Privacy Policy

At Ekan Limited (registered in Hong Kong), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use QiCli, our AI-powered client onboarding automation platform.

1. Information We Collect

Information You Provide

  • Account Information: Name, email address, and authentication credentials when you create an account
  • Profile Information: Any additional information you choose to provide in your user profile
  • Content Data: Client information, templates, onboarding data, and generated documents you create using our services
  • Payment Information: Billing details processed securely through Stripe (we do not store full payment card information)
  • Communication Data: Messages, feedback, and correspondence when you contact us for support

Automatically Collected Information

  • Usage Data: How you interact with our services, features used, and time spent on the platform
  • Device Information: Browser type, device type, operating system, and IP address
  • Log Data: Access times, pages viewed, and actions taken within the application
  • Cookies and Tracking: We use cookies and similar technologies to enhance your experience and analyze usage patterns

2. How We Use Your Information

Primary Uses:

  • Provide, maintain, and improve our AI-powered onboarding automation services
  • Process transactions and manage your subscription
  • Personalize your experience and deliver content tailored to your preferences
  • Communicate with you about your account, services, and important updates
  • Respond to your inquiries, comments, and support requests
  • Monitor and analyze usage patterns to enhance platform functionality
  • Detect, prevent, and address technical issues and security threats
  • Comply with legal obligations and enforce our terms of service

3. Information Sharing and Disclosure

We respect your privacy and do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

Service Providers

We work with trusted third-party service providers (such as Supabase for data storage, Stripe for payments, OpenRouter for AI services, and Resend for email) who assist us in operating our platform. These providers are contractually obligated to protect your information and use it only for specified purposes.

Legal Requirements

We may disclose information if required by law, court order, or government regulation, or to protect our rights, property, or safety, or that of our users or others.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, with notice provided to you.

4. Data Security

We implement industry-standard security measures to protect your personal information:

  • Encryption of data in transit and at rest
  • Secure authentication and access controls
  • Row Level Security (RLS) policies in Supabase to ensure data isolation
  • Regular security assessments and monitoring
  • Secure payment processing through PCI-compliant providers
  • Limited access to personal information on a need-to-know basis

Note: While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to using commercially reasonable measures to protect your data.

5. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes outlined in this policy:

Retention Periods:

  • Active Account Data: Retained while your account is active
  • Content After Cancellation: Your onboarding data, templates, and generated content remain accessible for 30 days after account cancellation or termination
  • Permanent Deletion: After the 30-day grace period, all user-generated content is permanently deleted from our systems
  • Transaction Records: Retained for 7 years as required by Hong Kong tax and accounting laws
  • Account Metadata: Basic account information (email, user ID) may be retained to prevent fraud and abuse
  • Legal Hold: Data may be retained longer if required by law, litigation, or regulatory investigation

Export Your Data: You can export your content at any time before cancellation or within the 30-day grace period. After 30 days, data recovery is not possible.

6. Your Rights and Choices

You have the following rights regarding your personal information:

Access & Portability

Request access to your personal data and receive it in a portable format

Correction

Update or correct inaccurate information in your account settings

Deletion

Request deletion of your account and associated data (subject to legal requirements)

Opt-Out

Unsubscribe from marketing communications while retaining essential service communications

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

  • Essential Cookies: Required for the platform to function properly (authentication, security)
  • Analytics Cookies: Help us understand how users interact with our services to improve functionality
  • Preference Cookies: Remember your settings and preferences for a personalized experience

You can control cookies through your browser settings, though disabling certain cookies may limit functionality.

8. Third-Party Services

Our platform integrates with third-party services that have their own privacy policies:

  • Authentication: Supabase Auth for secure account access
  • Payment Processing: Stripe handles all payment transactions securely
  • Data Storage: Supabase provides secure cloud database services
  • AI Services: OpenRouter processes content generation requests
  • Email Services: Resend handles email delivery for onboarding packages (when Gmail is not connected)
  • Gmail Integration: Google Gmail API for sending emails on your behalf (optional integration - see section 8.1 for detailed information)

We encourage you to review the privacy policies of these third-party services to understand how they handle your information.

8.1. Google User Data - Gmail Integration

Scope of Access

When you connect your Gmail account to QiCli, we request permission to send emails on your behalf using Google's Gmail API. We request the following scope:

  • gmail.send - Permission to send emails on your behalf

Important: We do not request permission to read, access, or view your email messages or content. We only request permission to send emails.

