Legal
Privacy Policy
Last updated: May 14, 2026 · Effective: May 14, 2026
Queen City AI LLC (“Queen City AI,” “we,” “us”) builds AI workflows and agent systems for businesses. This Privacy Policy explains what information we collect through queen-city.ai, how we use it, who we share it with, and the choices you have. It was written to be readable by a person — not just a lawyer — while still meeting the substance expected by enterprise procurement and security teams.
We deliberately collect as little as we can. We do not sell your data. We do not use information submitted through our website to train third-party AI models.
Who this policy applies to
This policy applies to visitors to our marketing website, prospects and clients who contact us, and people who subscribe to our content. Engagements with active clients are governed by the Master Services Agreement and Data Processing Addendum signed at the start of the engagement, which supersede this policy for project data.
What we collect
Information you give us directly
- Contact form submissions — name, email address, company name, message text, and any optional fields you fill in.
- Meeting bookings — name, email, and scheduling details when you book a call through Calendly.
- Blog subscriptions — email address only.
- Correspondence — content of emails and messages you send us.
Information collected automatically
- Usage data — pages viewed, referring URL, approximate location derived from IP address (city/region level), device type, browser. Collected via Google Analytics and Vercel Analytics in an aggregated, anonymized form.
- Performance data — page load times, errors, and Core Web Vitals via Vercel Analytics.
- B2B visitor signals — Apollo.io may identify the company a visitor is associated with based on network signals (not the individual). This is used to prioritize follow-up with companies that match our ideal customer profile.
Information we do not collect
- Government identifiers (SSN, driver’s license, etc.).
- Payment card information — we do not process payments through this website.
- Health or biometric information.
- Precise geolocation.
- Information from anyone under 16. The site is intended for business audiences.
How we use information
- To respond to inquiries and schedule meetings.
- To deliver services to active clients under our Master Services Agreement.
- To send relevant content to subscribers, who can unsubscribe at any time.
- To improve the website (measuring which pages help and which don’t).
- To prevent fraud and abuse (honeypot fields, rate limiting, basic security logging).
- To comply with legal obligations.
We do not use information collected through this website to train large language models or sell to data brokers.
Legal bases (GDPR)
If you are in the EU, EEA, or UK, our legal bases for processing are:
- Consent — for marketing subscriptions and non-essential cookies.
- Legitimate interests — for security, fraud prevention, and basic analytics needed to operate the site.
- Contract — to provide services you have engaged us to deliver.
- Legal obligation — to comply with applicable law.
Subprocessors
We use the third-party services listed below to operate the site and deliver services. Each is bound by its own privacy and security commitments. We review the list periodically and update it when material changes occur.
| Vendor | Purpose | Data touched | Location |
|---|---|---|---|
| Vercel | Website hosting, serverless functions, edge delivery | Request metadata, form submissions in transit | United States |
| Neon | Managed PostgreSQL database for form submissions and CRM snapshots | Contact form submissions, calendar bookings, reply tracking | United States |
| SendGrid (Twilio) | Transactional and outbound email delivery | Email addresses, message content, delivery metadata | United States |
| HubSpot | CRM, lead tracking, and pipeline management | Contact details, conversation history, deal stage | United States |
| Apollo.io | Website visitor analytics and B2B contact data | Anonymized visitor signals; firmographic enrichment of submitted business email addresses | United States |
| Google Analytics | Aggregate website traffic measurement | Anonymized usage metrics, device and browser info, referral source | United States |
| Vercel Analytics | First-party page-view and performance analytics | Anonymized page views, performance metrics | United States |
| Anthropic | AI model inference for content generation and internal automation | Prompts and outputs generated by our internal tooling — does not include your form submissions | United States |
| Calendly | Meeting scheduling for discovery calls | Name, email, scheduling preferences | United States |
| Microsoft (Entra ID, Microsoft 365) | Internal staff authentication and email communications with clients | Staff identity (not customer data); inbound and outbound email correspondence | United States |
How we protect information
- Encryption in transit — TLS 1.2+ everywhere. HSTS preload enabled. No information is transmitted to or from the site in plaintext.
