In short. Queri is a Swedish (EU) company. We host customer data in Sweden, encrypt everything in transit and at rest, and never use customer content to train shared AI models. You always own your content and can ask us to export or delete it. The full, GDPR-required detail is below.
1. Who we are
The data controller for personal data described in this policy is Queri AB, a Swedish limited company with org. no. 559472-0269, registered office at Skansvägen 3 A, 246 57 Barsebäck, Sweden.
You can reach us at privacy@queri.law for any privacy-related question. We have not appointed a Data Protection Officer because we are not required to under Article 37 GDPR; the same address routes to the person responsible for privacy at Queri.
2. Scope
This policy covers personal data we process as a controller - i.e., when you visit our website, request a demo, sign up for a free trial, or communicate with us. When you use the Queri product as part of a paying customer organisation, we process the personal data inside your documents and chats as a processor on your behalf, governed by a separate Data Processing Agreement (DPA) signed with that customer. In that case, the controller is your employer (or the entity that licensed Queri) and you should refer to their privacy notice for those processing activities.
3. Personal data we process
3.1 Marketing site visitors
- Technical data: IP address, user-agent, approximate location derived from IP, referrer, pages viewed.
- Communications: messages and email address you submit through forms (contact, demo request, signup).
3.2 Trial and product users
- Identity & contact: first and last name, work email, company name, optional job title and team size.
- Authentication: hashed password, refresh tokens, sign-up codes, password-reset tokens.
- Usage data: log of API calls, feature usage, tokens consumed, error events.
- Customer Content: documents, contract clauses, chat messages, playbooks and other content you upload to or generate within Queri. Where this includes personal data, we process it on your behalf as your processor.
3.3 Business contacts
- Names, work emails, job titles and any meeting notes for prospects, customers and vendors we engage with.
4. Purposes and lawful bases
We process personal data for the following purposes, on the bases listed.
| Purpose | Lawful basis (Art. 6 GDPR) |
|---|---|
| Operate the website and respond to enquiries | Legitimate interest (Art. 6(1)(f)) in running our business |
| Provision and operate the trial and product (account, login, chat, billing) | Performance of a contract with you or your employer (Art. 6(1)(b)) |
| Service emails (verification, password reset, lifecycle notifications about your trial) | Performance of a contract (Art. 6(1)(b)) |
| Marketing emails about Queri (only with prior opt-in or to existing customer contacts under soft opt-in) | Consent (Art. 6(1)(a)) or legitimate interest (Art. 6(1)(f)) |
| Security: rate-limiting, bot prevention, abuse detection | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Comply with legal obligations (accounting, tax, lawful requests) | Legal obligation (Art. 6(1)(c)) |
| Defend legal claims | Legitimate interest (Art. 6(1)(f)) |
5. AI processing and model providers
Queri uses third-party large language models to generate, review and analyse contracts on your instructions. To operate the product, prompts and Customer Content are sent in real time to these model providers under contractual terms that include the following safeguards.
- No training. Our model providers are contractually prohibited from using your prompts or outputs to train shared models.
- EU regions where available. We use EU-hosted endpoints where the provider offers them (e.g. Azure OpenAI Service in Sweden Central). Where a model is only available outside the EEA, transfers are governed by Standard Contractual Clauses (see section 7) and we tell you which models that applies to in our sub-processor list.
- Short retention at the provider. Provider-side prompt and output retention is configured to the minimum the provider permits, typically zero or up to 30 days for abuse detection only.
- No automated decisions with legal effect. Queri produces drafting and review suggestions to assist a human user. It is not designed to make decisions producing legal effects on a data subject without human review, and you should always have a qualified lawyer review AI output before relying on it.
6. Recipients and sub-processors
We share personal data with service providers we contract with under written data processing terms. The current categories are:
- Cloud infrastructure for hosting databases, application servers and storage (EU regions).
- AI model providers for the inference described in section 5.
