Introduction
ConvergeQA (convergeqa.net) is operated by Tuscaloosa Primary Care LLC, located in Tuscaloosa, Alabama. This Privacy Policy describes what data we collect, how we use it, and your rights regarding your personal information.
Data Roles: For purposes of data protection law, ConvergeQA acts as the Data Controller for account information and billing data, and as a Data Processor for user-submitted review content (which is processed on your behalf and transmitted to third-party LLM providers).
We may update this policy from time to time. We will notify registered users of material changes via email at least 30 days before the revised policy takes effect. Your continued use of the service following the effective date constitutes acceptance of the updated policy.
Information We Collect
Account Information
- Username, email address
- Password (hashed using PBKDF2-HMAC-SHA256 with 100,000 iterations and per-user cryptographic salt, never stored in plaintext)
- Account tier, preferences, MFA enrollment status
Billing Information
- Processed and stored by Stripe (Level 1 PCI-DSS compliant)
- We store only Stripe customer ID and tokenized payment method references
- We never store, process, or transmit full credit card numbers
Review Content
- Prompts, uploaded files, review configurations, and AI-generated output you submit or receive through the service
- Files are processed on our servers for text extraction. When needed for review history, exports, audit bundles, or Critique original-deliverable records, a copy of the original file may be retained with the review session until you delete the session or your account, subject to the retention limits described below.
Usage Data
- Review counts, feature usage, timestamps, IP addresses
- Rate limiting and abuse prevention data
- Error logs for service reliability
- Public marketing page visit counts collected through Plausible Analytics, a privacy-focused, cookieless, EU-hosted service. Plausible is used on public marketing pages only, sets no cookies or persistent identifiers, and does not sell personal data.
Cookies
- Flask session cookies for authentication (functional, not tracking)
- No third-party tracking cookies, analytics cookies, or advertising cookies are used
Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases:
- Contract Performance (Art. 6(1)(b) GDPR): Processing your account data, review content, and billing information to deliver the ConvergeQA service.
- Legitimate Interest (Art. 6(1)(f) GDPR): Rate limiting, abuse prevention, security monitoring (including MFA), service improvement, and maintaining platform integrity.
- Legal Obligation (Art. 6(1)(c) GDPR): Retaining billing records as required by tax and financial regulations.
- Consent (Art. 6(1)(a) GDPR): Where applicable, for optional features or communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
How We Use Your Information
- To provide and operate the ConvergeQA service
- To process reviews by transmitting content to LLM providers (Anthropic/Claude, OpenAI/GPT, Google/Gemini, xAI/Grok, Perplexity/Sonar) and, for additional models you select, OpenRouter, which forwards your content to the downstream model provider you choose
- To manage billing and payments via Stripe
- To generate audit reports and verification metadata
- To enforce rate limits and prevent abuse
- To communicate service updates and material policy changes
- To respond to support and privacy requests
We do NOT:
- Sell or share your data with third parties for advertising
- Use your Input or Output to train machine learning models
- Use third-party tracking or analytics cookies
- Profile you for targeted advertising
LLM Provider Data Sharing (Critical)
When you submit a review, your content is transmitted to the LLM providers selected for that review. This is a core function of the service.
Important disclosures:
- ConvergeQA accesses LLM providers via API endpoints. Under standard API terms, providers generally do not use API-submitted data for model training. However, providers may temporarily retain API inputs for abuse monitoring, safety, or operational purposes according to their own policies and our applicable provider terms.
- Each provider has its own data handling policies. ConvergeQA does not control how LLM providers process or retain data beyond the terms of our API agreements.
- Some optional models are accessed through OpenRouter, a model-routing service. When you select an OpenRouter-routed model, your content is sent to OpenRouter and then forwarded to the underlying model provider you choose; each has its own data-handling policy. ConvergeQA configures OpenRouter to request no-retention/no-training handling where available but does not control downstream provider practices.
- Users should not submit sensitive, confidential, or regulated information that they cannot risk being processed by third-party AI providers.
Provider Privacy Policies:
ConvergeQA offers access to many AI models. The available models, the third-party providers behind them, and their underlying pricing may change at any time without advance notice. The current list of sub-processors is available at convergeqa.net/providers.
