All systems operational
MAEQ
HomeTerms of UseContact
Legal

Privacy Policy

Last updated: 2 July 2026
This policy describes how the MAEQ platform actually handles data. It is provided as a working starting point and is not legal advice. Please have qualified counsel review it before you rely on it.

MAEQ gives an organisation its own branded AI portal and assistant, running on the model, data, and governance it chooses. This policy explains what personal and usage data the platform collects, why, how it is protected, and the choices available to you.

On this page
  1. 1. Our role: controller and processor
  2. 2. Plain-language summary
  3. 3. Information we collect
  4. 4. How we use information
  5. 5. Notifications and reminders
  6. 6. What we do not do
  7. 7. Legal bases
  8. 8. Sharing and subprocessors
  9. 9. Data location and transfers
  10. 10. How we protect data
  11. 11. Retention and deletion
  12. 12. Your rights and choices
  13. 13. Children
  14. 14. Changes
  15. 15. Contact us

1. Our role: controller and processor

MAEQ is a multi-tenant platform used by organisations (each a tenant). For the account and operational data of the tenants and administrators who sign up directly with us, MAEQ acts as a data controller. For the content a tenant loads into the platform and the data of the end-users who use that tenant's portal or embedded assistant, MAEQ generally acts as a processor on the tenant's behalf: the tenant decides what is collected and why, and MAEQ processes it under the tenant's instructions and our agreement with them. If you are an end-user of a company's portal and have questions about your data, the fastest route is usually that company; we will support them in responding.

2. Plain-language summary

  • We collect what is needed to run your portal and assistant: account details, the conversations and content you provide, memory you can see and edit, and technical usage records.
  • We use it to deliver the service, keep it secure, meter usage, and send operational messages such as approval reminders and run-completion notifications.
  • We do not sell personal data, and we do not use your content to train foundation models.
  • The AI models, data stores, and email senders in play are the ones you configure; your data flows to those providers under their terms.
  • You can access, correct, export, and delete data, subject to the controller relationship above.

3. Information we collect

Account and identity (administrators)

When someone creates or is invited to a MAEQ tenant, we store their email address, username, display or full name, an avatar reference if provided, a securely hashed password (never the plaintext), assigned roles and permissions, who invited them, and login timestamps. Where an organisation uses single sign-on, we store the identity-provider subject identifier rather than a password.

Portal end-user accounts

When a portal is configured to require sign-in, we store each end-user's email, display name, chosen authentication method, a hashed password where one is set, account status, and last-login time. Where access is by invite or access code, we store a hashed code and a short non-sensitive prefix used only for administration.

Conversations and content you provide

The platform stores the conversations that take place in a portal or the embedded assistant: message content and roles (user, assistant, specialist, system), conversation titles, running context summaries for long threads, references to the sources used to ground an answer, and any per-message feedback (for example, marking a reply helpful or inaccurate). It also stores the knowledge, documents, and structured data a tenant connects or uploads so that agents can reason over them.

Memory and learned preferences

To be useful over time, the platform can remember facts about how an organisation operates and an individual's stated preferences. These memories are stored as text (with vector embeddings to make them searchable) together with a salience score and access history. Memory is designed to be transparent and editable: it surfaces in the portal's "What we remember" view, where it can be reviewed, corrected, or removed.

Connected data sources and credentials

Tenants connect their own model providers, data stores, and services. The credentials for these (API keys and related configuration) are encrypted at rest and used only to make the connections you have configured. We also keep operational health and test records for these connections (status, latency, and error details) so administrators can see whether a connection is working.

Usage, metering, and technical data

We record aggregated usage per tenant, agent, user, or portal, including invocation counts, token counts, tool-call counts, and computed cost, so administrators can understand consumption and we can meter the service. For security and accountability, an audit log records administrative actions along with the actor, the affected resource, a timestamp, and the originating IP address and browser user-agent. We may also process standard technical data (such as device and connection information) needed to deliver and secure the service.

Communications

When you contact us, or when the platform emails you, we process the message content and delivery metadata needed to respond and to keep a record of important operational messages.

4. How we use information

  • Provide the service. Authenticate users, run portals and the embedded assistant, route questions to the appropriate agent and model, and ground answers on the data a tenant has connected.
  • Personalise responsibly. Maintain the transparent, user-editable memory and preference profile that helps the assistant reflect how you operate.
  • Operate autonomous work with oversight. Support scheduled and autonomous agent runs, and the human-in-the-loop approval gate through which proposed actions pass.
  • Notify and remind. Send account emails (verification, invitations, password resets, welcome) and operational messages, including approval reminders and run-completion notifications (see section 5).
  • Secure and safeguard. Detect, investigate, and prevent abuse, fraud, and security incidents, and maintain audit records.
  • Protect our rights. Where we reasonably suspect copying, reverse engineering, or other infringement or misappropriation of the Platform, our advanced features (such as the Comparison Lab), our trade secrets, or our Terms of Use, we may process your account, identity, and usage data, and where relevant your personal data, to investigate, identify those responsible, and establish, exercise, and defend legal claims.
  • Meter and bill. Measure usage and cost to administer plans and invoicing.
  • Improve the platform. Understand aggregate usage and feedback to fix problems and improve features. Where this uses tenant content, it is done under the tenant agreement and, wherever practical, on aggregated or de-identified data.
  • Comply with law. Meet legal, regulatory, and contractual obligations.

