Privacy Policy

Introduction

HQDM ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered business communication platform and services.

1. Information We Collect

1.1 Personal Information

• Email address
• First and last name
• Profile picture
• Company information
• Contact lists and customer data you provide

1.2 Google Account Information

When you connect your Google account to HQDM, we collect:

• Email address (from Google OAuth)
• Name and profile picture (from Google userinfo.profile)

1.3 SMS Communications Data

When you or your contacts opt in to receive SMS messages from HQDM, we collect:

• Mobile phone number provided at the time of opt-in
• SMS conversation content — messages sent and received by our AI-powered messaging agents
• Opt-in timestamp and method — date, time, and channel through which consent was provided
• Message metadata — delivery status, session identifiers, and interaction timestamps

1.4 Usage Data

• Log data and analytics
• Device information
• IP addresses
• Browser type and version

2. How We Use Your Information

2.1 Google OAuth Integration

2.2 Core Platform Services

• Providing and maintaining our services
• Processing transactions and sending notifications
• Customer support
• Improving our services and developing new features

2.3 Email Campaign Features

• Generating email content using AI when not predefined
• Tracking email opens through optional pixel tracking (can be disabled per campaign)
• Managing contact lists and campaign analytics

2.4 AI-Powered SMS Communications

When SMS communications are enabled for your account, we use your contacts' mobile phone numbers and conversation data to:

• Deliver SMS messages through our AI-powered conversational messaging system
• Process inbound and outbound message content through AI agents to generate contextual, automated responses
• Maintain conversation history within each SMS session for coherent AI interactions
• Track message delivery status and session analytics
• Honor opt-out requests — when a recipient replies STOP, they are immediately removed from all SMS communications

Conversation data processing: Message content is processed by our AI messaging infrastructure to generate responses. Conversation transcripts may be stored for quality assurance, compliance, and analytics purposes. Personally identifiable information within conversations is handled in accordance with this Privacy Policy.

3. How We Share Your Information

3.1 Artificial Intelligence Services

OpenAI and Anthropic:

We use AI services to analyze the content of email responses and generate email content:

• Data shared: Email subject lines, email body content, campaign context, existing contact information
• Purpose: Lead classification, sentiment analysis, intent detection, content generation
• NOT shared: Gmail access tokens, OAuth credentials, authentication data, emails unrelated to campaigns

3.2 CRM Integration (Optional)

GoHighLevel:

If you configure GoHighLevel integration:

• Data shared: Contact email addresses, names, websites mentioned in responses, lead status updates, AI-generated notes
• Purpose: Bidirectional synchronization with your CRM
• Control: Only active if you explicitly connect GoHighLevel to your HQDM account

3.3 AI Messaging Infrastructure

To deliver AI-powered SMS communications, mobile phone numbers and conversation content are transmitted to our AI messaging infrastructure provider solely for the purpose of message delivery and AI response generation. This provider:

• Processes phone numbers in E.164 format to route messages
• Processes conversation content to generate AI agent responses
• Stores conversation transcripts and session metadata for the purpose of providing the service
• Does NOT use your data or your contacts' data for their own marketing purposes

3.4 We DO NOT Share Data With:

• Advertising platforms or networks
• Data brokers or information resellers
• Marketing automation services (unless you explicitly integrate them)
• Social media platforms for advertising purposes

3.5 Legal Requirements

We may disclose your information if required by law, court order, or government regulation, or to protect our rights, property, or safety.

4. Google API Services User Data Policy Compliance

HQDM's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, regarding the userinfo.email and userinfo.profile scopes used for authentication:

• We limit our use of Google account data to providing or improving user-facing features in HQDM
• We do NOT transfer Google account data to third parties except as explicitly disclosed in this policy
• We do NOT use Google account data for serving advertisements

5. Data Storage and Security

5.1 Storage Infrastructure

• Location: Amazon Web Services (AWS) in the us-east-1 region
• Database: PostgreSQL on AWS RDS with encryption at rest enabled
• File Storage: AWS S3 with server-side encryption
• Cache: Redis for temporary data and background job processing

5.2 Security Measures

5.3 Email Delivery (SendGrid)

• Outbound email campaigns are delivered through SendGrid, which processes email content and recipient addresses
• SendGrid operates under its own Privacy Policy and is compliant with GDPR and CAN-SPAM
• We do not store full email message bodies beyond what is needed for campaign analytics

6. Data Retention and Deletion

6.1 Active Account Data

While your account is active, we retain:

• OAuth tokens indefinitely (until you disconnect the integration)
• Emails sent through campaigns (for analytics and auditing)
• AI analysis results and lead classifications
• Contact lists and campaign data
• SMS conversation transcripts and session data (for the duration of active opt-in consent)
• Mobile phone numbers and opt-in records (retained only while the contact remains subscribed to SMS communications)

6.2 Disconnecting Google Integration

You can disconnect your Google account at any time:

