Privacy Policy

KeystoneIQ is provided by Intellibricks Inc. ("Intellibricks," "we," "us," or "our"). Intellibricks Inc. is a federal corporation incorporated under the Canada Business Corporations Act (Canada), located in Ontario, Canada; KeystoneIQ is our product.

This Privacy Policy describes how we collect, use, disclose, and protect personal information and personal data in connection with the KeystoneIQ service (the "Service") and our websites that link to this policy.

Product website: https://keystoneiq.ai

Effective date: March 20, 2026 Last updated: May 2, 2026 (revised — Slack scope expansion + deal-owner email storage; see §3.3)

At a glance

• Who we are: Intellibricks Inc., a federal Canadian corporation in Ontario, Canada, operating KeystoneIQ.
• What we collect: Account and profile data; competitive intelligence content you add; data from integrations you connect; optional documents for search and context; usage and device data; cookies as described in our Cookie Policy.
• Why: To provide and secure the Service, bill subscriptions, improve the product, and comply with law.
• Where: We process data in the United States; cross-border transfer safeguards are described in Section 6.
• AI: Features may send context to AI providers under terms that exclude using your content to train their models.
• Your choices: Rights vary by region (Canada, EEA/UK, U.S. states). Contact support@keystoneiq.ai for privacy requests.
• Terms of Service: Use of the Service is also governed by our Terms of Service.

1. Who we are

For personal information governed by Canadian privacy law, we are accountable as Intellibricks Inc. under the Personal Information Protection and Electronic Documents Act (PIPEDA), where applicable, and under substantially similar provincial laws.

If you are in the EEA or UK, Intellibricks is the controller of personal data described in this policy.

2. Scope

This policy applies when you:

• Visit our website or use the Service;
• Create an account or workspace;
• Connect integrations (e.g., CRM, messaging, documents);
• Interact with support or subscribe to communications.

It does not apply to third-party sites or services we do not control.

3. Information we collect

3.1 You provide

• Account: Name, email address, password (stored hashed).
• Workspace / company profile: Company name, product lines, ideal customer profile, and similar fields you enter.
• Competitive intelligence content: Competitors, briefs, deals, notes, uploaded content, and metadata you add.
• Billing: Payment processing is handled by our payment processor. Fees are billed in U.S. dollars (USD). We do not store full payment card numbers; we may receive billing contact details and subscription status.

3.2 Automatically collected

• Usage and device: Log data, IP address, browser type, approximate location derived from IP, timestamps, and diagnostic identifiers necessary to operate and secure the Service.
• Cookies and similar technologies: See our Cookie Policy.

3.3 From integrations you connect

When you authorize integrations (e.g., CRM, documents, analytics), we receive and store data needed to provide sync and brief features. Integration credentials are encrypted at rest.

Specific integration scopes worth calling out:

• Gong (when connected): We retrieve scheduled-call records, call metadata, transcript text, and Smart Tracker match results for the calls within scope of your Gong API package. We use this data to surface competitor mentions in your weekly brief and per-deal context blocks. We do not initiate calls, modify recordings, or write back to Gong.

• Slack (when connected): We use the OAuth scopes incoming-webhook (post weekly briefs and competitor alerts to a workspace channel you choose), commands (register the /keystone slash command), chat:write (deliver per-deal nudges as direct messages to the deal owner when a high-impact competitor signal lands on one of their active deals), users:read.email (resolve the deal owner's email — sourced from your CRM — to a Slack user ID for the DM), and users:read (Slack-required parent of users:read.email). We do not enumerate workspace members, persist any Slack user IDs beyond the per-nudge API call, post messages outside the deal-nudge and brief-delivery flows, or read messages, channels, or threads. The Slack bot token is encrypted at rest. You can disconnect Slack at any time from KeystoneIQ Settings or revoke from your Slack workspace admin.

• HubSpot / Salesforce deal owner data (when those CRMs are connected): For deal-nudge delivery and bi-directional CRM write-back, we additionally store the email address of each deal owner alongside the deal record (HubSpot owners API / Salesforce SOQL Owner.Email). The email is matched against the user list of the same KeystoneIQ workspace to resolve the owner to a KIQ member where applicable; emails of CRM owners who are not workspace members are stored alongside the deal but never used outside Slack DM lookup. Bi-directional CRM write-back PATCHes the KeystoneIQ-derived deal-risk score back into custom fields on the deal/opportunity (keystoneiq_deal_risk / KeystoneIQ_Deal_Risk__c); we never modify any other CRM fields and never read any field except the ones documented here.

• Reddit (public-data sync, expanded Sprint 3 P2): For each tracked competitor we read public Reddit posts via Reddit's official OAuth API. The pass includes a site-wide search for the competitor name (existing behavior), targeted reads of a curated list of business / GTM subreddits (r/SaaS, r/sales, r/SaaSSales, r/startups, r/Entrepreneur, r/marketing, r/BusinessIntelligence), and an automatic probe for a competitor brand subreddit (e.g. r/<CompetitorName>) when one exists and is public. We use a service-level Reddit OAuth client (no per-customer Reddit login). Stored as reddit_mention items with the originating subreddit in content_metadata.subreddit.

• Status pages (public-data sync, Sprint 3 P4): For competitors you tag with a status-page URL, KeystoneIQ polls that page weekly via the public Atlassian Statuspage v2 incidents API or generic RSS/Atom feeds (Instatus, etc.). Stored as status_incident items with structured impact + status + timestamps. No auth required; no customer credentials stored; we don't write or modify anything on the status page.

