Introduction
Protecting your private information is our priority. This Privacy Policy applies to www.bundleiq.com, the Alani suite of products (Alani Hub, Alani Connect, and Alani Insights), and all related services operated by bundleIQ, Inc. ("bundleIQ," "we," "us," or "our"). This Policy describes the data practices that apply when you use our services, whether as an individual user, as an employee or authorized user of an organization that has contracted with bundleIQ, or as a publisher or community member on Alani Connect.
bundleIQ operates an AI-powered knowledge management platform delivered as software as a service (SaaS). This Policy describes what information we collect, how we use and protect it, who we share it with, and what rights you have regarding your data.
Information We Collect
Information You Provide Directly
We collect personally identifiable information that you voluntarily provide, including:
- Name
- Email address
- Payment and billing information (processed by Stripe)
- Account credentials
Information Collected Through Your Use of Our Services
When you use our AI-powered features across Alani Hub, Alani Connect, or Alani Insights, we may collect:
- Content you upload, create, or interact with, including documents, notes, files, images, audio, video, and queries
- AI-generated outputs such as summaries, insights, recommendations, and conversational responses
- Usage data related to search queries, content interactions, and feature engagement
- Organizational and team data when using Alani Insights in an enterprise context
- Publisher and community interaction data when using Alani Connect
Information Collected Automatically
We automatically collect certain technical information when you use our services, including your IP address, browser type, device type, operating system, domain names, access times, pages viewed, and referring website addresses. This information is used for the operation and improvement of our services and to provide general usage statistics.
Cookies and Tracking Technologies
bundleIQ uses cookies and similar tracking technologies on our websites and applications. We use the following categories of cookies:
- Strictly Necessary Cookies — Required for authentication, security, and core functionality. These cookies are essential for the operation of our services and cannot be disabled.
- Analytics and Error Tracking Cookies — Used to understand how visitors interact with our services and to identify and resolve technical issues. These cookies are only set with your consent.
- Third-Party Cookies — When you connect third-party accounts or interact with embedded content, those third-party services may set their own cookies subject to their respective privacy policies.
You can manage your cookie preferences through our cookie consent banner displayed when you first visit our sites. You may withdraw consent at any time by clearing your browser cookies and revisiting the site, or by adjusting your cookie preferences through our consent banner. You may also configure your browser to refuse cookies, although this may limit your ability to use certain features.
A detailed list of all cookies used across our properties, including their purposes and approximate durations, is available upon request by contacting hello@bundleiq.com.
Do Not Track and Global Privacy Control
Some browsers offer a "Do Not Track" (DNT) signal. bundleIQ does not currently respond to DNT signals, as there is no industry-standard protocol for how to interpret or respond to them.
However, bundleIQ does honor the Global Privacy Control (GPC) signal, which is a legally recognized browser-based opt-out mechanism under the California Consumer Privacy Act (CCPA/CPRA). If your browser sends a GPC signal, we will treat it as a valid opt-out request for the sale or sharing of your personal information.
