Querlo Data Protection Policy

V. 2 | Last update: September 17th, 2020

1. Introduction

Querlo LLC (“Querlo”) is a consultancy firm providing artificial intelligence solutions to Customers worldwide. Querlo’s main solution is the Chatbot, a product designed to artificially interact with Users, entertaining conversations, asking and responding to questions. By making use of the Chatbot, Querlo collects and processes Users’ personal information. Querlo either operates the Chatbot on its own capacity, thus acting as a data controller, or on behalf of a Customer, thus acting as a data processor. In the first scenario (the “Controller scenario”), Querlo establishes the purposes and means for processing your personal data. Therefore, you may refer to this Data Protection Policy (the “Policy”) for all the information required in terms of transparency of personal data processing operations. In the second scenario (the “Processor scenario”), Querlo invites you to consult and familiarize with the data protection policies rendered to you directly by our Customers, and to inquire directly to the same Customers for anything related to such data processing operations.

2. Definitions

For the purposes of this Policy:

“Chatbot” means the artificial intelligence solution provided by Querlo;

“Controller”; “data subject”; “personal data” and “processor” have the same meaning as in Article 4 GDPR. On the other hand, “Personal Data” refers to any information related to an identified or identifiable individual collected under this Policy and comprehends Website data, Chatbot data and Customer’s data, as defined herein;

“Customer” means any individual acting either in its own capacity or on behalf of an entity who has signed up for an account on Querlo’s website. Customers may be making use of the Service on one or more Website(s). The term Customer indistinctively refers to paying and non-paying individuals, within the meaning ascribed in this paragraph;

“EEA” means the European Economic Area;

“GDPR” means the General Data Protection Regulation;

“Service” means the provision, management, maintenance and support of the Chatbot by Querlo for the Customer;

“Special categories of personal data” have the same meaning as in Article 9(1) GDPR;

“User” means any individual that interacts with the Chatbot;

“Website” means a web-page where the Chatbot is hosted.

3. Data Controller and EEA representative

In the Controller scenario, Querlo operates the Chatbot for its own purposes and with its own means. Querlo LLC is reachable at fr@querlo.com or by contacting its data protection representative based in the EEA, reachable at lm@querlo.com.

4. Types of Personal Data Collected

Personal Data collected by Querlo may be categorized into the sections below:

4.1 Website data

When Users interact with the Chatbot, certain categories of Personal Data are automatically collected. These include:

i. IP Address;

ii. Geolocation (based on the IP Address);

iii. Cookies (Please see our Cookie Policy for further details);

iv. Client browser information (type, version, capabilities, screen size, OS type and version).

4.2 Chatbot data

Querlo may collect, process and retain the personal data that Users may voluntarily disclose by chatting and interacting with the Chatbot. Said personal data is always freely given by Users.

As an example, Personal Data that is provided by Users may include their gender, age, location or profession.

The Chatbot is configured not to ask any question that may involve the collection of special categories of personal data.

4.3 Customer’s data

When a Customer signs up for an account on Querlo’s portal, certain personal details are required for creating such account. These details include full name and email address for an account created for a natural person, or full name, email address and job title in the organization for accounts created by a User on behalf of an entity.

5. Purpose and legal basis

5.1 Processor scenario

In the Processor scenario, the purpose(s) and legal basis for processing personal data are established by the respective Customer.

5.2 Controller scenario

In the Controller scenario, and insofar as Website data and Chatbot data are concerned, the purpose for processing personal data is the operation of an artificial intelligence service to assist the Users, provide them information in a timely manner and speed-up certain customer-service channels. Such service may be, for example, the provision of information to the User about a product or a service. In addition to the above, Personal Data may be also collected and used by Querlo in order to produce anonymous Users’ satisfaction reports and statistics. The legal basis for processing Website data and Chatbot data shall be found in the legitimate interest of Querlo to provide the Chatbot service to Users. Such legitimate interest takes into account the interests and the fundamental rights and freedoms of the data subjects, which remain safeguarded and are not overridden. As a matter of fact, Users are free to opt-out the conversation at any time.

As of the Customer’s data, the purposes for collecting the data are to identify the Customer as the counterpart to the User Agreement with Querlo and fulfill certain requirements of Querlo in terms of Customer identification, to create an account as required by the Customer and to be able to correspond with the Customer for any matter that may arise in relation to the Service governed by the afore-mentioned agreement. In the case of Customer’s data, the legal basis governing the processing of such data shall be the necessity of such data for the conclusion and performance of a binding contract between Querlo and the Customer, which shall be found in the User Agreement.

5.3 Purpose limitation

In compliance with the principle of purpose limitation of GDPR, Querlo will only collect and retain Personal Data which is relevant to the purposes for which the information is collected and will not use it in a way that is incompatible with such purposes. Querlo will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current. Only where necessary and where there are legitimate and grounded doubts on the accuracy of the Personal Data, Querlo may contact the data subjects to determine that the Personal Data is still accurate and current.

6. Data Recipients

Querlo may disclose Personal Data that its Users may provide to its Customers, contractors, business partners and service providers it uses to support the Chatbot. These transfers are required to provide the Services, and are limited and restricted in nature, meaning that only the necessary Personal Data is transferred, only when strictly necessary.

Querlo is based in the US, however, it holds personal data of EEA users on servers located in the EEA. No personal data collected in the EEA ever leaves the border of the EEA, or is ever transferred to international organizations.

7. Storage period

Personal Data collected by Querlo in the capacity of data controller will be retained for ten (10) years from the date of collection, and immediately erased afterwards. In certain limited instances, for example when Querlo needs certain information to defend legal claims, or to comply with a newly introduced legislation or guideline of binding nature, Querlo may retain Personal Data for longer periods. Nevertheless, in such cases, best practices security measures such as data pseudonymization will be applied in order to ensure compliance with the principle of storage limitation, integrity and confidentiality.

8. Security

Querlo takes data security seriously and abides by the security requirements set forth by the GDPR (inter alia, Article 5(1)(f) and Article 32). In this respect, Querlo takes reasonable steps to protect the Personal Data against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. In this respect, Querlo adheres to best industry standards and makes use of consolidated technologies such as:

i. encryption of data in transit by means of industry-standard SSL (“Secure Socket Layer”);

ii. Encryption of data at rest;

iii. SHA256 cryptographic hash algorithm for passwords (sha256);

iv. Storage on state-of-the-art secured servers located in the EEA;

v. Other physical security and procedural safeguards to protect the integrity and confidentiality of the Personal Data.

9. Your rights

In case you are based in the EEA, you have the right to:

i. access your Personal Data held by Querlo;

ii. rectify your Personal Data in possession of Querlo;

iii. when the conditions of law apply, erase your Personal Data in possession of Querlo;

iv. restrict the processing of your Personal Data held by Querlo;

v. object to the processing of your Personal Data held by Querlo;

vi. receive a copy of your Personal Data in a commonly used portable format, and where feasible, have such copy directly transmitted by Querlo to another data controller that you indicate (“data portability”);

vii. submit a complaint to the competent data protection supervisory authority.

You may action the rights below by contacting Querlo or its EEA representative using the contact details provided in section 3 above.

10. Changes to this Policy

Querlo reserves the right to amend this Policy from time to time. If we do, we will update this page, together with the date of last update at the beginning of this document. Please check this page periodically to be stay up-to-date with the changes which may affect you.