Privacy Policy

This Privacy Policy describes how Qmirac™ ("Qmirac," "we," "us," or "our") collects, uses, and protects information in connection with the BizGuru desktop application, the qmirac.ai website, and related services (collectively, the "Service"). By using the Service, you agree to this policy.

This policy is currently published in English only. Translations may be made available in the future; if a translation is provided and there is any conflict between versions, the English version controls.

1. Who We Are (Data Controller)

Qmirac is the data controller for the personal information described in this policy. We collect and process your information for our own purposes — to operate your account, deliver the Service, and process payments. We do not act as a data processor on behalf of business customers, because BizGuru runs locally on your device and we do not receive or process your business data.

For privacy questions, requests, or complaints, contact us at contact@qmirac.ai or by mail at [TBD registered address].

Qmirac has not appointed a Data Protection Officer (DPO) or EU/UK representative under GDPR Article 27, as we do not currently meet the thresholds requiring one. If this changes, we will update this policy.

2. Information We Collect

We collect only the information necessary to provide and operate the Service. Specifically, we collect three categories of personal information:

2.1 Account information

Collected via qmirac.ai: your email address, first name, password (stored as a salted hash), and any details you choose to add to your profile.

2.2 Business profile information

Company name, industry, your role, company size, and similar company-level information about the entity you represent. This is information about your own company — we do not collect data about your employees, customers, vendors, or other third parties.

2.3 Subscription and payment information

The plan you select, subscription status (active, cancelled, etc.), renewal dates, billing identifiers issued by Stripe, billing address, applicable tax-status information, and (for AOB customers) the audited annual revenue figures you provide for fee calculation. We do not store full payment card numbers — Stripe collects, processes, and stores card data directly under PCI DSS.

2.4 Communications

If you email us, request a demo, or contact support, we keep a record of that correspondence so we can respond and improve the Service. While we currently provide support through text and email, if we add voice or audio support channels in the future, we will keep the relevant audio recordings and transcripts for the same purposes.

2.5 Website usage and security logs

Standard server logs (IP address, browser/device type, pages visited, timestamps), authentication events, and security telemetry for security, abuse prevention, fraud detection, and aggregate analytics on the qmirac.ai website.

2.6 Application telemetry

Limited operational telemetry from the BizGuru desktop application — such as app version, crash reports, license-verification pings, and anonymized feature-usage events. This telemetry does not include any of your business data. Telemetry is enabled by default and can be disabled at any time in BizGuru's settings.

2.7 What we do not collect

The BizGuru desktop application does not transmit the business data, files, AI prompts, AI responses, scoring inputs, or assessment content you create or process inside the application.

3. Local-First Data Storage

BizGuru is a desktop application built on a local-first architecture. The data you enter, import, or generate inside the application is stored on your device, in files such as:

• business-guru-data.json — your business inputs, scores, and assessments;
• ai-chat-state.json — chat conversation state;
• chat-data/ — local vector database (ChromaDB) for retrieval-augmented generation, and a SQLite memory database for chat history;
• Local caches for AI scoring and insights.

AI inference (chat, scoring, insights) is performed locally on your device using open-source models running through a local inference server (e.g., Ollama). Audio transcription (e.g., OpenAI Whisper) and text-to-speech also run locally. Anonymous usage telemetry from bundled components such as ChromaDB is explicitly disabled by default.

We have no ability to read, copy, or otherwise access this locally stored data, and we do not back it up. You are responsible for safeguarding your device and creating backups if you wish to retain your data.

4. Automated Decision-Making and AI Outputs

BizGuru generates scores (including the Q-Score), insights, and recommendations using AI and statistical models running locally on your device. These outputs are produced from inputs you provide and are intended as informational aids only — they are not used by Qmirac to make any decision about you, and Qmirac does not see the inputs or outputs. As described in our Terms of Service, you are solely responsible for evaluating and acting on these outputs. You retain the right to seek human review of any decision you make using BizGuru, since you are the decision-maker.

5. How We Use Information and Legal Bases

We use the information we collect for the purposes set out below. Where the EU GDPR or UK GDPR applies, the legal bases are noted in brackets.