How We Use Your Information
bundleIQ collects and uses your personal information to:
- Operate our websites, applications, and deliver the services you request
- Provide AI-powered knowledge management, content discovery, and data intelligence features
- Process payments and manage subscriptions
- Send transactional communications such as account confirmations, security alerts, and service updates
- Inform you of other products or services available from bundleIQ (with your consent or as permitted by law)
- Conduct surveys and research about your opinion of current or potential new services
- Improve and optimize our products, features, and user experience
- Comply with legal obligations
Data Processing Inventory
The following table provides a summary of the categories of personal data we process, their purposes, lawful bases, and retention periods:
| Data Category | Purpose | Lawful Basis | Retention Period |
|---|---|---|---|
| Name, email | Account creation and management | Contract | Until account deletion |
| Payment and billing information | Subscription processing | Contract | Until account deletion; transaction records retained per legal requirements |
| Account credentials (hashed) | Authentication and access control | Contract | Until account deletion |
| Uploaded content (documents, files, audio, video, images) | AI-powered processing, search, and knowledge management | Contract | Until account deletion; immediately removed on account deletion, retained on free-plan downgrade |
| AI-generated outputs (summaries, insights, embeddings) | Service delivery and semantic search | Contract | Until account deletion or content removal |
| Usage data (queries, interactions, feature engagement) | Product improvement and analytics | Legitimate interest | Aggregated and anonymized within 24 months |
| Technical data (IP address, browser, device, OS) | Service operation, security, and diagnostics | Legitimate interest | Up to 12 months |
| Cookie and tracking data | Analytics and error tracking | Consent | See Cookies and Tracking Technologies section |
| Marketing contact data | Promotional communications | Consent | Until consent is withdrawn or user opts out |
| Organizational and team data (Alani Insights) | Enterprise data intelligence | Contract (enterprise agreement) | Per enterprise agreement terms |
| Publisher and community data (Alani Connect) | Content distribution and community features | Contract (publisher agreement) | Per publisher agreement terms |
AI and Data Processing
bundleIQ's Alani products use artificial intelligence across multiple stages of content processing and analysis. Our AI capabilities include a combination of self-hosted and open-source models that process your data within our own infrastructure, managed cloud AI services, and third-party large language model (LLM) APIs. The type of processing applied depends on the content type and the feature being used.
How AI Is Applied to Your Data
Document Processing (Self-Hosted and Managed Cloud)
When you upload documents, bundleIQ applies optical character recognition (OCR) and document parsing to extract text, tables, and structured content. For documents containing charts, graphs, and other visual elements, we use open-source image recognition models to analyze and extract information. These capabilities run through a mix of self-hosted infrastructure and managed cloud services.
Audio and Video Processing (Self-Hosted and Managed Cloud)
Audio and video files are processed using speech-to-text models to generate transcriptions. bundleIQ self-hosts open-source speech-to-text models for audio transcription within our own infrastructure. For video files, we also apply image recognition models to analyze individual frames for visual content extraction. Additional managed cloud services may be used depending on the processing requirements.
Embedding and Search (Managed Cloud)
Your content is chunked, converted into numerical embeddings, and stored to enable semantic search and retrieval-augmented generation (RAG). Embeddings are generated using managed cloud embedding models as well as open-source models accessed through managed inference APIs. Embeddings and search indices are maintained in our database and search infrastructure.
Text Generation and Conversational AI (Third-Party LLM APIs)
When you interact with AI-powered chat, summarization, recommendation, auto-tagging, or content generation features, your content and queries are transmitted to third-party large language model providers for processing. These are the only AI capabilities where your content is sent to external third-party APIs for inference.
How Your Data Is Handled by Product
- Alani Hub: Content processed through Alani Hub remains associated with your personal account and is not shared with other users unless you explicitly choose to share it.
- Alani Connect: Content on Alani Connect is surfaced to other users in accordance with publisher permissions and your privacy settings. Publishers retain full ownership of their content, and the terms governing publisher content are covered under a separate agreement.
- Alani Insights (Enterprise): Enterprise data processed through Alani Insights is handled in accordance with your organization's data governance policies and applicable enterprise agreements. Dedicated infrastructure deployments are available for enterprises requiring fully isolated environments. Data Processing Agreements (DPAs) are available upon request for enterprise customers by contacting hello@bundleiq.com.
Model Training
bundleIQ does not use your proprietary content to train AI models. Our third-party AI providers process your data under their respective API terms of service and privacy policies, which generally prohibit the use of API-submitted data for model training. We encourage you to review the privacy policies of our AI providers for the most current information on their data handling practices.
