This Privacy Policy explains how PartsIQ (“PartsIQ”, “we”, “us”) collects, uses, and shares information when you use our parts procurement platform (the “Service”). This Policy applies to customer administrators, team members, and visitors to our marketing site. It does not cover data that our customers collect about their own suppliers or contacts, which customers are responsible for under their own privacy practices.
Key points in plain language
- We store parts data, supplier contact information, and email/call content you send through PartsIQ.
- Calls placed by our AI voice agent on your behalf are recorded and transcribed.
- We use third-party services (listed below) to process this data — AI models, voice calling, databases, email delivery.
- We do not sell personal information. We do not use your identifiable data to train shared AI models.
- You can export or delete your data at any time.
1. Information We Collect
1.1 Account and contact information
When you sign up, we collect your name, business email, phone number, company name, industry, company size, and password (hashed). We may collect billing information such as billing address and payment method via our payment processor (Stripe).
1.2 Customer Content
Through normal use of the Service, you submit and generate data we call “Customer Content”:
- Parts catalogs, part numbers, descriptions, specifications, and pricing
- Supplier records including names, phone numbers, emails, and specialties
- Quote requests and supplier responses
- Purchase orders and order fulfillment data
- Vehicle and equipment records (make, model, serial number, maintenance schedules)
- Uploaded maintenance manuals (PDFs) and documents
1.3 AI voice agent call data
When you authorize the AI voice agent to call suppliers on your behalf, we collect and retain:
- Call audio recordings of the full conversation between the AI and the supplier
- Call transcripts generated from the audio
- Extracted structured data (prices, availability, lead times) parsed from the conversation
- Call metadata: caller ID, recipient number, duration, timestamps, call status
Call recordings and transcripts are retained for the life of your subscription and for 90 days after cancellation, unless you request earlier deletion.
1.4 Email integration data
If you connect a Gmail or Microsoft 365 account via OAuth, we read and send emails within the scope you authorize (typically: emails related to quote requests you initiate through the Service). Email content is stored for quote extraction, audit, and procurement-history purposes.
1.5 Usage and technical data
We collect technical data to operate and improve the Service:
- Log data (pages visited, features used, timestamps)
- Device and browser information, IP address, approximate location from IP
- Product analytics events (via PostHog — our analytics provider; see § 4)
- Session replays on our marketing site (form inputs are masked)
2. How We Use Your Information
We use collected information to:
- Provide the Service — source parts, call suppliers, compare quotes, manage orders
- Process AI inference on your data (parts search, quote extraction, call transcription)
- Operate billing and manage your subscription
- Provide customer support and communicate service notices
- Monitor security and detect abuse
- Improve our AI models using aggregated, de-identified data only — we do not use identifiable Customer Content to train general-purpose AI models
- Comply with legal obligations
3. Legal Bases for Processing (GDPR)
If you are in the European Economic Area, United Kingdom, or another region with similar data protection laws, we rely on the following legal bases:
- Contract: Processing necessary to provide the Service you subscribed to.
- Legitimate interests: Improving the Service, securing our platform, preventing fraud, and operating our business, balanced against your privacy interests.
- Consent: Where required (e.g., certain marketing communications), we rely on your consent, which you can withdraw at any time.
- Legal obligation: Where we must retain data for tax, accounting, or other regulatory reasons.
4. Sub-Processors
We use the following third-party services to operate the Service. Each has their own privacy policy and data-handling practices. Using the Service requires that Customer Content is transmitted to these sub-processors as necessary.
| Sub-processor | Purpose | Data processed |
|---|---|---|
| Vapi | AI voice calling, recording, transcription | Call audio, transcripts, phone numbers |
| OpenRouter (routes to Anthropic, OpenAI, others) | Large-language-model inference | Conversation text, parts queries, email content passed to the model for processing |
| Mistral AI | Optical character recognition (PDF parsing) | Uploaded maintenance manuals and documents |
| Pinecone | Vector database for semantic parts search | Parts descriptions, embeddings, metadata |
| Neo4j | Graph database for parts relationships | Parts-to-equipment-to-supplier relationships |
| Serper | Web search for parts lookups | Parts search queries |
| Resend | Transactional email delivery | Recipient emails, email content for verification, notifications, supplier correspondence |
| Stripe | Payment processing | Billing name, address, payment method (Stripe handles card data; we do not store card numbers) |
| Google Workspace / Microsoft 365 | Email integration via OAuth | Email content within the OAuth scope you authorize |
| PostHog | Product analytics and session replay | Event data, anonymous identifiers, masked session recordings (form inputs are masked) |
| Neon / PostgreSQL host | Primary application database | All Customer Content and account data |
| Redis host | Caching and session storage | Short-lived cache data, session tokens |
| Vercel (or equivalent cloud hosting) | Application hosting and content delivery | All data transiting the Service |
We do not sell or rent Customer Content or personal information to any third party. We do not share Customer Content with advertising networks.