• Create and authenticate your account on qmirac.ai [performance of contract];
• Provision, renew, and manage your subscription, including AOB invoicing and audits [performance of contract; legitimate interests in collecting amounts owed];
• Provide customer support and respond to your inquiries [performance of contract; legitimate interests];
• Send service-related communications (e.g., billing notices, security alerts, material policy changes) [performance of contract; legal obligation];
• Detect, investigate, and prevent fraud, abuse, and security incidents [legitimate interests; legal obligation];
• Comply with legal, tax, accounting, and audit obligations [legal obligation];
• Enforce our Terms of Service and any executed AOB agreement [legitimate interests];
• Understand aggregate usage of our website and improve the Service [legitimate interests].

We do not currently send marketing emails. If we begin offering marketing communications in the future, we will send them only on the legal basis of your consent (where required) or our legitimate interests, and you will be able to unsubscribe at any time.

6. Third-Party Service Providers

We rely on a small number of trusted service providers to operate the Service. They process information only on our behalf, under appropriate confidentiality and data-protection terms (including, where applicable, GDPR Article 28 data processing agreements). The providers we currently use are:

• Stripe, Inc. — payment processing, recurring billing, and tax calculation (Stripe Tax);
• [TBD hosting provider] — hosting and infrastructure for the qmirac.ai website and account/authentication backend;
• [TBD email delivery provider] — transactional email delivery for account, billing, and support communications;
• Independent Certified Public Accountants and forensic auditors engaged to perform Revenue Share Audits under the AOB plan, where applicable;
• Third-party debt collection agencies and outside legal counsel, engaged to recover past-due amounts where customer accounts (including unpaid AOB invoices) become delinquent.

A current list of subprocessors processing personal data on our behalf is available on request via contact@qmirac.ai. We will update this list as our service providers change.

BizGuru also bundles or relies on local, on-device components — including a local LLM inference server (Ollama), a local vector database (ChromaDB), local speech-to-text models (e.g., OpenAI Whisper), and a local text-to-speech engine (e.g., Edge TTS). These components run on your machine and do not transmit your business data to Qmirac or third parties.

7. Sharing & Disclosure

We do not sell or "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA), and we do not share your business data — because we do not have it. We may disclose account, business profile, or payment information in limited circumstances:

• Service providers: as described in Section 6, only to the extent needed to operate the Service;
• Debt collection and legal enforcement: to recover past-due fees and enforce our agreements, including referrals to collections agencies and legal counsel;
• Legal requirements: to comply with applicable laws, lawful requests, court orders, or to protect the rights, property, or safety of Qmirac, our users, or others;
• Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections;
• With your consent: for any other purpose disclosed to you and to which you consent.

8. International Data Transfers

The qmirac.ai website and account services may be operated from, and information may be processed in, the United States or other jurisdictions outside your home country. Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary measures where required. A copy of the relevant clauses is available on request.

Because BizGuru's business data processing happens locally on your device, that data does not leave your country unless you choose to move it.

9. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy. Specific retention periods are:

• Account and business profile information: for the duration of your account, plus twenty-four (24) months after closure for fraud prevention, dispute resolution, and reactivation purposes;
• Subscription and billing records: for the duration of your subscription, plus seven (7) years thereafter to comply with tax, accounting, and audit obligations;
• AOB revenue records: [TBD — to be set in consultation with our accountant; will reflect applicable tax, audit, and contractual record-retention requirements for the AOB plan];
• Support communications: up to three (3) years from the date of the last interaction;
• Server and security logs: typically up to twelve (12) months, longer where required for an active investigation;
• Telemetry data: typically up to twenty-four (24) months in identifiable form, longer in aggregated/de-identified form.

Locally stored data on your device persists until you delete it through the application or remove it from your device — Qmirac has no role in its retention.

10. Security

We implement reasonable technical and organizational measures to protect account information, including encryption in transit (TLS), password hashing (salted), restricted internal access on a least-privilege basis, audit logging, and standard application-security practices (e.g., context isolation in the desktop application). No system is perfectly secure, however, and you are responsible for keeping your account credentials and your device safe.

Breach notification. In the event of a personal data breach affecting your information, we will notify you and applicable supervisory authorities to the extent and within the timeframes required by applicable law.

