Privacy Policy

Last Updated: February 28, 2026

1. Who we are

This Privacy Policy explains how unquestion (www.unquestion.ai) collects, uses, and protects your information when you use our AI-powered conversations service.

Contact: support@unquestion.ai

2. Roles (Controller vs. Processor)

  • For your account/ops data (e.g., email, authentication, usage necessary to operate your account): we are the controller.
  • For end‑user responses you collect through published conversations: you are the controller and we act as your processor, processing that data only to provide the Service and per your documented instructions.

Responsibilities for published conversations include informing respondents, obtaining required consents, and complying with applicable privacy laws.

3. What we collect

Account Information

Required:

  • Email address

Optional:

  • First name and last name

Content You Create

  • Conversation Dialogues
  • System prompts and AI instructions
  • Any text or content you input

Conversation Data

When someone fills out a conversational form:

  • All text responses and inputs
  • Interaction choices and conversation flow
  • Conversation metadata (timestamps, completion status)

Technical Information

We automatically collect:

  • IP addresses (for security and rate limiting)
  • Browser and device information
  • Usage analytics
  • Error logs and diagnostic data

Prohibited Data Collection (for published conversations)

Do not use our service to collect:

  • Protected health information (HIPAA)
  • Payment card information (PCI-DSS)
  • Social Security numbers or government IDs
  • Information from children under 13 without parental consent
  • Any data you are not legally authorized to collect

4. How we use data

We use your information to:

Provide the Service:

  • Process conversations through AI
  • Generate AI-powered responses
  • Store and display your conversations
  • Manage your account

Improve the Service:

  • Analyze usage patterns
  • Monitor and improve performance
  • Fix bugs and technical issues
  • Develop new features

Security and Compliance:

  • Prevent fraud and abuse
  • Enforce our Terms of Service
  • Rate limiting to prevent service abuse
  • Comply with legal obligations

Communication:

  • Send service-related notifications
  • Respond to support requests
  • Provide customer service

5. Legal bases (EEA/UK)

Where applicable, we rely on: (i) Contract, (ii) Legitimate Interests (e.g., improving and securing the Service), (iii) Consent where required (e.g., certain analytics), and (iv) Legal Obligation.

Consent statement (informational): By using unquestion, you consent to the collection and use of information as described in this Privacy Policy, processing of data through AI services, international data transfers to the United States, and our data retention practices.

6. Subprocessors

We use the following services to operate our platform:

Better Auth (Authentication and Account Management):

  • Email address and name
  • Account security, login management, and OAuth consent
  • Self-hosted authentication — no data is sent to a third-party authentication provider

PostHog (Analytics):

  • Product analytics in cookieless mode
  • Email address
  • Usage tracking and error monitoring

Langfuse (AI Performance Monitoring):

  • AI model performance tracking
  • Conversation metadata and usage metrics

Upstash (Rate Limiting):

  • IP addresses for rate limiting
  • Request timing and frequency

We maintain our current subprocessors list within this Privacy Policy (see providers listed above). We will provide at least 15 days' notice of material additions (for example, via updates to this Policy or in‑app notice) before they take effect so customers may object where applicable. Our service and third-party providers process data in the United States and, where providers operate globally, in other countries.

7. International transfers

Our service and third-party providers process data in the United States and, where providers operate globally, in other countries. If you access our service from outside the US, your information will be transferred to and processed in the United States.

8. AI model providers

All conversation responses are processed through Cerebras as our AI inference provider. This means:

  • All user inputs to conversational forms are sent to Cerebras for inference
  • Cerebras processes the data to generate AI responses
  • Data may be transferred internationally for AI processing

AI providers publish their own policies about API data use and retention. Review provider policies directly. We may add or change AI service providers in the future and will reflect material changes in this Privacy Policy.

As of February 28, 2026, Cerebras does not use customer API data to train its models. Provider policies may change, and we will update this Policy accordingly. (See: Cerebras Terms of Service)

8a. MCP (Model Context Protocol) integrations

unquestion provides a Model Context Protocol (MCP) server that allows compatible third-party AI clients to interact with your account on your behalf. When you connect a third-party client via MCP:

  • You will be presented with an OAuth consent screen before access is granted
  • You may grant or deny access at your discretion
  • Authorized clients can access your account data (e.g., workspaces, forms, conversations)

We are not responsible for how third-party MCP clients handle your data after it is transmitted to them. Review the privacy policies of any third-party client before authorizing access.

9. Cookies & local storage

What We Use

  • Session storage: Essential for authentication (required for service functionality)
  • Cookieless analytics: PostHog operates in cookieless mode

What We Don't Use

We do not use:

  • Advertising cookies
  • Third-party tracking pixels
  • Cross-site behavioral tracking

10. Retention

Active Accounts

We retain all account information, forms, and conversations while your account is active.

After Account Deletion

  • Account information (email, name, preferences): Deleted immediately
  • Conversation data and responses: Deleted within 90 days
  • Aggregated analytics: May be retained indefinitely in anonymized form

Additional retention:

  • Backups and logs may persist up to 180 days.
  • Billing/transaction records are retained as required by law (often 7 years).
  • We also retain data as needed to resolve disputes, enforce agreements, comply with legal obligations, and protect our service.

We aim to delete data as quickly as technically feasible, within the stated timeframes.

11. Security & incidents

We implement industry-standard security measures including:

  • HTTPS/TLS encryption for data in transit
  • Secure authentication services
  • Access controls
  • Regular security monitoring
  • Webhook signature verification

No security system is completely secure. While we implement reasonable measures to protect your data, we cannot guarantee absolute security.

Security incidents: In the event of a data breach affecting your information, we will notify you and relevant authorities without undue delay and as required by law.

12. Your rights

You can:

  • Access your data: Request a copy of your personal information
  • Correct your data: Update or correct inaccurate information
  • Delete your account: Delete your account and data at any time
  • Export your data: Export your conversations data
  • Object to processing: Contact us with concerns about how we process your data

To exercise any of these rights, email support@unquestion.ai. We will respond within 30 days. For verification purposes, we may request additional information to confirm your identity.

California (CCPA/CPRA) notice: We do not sell or share personal information as defined by CPRA and do not use/disclose Sensitive Personal Information to infer characteristics. California residents may request to know, delete, or correct personal information and may not be discriminated against for exercising these rights. Submit requests at support@unquestion.ai.

13. Children

Our service is not intended for children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, contact us immediately at support@unquestion.ai and we will delete the information.

14. Changes

We may update this Privacy Policy from time to time. When we make changes:

  • We will update the "Last Updated" date
  • Continued use of the service after changes constitutes acceptance

We encourage you to review this Privacy Policy periodically.

Service Discontinuation: We reserve the right to discontinue the service at any time. If we permanently discontinue the service, we will provide reasonable notice (at least 30 days when possible), allow you to export your data, and delete all personal information in accordance with this Privacy Policy.