How We Access Google User Data

We access Google user data only through Google's official OAuth 2.0 authentication flow. When you choose to connect your Gmail account:

  • You are redirected to Google's secure consent screen
  • You explicitly grant permission for QiCli to send emails on your behalf
  • Google provides us with an access token and refresh token (stored securely and encrypted)
  • We use these tokens exclusively to send emails through Google's Gmail API

What Google User Data We Access

With the gmail.send scope, we can only:

  • Send emails on your behalf through your Gmail account
  • Access your Gmail account's sending capabilities

We do NOT access:

  • Your email messages or email content
  • Your email inbox or sent items
  • Email metadata (subject lines, recipients, dates) unless you explicitly provide it
  • Any other Gmail data beyond sending capabilities

How We Use Google User Data

We use Google user data (Gmail sending capabilities) solely for the following purposes:

  • Onboarding Email Delivery: Sending client onboarding packages, welcome emails, questionnaires, and follow-up communications that you create through our platform
  • Email Threading: When replying to existing email threads, we use thread IDs to ensure your emails are properly threaded in Gmail (this requires only the thread ID you provide, not access to thread content)

AI Processing Policy: We never send data obtained from Google APIs (including Gmail API) to AI services for training or processing. AI processing in our platform only occurs on content that you explicitly provide by pasting or typing into our platform. Google user data obtained via Google APIs is completely isolated from our AI processing pipeline.

How We Store Google User Data

We store the following Google user data securely:

  • OAuth Tokens: Access tokens and refresh tokens are encrypted using industry-standard encryption before being stored in our secure database (Supabase)
  • Integration Status: We store a record that you have connected Gmail (integration type and active status)
  • No Email Content: We do not store any email content, email messages, or email metadata obtained from Google APIs

All stored tokens are encrypted at rest and transmitted over secure, encrypted connections (HTTPS/TLS). Tokens are automatically refreshed when they expire, and you can revoke access at any time through your Google Account settings or by disconnecting the integration in QiCli.

How We Share Google User Data

We do not share, sell, or transfer Google user data to any third parties. Specifically:

  • We do not share Google user data with AI service providers
  • We do not share Google user data with analytics services
  • We do not share Google user data with advertising networks
  • We do not use Google user data for any purpose other than sending emails on your behalf

The only exception is when required by law, court order, or to protect our rights and safety, in which case we will comply with legal requirements and notify you when legally permitted.

Data Retention and Deletion

  • OAuth Tokens: Stored until you disconnect the Gmail integration or delete your account
  • Immediate Deletion: When you disconnect Gmail integration, all stored tokens are immediately and permanently deleted from our systems
  • Account Deletion: All Google integration data is permanently deleted when you delete your QiCli account

Your Control Over Google User Data

You have complete control over your Google user data:

  • Disconnect Anytime: You can disconnect your Gmail integration at any time through Settings → Integrations in QiCli
  • Revoke Access: You can revoke QiCli's access to your Gmail account at any time through your Google Account permissions page
  • No Data Retention: When you disconnect, all tokens are immediately deleted - we do not retain any Google user data

Compliance: Our use of Google user data complies with Google's API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide and improve our app's functionality, and we never use it for training generalized AI models or any other purpose beyond email sending.

For questions about our use of Google user data, please contact us through our contact form.

9. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately so we can delete it.

10. International Data Transfers

Your information may be transferred to and processed in Hong Kong and other countries where our service providers operate, including the United States. These countries may have different data protection laws than your country of residence.

Safeguards for International Transfers: We use standard contractual clauses approved by the European Commission, adequacy decisions, and other appropriate safeguards to ensure your data is protected when transferred internationally, particularly for transfers from the EEA, UK, or Switzerland.

We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws, regardless of where it is processed.

11. Your Privacy Rights

Depending on your location, you may have specific privacy rights under applicable laws:

GDPR Rights (EU/UK/Swiss Users)

  • Right to access your data
  • Right to rectify inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

CCPA/CPRA Rights (California Users)

  • Right to know what data we collect
  • Right to delete your personal information
  • Right to correct inaccurate data
  • Right to opt out of sale (we don't sell data)
  • Right to limit use of sensitive data
  • Right to non-discrimination

To exercise your privacy rights, contact us through our contact form with "Data Rights Request" in the subject line. We will respond within 30-45 days as required by law.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification to registered users for significant changes
  • Displaying a notice on our platform when you next log in

Your continued use of our services after changes become effective constitutes acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Company: Ekan Limited
  • Registered in: Hong Kong SAR
  • Contact: Use our contact form for privacy-related inquiries
  • Response time: 24-48 hours

Version 2.0 | Last updated: January 2026