• From HQDM: Go to Settings → Integrations → Account → Disconnect
• From Google: Visit https://myaccount.google.com/permissions

When you disconnect:

• OAuth tokens are permanently deleted from our database (hard delete)
• We immediately stop accessing your Google account
• Historical campaign data and analytics are retained for your records

6.3 Account Deletion

When you delete your HQDM account:

• All personal data is marked as deleted (soft delete) in our system
• OAuth tokens and credentials are marked as deleted
• Data is no longer accessible through our application or APIs
• Some data may be retained temporarily for legal compliance and auditing purposes
• If you are the only admin of a company, all company data is also marked as deleted

To request account deletion: Contact us at dev@hqdm.io

7. Your Rights and Choices

7.1 Access and Control

You have the right to:

• Access your personal data stored in HQDM
• Update or correct your information
• Export your data
• Delete your account and associated data

7.2 Google Account and Campaign Control

• Revoke Google access anytime from HQDM settings or from Google account permissions
• Control campaign settings including email tracking (pixel tracking can be disabled)
• Pause or stop campaigns at any time
• Preview all emails before they are sent

7.3 SMS Opt-Out Rights

If you or your contacts receive SMS messages from HQDM, the following opt-out rights apply:

• Reply STOP to any SMS message to immediately unsubscribe from all future messages. You will receive a single confirmation message and no further SMS will be sent.
• Reply HELP to any SMS message to receive support information and contact details.
• Opt-out requests are processed immediately upon receipt of the STOP keyword.
• Once opted out, the mobile number is flagged and excluded from all future SMS campaigns and AI agent interactions.
• You may also contact us at dev@hqdm.io to request removal from SMS communications.

7.4 Communication Preferences

• Opt out of marketing emails
• Control notification settings
• Manage integration preferences

8. Third-Party Services

8.1 Analytics

Google Analytics: We use Google Analytics to understand how users interact with our website. You can opt out by installing the Google Analytics Opt-out Browser Add-on.

8.2 Advertising

Google Ads: We use Google's remarketing services for targeted advertising. You can customize ad settings at http://www.google.com/settings/ads or install the opt-out browser extension.

8.3 Email Delivery

We use SendGrid to deliver email campaigns on your behalf:

• SendGrid (Twilio) — Privacy Policy

8.4 AI Messaging Infrastructure

We use a third-party AI messaging infrastructure provider to power our SMS chat agent capabilities:

• Data processed: Mobile phone numbers (E.164 format), inbound and outbound message content, session metadata, and dynamic conversation variables
• Purpose: AI agent response generation, message routing, conversation management, and session storage
• Data controls: This provider supports PII scrubbing (removal of sensitive data from transcripts) and configurable data storage settings
• NOT used for: Third-party marketing, data resale, or any purpose beyond enabling HQDM's SMS features

8.5 Payment Processing

We use third-party payment processors and do not store your payment card details:

• Stripe — Privacy Policy
• PayPal — Privacy Policy
• GoCardless — Privacy Policy

9. Email Tracking

9.1 Open Tracking

When enabled (optional, per campaign):

• We include a 1x1 pixel image in emails to track when recipients open emails
• The tracking pixel is hosted on our own infrastructure (not third-party services)
• Tracking URL: https://prod.panel.api.jexhq.com/api/v1/parameters/gmail-email-tracking
• Each email has a unique tracking ID (UUID) for analytics
• You can disable tracking for any campaign

9.2 Link Tracking

We do not modify or track clicks on links in your emails unless explicitly configured.

10. Children's Privacy

HQDM is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we discover that a child has provided us with personal information, we will delete it immediately.

11. International Data Transfers

Your data is stored and processed in the United States (AWS us-east-1 region). If you are accessing HQDM from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from your country.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights:

• Right to Know: Request information about data we collect and how we use it
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the sale of personal information (Note: We do NOT sell personal information)
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at dev@hqdm.io.

13. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under GDPR:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time

To exercise these rights, contact us at dev@hqdm.io.

Legal basis for processing:

• Consent (for Gmail access and integrations)
• Contract performance (to provide HQDM services)
• Legitimate interests (for analytics and service improvement)

14. Security Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of discovering the breach.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting the new Privacy Policy on this page
• Updating the "Last Updated" date
• Sending you an email notification (for material changes)

Your continued use of HQDM after changes are posted constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

17. Audit and Compliance

HQDM undergoes regular security assessments:

• Compliance: We comply with Google API Services User Data Policy, GDPR, CCPA, and other applicable data protection regulations
• SendGrid Compliance: Our email delivery provider, SendGrid, is compliant with CAN-SPAM, GDPR, and CASL
• A2P 10DLC / CTIA: Our SMS communications comply with CTIA Messaging Principles and Best Practices, A2P 10DLC registration requirements, and the Telephone Consumer Protection Act (TCPA)
• TCPA: We obtain prior express written consent before sending marketing SMS messages and honor all opt-out requests immediately

Summary: How HQDM Uses Google Account Data