Quarri Privacy Policy

Effective date: March 18, 2026 | Last updated: March 18, 2026

1. Who We Are

This Privacy Policy describes how Quarri AI Inc., a Delaware corporation ("Quarri," "we," "us," or "our"), collects, uses, stores, and protects information when you use our AI-powered data analytics platform at quarri.ai and related services (the "Platform").

Quarri AI Inc. is the data controller for the purposes of applicable data protection legislation.

Contact: theo+privacy@quarri.ai

2. Information We Collect

Account Information. When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). We may also collect your company name, role, and billing information.

Business Data (Customer Data). Files, databases, spreadsheets, and other data you upload to or connect with the Platform for analysis. Customer Data is stored in tenant-isolated environments and belongs to you at all times.

Usage Data. Query activity, session metadata, tool invocations, and performance logs used for auditing, support, and service improvement.

MCP Session Data. When you interact with Quarri through the Model Context Protocol (MCP) — for example, via Claude Desktop, Claude.ai, Claude Code, or Cowork — we process tool requests in real time. We log tool invocations and parameters for auditing purposes but do not store conversation content from the host application.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Platform and related services;

  • Authenticate users and manage account access;

  • Generate analytical outputs, reports, dashboards, and automations you request;

  • Send transactional communications (account confirmations, service notices, billing);

  • Monitor Platform performance, diagnose issues, and improve reliability; and

  • Compile Aggregated Statistics (as defined below).

We do not use your Customer Data to train AI models that are shared with other customers, sell to third parties, or serve advertisements.

4. Aggregated Statistics and Platform Improvements

In the course of providing the Platform, we may compile aggregated and anonymised data related to your use of the services ("Aggregated Statistics"). Aggregated Statistics do not identify you, any individual, or your Customer Data.

We may also develop or refine tools, software components, analytical techniques, automation workflows, data models, and methodologies in the course of providing services to you. We retain ownership of these methods and may use them to improve the Platform and serve other customers, provided we do not disclose your Confidential Information or Customer Data in doing so.

We will not sell Aggregated Statistics to third parties without your prior written consent.

5. Data Storage and Security

Customer Data resides in tenant-isolated databases on MotherDuck (DuckDB cloud), Neon (Postgres), and AWS infrastructure. We maintain enterprise-grade security measures including:

  • Encryption of data at rest (AES-256 or equivalent);

  • Encryption of data in transit (TLS 1.2 or higher);

  • Role-based access controls limiting access to authorised personnel on a need-to-know basis;

  • Complete audit logging of data access and tool invocations;

  • Regular security assessments and vulnerability testing;

  • Incident response procedures; and

  • Data residency options (United States or European Union, as selected by you).

Our infrastructure providers maintain SOC 2 Type II certification.

6. Data Sharing

We share your information only with:

  • Infrastructure and service providers operating under written agreements with data protection obligations no less protective than this Policy (including MotherDuck, AWS, Neon, and Fly.io);

  • Third-party APIs and data sources that you explicitly authorise us to connect to on your behalf; and

  • Law enforcement or regulatory authorities where required by law, regulation, or court order. Where legally permitted, we will notify you before making such disclosures.

We maintain a current list of sub-processors, available upon request by emailing theo+privacy@quarri.ai. We will provide at least 30 days' notice before engaging any new sub-processor.

7. Data Retention and Deletion

Customer Data is retained for the duration of your active subscription. Upon termination or expiry of your agreement with us, we will make your Customer Data available for export for 30 days. After that period, Customer Data will be securely deleted.

Usage logs (query activity, session metadata, and audit records) are retained for up to 90 days after generation for auditing and service improvement purposes, after which they are automatically purged. Usage logs do not contain Customer Data; they contain metadata about tool invocations and session activity.

Account information is retained for as long as your account is active and for a reasonable period thereafter to comply with legal obligations.

Upon request, we will certify the destruction of your data in writing.

8. Breach Notification

In the event of a breach of security safeguards involving personal data, we will notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature and scope of the breach, the categories and approximate number of individuals affected, a description of the measures taken or proposed to address the breach, and the name and contact details of a Quarri representative who can provide further information.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you;

  • Correct inaccurate or incomplete personal data;

  • Delete your personal data (subject to legal retention requirements);

  • Export your data in a portable format;

  • Restrict or object to certain processing activities; and

  • Withdraw consent where processing is based on consent.

To exercise any of these rights, contact theo+privacy@quarri.ai. We will respond within 30 days (or sooner where required by applicable law).

10. International Data Transfers

The Platform is hosted in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.

For EU/EEA residents: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection for personal data transferred outside the EU/EEA. We offer EU data residency upon request.

For Canadian residents: We ensure that personal data transferred outside Canada receives a comparable level of protection through contractual means, consistent with PIPEDA Principle 1 and the Office of the Privacy Commissioner of Canada's guidance on cross-border transfers.

A Data Processing Agreement is available upon request by contacting theo+privacy@quarri.ai.

11. Cookies

We use session-only cookies for authentication and Platform functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No data is shared with advertising networks.

12. Children's Privacy

The Platform is designed for business use and is not directed at individuals under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Platform at least 30 days before the changes take effect. Continued use of the Platform after such notice constitutes acceptance of the updated Policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Quarri AI Inc. 390 NE 191st St STE 18580 Miami, FL 33179 United States

Email: theo+privacy@quarri.ai