- Email delivery providers for transactional and lifecycle email.
- Edge / CDN and bot-prevention providers (e.g. Cloudflare) for serving the marketing site and protecting forms.
- Analytics and observability tooling for product reliability and error monitoring (no advertising or cross-site tracking).
- Professional advisors (auditors, lawyers, accountants) under duties of confidentiality.
An up-to-date list of sub-processors with their roles and locations is available on request from privacy@queri.law and is included in our DPA.
7. International transfers
Queri stores and processes Customer Content in the EU. Some of our service providers (in particular AI model providers) may process limited data outside the EEA. Where that is the case, we rely on adequacy decisions of the European Commission, or, where no adequacy decision applies, we use the Standard Contractual Clauses adopted by the Commission together with technical measures such as encryption in transit and short retention. You can request a copy of the relevant transfer mechanism for any specific provider.
8. Retention
- Trial accounts: personal data and Customer Content are retained for the trial period plus up to 30 days, then deleted unless the trial converts to a paid plan or you ask us to delete it sooner.
- Paid customers: Customer Content is retained for the term of the subscription and deleted within 30 days after termination, unless a longer period is agreed in the Order Form. Backups roll off within 35 days.
- Account & access logs: up to 12 months for security purposes.
- Accounting & tax records: 7 years, as required by Swedish law (Bokföringslagen 1999:1078).
- Email logs (delivery metadata): up to 12 months.
- Marketing contact data: until you unsubscribe or after 24 months of inactivity, whichever comes first.
9. Security
We apply administrative, technical and organisational measures appropriate to the risk, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Logical tenant isolation; per-tenant encryption boundaries.
- Role-based access control with least-privilege defaults; SSO/SAML for customers on supported plans.
- Audit logging of administrative and access events.
- Background checks, training and confidentiality undertakings for staff with access to production systems.
- Regular vulnerability scanning and an annual third-party penetration test.
- An incident-response process; we notify affected customers without undue delay (and within 72 hours where required by Article 33 GDPR).
10. Your rights
Where we are the controller of your personal data, you have the rights set out in Articles 15–22 GDPR:
- Access to your data (Art. 15).
- Rectification of inaccurate data (Art. 16).
- Erasure (Art. 17), subject to legal retention obligations.
- Restriction of processing (Art. 18).
- Data portability (Art. 20) where processing is based on consent or contract.
- Object to processing based on legitimate interest (Art. 21), including direct marketing at any time.
- Withdraw consent at any time, where consent is the basis of processing (Art. 7(3)). Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, email privacy@queri.law. We respond within one month and may extend by two further months for complex requests, as permitted by Article 12(3) GDPR. We may need to verify your identity before responding.
Where we process personal data as a processor on a customer's behalf, please raise rights requests with that customer; we will assist them in responding.
11. Complaints
If you are not satisfied with how we handle your personal data, you can lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or with the supervisory authority in your EU country of residence or place of alleged infringement.
12. Cookies and tracking
The Queri marketing site uses only cookies and similar storage that are strictly necessary to deliver the service you request (e.g. to maintain a session, set anti-CSRF tokens, run the bot-prevention challenge that protects our signup form). We do not currently set advertising cookies, build cross-site tracking profiles, or share data with ad networks. If we add any non-essential cookies in the future, we will update this policy and request your consent through a cookie banner before placing them, in line with the Swedish Electronic Communications Act (lagen om elektronisk kommunikation).
13. Children
Queri is a B2B service intended for legal and business professionals. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
14. Changes
We may update this policy to reflect changes in our practices or the law. Material changes will be communicated by email to active customers and posted on this page with a revised "Last updated" date at least 30 days before they take effect, where practical.
15. Contact
Queri AB
Skansvägen 3 A
246 57 Barsebäck, Sweden
privacy@queri.law · hello@queri.law
See also our Terms of Service and our Security overview.