AI Processing Summary
The following table summarizes where and how AI is applied to your data:
| AI Capability | Processing Location | Providers |
|---|---|---|
| OCR and document parsing | Self-hosted and managed cloud | Open-source tools, managed cloud services |
| Image and chart recognition | Self-hosted and managed cloud | Open-source image recognition models |
| Speech-to-text (audio/video) | Self-hosted and managed cloud | Self-hosted open-source models, managed cloud services |
| Video frame analysis | Self-hosted and managed cloud | Open-source image recognition models |
| Embeddings and semantic search | Managed cloud | Managed cloud embedding models, open-source models |
| Text generation and chat | Third-party LLM APIs | Anthropic (Claude), OpenAI (GPT), Google (Gemini), Groq, Perplexity |
| Audio transcription (alternative) | Third-party APIs | OpenAI, Groq |
| Auto-tagging and classification | Third-party LLM APIs | OpenAI (GPT) |
Data Storage and Infrastructure
Your data is stored and processed using cloud-hosted infrastructure located primarily in the United States. This includes relational databases, vector search and full-text search indices, dedicated databases for specific platform features, video asset management services, and serverless cloud functions for document and media processing.
For enterprise customers requiring dedicated infrastructure, bundleIQ offers privately deployed, containerized environments that are fully isolated from our shared platform.
Specific infrastructure providers are disclosed to enterprise customers through our Data Processing Agreements and subprocessor list, available upon request.
Data Retention and Deletion
- Account deletion: When you delete your bundleIQ account, your personal data and associated content are removed immediately from our active systems.
- Subscription downgrade: If you downgrade your subscription to a free plan, your data is retained in its current state so that it remains available should you choose to upgrade in the future.
- Backups: Residual copies of your data may persist in encrypted backups for a limited period following deletion, after which they are automatically purged in accordance with our backup retention schedule.
- Enterprise customers: Data retention and deletion for enterprise deployments are governed by the terms of the applicable enterprise agreement.
Security of Your Information
bundleIQ secures your personal information from unauthorized access, use, or disclosure using industry-standard measures, including:
- Authentication — Support for email/password, OAuth (Google), magic links, one-time passcodes (OTP), and enterprise identity providers for SSO integrations. Sessions are managed with JWT-based stateless authentication.
- Encryption in Transit — All API communications and data transfers use HTTPS with TLS/SSL encryption.
- Encryption at Rest — All stored data is encrypted at rest using AES-256 encryption.
- Password Security — User passwords are hashed using the PBKDF2 cryptographic function, generating a unique key for each user.
- Secrets Management — All credentials and API keys are managed through a centralized secrets management platform across development, staging, and production environments.
- Access Control — Row-level security (RLS) policies enforce data isolation between organizations and users at the database level.
Data Breach Notification
In the event of a data breach that affects your personal information, bundleIQ will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, in accordance with applicable law. Notification will include the nature of the breach, the data involved, steps we are taking to address the breach, and recommendations for protective measures you can take.
International Data Transfers
bundleIQ's primary infrastructure is hosted in the United States. If you access our services from outside the United States, including from the European Economic Area (EEA), your data will be transferred to and processed in the United States.
For users in the EEA, we rely on appropriate legal mechanisms for international data transfers, including Standard Contractual Clauses (SCCs) where applicable. By using our services, you consent to the transfer of your information to the United States and other jurisdictions where our service providers operate.
Your Rights Under the General Data Protection Regulation (GDPR)
If you are located in the European Economic Area, you have the following rights under the GDPR:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may request that we correct inaccurate data or complete incomplete data.
- Right to erasure — You may request that we delete your personal data under certain conditions.
- Right to restrict processing — You may request that we limit how we process your personal data under certain conditions.
- Right to object — You may object to our processing of your personal data under certain conditions.
- Right to data portability — You may request that we transfer your data to another organization or directly to you, in a structured, commonly used, machine-readable format.
- Right to withdraw consent — Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Lawful Bases for Processing
We process your data based on the following lawful bases, mapped to specific processing activities:
| Processing Activity | Lawful Basis |
|---|---|
| Providing and operating our services | Performance of a contract |
| Processing payments and managing subscriptions | Performance of a contract |
| AI processing of your uploaded content | Performance of a contract |
| Sending transactional emails (account alerts, service updates) | Performance of a contract |
| Product analytics and service improvement | Legitimate interest |
| Security monitoring and fraud prevention | Legitimate interest |
| Error tracking and bug resolution | Legitimate interest |
| Marketing emails and promotional communications | Consent |
| Cookie-based analytics tracking | Consent |
| Responding to legal requests and regulatory obligations | Legal obligation |
To exercise any of these rights, contact us at hello@bundleiq.com. We will respond within one month of receiving your request.
