Legal

Privacy Policy

Last updated:

TAURUS AI Corp (“we”, “us”, “our”) operates Q-Grid Comply and Q-Grid Scanner. This Privacy Policy explains how we collect, use, store, and protect information when you use our services.

1. Information We Collect

Account Information

Name and email address provided when you register via Clerk authentication. We store only what is necessary to manage your account and deliver the service.

AI System Details

Information about your AI systems that you submit during registration, including system name, type, deployment context, and risk classification inputs. This data is used solely to generate your compliance assessments.

Assessment Responses

Answers you provide during compliance assessments (EU AI Act, NIST FIPS 203/204, SWIFT 2027). These responses are stored to generate reports and track compliance progress over time.

Scan Data

Domain names and publicly accessible SSL certificate information submitted through Q-Grid Scanner. This data consists exclusively of publicly available information. We do not access any non-public systems.

Usage Analytics

Server-side event data (pages visited, features used, session duration) used to improve the platform. No third-party advertising analytics are used.

Payment Information

Billing is processed by Stripe. We receive only a tokenized payment reference and subscription status — we never store credit card numbers, CVV codes, or full payment details on our servers.

2. How We Use Your Information

  • Provide compliance assessment services and generate compliance reports.
  • Anchor audit trail hashes to the Hedera blockchain for immutable verification. Only cryptographic hashes are anchored — raw assessment data is never written to the public ledger.
  • Apply ML-DSA-65 post-quantum signatures to all generated artifacts for tamper-evidence and long-term verifiability.
  • Send transactional emails (assessment complete, report ready, billing receipts) via Resend.
  • Respond to support requests and account inquiries.
  • Improve platform performance, fix bugs, and develop new compliance frameworks.
  • Comply with applicable laws and enforce our Terms of Service.

3. Data Storage & Security

Data is stored in Neon PostgreSQL with regional routing (see Section 4). We apply multiple layers of security:

  • ML-DSA-65 post-quantum digital signatures on all compliance artifacts (NIST FIPS 204)
  • ML-KEM-768 key encapsulation for key exchange (NIST FIPS 203)
  • AES-256-GCM encryption for cryptographic keys at rest
  • TLS 1.3 for all data in transit
  • Hedera HCS (Hashgraph Consensus Service) for immutable audit anchoring — hashes only, never raw data
  • Access controls: least-privilege database roles, short-lived credentials, no standing access

In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you within 72 hours of becoming aware, as required under GDPR Article 34.

4. Data Residency

We operate regional database instances to keep your data in your jurisdiction. Your data is routed based on the domain you access:

Region          Domain          Data Location
EU              eu.q-grid.net   Frankfurt, Germany (aws-eu-central-1)
North America   na.q-grid.net   US East (aws-us-east-2)
India           in.q-grid.net   Mumbai, India (aws-ap-south-1)
UAE             ae.q-grid.net   Bahrain (aws-me-central-1)

EU customer data is never transferred outside the European Economic Area without appropriate safeguards (Standard Contractual Clauses or equivalent).

5. Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights under the General Data Protection Regulation:

Right of Access (Article 15): Request a copy of all personal data we hold about you.
Right to Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17): Request deletion of your personal data. Note: data anchored to Hedera HCS as cryptographic hashes cannot be deleted from the public ledger, but raw data associated with those hashes can be deleted from our systems.
Right to Data Portability (Article 20): Request an export of your data in a machine-readable format (JSON or CSV).
Right to Restrict Processing (Article 18): Request that we limit how we process your data in certain circumstances.
Right to Object (Article 21): Object to processing of your personal data based on legitimate interests.

To exercise any of these rights, email admin@taurusai.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the CNIL in France, ICO in the UK, or the relevant EU member state DPA).

6. Third-Party Services

We use the following third-party processors. Each has been evaluated for GDPR compliance and, where applicable, Data Processing Agreements are in place:

  • Clerk: Authentication and identity management (SSO, MFA, session management)
  • Stripe: Payment processing. Card data is handled exclusively by Stripe and never stored on our servers
  • Hedera: Blockchain audit trail anchoring via Hedera Consensus Service (HCS). Only cryptographic hashes are written to this public ledger
  • Vercel: Application hosting and edge network. Handles TLS termination and HTTP request routing
  • Neon: Serverless PostgreSQL database provider with regional data residency
  • Resend: Transactional email delivery (assessment notifications, billing receipts)

7. Cookies

We use a minimal set of cookies. We do not use advertising cookies, cross-site tracking cookies, or sell your data to ad networks.

Cookie          Type        Purpose
__session       Essential   Clerk authentication session token
__client_uat    Essential   Clerk client-side user activity token
__cf_bm         Essential   Cloudflare bot management (Vercel infrastructure)

Analytics are collected via server-side event logging — no client-side tracking scripts are injected, which means no third-party cookies from analytics providers.

8. Sovereign AI Option

Enterprise customers can elect to use Sovereign AI mode for compliance report generation. In this mode:

  • AI inference runs on the customer's own infrastructure using a self-hosted model (Ollama, vLLM, or compatible OpenAI-API endpoint)
  • Assessment data and report content never leave the customer's network boundary
  • Q-Grid Comply acts as a thin orchestration layer — it sends structured prompts to your local AI endpoint and formats the response
  • Blockchain anchoring (Hedera HCS hashes) still occurs from customer infrastructure, ensuring audit trails remain intact without data exposure

Sovereign AI mode is available on Enterprise plans. Contact admin@taurusai.io to configure this for your organization.

9. Contact & Data Protection Officer

For all privacy-related requests, data subject rights exercises, or DPA inquiries:

Organization
TAURUS AI Corp

Jurisdictions
Ontario, Canada · Dubai IFZA · Wyoming LLC

Data Protection Officer
admin@taurusai.io

We aim to respond to all privacy requests within 30 days. For urgent security matters, mark your email subject line with [URGENT PRIVACY].

10. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the services we offer. When we make material changes:

  • Registered users will be notified by email at least 14 days before changes take effect
  • The "Last updated" date at the top of this page will be revised
  • For significant changes, we will display a notice in the application dashboard

Continued use of Q-Grid Comply after changes become effective constitutes acceptance of the updated Privacy Policy.