Introduction
ConvergeQA (convergeqa.net) is operated by Tuscaloosa Primary Care LLC, located in Tuscaloosa, Alabama. This Privacy Policy describes what data we collect, how we use it, and your rights regarding your personal information.
Data Roles: For purposes of data protection law, ConvergeQA acts as the Data Controller for account information and billing data, and as a Data Processor for user-submitted review content (which is processed on your behalf and transmitted to third-party LLM providers).
We may update this policy from time to time. We will notify registered users of material changes via email at least 30 days before the revised policy takes effect. Your continued use of the service following the effective date constitutes acceptance of the updated policy.
Information We Collect
Account Information
- Username, email address
- Password (hashed using PBKDF2-HMAC-SHA256 with 100,000 iterations and per-user cryptographic salt — never stored in plaintext)
- Account tier, preferences, MFA enrollment status
Billing Information
- Processed and stored by Stripe (Level 1 PCI-DSS compliant)
- We store only Stripe customer ID and tokenized payment method references
- We never store, process, or transmit full credit card numbers
Review Content
- Prompts, uploaded files, review configurations, and AI-generated output you submit or receive through the service
- Files are processed on our servers for text extraction and are not retained after processing is complete. Transient copies may briefly exist in server memory or processing buffers during extraction.
Usage Data
- Review counts, feature usage, timestamps, IP addresses
- Rate limiting and abuse prevention data
- Error logs for service reliability
Cookies
- Flask session cookies for authentication (functional, not tracking)
- No third-party tracking cookies, analytics cookies, or advertising cookies are used
Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:
- Contract Performance (Art. 6(1)(b) GDPR): Processing your account data, review content, and billing information to deliver the ConvergeQA service.
- Legitimate Interest (Art. 6(1)(f) GDPR): Rate limiting, abuse prevention, security monitoring (including MFA), service improvement, and maintaining platform integrity.
- Legal Obligation (Art. 6(1)(c) GDPR): Retaining billing records as required by tax and financial regulations.
- Consent (Art. 6(1)(a) GDPR): Where applicable, for optional features or communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
How We Use Your Information
- To provide and operate the ConvergeQA service
- To process reviews by transmitting content to LLM providers (Anthropic/Claude, OpenAI/GPT, Google/Gemini, xAI/Grok, Perplexity/Sonar)
- To manage billing and subscriptions via Stripe
- To generate audit reports and verification metadata
- To enforce rate limits and prevent abuse
- To communicate service updates and material policy changes
- To respond to support and privacy requests
We do NOT:
- Sell or share your data with third parties for advertising
- Use your Input or Output to train machine learning models
- Use third-party tracking or analytics cookies
- Profile you for targeted advertising
LLM Provider Data Sharing (Critical)
When you submit a review, your content is transmitted to the LLM providers selected for that review. This is a core function of the service.
Important disclosures:
- ConvergeQA accesses LLM providers via API endpoints. Under standard API terms, providers generally do not use API-submitted data for model training. However, providers may temporarily retain API inputs for abuse monitoring, safety, or operational purposes according to their own policies and our applicable provider terms.
- Each provider has its own data handling policies. ConvergeQA does not control how LLM providers process or retain data beyond the terms of our API agreements.
- Users should not submit sensitive, confidential, or regulated information that they cannot risk being processed by third-party AI providers.
Provider Privacy Policies:
The current list of sub-processors is available at convergeqa.net/providers. We will notify paid-tier subscribers via email at least 30 days before adding a new LLM provider.
Data Retention
| Data Type | Retention Period |
|---|---|
| Review history (Free tier) | 7 days |
| Review history (Student/Basic/Plus/Pro/Enterprise) | Full retention while account is active; auto-deleted after 2 years of account inactivity |
| Account data | While account is active; deleted within 30 days of account deletion request |
| Uploaded files | Processed for text extraction and not retained after processing |
| Audit reports | Retained for the lifetime of the account for verification purposes |
| Billing records | 7 years (per tax/financial regulations) |
| Usage/rate limiting data | 90 days |
Users can delete individual history entries at any time. Full account deletion can be requested by contacting [email protected]. Account data will be permanently removed within 30 days of a confirmed deletion request, except where retention is required by law.