• GitHub (public-data sync, Sprint 3 P3): For competitors you tag with a GitHub URL, we read public GitHub data only — release notes, recent commit count and top contributors per repo, and open issue titles + labels. We use a service-level Personal Access Token with the public_repo read scope; no per-customer GitHub OAuth, no private repos, no write access. The data is stored as github_release / github_commit_velocity / github_issue items in your workspace's intel stream and surfaced in weekly briefs. We do not store GitHub user identifiers beyond the public commit-author logins that appear in release notes.

3.4 Document processing

When you upload documents or sync files from connected platforms, we may extract text and generate search indexes for retrieval when generating briefs. Extracted data is retained while the associated file or workspace exists, is not used to train any AI model, and is not shared across workspaces.

4. How we use information

Canada (PIPEDA / provincial laws)

EEA / UK (GDPR)

We do not sell your personal information as defined under the California Consumer Privacy Act (CCPA/CPRA).

AI features

Brief generation and intelligence features may send prompts and context to AI providers. Under their API terms, customer content is not used to train their models. Outputs may be inaccurate; see our Terms of Service, Section 2.

Specific AI features worth calling out:

• Competitor-mention classification (when Gong is connected): We send short excerpts of your sales-call transcripts (already received under §3.3) to our AI sub-processor for classification — labeling each excerpt as an assertion, question, or incidental mention so we can drop noise from your weekly brief. Excerpts are not used to train the provider's models.

5. How we share information

We share personal information only as needed:

• Service providers who host, secure, or process data on our behalf under contractual terms.
• Payment processors to complete transactions.
• Professional advisers (lawyers, accountants) under confidentiality.
• Authorities when required by law, subpoena, or to protect rights, safety, and security.

We may share aggregated or de-identified information that cannot reasonably identify you.

6. International transfers

Intellibricks Inc. is a Canadian company. Personal information is processed and stored in the United States. Some service providers may process data in other countries.

Outside Canada. We implement safeguards appropriate under applicable Canadian law, including contractual terms with service providers.

EEA / UK / Switzerland. Transfers may use adequacy decisions, Standard Contractual Clauses, supplementary measures, or other approved mechanisms.

7. Service providers

We use third-party service providers in the following categories:

All service providers process data only as instructed under contractual terms. We may update the providers we use; changes are reflected in this policy with an updated "Last updated" date.

A current list of named sub-processors is available to customers and prospective customers on request — contact support@keystoneiq.ai to receive the list and to subscribe to change notifications.

When you connect optional integrations (e.g., CRM, documents, call recording), those third-party services process data under their terms. Your credentials are encrypted at rest in our database.

8. Data processing agreement

If your organization requires a Data Processing Agreement (DPA) for GDPR or similar regulatory compliance, contact support@keystoneiq.ai. We will provide a DPA consistent with Standard Contractual Clauses and applicable data protection law upon request.

9. Retention

We retain personal information while your account is active. After you fully cancel a paid subscription or delete your account, your workspace remains accessible in a read-only state for 30 days so you can export anything you need. After that 30-day window, your workspace data is permanently deleted from our primary data store on a daily basis, including briefs, intelligence items, deals, competitors, related records, file caches, audit logs, and notifications. The same data is purged from backups within 90 days.

If your account is deleted under your right to erasure, your user account is removed immediately. Workspaces where you were the sole member follow the 30-day deletion path above; workspaces where other members remain continue under their care, and ownership is transferred to the longest-tenured remaining member.

Workspaces with zero remaining members are deleted after 30 days of inactivity.

Free-plan workspaces that remain inactive after a trial expires are not deleted on a fixed schedule, although we may contact you about long-inactive workspaces before any cleanup.

Security-relevant audit logs (sign-ins, permission changes, admin actions) are retained for up to 90 days and then deleted automatically. Backups are managed by our hosting provider and follow their standard retention windows.

Export: Available from your account settings or via API. Deletion: Available from your account settings or via API, subject to legal retention requirements.

10. Your rights and choices

All users

• Access / update: Available in the Service (Settings, workspace profile).
• Marketing: Opt out via unsubscribe links or by contacting support@keystoneiq.ai.

EEA / UK (GDPR)

You may have rights including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may lodge a complaint with a supervisory authority.

California (CCPA / CPRA)

You may have the right to know, delete, and correct personal information, and to opt out of certain sharing (we do not "sell" personal information).

Canada (PIPEDA and provincial laws)

Rights may include access, correction, and withdrawal of consent. You may complain to the Office of the Privacy Commissioner of Canada or your provincial commissioner.

Other U.S. states

We respond as required by applicable state privacy laws.

For all privacy requests, contact support@keystoneiq.ai.

11. Security

We use administrative, technical, and organizational measures appropriate to the risk, including encryption in transit and at rest for sensitive data, access controls, and multi-tenant data isolation.

No method of transmission or storage is 100% secure. We work to protect your information and notify you of material breaches as required by applicable law.

For more detail, see our Security overview.

12. Children

The Service is not intended for children under 16 (or the age required in your jurisdiction). We do not knowingly collect personal information from children. Contact support@keystoneiq.ai if you believe we have collected a child's data.

13. Changes to this policy

We may update this Privacy Policy and post the revised version with a new "Last updated" date. Continued use after the effective date constitutes acceptance where permitted by law.

14. Contact

For contractual limitations and dispute resolution, see our Terms of Service.