5. Data Retention
| Data type | Retention period |
|---|---|
| Account and profile data | Life of subscription + 30 days after cancellation |
| Parts catalogs, quotes, orders | Life of subscription + 30 days after cancellation |
| Call audio recordings | Life of subscription + 90 days after cancellation |
| Call transcripts and extracted quote data | Life of subscription + 90 days after cancellation |
| Email content (Gmail/Microsoft integration) | Revoked when you disconnect the OAuth integration |
| Billing records (legal retention) | 7 years from transaction date |
| Security logs | 12 months |
| Product analytics (PostHog) | 12 months |
You can request earlier deletion by contacting us (see § 9). Some records may persist longer in backups before being purged.
6. Security
We implement technical and organizational measures appropriate to the nature of the data:
- In transit: All connections to the Service use TLS 1.2 or higher.
- At rest: Databases and call recordings are encrypted at rest by our hosting providers.
- Access controls: Role-based access inside the platform; internal team access limited to need-to-know.
- OAuth credentials: Third-party service credentials are stored encrypted and scoped narrowly.
- Monitoring: Security logs are monitored for anomalies.
No system is perfectly secure. In the event of a data breach affecting your information, we will notify you without undue delay as required by applicable law.
7. International Data Transfers
Our infrastructure and sub-processors may store or process data in the United States, Canada, European Union, and other regions. Where required, transfers from the EEA, UK, or Switzerland to the United States and other non-adequate jurisdictions are protected by Standard Contractual Clauses or equivalent safeguards.
8. Your Rights
8.1 All users
Regardless of where you live, you can:
- Access and export your Customer Content via the Service
- Correct inaccurate account information in your settings
- Delete your account and Customer Content (see § 5)
- Disconnect third-party integrations (Gmail, Microsoft) at any time
8.2 European Economic Area, UK, Switzerland (GDPR / UK GDPR)
You have additional rights including: access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us via the form at the bottom of this page.
8.3 California residents (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect and how we use it (disclosed in this Policy)
- Access specific pieces of personal information
- Delete personal information (subject to legal exceptions)
- Opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioral advertising
- Non-discrimination for exercising these rights
To exercise these rights, contact us via the form at the bottom of this page.
8.4 Canadian residents (PIPEDA)
If you are in Canada, you may request access to or correction of your personal information, or lodge a complaint with the Office of the Privacy Commissioner of Canada. Contact privacy@partsiqai.com.
9. Call Recording and Supplier Data
When you use the AI voice agent to call suppliers, the supplier is a data subject whose information we process on your behalf. We record calls and transcribe conversations as described in § 1.3. You, the customer, are responsible for ensuring you have the right to initiate these calls and that recording is lawful in the jurisdictions of both parties. Our Terms of Service (§ 3.3) describe these obligations in detail.
If a supplier requests that we delete a recording of a call placed from your account, we will work with you to honor that request, and we reserve the right to comply directly with such requests where required by law.
10. Cookies and Similar Technologies
We use essential cookies for authentication and session management. We use analytics cookies (via PostHog) to understand product usage. We do not use advertising or cross-site tracking cookies. You can control cookies via your browser settings; disabling essential cookies will prevent you from logging in.
11. Children’s Privacy
The Service is intended for business use and is not directed at individuals under 18. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it.
12. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide at least 30 days’ notice by email or in-app notification. The “Effective” date at the top reflects the most recent update.
13. Contact Us
For privacy questions, data access/deletion requests, or complaints, use the form below. Submissions are routed directly to our team and you’ll receive a confirmation email.
This Policy describes our current practices in good faith. For a customized Data Processing Addendum (DPA) suitable for enterprise or regulated-industry customers, please contact us.