- Encryption at rest — our database (Neon) and email provider (SendGrid) encrypt data at rest.
- Access controls — internal staff access requires Microsoft Entra ID with multi-factor authentication. Access is restricted to the Queen City AI team members who need it.
- Least-privilege subprocessors — each subprocessor only receives the data it needs to perform its function.
- Honeypot and rate limiting — applied to all public forms to prevent automated abuse.
- Secrets management — API keys are stored in Vercel-encrypted environment variables, never committed to source control.
Data retention
- Contact form submissions — retained while there is an active conversation, then archived for up to 36 months in case you return. Deleted on request.
- Email correspondence — retained in Microsoft 365 according to our internal retention schedule (currently 7 years for client records, 3 years for prospect records).
- Blog subscribers — retained until you unsubscribe. Unsubscribed addresses are kept in a suppression list to honor your preference.
- Analytics — Google Analytics retention is set to 14 months. Vercel Analytics is aggregated and not tied to individuals.
- Backups — encrypted backups follow each provider’s standard rotation (typically 7 to 35 days).
Your rights
Regardless of where you live, you can ask us to:
- Access the information we hold about you.
- Correct information that is wrong.
- Delete your information (subject to legal retention obligations).
- Export a copy of your information in a portable format.
- Restrict or object to certain processing.
- Opt out of marketing emails — every email has an unsubscribe link, or email us directly.
- Withdraw consent where processing is based on consent.
California, Virginia, Colorado, Connecticut, Utah, and other US state residents have specific rights under their respective privacy laws — we honor all of them at the same standard regardless of your state. To make a request, email privacy@queen-city.ai. We will respond within 30 days.
We do not sell personal information and we do not engage in cross-context behavioral advertising. There is no “Do Not Sell or Share My Personal Information” mechanism to opt out of because there is nothing to opt out of.
Cookies and tracking
We use a small number of cookies and similar technologies:
- Essential — required for the site to function (e.g., session for the internal dashboard).
- Analytics — Google Analytics and Vercel Analytics, used in aggregate to understand site performance.
- Sales operations — HubSpot tracking cookie and Apollo.io visitor tracking. These help us understand which companies are evaluating us so we can follow up usefully. They do not identify individuals who have not contacted us.
You can disable cookies in your browser settings. Most of the site will continue to work normally.
International transfers
Queen City AI is based in the United States, and all of our subprocessors store data in the United States. If you contact us from outside the US, your information will be transferred to and processed in the US. We rely on Standard Contractual Clauses or equivalent mechanisms where required.
Security incident notification
If we become aware of a security incident that affects your personal information, we will notify you within 72 hours of confirming the incident, in line with GDPR Article 33 timelines. Notifications will include what happened, what data was affected, what we are doing about it, and what you can do.
AI and automated decision-making
We build AI systems for clients. On this website, we do not use AI to make decisions that have a legal or similarly significant effect on you. When we use AI internally (for example, to summarize a piece of public content), we do not send your form submissions or other personally identifiable data through external AI models without your knowledge.
Children’s privacy
The site is for business audiences. We do not knowingly collect information from anyone under 16. If you believe a child has provided us with information, email privacy@queen-city.ai and we will delete it.
Changes to this policy
We update this policy when our practices change or when law requires it. Material changes will be announced on this page with an updated “Last updated” date. For active clients, material changes will also be communicated through the contact you designated in your MSA.
Contact us
For any privacy question, request, or concern:
- Email — privacy@queen-city.ai
- General contact — contact@queen-city.ai
- Mail — Queen City AI LLC, Charlotte, North Carolina, United States
For enterprise procurement teams: we are happy to complete vendor security questionnaires, sign mutual NDAs ahead of evaluation, and provide a Data Processing Addendum on request.