Skip to content

Privacy Policy

Last updated: June 2026

Introduction

This policy explains how moqqa ("we", "our", "us") collects, uses, discloses, retains, and protects personal information in connection with the moqqa.ai website, public forms, newsletter, AI-Ready audit, related reports, and the moqqa B2B SaaS platform. It is written to support compliance with Quebec Law 25, Canada's PIPEDA, and, where applicable, the European GDPR.

Scope

This policy applies to website visitors, prospects, newsletter subscribers, AI-Ready audit users, moqqa platform users, and B2B customer representatives. It does not replace a customer agreement, data processing addendum, or negotiated special terms.

Person Responsible for Personal Information Protection

Simon Bourdages acts as the person responsible for personal information protection for moqqa. Privacy requests, data subject rights requests, and internal complaints must be sent to the email below.

Email: simon.b@moqqa.ai

Personal Information We Collect

Accounts and SaaS Platform

When the moqqa platform is used, we may process information related to accounts, workspaces, roles, preferences, activity logs, workflow settings, uploaded files, connected integrations, and content the user chooses to provide.

Contact Form

When you contact us, we may receive your name, email address, organization, message, and any information you choose to include.

Newsletter

When you subscribe to the newsletter, we process your email address, language, subscription date, consent source, and information needed to manage unsubscribes.

AI-Ready Audit and Reports

To generate an AI-Ready report, we process first name, last name, organization, professional email address, consent, questionnaire answers, calculated score, generated report, signed links, and technical metadata needed to send and download the report.

Technical and Security Data

We may collect limited technical data such as IP address, device, browser, pages viewed, errors, security logs, and signals required for internal abuse limitation and rate limiting controls.

Audience Measurement

Analytics cookies are disabled by default. Zipchat is used as an essential customer support service and is not classified as audience measurement. If tools such as Google Analytics, PostHog, Hotjar, Microsoft Clarity, or Meta Pixel are enabled later, they must be enabled only after explicit consent and documented in the cookie policy.

Purposes

We process personal information only for defined, legitimate, and proportionate purposes:

  • responding to contact and demo requests;
  • sending the newsletter and managing consent or unsubscribe requests;
  • generating, sending, and temporarily making available the AI-Ready report;
  • providing, securing, maintaining, and improving the website and moqqa platform;
  • executing workflows, human approvals, integrations, and features requested by authorized users;
  • preventing abuse, spam, fraud, errors, and security incidents;
  • complying with legal, accounting, tax, contractual, and regulatory obligations.

Consent and Legal Bases

Depending on the context, we rely on your consent, performance of a contract or pre-contractual measures, legal obligations, service protection, and legitimate interests compatible with your rights. Where consent is required, it must be free, informed, specific, and may be withdrawn at any time, subject to applicable legal or contractual obligations.

AI, Automation, and Significant Decisions

moqqa AI features are designed to assist users and do not produce automated decisions with legal, financial, or similar effects without an appropriate human framework. AI outputs must be verified by the user before professional use. AI providers are not presented as active for the public website and will be documented when activated in the platform or by customer contract.

Disclosure and Processors

We do not sell your personal information. We may disclose it only to categories of recipients needed to operate the service:

  • Vercel, Inc., for public website hosting and deployment;
  • Vercel Blob, only if configured in production, for private temporary storage of AI-Ready reports;
  • Emailit, for transactional emails, newsletters, and management of certain consented leads;
  • Zipchat, to provide the essential customer support widget on public pages;
  • Supabase, for the public blog and configured public or application data;
  • Google Cloud Platform, for hosting the moqqa platform on servers in Canada according to the production configuration;
  • internal moqqa controls, for abuse limitation, security, and rate limiting;
  • AI, authentication, payment, or observability providers only when activated by contract, customer configuration, or platform feature;
  • authorities, advisors, or parties to a corporate transaction where permitted or required by law.

The public website may involve processing outside Quebec/Canada by Vercel, Emailit, Supabase, or other providers depending on their infrastructure. The Studio platform is planned on Google Cloud Platform with servers in Canada according to the production configuration. Before any required transfer, moqqa applies an appropriate assessment, contractual commitments or DPA, organizational measures, and access limitation.

Subprocessors and B2B Customers

Currently active subprocessors: Vercel, Inc.; Emailit; Zipchat for public website customer support; Supabase; Google Cloud Platform for the Studio platform; Vercel Blob only if configured in production for AI-Ready reports. Rate limiting is treated as an internal moqqa control. AI, authentication, payment, and observability providers are not listed as active for the public website and will be documented when activated.

Retention and Deletion

We retain information only for as long as needed for the described purposes, unless legal obligations, security, disputes, or contract terms require otherwise:

  • contact, demo, and business inquiries: up to 24 months after the last exchange;
  • newsletter data: until unsubscribe or consent withdrawal;
  • AI-Ready reports: 7 days after generation, unless earlier deletion is requested;
  • technical and security logs: 90-day target, except for incidents, abuse, investigations, reasonable backups, or legal obligations;
  • SaaS customer data: for the contract term, then export or deletion according to the contract, with a 30 to 90 day target after termination where technically applicable;
  • minimal archives required for evidence, compliance, billing, or defense of rights, according to applicable legal limitation periods.

At the end of the retention period, information is deleted, anonymized, or made inaccessible using reasonable methods.

Security Measures

We apply proportionate physical, administrative, and technical measures: TLS/HTTPS, server-side validation, restricted access, application secrets, signed links for private reports, abuse prevention, minimal logging, environment separation, and dependency review. No system is perfectly secure; we work to reduce reasonably foreseeable risks.

Your Rights

Depending on your territory and relationship with us, you may have the following rights:

  • Access: ask what personal information we hold about you.
  • Correction: correct inaccurate, incomplete, or ambiguous information.
  • Deletion: request deletion where retention is no longer necessary or legally required.
  • Portability: receive certain information in a structured, commonly used technological format where this right applies.
  • Consent withdrawal: withdraw consent for processing that depends on it, including newsletters and optional cookies.
  • Automated decisions: request information and human review where a solely automated decision produces significant effects, if such a feature is deployed.

To exercise these rights, write to simon.b@moqqa.ai. We may verify your identity in a way proportionate to the request and aim to respond within 30 days or the applicable legal deadline.

Privacy Incidents

If a confidentiality incident presents a risk of serious injury, we will take reasonable measures to reduce the risk, record the incident, and notify affected individuals and competent authorities, including Quebec's Commission d'acces a l'information where required.

Privacy Impact Assessments

Where required by Law 25 or by the nature of a project, we perform or support privacy impact assessments, including for new systems, redesigns involving personal information, transfers outside Quebec, and sensitive AI or integration uses.

Minors

The website and platform are intended for B2B professional use and are not directed to people under 18. We do not knowingly collect personal information from minors.

Changes

We may update this policy to reflect our practices, providers, features, or legal requirements. The update date indicates the most recent version. Important changes will be communicated reasonably.

Contact and Complaints

For privacy questions, requests, or complaints, contact Simon Bourdages at simon.b@moqqa.ai.

If you are not satisfied with our response, you may contact Quebec's Commission d'acces a l'information, the Office of the Privacy Commissioner of Canada, or, where applicable, your European data protection authority.

Newsletter

Practical notes on agent workflows, human review, logs, tools, and AI adoption in companies.