Privacy Policy

Quinck S.r.l. ("AskMe", "we", "us", "our") operates the website ask-me.studio and the AskMe SaaS platform (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal data of visitors, account holders, and paying customers worldwide.

Data Controller is Quinck S.r.l., an Italian limited-liability company with registered office at Via Filippo Turati 15/C, Imola (BO), Italy, VAT/P.IVA IT03916551207, registered with the Italian Companies Register under REA BO - 555799. You can reach us at info@quinck.io.

We have not formally appointed a Data Protection Officer (DPO) because our processing activities do not meet the thresholds of Article 37 GDPR. For any data-protection inquiry, including the exercise of your rights, please email info@quinck.io.

This Policy applies worldwide to the Service. We comply, where applicable, with: the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"); the Italian Data Protection Code (Legislative Decree 196/2003 as amended by Legislative Decree 101/2018) and the Italian Garante's guidelines; the UK GDPR and Data Protection Act 2018; the Swiss FADP; the California Consumer Privacy Act, as amended by the CPRA ("CCPA/CPRA"); the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and other US state privacy laws; Canada's PIPEDA; Brazil's LGPD; Australia's Privacy Act 1988. Where laws conflict, the stricter standard applies.

We collect personal data that you provide directly, that is generated as you use the Service, and that we receive from third parties such as identity providers and payment processors.

4.1 Account and Profile Data

When you sign up or log in, we collect:

• Email address (required) and hashed password, or OAuth identifiers from Google/GitHub/Microsoft if you sign in via SSO
• Name and profile picture (optional)
• Company name, role, and intended use case (optional)
• Locale and language preferences
• API keys and integration tokens you connect (stored encrypted)

4.2 Service Content

Configuration of your agents, knowledge-base documents you upload, prompts, end-user conversations routed through your agents, and any other content you submit. You are the controller of personal data contained in this content; we act as your processor under a Data Processing Agreement (Article 28 GDPR).

4.3 Payment and Billing Data

Payments are processed by Stripe (Stripe Payments Europe Ltd / Stripe, Inc.). We never see or store full card numbers. We do receive and retain billing name, billing address, country, VAT number (if any), invoice amounts, last four digits of the card, and Stripe transaction IDs in order to issue compliant invoices and meet tax obligations.

4.4 Technical and Usage Data

Server logs, IP address (truncated where possible), user-agent, device and browser, timestamps, pages viewed, features used, error reports, and rate-limit and security signals.

4.5 Analytics Data

Subject to your cookie consent, we use Google Analytics with IP anonymization to understand aggregate usage, and PostHog for product analytics. Where we use Google Analytics we have signed Google's data-processing terms and configured EU-region data routing where available.

4.6 Cookies and Similar Technologies

Strictly-necessary cookies (authentication, security, fraud prevention, load balancing) are deployed without consent under Article 122 of the Italian Data Protection Code. All other cookies require your prior, granular consent through the cookie banner. You can withdraw consent at any time via the "Cookie preferences" link in the footer.

Depending on the processing activity, we rely on one or more of the following legal bases:

• Performance of a contract (Art. 6(1)(b)): creating and operating your account, providing the Service, processing payments, sending service emails.
• Compliance with legal obligations (Art. 6(1)(c)): tax and accounting records (Italian DPR 633/1972 and Civil Code art. 2220), responses to lawful requests by public authorities, breach-notification obligations.
• Legitimate interests (Art. 6(1)(f)): securing the Service, preventing fraud and abuse, improving the product, defending legal claims, and limited B2B marketing of similar services to existing customers. You can object at any time.
• Consent (Art. 6(1)(a)): marketing emails to new contacts, non-essential cookies, optional integrations. Consent is freely given, specific, informed, and revocable at any time without affecting prior lawful processing.

We use personal data only for the following purposes:

• Create, operate, secure, and support your account and the Service
• Process payments, manage credit balances, issue invoices, and prevent fraud
• Send transactional emails (sign-up confirmation, password reset, billing receipts, security alerts)
• Provide customer support and respond to your requests
• Monitor performance, detect bugs and abuse, and improve features
• Analyze aggregate, anonymized usage to inform product decisions
• Send product updates and marketing — only with your consent or, where allowed, under the soft-opt-in rule, with an unsubscribe link in every message
• Comply with legal obligations and enforce our Terms of Service
• Defend ourselves in legal proceedings and protect our rights and those of our users

The Service relies on Large Language Model (LLM) providers — currently OpenAI, Anthropic, and Google — to generate AI responses. Content you submit to your agents is transmitted to these providers under enterprise data-processing terms that prohibit using your data to train their foundation models, with zero-data-retention tiers used where available. We do not make solely automated decisions producing legal or similarly significant effects on you within the meaning of Article 22 GDPR.

