V. 3.1 | Last update:
Querlo LLC (“Querlo”) is a consultancy firm providing artificial intelligence solutions to Customers worldwide. Querlo’s main solution is the Chatbot, a product designed to artificially interact with Users, entertaining conversations, asking and responding to questions. By making use of the Chatbot, Querlo collects and processes Users’ personal information. Querlo either operates the Chatbot on its own capacity, thus acting as a data controller, or on behalf of a Customer, thus acting as a data processor. In the first scenario (the “Controller scenario”), Querlo establishes the purposes and means for processing your personal data. Therefore, you may refer to this Data Protection Policy (the “Policy”) for all the information required in terms of transparency of personal data processing operations. In the second scenario (the “Processor scenario”), Querlo invites you to consult and familiarize with the data protection policies rendered to you directly by our Customers, and to inquire directly to the same Customers for anything related to such data processing operations.
For the purposes of this Policy:
“Chatbot” means the artificial intelligence solution provided by Querlo;
“Controller”; “data subject”; “personal data” and “processor” have the same meaning as in Article 4 GDPR. On the other hand, “Personal Data” refers to any information related to an identified or identifiable individual collected under this Policy and comprehends Website data, Chatbot data and Customer’s data, as defined herein;
“Customer” means any individual acting either in its own capacity or on behalf of an entity who has signed up for an account on Querlo’s website. Customers may be making use of the Service on one or more Website(s). The term Customer indistinctively refers to paying and non-paying individuals, within the meaning ascribed in this paragraph;
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation;
“Service” means the provision, management, maintenance and support of the Chatbot by Querlo for the Customer;
“Special categories of personal data” have the same meaning as in Article 9(1) GDPR;
“User” means any individual that interacts with the Chatbot;
“Website” means a web-page where the Chatbot is hosted.
In the Controller scenario, Querlo operates the Chatbot for its own purposes and with its own means. Querlo LLC is reachable at fr@querlo.com or by contacting its data protection representative based in the EEA, reachable at lm@Querlo.com.
Personal Data collected by Querlo may be categorized into the sections below:
When Users interact with the Chatbot, certain categories of Personal Data are automatically collected. These include:
i. IP Address;
ii. Geolocation (based on the IP Address);
iii. Cookies (Please see our Cookie Policy for further details);
iv. Client browser information (type, version, capabilities, screen size, OS type and version).
Querlo may collect, process and retain the personal data that Users may voluntarily disclose by chatting and interacting with the Chatbot. Said personal data is always freely given by Users.
As an example, Personal Data that is provided by Users may include their gender, age, location or profession.
The Chatbot is configured not to ask any question that may involve the collection of special categories of personal data.
When a Customer signs up for an account on Querlo’s portal, certain personal details are required for creating such account. These details include full name and email address for an account created for a natural person, or full name, email address and job title in the organization for accounts created by a User on behalf of an entity.
In the Processor scenario, the purpose(s) and legal basis for processing personal data are established by the respective Customer.
In the Controller scenario, and insofar as Website data and Chatbot data are concerned, the purpose for processing personal data is the operation of an artificial intelligence service to assist the Users, provide them information in a timely manner and speed-up certain customer-service channels. Such service may be, for example, the provision of information to the User about a product or a service. In addition to the above, Personal Data may be also collected and used by Querlo in order to produce anonymous Users’ satisfaction reports and statistics. The legal basis for processing Website data and Chatbot data shall be found in the legitimate interest of Querlo to provide the Chatbot service to Users. Such legitimate interest takes into account the interests and the fundamental rights and freedoms of the data subjects, which remain safeguarded and are not overridden. As a matter of fact, Users are free to opt-out the conversation at any time.
As of the Customer’s data, the purposes for collecting the data are to identify the Customer as the counterpart to the User Agreement with Querlo and fulfill certain requirements of Querlo in terms of Customer identification, to create an account as required by the Customer and to be able to correspond with the Customer for any matter that may arise in relation to the Service governed by the afore-mentioned agreement. In the case of Customer’s data, the legal basis governing the processing of such data shall be the necessity of such data for the conclusion and performance of a binding contract between Querlo and the Customer, which shall be found in the User Agreement.