Right to lodge a complaint: If you are located in the European Economic Area and believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.
Your Rights Under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the following rights:
- Right to know — You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collection, and the categories of third parties with whom we share it.
- Right to delete — You may request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to correct — You may request that we correct inaccurate personal information.
- Right to opt out of sharing — You have the right to opt out of the "sale" or "sharing" of your personal information. bundleIQ does not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
- Right to non-discrimination — We will not discriminate against you for exercising any of your rights.
To exercise any of these rights, contact us at hello@bundleiq.com.
Children's Privacy and Educational Data
Children Under Thirteen (COPPA)
bundleIQ does not knowingly collect personally identifiable information directly from children under the age of thirteen. In cases where bundleIQ's services are deployed by educational institutions (such as K-12 school districts) and minors may interact with the platform, the collection and use of student data is governed by the applicable enterprise agreement with the educational institution. The educational institution is responsible for obtaining any required parental consent in accordance with the Children's Online Privacy Protection Act (COPPA).
If we learn that we have collected personal information from a child under thirteen without proper authorization, we will take steps to delete that information promptly.
Student Data and FERPA
When bundleIQ's services are used by educational institutions subject to the Family Educational Rights and Privacy Act (FERPA), we act as a "school official" with a legitimate educational interest as defined under FERPA. In these cases:
- Student education records are used solely to provide the contracted services to the educational institution.
- bundleIQ does not use student education records for advertising, marketing, or any purpose other than delivering the contracted services.
- Student data is not shared with third parties except as necessary to provide the service and as permitted under the applicable enterprise agreement and FERPA.
- Upon termination of the agreement with the educational institution, student data will be deleted or returned in accordance with the terms of the enterprise agreement.
Educational institutions that deploy bundleIQ should ensure that their use of our services complies with FERPA and any applicable state student privacy laws. Data Processing Agreements tailored to educational data are available upon request.
Third-Party Connections
When connecting your bundleIQ account to third-party accounts (such as Google or Microsoft via OAuth), you acknowledge and agree that you are consenting to the continuous release of information about you to others in accordance with your privacy settings on those third-party sites.
Do not use this feature if you do not want information about yourself, including personally identifying information, to be shared in this manner. You may disconnect your account from a third-party account at any time through your account settings or by contacting us.
Opt-Out Rights
We respect your privacy and allow you to opt out of receiving promotional communications. You may opt out of receiving any or all marketing communications from bundleIQ by:
- Using the unsubscribe link in any marketing email
- Contacting us at hello@bundleiq.com
- Visiting bundleiq.com
Please note that you may still receive transactional communications related to your account and services even after opting out of marketing communications.
Changes to This Policy
bundleIQ will occasionally update this Privacy Policy to reflect changes in our products, practices, and legal requirements. We encourage you to periodically review this Policy. For material changes, we will provide notice through our services or by email.
Privacy Contact
For all privacy-related inquiries, data protection requests, and GDPR-related matters, including requests from EU data subjects, please contact our designated Privacy Contact:
Email: hello@bundleiq.comSubject line: Privacy Inquiry
We will acknowledge all privacy-related requests within 48 hours and respond substantively within one month.
Compliance and Security Standards
bundleIQ is currently pursuing SOC 2 Type II certification to provide independent, third-party validation of our security controls, data handling practices, and operational processes. We evaluate all subprocessors for adequate security and data protection practices prior to engagement and conduct periodic reviews to ensure ongoing compliance with our security standards.
Upon completion, our SOC 2 report will be available to enterprise customers and prospects under NDA upon request.
Contact Information
bundleIQ welcomes your questions or comments regarding this Privacy Policy. If you believe that bundleIQ has not adhered to this Policy, please contact us at:
bundleIQ, Inc.319 Clematis St., Suite 300
West Palm Beach, FL 33401
Email: hello@bundleiq.com
Phone: +1 (561) 373-0384