We engage a limited set of vendors that act as our processors under signed Data Processing Agreements (Art. 28 GDPR). Each is bound by confidentiality, security, and purpose-limitation obligations:

• Stripe — payment processing (EU/US; EU-US Data Privacy Framework certified; SCCs)
• Amazon Web Services, Vercel, Cloudflare — hosting, edge delivery, CDN, DDoS protection (EU regions where possible; SCCs for non-EU regions)
• OpenAI, Anthropic, Google Cloud (Vertex AI) — LLM inference (US; SCCs; enterprise no-training terms)
• Loops, Resend — transactional and marketing email (US; SCCs + DPF)
• Google Analytics — anonymized website analytics (EU/US; SCCs)
• PostHog — product analytics (EU instance where available)
• Sentry — error and performance monitoring (EU region)

An updated list of sub-processors is available on request at info@quinck.io.

We do not sell or rent personal data. We disclose personal data only: (a) to the sub-processors listed above acting on our documented instructions; (b) to professional advisors (lawyers, auditors, accountants) under confidentiality; (c) to public authorities where required by law; (d) to potential acquirers in case of merger, acquisition, or asset sale, subject to confidentiality and the continuation of this Policy; and (e) with your consent.

Some sub-processors are established outside the European Economic Area, in particular in the United States. For such transfers we rely on: (i) European Commission adequacy decisions, including the EU–US Data Privacy Framework for certified US recipients; (ii) Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK Addendum where applicable; and (iii) supplementary technical and organizational measures (encryption in transit and at rest, pseudonymization where feasible, access controls). You may request a copy of the safeguards in place by emailing info@quinck.io.

We retain personal data only for as long as necessary for the purposes set out above and as required by law:

• Account data — for the life of the account; up to 30 days in encrypted back-ups after deletion
• Service content (agents, knowledge base, conversations) — until you delete it, or up to 90 days after account closure
• Billing records and invoices — 10 years (Italian DPR 633/1972 art. 22 and Civil Code art. 2220)
• Security and audit logs — up to 12 months
• Web analytics — up to 14 months (Google Analytics default)
• Marketing consent records — for as long as you are subscribed plus 2 years to evidence consent

Subject to applicable conditions and exemptions, you have the right to:

• Access — confirm whether we process your data and obtain a copy (Art. 15 GDPR)
• Rectification — correct inaccurate or incomplete data (Art. 16)
• Erasure ("right to be forgotten") — request deletion when no longer necessary (Art. 17)
• Restriction of processing (Art. 18)
• Data portability — receive your data in a structured, machine-readable format (Art. 20)
• Object to processing based on legitimate interests, including direct marketing (Art. 21)
• Withdraw consent at any time, without affecting prior lawful processing (Art. 7(3))
• Not be subject to solely automated decisions with significant effects (Art. 22)
• Lodge a complaint with the Italian Garante per la protezione dei dati personali (www.garanteprivacy.it) or another supervisory authority in your country of residence, work, or alleged infringement

To exercise any right, email info@quinck.io. We respond within 30 days (extendable by 60 days for complex requests, Art. 12(3) GDPR). We may need to verify your identity before acting.

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another US state with a comprehensive privacy law, you have additional rights:

• Know what personal information we collect and how it is used and disclosed
• Request deletion of personal information we hold about you
• Correct inaccurate personal information
• Receive a portable copy of your information in a usable format
• Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising and of targeted advertising
• Limit the use and disclosure of sensitive personal information to permitted purposes (CPRA)

We do not sell personal information for money. We do not engage in targeted advertising. Some analytics cookies may qualify as "sharing" under California law — you can opt out by adjusting your cookie preferences or by emailing info@quinck.io.

We will not discriminate against you for exercising any of these rights.

California residents may use an authorized agent to submit requests on their behalf. Under California's "Shine the Light" law (Cal. Civ. Code §1798.83) we do not share personal information with third parties for their own direct marketing.

We apply industry-standard administrative, technical, and physical safeguards: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, least-privilege secrets management, audit logging, dependency scanning, multi-factor authentication for administrative access, and a documented incident-response procedure. If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, you without undue delay (Art. 33–34 GDPR). No system can be guaranteed 100% secure.

The Service is not directed to children. The minimum age to create a free account is 16 (or the digital-consent age set by your country under Art. 8 GDPR; 13 in the US under COPPA, with stricter local thresholds where applicable). Paid Credits may be purchased only by users who are 18 or have reached the age of majority in their jurisdiction. If you believe a child has provided us personal information, email info@quinck.io and we will delete it.

We use a small number of strictly-necessary cookies for authentication, security, and load balancing. With your consent, we also use cookies for analytics and product improvement. Full details, categories, lifetimes, and a granular consent control are provided in our cookie banner and the "Cookie preferences" link in the footer.

We may update this Privacy Policy from time to time. Material changes will be announced by email and through a prominent notice on the site at least 30 days before they take effect. The "Last updated" date above always reflects the current version.

Data Controller: Quinck S.r.l., Via Filippo Turati 15/C, Imola (BO), Italy. Email: info@quinck.io. EU/EEA users may lodge a complaint with the Italian Garante per la protezione dei dati personali (www.garanteprivacy.it). UK users may contact the Information Commissioner's Office (ico.org.uk). Users in other jurisdictions may contact their local supervisory authority.