5. Notifications and reminders

Because MAEQ supports agents that can act and run on a schedule, timely messages are part of how it works. The platform may send:

  • Approval reminders, sent when a proposed action is waiting for a person to review and approve it, so nothing sits unattended.
  • Completion notifications, sent when a scheduled or autonomous run finishes, summarising what happened.
  • Account and security emails, such as invitations, email verification, password resets, sign-in hints, and welcome messages.
  • Digests and status messages, where a tenant has configured recurring summaries or connection-health alerts.

These messages are sent through the email or notification provider the tenant configures (or a platform default where enabled), using a sender identity the tenant controls. Transactional and security messages are part of the service and cannot always be switched off while an account is active; where a message is optional, it can be managed in settings by the tenant or, for personal reminders, by the individual.

6. What we do not do

  • We do not sell personal data, and we do not share it for third-party advertising.
  • We do not use tenant or end-user content to train foundation models. MAEQ is model-agnostic; when a request is sent to a model provider you have chosen, it is processed under that provider's terms, not used by us to build models.
  • We do not access tenant content except as needed to provide, secure, and support the service, or where the law requires it.

7. Legal bases

Where the GDPR or similar laws apply and MAEQ is the controller, we rely on: performance of a contract (to provide the service you asked for); legitimate interests (to secure, operate, meter, and improve the platform, and to protect our rights, balanced against your rights); consent (where we ask for it, for example optional communications); and legal obligation. Where MAEQ is a processor, the tenant is responsible for establishing the legal basis for its processing, and MAEQ acts on its documented instructions.

For processing to investigate and pursue suspected infringement or misappropriation of our intellectual property, trade secrets, or Terms of Use, we rely on our legitimate interests under Article 6(1)(f) GDPR and, for any special-category data, on Article 9(2)(f) GDPR (processing necessary for the establishment, exercise, or defence of legal claims). In that context, the right to erasure and the right to object are limited under Articles 17(3)(e) and 21 GDPR. Comparable processing under United States law supports claims including those under the Defend Trade Secrets Act (18 U.S.C. section 1836) and the Computer Fraud and Abuse Act (18 U.S.C. section 1030).

8. Sharing and subprocessors

We share data only as needed to run the service:

  • Providers you configure. The model providers, vector and object stores, document sources, and email or notification senders that a tenant connects. Data flows to these under the tenant's own accounts and each provider's terms.
  • Infrastructure and subprocessors. Hosting and supporting services that operate the platform on our or the tenant's chosen infrastructure. A current list of subprocessors is available on request.
  • Professional and legal. Advisors, or authorities where required by law, and parties to a corporate transaction subject to appropriate protections.

We put appropriate agreements in place with the parties that process personal data on our behalf.

9. Data location and transfers

MAEQ is designed to run on infrastructure and in regions that the organisation chooses, which helps keep data where it belongs. Where personal data is transferred across borders, we rely on appropriate safeguards such as standard contractual clauses or an equivalent recognised mechanism. Because tenants select their own providers and regions, the specific location of a given tenant's data depends on that tenant's configuration.

10. How we protect data

  • Passwords are stored only as secure hashes; access codes and one-time tokens are stored hashed, with plaintext shown once at creation.
  • Third-party credentials are encrypted at rest.
  • Access is controlled by roles and permissions, scoped strictly per tenant so tenants are isolated from one another.
  • Administrative actions are recorded in an audit log.
  • We apply organisational and technical measures appropriate to the risk. No system is perfectly secure, but we work to protect data and to respond promptly to any incident.

11. Retention and deletion

We keep personal data for as long as an account is active and as needed to provide the service, meet legal and accounting obligations, resolve disputes, and enforce agreements. Conversation history, memory, and connected content are retained until the tenant deletes them or closes the account; the platform also runs housekeeping to clear stale conversation state, and dashboard snapshots are cached only briefly and expire automatically. On account closure we delete or de-identify personal data within a commercially reasonable period, except where retention is required by law.

12. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, restrict, or object to processing of your personal data, to portability, and to withdraw consent. Much of this is available directly in the product: you can review and edit memory, manage your profile, and administrators can manage users and export or delete data. To exercise a right, contact us using section 15. If MAEQ processes your data on behalf of an organisation (you are an end-user of its portal), we will direct your request to that organisation and support it in responding. You also have the right to complain to your local data protection authority.

13. Children

MAEQ is a business platform not directed to children and is not intended for use by anyone under the age required to form a binding contract in their jurisdiction. We do not knowingly collect personal data from children; if you believe a child has provided data, contact us and we will take appropriate steps.

14. Changes

We may update this policy as the platform and the law evolve. We will change the "last updated" date above and, for material changes, provide a more prominent notice. Continued use after an update means you accept the revised policy.

15. Contact us

For any privacy question or request, or to reach our data protection contact, please use our contact page. The controller responsible for your data is SmallCircle B.V. (Netherlands Chamber of Commerce (KvK) no. 86233044), Kinkerstraat 86-4, 1053 EB Amsterdam, the Netherlands, reachable at hello@maeq.com.

MAEQ
ContactTerms of UsePrivacy Policy
© 2026 MAEQ