Privacy Policy

Version 1.0 | Effective April 28, 2026 | civiq, Inc.

Plain-language summary

We collect what we need to run civiq for you and nothing more. We don’t sell your data. We don’t train third-party AI models on your business ideas. The technical details are below.

1. Who we are

civiq, Inc. (“civiq,” “we,” “us,” or “our”) operates the AI product engine available at studio.civiq.io and related properties (the “Platform”). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the Platform.

2. Information we collect

We collect information directly from you, automatically when you use the Platform, and from the third-party platforms you connect.

2.1 Information you provide

  • Account information: name, email, password (stored only as an Argon2id hash), authentication factors (TOTP secrets are encrypted at rest with AES-256-GCM; passkey credentials are stored as public keys per the WebAuthn standard).
  • Customer Content: business ideas, strategy inputs, brand preferences, financial assumptions, and other inputs you provide to the Platform’s AI agents during your civiq engagement.
  • Payment information: processed by Stripe. We never see or store your card number; we retain only the Stripe customer ID, payment status, and billing email.
  • Connected platform credentials: when you authorize civiq to publish on your behalf to LinkedIn, Meta Ads, or Google Ads, the OAuth access and refresh tokens are encrypted at rest with AES-256-GCM (HKDF-derived key from a separate, domain-isolated server secret) and used only for publishing actions you initiate.
  • Email audience lists: when you upload recipient lists for Launch Commander email sequences, we store email addresses, optional names, and any custom merge fields you provide.

2.2 Information collected automatically

  • Usage data: pages visited, agent interactions, deliverables produced, session duration, and feature engagement, used to operate and improve the Platform.
  • Device data: IP address, browser type and version, operating system, device type, and language preference. IP addresses are recorded for security purposes (rate limiting, anomalous-login detection, abuse prevention).
  • Authentication metadata: sign-in timestamps, sessions and devices on which you are signed in, and security events (failed logins, password resets, multi-factor challenges).
  • Cookies and similar technologies: we use httpOnly cookies for session management and minimal first-party analytics. We do not use third-party advertising trackers.

2.3 Information from third parties

  • Identity providers: when you sign in with a magic link, Google, or other identity provider, we receive your email and name as scoped by your consent.
  • Connected publishing platforms: when you connect LinkedIn, Meta Ads, or Google Ads, we receive (subject to the scopes you grant) your account identifiers, ad-account identifiers, and, for analytics purposes only, the campaign-level metrics needed to power Launch Commander’s closed-loop coaching (impressions, clicks, conversions, spend).

3. How we use your information

We use the information we collect to:

  • Operate the Platform, including running the AI agents that produce your deliverables.
  • Authenticate you and protect your account, including detecting and preventing unauthorized access.
  • Communicate with you about your engagement (welcome, gate completion, sequence scheduling, payment confirmation, security alerts, occasional product updates).
  • Process payments and prevent fraud, in cooperation with Stripe.
  • Publish on your behalf to platforms you have explicitly connected (LinkedIn, Meta Ads, Google Ads), and only for the campaigns and content you have approved.
  • Improve the Platform’s quality, including refining agent behavior, but only using aggregated, de-identified usage signals (see Section 6 on AI training).
  • Comply with our legal obligations and enforce our agreements.

4. We do not train third-party AI models on your data

The AI agents we operate are powered by leading model providers (currently Anthropic, OpenAI, and others). We have configured these integrations so that your Customer Content is not used by those providers to train their models. Specifically:

  • API requests to Anthropic and OpenAI are sent through their commercial APIs with data-use opt-outs in effect.
  • We do not feed Customer Content into civiq’s own training data without explicit opt-in.
  • You can request deletion of your Customer Content at any time (see Section 9).

5. How we share information

We do not sell your personal information. We share information only with:

  • Service providers that help us operate the Platform, under contractual obligations to protect your data: Google Cloud (hosting), Stripe (payments), Resend (transactional email), Anthropic and OpenAI (AI inference), Vercel (deployment of customer-built sites where applicable), and similar.
  • Connected publishing platforms (LinkedIn, Meta Ads, Google Ads) only to the extent required to publish content you authorize.
  • Legal authorities when required by law, subpoena, court order, or to protect the safety, rights, or property of civiq, you, or others.
  • Successors in interest in the event of a merger, acquisition, or sale of assets, in which case the acquirer assumes the obligations of this Policy.

6. How we protect your data

civiq applies defense-in-depth security controls. Highlights:

  • Encryption in transit: all traffic is encrypted with TLS 1.2 or higher.
  • Encryption at rest: sensitive credentials (TOTP secrets, OAuth access tokens, OAuth refresh tokens) are encrypted with AES-256-GCM using HKDF-derived keys, domain-isolated by purpose.
  • Authentication: Argon2id password hashing, optional TOTP and WebAuthn passkeys, sign-out-everywhere, anomalous-login alerts.
  • Database: hosted on managed PostgreSQL with point-in-time recovery, automated backups, deletion protection, and HA replicas.
  • Network: production traffic isolated to a VPC; private-pool builds; SQL access only via Cloud SQL proxy.
  • Application: server-side OAuth flows (tokens never touch the browser), CSRF protection on state tokens, rate limits on auth endpoints, fail-closed cron auth, container vulnerability scanning, principle-of-least-privilege IAM.

For full detail see our Security Overview.

7. Data retention

We retain your information for as long as your account is active and as needed to provide the Platform. Specific retention periods:

  • Account data: until you request deletion, plus a 30-day soft-delete window.
  • Customer Content: until you request deletion, plus a 30-day soft-delete window. After hard delete, copies persist only in encrypted backups for up to 90 days, after which they are unrecoverable.
  • Payment records: 7 years to satisfy financial recordkeeping obligations.
  • Security logs and audit trails: 12 months.
  • Connected platform tokens: until you disconnect the platform, after which we mark them revoked and exclude them from any future use.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your information (subject to lawful retention requirements).
  • Object to or restrict certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent at any time.

To exercise any of these rights, email privacy@civiq.io. We will respond within 30 days. You may also lodge a complaint with your local data protection authority.

9. International transfers

civiq is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States. We rely on standard contractual clauses and appropriate safeguards for transfers from regions with cross-border restrictions.

10. Children’s privacy

The Platform is not intended for individuals under 16. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it.

11. Changes to this Policy

We may update this Privacy Policy. Material changes will be notified via email or in-Platform notice and will require fresh acceptance where applicable. The version and effective date at the top of this page reflect the current edition.

12. Contact

Questions, requests, or complaints? Email privacy@civiq.io or write to:

civiq, Inc.
Attn: Privacy
privacy@civiq.io