In compliance with the principle of purpose limitation of GDPR, Querlo will only collect and retain Personal Data which is relevant to the purposes for which the information is collected and will not use it in a way that is incompatible with such purposes. Querlo will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete and current. Only where necessary and where there are legitimate and grounded doubts on the accuracy of the Personal Data, Querlo may contact the data subjects to determine that the Personal Data is still accurate and current.
Querlo may disclose Personal Data that its Users may provide to its Customers, contractors, business partners and service providers it uses to support the Chatbot. These transfers are required to provide the Services, and are limited and restricted in nature, meaning that only the necessary Personal Data is transferred, only when strictly necessary.
Querlo is based in the US, however, it holds personal data of EEA users on servers located in the EEA. No personal data collected in the EEA ever leaves the border of the EEA, or is ever transferred to international organizations.
Personal Data collected by Querlo in the capacity of data controller will be retained for ten (10) years from the date of collection, and immediately erased afterwards. In certain limited instances, for example when Querlo needs certain information to defend legal claims, or to comply with a newly introduced legislation or guideline of binding nature, Querlo may retain Personal Data for longer periods. Nevertheless, in such cases, best practices security measures such as data pseudonymization will be applied in order to ensure compliance with the principle of storage limitation, integrity and confidentiality.
Querlo takes data security seriously and abides by the security requirements set forth by the GDPR (inter alia, Article 5(1)(f) and Article 32). In this respect, Querlo takes reasonable steps to protect the Personal Data against loss, misuse, and unauthorized access, disclosure, alteration, or destruction. In this respect, Querlo adheres to best industry standards and makes use of consolidated technologies such as:
i. encryption of data in transit by means of industry-standard SSL (“Secure Socket Layer”);
ii. Encryption of data at rest;
iii. SHA256 cryptographic hash algorithm for passwords (sha256);
iv. Storage on state-of-the-art secured servers located in the EEA;
v. Other physical security and procedural safeguards to protect the integrity and confidentiality of the Personal Data.
In case you are based in the EEA, you have the right to:
i. access your Personal Data held by Querlo;
ii. rectify your Personal Data in possession of Querlo;
iii. when the conditions of law apply, erase your Personal Data in possession of Querlo;
iv. restrict the processing of your Personal Data held by Querlo;
v. object to the processing of your Personal Data held by Querlo;
vi. receive a copy of your Personal Data in a commonly used portable format, and where feasible, have such copy directly transmitted by Querlo to another data controller that you indicate (“data portability”);
vii. submit a complaint to the competent data protection supervisory authority.
You may action the rights below by contacting Querlo or its EEA representative using the contact details provided in section 3 above.
This section applies solely to data subjects as defined by the General Data Protection Regulation (“GDPR”) (“EU data subjects”). For these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein and Norway and, where applicable, and Switzerland. Reference to the EU also includes the UK in the case when the scope of GDPR is equivalent to the scope of data protection in the UK (the UK-GDPR).
In relation to the rights and obligations of EU data subjects, this Privacy Policy should be interpreted in a way that assures maximum compliance with GDPR. Thus, regarding EU data subject, the terms of this Privacy Policy are to be understood in accordance with the meaning given to them by GDPR.
Querlo is the data controller for processing of your personal data, but we also act as a data processor for personal data that we process on behalf of our Users.
Querlo is the data controller of your personal data processed for purposes set forth herein and, unless expressly specified otherwise, is responsible for the collection, use, disclosure, retention, and protection of your personal data in accordance with this Privacy Policy and applicable laws.
The data controller and the processor have signed and comply with the Standard Contractual Clauses for data transfers between EU and non-EU countries.
Subject to applicable EU law, you have the following rights in relation to your personal data:
You may exercise your rights by contacting us as indicated under the “Contact Us” section below. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection law. We may ask you to verify your identity in order to help us respond efficiently to your request.
Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the specific context in which we collect it. If you are an EU resident, we will only process your personal data in accordance with the purposes and corresponding legal bases as set below:
Purpose/Activity | Type of data | Legal basis for processing |
To respond to your queries and to provide you with the information you request from us in relation to our products or Services. | Identity Data Contact Data Profile Data Technical Data Usage Data | Necessary for our legitimate interests (to respond to new or existing customer queries and grow our business); Performance of a contract with you |
To set up and administer your account for the Services. | Identity Data Profile Data | Performance of a contract with you |
To provide the Services and perform our obligations arising from any contracts entered into between you and us. | Identity Data Transactional Data Technical Data Usage Data | Performance of a contract with you |
To manage payments, fees, and charges and to collect and recover money owed to us. | Identity Data Transactional Data | Performance of a contract with you; Necessary for our legitimate interests (to recover debts due to us) |
To manage our relationship with you, including notifying you about changes to the Services, our Terms of Services or Privacy Policy. | Identity Data Profile Data Technical Data Usage Data | Performance of a contract; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated and to study how customers use our products and services). |
To provide you with information about goods and services we offer that are similar to those that you have already purchased or enquired about. | Identity Data Technical Data Usage Data | Necessary for our legitimate interests (to develop our products or Services and grow our business) |
Where you have given us your consent to do so, to provide you with information about other goods or services we feel may interest you. | Identity Data Profile Data Technical Data Usage Data | Consent |
To ensure that content is presented in the most effective manner for you and for your computer or device. | Identity Data Technical Data Usage Data | Necessary for our legitimate interests (to keep our Site and the Services updated and relevant and to develop and grow our business). |
To administer and protect our business, our Site, the Services, and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes. | Identity Data Technical Data Usage Data | Necessary for our legitimate interests (for running our business and as part of our efforts to keep our Site and the Services safe and secure) |
To use data analytics to improve or optimize our Site, Services, marketing, customer relationships, and experiences | Technical Data Usage Data | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Site and the Services updated and relevant, to develop and grow our business and inform our marketing strategy). |
To measure or understand the effectiveness of advertising we serve to you and others, and, where applicable, to deliver relevant advertising to you. | Identity Data Technical Data Usage Data | Necessary for our legitimate interests (to study how customers use our products or Services, to develop them, to grow our business, and to inform our marketing strategy). |
Security measures: Appropriate technical and organizational measures are implemented to ensure that, by default, the only personal data processed are those, which are necessary for each specific purpose of processing. This applies to the quantity, the extent of the processing, the period of storage and the accessibility of the collected personal data. With such measures, we try to ensure that personal data are not made accessible to an indefinite number of persons without your intervention. In case of a personal data breach: If a personal data breach occurs we shall without undue delay, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority. This does not apply when the personal data breach is unlikely to resolve in risk to your rights and freedoms. In case of a risk to your rights and freedoms due to a personal data breach, we shall also inform you without undue delay. This does not apply to situations where we have implemented appropriate technical and organizational protection measures that were applied to the personal data affected by the breach or if our subsequent measures ensure that the risk is no longer likely to materialize. It also does not apply when it would involve disproportionate effort. In the described cases we shall inform you through public communication or similar way in an equally effective manner.
Querlo reserves the right to amend this Policy from time to time. If we do, we will update this page, together with the date of last update at the beginning of this document. Please check this page periodically to be stay up-to-date with the changes which may affect you.
Querlo complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Querlo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Querlo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Querlo commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Querlo at info@querlo.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Querlo commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
PLEASE NOTE that Querlo may be obliged to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
PLEASE NOTE that the Federal Trade Commission (FTC) and the has jurisdiction over Querlo’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
PLEASE NOTE that you possess the possibility, under certain conditions to invoke binding arbitration. Please visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for more information on how Querlo arbitrates claims in accordance with pursuant to the Recourse, Enforcement and Liability Principle.
PLEASE NOTE that in the context of an onward transfer of your personal data, a Querlo has responsibility for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. Querlo shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Querlo proves that it is not responsible for the event giving rise to the damage.