Data Security
- Passwords hashed with PBKDF2-HMAC-SHA256 (100,000 iterations + per-user cryptographic salt)
- TLS 1.2 and 1.3 for all data in transit
- Encrypted at rest via AWS-managed encryption where supported by the infrastructure provider
- API keys hashed with SHA-256 before storage — plaintext never retained
- Optional two-factor authentication (TOTP) with hashed backup codes
- Session-based authentication with 7-day expiration
- Per-user and per-API-key rate limiting to prevent abuse
- See /compliance for full security controls overview
No system is 100% secure. We encourage all users to enable two-factor authentication and use strong, unique passwords.
Data Breach Notification
In the event of a personal data breach:
- We will notify relevant supervisory authorities within 72 hours of confirming a breach that is likely to result in a risk to individuals' rights and freedoms (per GDPR Art. 33, where applicable).
- We will notify affected users without undue delay via email when a breach is likely to result in a high risk to their rights and freedoms.
- Notifications will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address and mitigate the breach.
Your Rights
All Users
- Access: View your data through your dashboard, history, and account settings
- Deletion: Delete individual reviews at any time; request full account deletion by contacting [email protected] (completed within 30 days)
- Correction: Update account information through your settings
- Data Portability: Export review sessions via the export feature
- Opt-out: Disable auto top-up and manage notification preferences in billing settings
GDPR Rights (EEA/UK Users)
- Right to object to processing based on legitimate interest
- Right to restrict processing
- Right to lodge a complaint with your local supervisory authority
CCPA/CPRA Rights (California Residents)
Categories of personal information we collect: Identifiers (username, email, IP address), commercial information (billing records, subscription tier), internet/electronic activity (review history, usage data), and other categories as described in Section 2.
- Right to Know: Request disclosure of categories and specific pieces of PI collected
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive PI for purposes beyond those permitted by the CCPA/CPRA
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
Identity Verification
To protect your privacy, we may verify your identity before fulfilling data rights requests. Verification may include confirming your email address or account credentials.
We will respond to all data rights requests within 30 days. If we need additional time, we will notify you of the extension and the reasons for the delay.
To exercise any of these rights, contact [email protected].
Children's Privacy
ConvergeQA is not intended for children under 13. Users who are under the age of majority should use ConvergeQA only with appropriate parent, guardian, school, or organizational authorization. If you believe a child under 13 has provided information to ConvergeQA, please contact us immediately at [email protected].
NOT HIPAA Covered
CRITICAL: ConvergeQA is NOT a HIPAA-covered entity or business associate, and no Business Associate Agreement (BAA) is available. Do not submit Protected Health Information (PHI), including patient names, medical records, diagnoses, or any regulated health data.
Although ConvergeQA is operated by Tuscaloosa Primary Care LLC, the ConvergeQA platform is a standalone, general-purpose software service with no connection to medical practice operations. No medical services, patient care, or clinical data processing is provided through ConvergeQA.
ConvergeQA does not provide HIPAA-compliant workflows or Business Associate Agreements for ConvergeQA services.
International Data Transfers
ConvergeQA's servers and primary data processing are located in the United States (AWS us-east-1, N. Virginia). By using the service, your data is transferred to and processed in the United States.
If you are located outside the United States, please be aware that data protection laws in the United States may differ from those in your jurisdiction. By using ConvergeQA, you consent to the transfer of your data to the United States.
If your organization requires a Data Processing Agreement (DPA) or similar addendum, contact [email protected]. Availability and terms are reviewed case by case and are not included by default in public plans.
Third-Party Services & Subprocessors
ConvergeQA uses the following third-party services to deliver and operate the platform:
The current list of sub-processors is maintained at convergeqa.net/providers. We will notify paid-tier subscribers at least 30 days before engaging a new sub-processor.
Enterprise data protection terms, including DPA availability, are handled case by case. Do not rely on the public plan pages as a commitment that any particular addendum or provider retention term is available.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before the revised policy takes effect. We will indicate the date of last revision at the top of this page. Your continued use of ConvergeQA after the effective date of any changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have privacy concerns, please contact:
© 2026 Tuscaloosa Primary Care LLC. All rights reserved.