11. Your Rights & Choices

Depending on where you live, you may have rights regarding the personal information we hold about you. These may include the right to access, correct, delete, restrict processing of, or object to processing of your information, the right to data portability, and the right to withdraw consent (where processing is based on consent).

You can exercise these rights as follows:

• Access & correct: review and update your account details from your qmirac.ai account settings, and edit your business data directly inside BizGuru;
• Export: use BizGuru's built-in PDF and JSON export features to obtain copies of your locally stored data; for account data, request an export by emailing contact@qmirac.ai;
• Delete local data: use the "Clear all data" option inside BizGuru's settings to remove locally stored business data, chat history, and caches;
• Delete your account: request account deletion by emailing contact@qmirac.ai from the address associated with your account;
• Opt out of telemetry: disable application telemetry in BizGuru settings;
• Withdraw consent: where applicable, withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at contact@qmirac.ai. We will respond within thirty (30) days (or sixty (60) days for complex requests, with notice). We may need to verify your identity before responding. You will not be discriminated against for exercising your rights.

Right to lodge a complaint. EU/EEA users have the right to lodge a complaint with their local supervisory authority. UK users may lodge a complaint with the UK Information Commissioner's Office (ICO).

12. California Residents (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

12.1 Categories of personal information collected in the past twelve (12) months

Identifiers (name, email, IP address); commercial information (subscription and billing records); internet/network activity (server logs, telemetry); professional/employment information (your role at the company you represent); and inferences drawn from the foregoing.

12.2 Sensitive personal information

We do not collect sensitive personal information for the purpose of inferring characteristics about you. Account login credentials are collected solely to authenticate you and are not used for any other purpose; you have the right to limit such use under CPRA.

12.3 Sources of personal information

Directly from you; automatically from your device when you use qmirac.ai or BizGuru; and from our service providers (e.g., Stripe billing metadata).

12.4 Business purposes for collection

As set out in Section 5 of this policy.

12.5 Your rights

You have the right to know what personal information we collect, to request access to and deletion of that information, to correct inaccurate information, to limit use of sensitive personal information, to opt out of "sale" or "sharing" (we do neither), and to be free from discrimination for exercising your rights.

12.6 Global Privacy Control (GPC)

We honor Global Privacy Control browser signals as a valid request to opt out of "sale" and "sharing" of personal information under California law. Because we do not sell or share personal information, GPC signals received from your browser will be respected without further action required from you.

12.7 No financial incentives

We do not offer financial incentives in exchange for personal information.

12.8 Authorized agents

You may designate an authorized agent to make a request on your behalf. We may require verification of the agent's authority.

12.9 "Shine the Light" (California Civil Code § 1798.83)

California residents may request information about our disclosures of personal information to third parties for those third parties' direct marketing purposes. We do not make such disclosures.

To exercise California rights, email contact@qmirac.ai with the subject line "California Privacy Request."

13. Cookies & Website Analytics

The qmirac.ai website uses a small number of cookies and similar technologies to keep you signed in, remember preferences, and measure aggregate usage. The BizGuru desktop application does not use web cookies in the traditional sense; it stores session and preference data locally on your device. Where required by law, we display a cookie banner and obtain consent before placing non-essential cookies.

14. Children's Privacy

The Service is not directed to children, and consistent with our Terms of Service, you must be at least eighteen (18) years old to use the Service. We do not knowingly collect personal information from anyone under eighteen (18). If you believe a minor has provided us with personal information, please contact us at contact@qmirac.ai and we will take appropriate steps to delete it.

15. No Data Processing Addendum Required

A Data Processing Addendum (DPA) is typically required where a service provider processes personal data on behalf of a business customer. Because BizGuru runs entirely locally on your device and we do not receive, process, or have access to your business data, no DPA is required for the operation of BizGuru. The information Qmirac does collect — your account, business profile, and payment information — is collected and processed by Qmirac for its own purposes as a data controller, governed by this Privacy Policy.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service before they take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised. Prior versions are available on request.

17. Contact Us

For privacy questions, requests, or complaints, contact us at contact@qmirac.ai.

For California residents, the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 North Market Boulevard, Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.