;
• rectify inaccurate or incomplete personal data;
• erase ("right to be forgotten") your personal data, subject to lawful retention requirements;
• restrict processing in certain circumstances;
• object to processing based on legitimate interests, including direct marketing;
• data portability — receive your personal data in a structured, machine-readable format;
• withdraw consent at any time where processing is based on consent;
• lodge a complaint with the supervisory authority in your country of residence, place of work, or place of the alleged infringement.

To exercise any of these rights, contact [email protected] or use the in-app controls at Settings → Privacy. We will respond within thirty (30) days; complex requests may take up to ninety (90) days, in which case we will inform you of the extension.

11.4 Automated decision-making

We do not engage in solely automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.

11.5 Special-category data

Audio recordings can incidentally contain special-category personal data (Article 9 GDPR), such as health information, political opinions, or biometric characteristics, depending on what is said. We do not deliberately solicit such data. If you upload or record content containing special-category data of any person, you confirm that you have a lawful basis under Article 9 GDPR (typically explicit consent of the data subject under Article 9(2)(a)) for both the controller (you) and any processor (us).

12. Information for residents of California (USA)

This Section 12 applies if you are a California resident under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA").

12.1 Categories collected and disclosed

In the past 12 months, we have collected the categories of personal information described in Section 1 of this Privacy Policy and disclosed them to the categories of subprocessors described in Section 4.

We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising.

12.2 Your rights under the CCPA/CPRA

You have the rights to:

• know the categories of personal information we collect and the purposes for which we use it;
• access specific pieces of personal information;
• delete personal information, subject to lawful retention exceptions;
• correct inaccurate personal information;
• opt out of the sale or sharing of personal information (we do not sell or share, but the opt-out is available regardless);
• limit the use of sensitive personal information.

You may exercise these rights by contacting [email protected] or through Settings → Privacy. You will not be discriminated against for exercising your rights.

You may designate an authorized agent to make a request on your behalf, subject to verification of the agent's authority.

12.3 Notice at collection

The categories collected, the purposes of collection, and the retention periods are described in Sections 1, 3, and 6 respectively.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If a change is material, we will provide reasonable advance notice through in-product messaging or email. The current version is shown at the top of this page; previous versions can be requested by emailing [email protected].

14. Contact

For privacy questions, requests, or complaints:

• [email protected]
• Axevia Labs LLC (d/b/a QuillAI), 30 N. Gould St Ste R, Sheridan, WY 82801, USA
• EU/UK representative under GDPR Article 27: [to be filled before publish]