Data Retention
Users can delete individual history entries at any time. Full account deletion can be requested by contacting [email protected]. Account data will be permanently removed within 30 days of a confirmed deletion request, except where retention is required by law.
Data Security
- Passwords hashed with PBKDF2-HMAC-SHA256 (100,000 iterations + per-user cryptographic salt)
- TLS 1.2 and 1.3 for all data in transit
- Encrypted at rest via AWS-managed encryption where supported by infrastructure provider
- API keys hashed with SHA-256 before storage, plaintext never retained
- Optional two-factor authentication (TOTP) with hashed backup codes
- Session-based authentication with 7-day expiration
- Per-user and per-API-key rate limiting to prevent abuse
- See /compliance for full security controls overview
No system is 100% secure. We encourage all users to enable two-factor authentication and use strong, unique passwords.
Data Breach Notification
In the event of a personal data breach:
- We will notify relevant supervisory authorities within 72 hours of confirming a breach that is likely to result in a risk to individuals' rights and freedoms (per GDPR Art. 33, where applicable).
- We will notify affected users without undue delay via email when a breach is likely to result in a high risk to their rights and freedoms.
- Notifications will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address and mitigate the breach.
Your Rights
All Users
- Access: View your data through your dashboard, history, and account settings
- Deletion: Delete individual reviews at any time; request full account deletion by contacting [email protected] (completed within 30 days)
- Correction: Update account information through your settings
- Data Portability: Export review sessions via the export feature
- Account controls: Manage payment methods, credit purchases, and notification preferences in Account settings
GDPR Rights (EEA/UK Users)
- Right to object to processing based on legitimate interest
- Right to restrict processing
- Right to lodge a complaint with your local supervisory authority
CCPA/CPRA Rights (California Residents)
Categories of personal information we collect: Identifiers (username, email, IP address), commercial information (billing records, account plan and credit status), internet/electronic activity (review history, usage data), and other categories as described in Section 2.
- Right to Know: Request disclosure of categories and specific pieces of PI collected
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive PI for purposes beyond those permitted by the CCPA/CPRA
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
Identity Verification
To protect your privacy, we may verify your identity before fulfilling data rights requests. Verification may include confirming your email address or account credentials.
We will respond to all data rights requests within 30 days. If we need additional time, we will notify you of the extension and the reasons for the delay.
To exercise any of these rights, contact [email protected].
Children's Privacy
ConvergeQA is not intended for children under 13. Users who are under the age of majority should use ConvergeQA only with appropriate parent, guardian, school, or organizational authorization. If you believe a child under 13 has provided information to ConvergeQA, please contact us immediately at [email protected].
NOT HIPAA Covered
CRITICAL: ConvergeQA is NOT a HIPAA-covered entity or business associate, and no Business Associate Agreement (BAA) is available. Do not submit Protected Health Information (PHI), including patient names, medical records, diagnoses, or any regulated health data.
Although ConvergeQA is operated by Tuscaloosa Primary Care LLC, the ConvergeQA platform is a standalone, general-purpose software service with no connection to medical practice operations. No medical services, patient care, or clinical data processing is provided through ConvergeQA.
ConvergeQA does not provide HIPAA-compliant workflows or Business Associate Agreements for ConvergeQA services.
International Data Transfers
ConvergeQA's servers and primary data processing are located in the United States (AWS us-east-1, N. Virginia). By using the service, your data is transferred to and processed in the United States.
If you are located outside the United States, please be aware that data protection laws in the United States may differ from those in your jurisdiction. By using ConvergeQA, you consent to the transfer of your data to the United States.
If your organization requires a Data Processing Agreement (DPA) or similar addendum, contact [email protected]. Availability and terms are reviewed case by case and are not included by default in public plans.
Third-Party Services & Subprocessors
ConvergeQA uses the following third-party services to deliver and operate the platform:
The set of model providers and sub-processors used to deliver the service may change from time to time without advance notice. The current list is maintained at convergeqa.net/providers.
Enterprise data protection terms, including DPA availability, are handled case by case. Do not rely on the public plan pages as a commitment that any particular addendum or provider retention term is available.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before the revised policy takes effect. We will indicate the date of last revision at the top of this page. Your continued use of ConvergeQA after the effective date of any changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or have privacy concerns, please contact:
© 2026 Tuscaloosa Primary Care LLC. All rights reserved.