Privacy Policy

1. Overview

Custovia Inc. (“Custovia”, “we”, “us”) operates Reqify (“Service”), a SaaS workspace for business analysis and documentation. This Privacy Policy explains how we collect, use, store, and disclose personal information when you use reqify.ai and related APIs.

2. Data we process

We typically process categories such as:

• Account identifiers — name, email, authentication IDs from Clerk, avatar URL, organisational affiliation you provide.
• Uploaded content — documents you add to Projects, embeddings or derived text used strictly to power product features you request (e.g. generation, search, mentorship).
• Technical telemetry — IP-derived security signals, timestamps, coarse device/browser metadata strictly needed for reliability and audit.
• Billing snapshots — minimal records required to reconcile payments processed by Stripe where you purchase subscriptions or packs.
• Support communications — correspondence you voluntarily send through in-product prompts or listed contact channels.

3. Purpose & legal bases (GDPR / UK GDPR)

Processing is grounded in contractual necessity for paying customers (Art. 6(1)(b)), legitimate interest in securing the Service and preventing misuse (Art. 6(1)(f)), and — where required — your consent for non-essential analytics cookies (Art. 6(1)(a)). Financial records tied to invoicing may be retained under legal obligation exemptions (Art. 6(1)(c)) even after broader erasure workflows complete.

4. Regions, residency & transfers

You select a residency bucket inside the Product. We endeavour to persist primary content in the corresponding supported region unless you expressly opt into a feature that requires cross-region processing. Where lawful transfer mechanisms apply (EU SCCs, UK IDTA equivalents, supplementary measures as updated), subprocessors execute under written agreements with Custovia acting as exporter or processor as appropriate.

5. Sharing & subprocessors

We share limited data with processors who help operate Reqify — e.g. authentication, cloud infrastructure, transactional email, payment processing (Stripe). Each party is contractually bound to confidentiality, security parity requirements, and data processing terms consistent with GDPR Article 28. We do not sell personal information.

6. Retention

Operational data is retained only as long as needed for the lawful purposes outlined here. Custovia applies layered retention: finished generation jobs expire after ninety (90) days, Stripe webhook fingerprints after one hundred eighty (180) days, immutable audit artefacts after thirty-six (36) months unless a longer statute applies. Billing ledgers referencing credit movements may persist where finance regulations require — identifiers are rotated when you invoke account deletion to the extent technically feasible while preserving lawful accounting trails.

7. Your rights

Depending on jurisdiction you may exercise access, correction, portability, objection, restriction, or erasure (“right to be forgotten”). Custovia honours verifiable GDPR requests within statutory timelines subject to narrowly tailored exemptions (billing ledgers where erasure contradicts AML / tax mandates). Residents of California or other US states with parallel privacy statutes may lodge equivalent requests using the email on this page — we reply without discrimination tied to exercising those rights.

Inside the authenticated Product we provide tooling to voluntarily delete projects and — irreversibly — close your Workspace which triggers cryptographic scrubbing workflows for user-generated objects and rotates stored identities.

8. Cookies & analytics

Only strictly necessary authentication cookies activate before you grant consent where required. Deferred analytics instrumentation (currently Posthog) initializes solely when the consent banner expressly records acceptance, ensuring no behavioural profiling prior to opt-in jurisdictions.

9. Security

Custovia employs TLS in transit, least-privilege service accounts, environment-isolated CI secrets, intrusion monitoring, segregated staging, and tabletop incident procedures. Responsibility for endpoint protection on customer devices nonetheless remains jointly with your organisation's administrators.

10. Children

The Service is marketed to professional teams — we do not knowingly collect data about children under sixteen. If you believe we mistakenly processed such data notify us promptly and we will purge it.

11. Changes

We revise this Privacy Policy when features, laws, or risk posture shift materially. Elevated protections apply automatically; punitive reductions prompt advance notice plus, where required, renewed acknowledgement.