Effective date: May 19, 2025
Privacy Policy
1. Introduction
Requo ("Requo," "we," "us," or "our") operates the Requo website and related services at https://requo.app.
This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information when you use Requo, including the website, application, public inquiry pages, public quote pages, and related communications (collectively, the "Service").
If you have questions about this Privacy Policy or our privacy practices, you may contact us at support@requo.app or privacy@requo.app, or by mail at Lucena City, Quezon, Philippines.
2. Scope
This Privacy Policy applies to information we process as the operator of Requo. It covers information from account holders, invited business members, people who submit public inquiries, people who receive or respond through public quote links, and visitors who browse our public pages.
This Privacy Policy does not by itself describe how a business using Requo may handle information outside Requo. Each business using Requo may have its own customer-facing notices, practices, and legal obligations.
3. Information We Collect
A. Information you provide directly
- Account information such as your name, email address, login credentials, profile details, and password-reset details.
- Business information such as business name, slug, logo, business profile details, team member email addresses for invites, and configuration settings for inquiry pages or forms.
- Operational content you create inside the Service, including inquiries, notes, replies, quotes, quote line items, terms and conditions, status changes, pricing entries, FAQs, follow-up tasks, notifications, and activity records.
B. Information collected through public inquiry forms
- Contact details such as name, email address, phone number, and company name when requested by the form.
- Inquiry details such as requested services, project scope, timing, budget, free-form descriptions, and answers to custom fields configured by the business.
- Conversational messages exchanged with an AI-powered intake assistant, when the business has enabled conversational mode for its inquiry form.
- Attachments and supporting files submitted with the inquiry.
C. Information related to quotes and public quote responses
- Customer name and email address, quote line items, notes, totals, status, validity dates, and related customer-facing quote content.
- Responses submitted through public quote pages, including accept or decline actions and any message a customer chooses to provide.
- Public quote view and response timestamps used to support quote activity tracking.
D. Files and uploaded content
- Inquiry attachments uploaded through public inquiry forms.
- Knowledge files and related extracted text stored to support business features.
- Business logos, profile avatars, and other files you upload to the Service.
E. Automatically collected and derived information
- Session and security information such as IP address, user agent, login activity, and device or browser details associated with account access.
- Operational usage information such as page requests, timestamps, business context, notification activity, and records needed to keep the Service working.
- Essential browser-side storage used for session handling and product preferences such as active business selection, theme preference, and sidebar state.
4. Public Inquiry Pages And Forms
Requo allows businesses to publish inquiry pages and inquiry forms that can be completed without creating a Requo account. Those forms may collect contact details, project details, custom responses, and file uploads, depending on how the business configures the form.
Some businesses may enable an AI-powered conversational intake mode for their inquiry form. In that mode, an AI assistant guides the visitor through the inquiry by asking follow-up questions in a chat interface. The messages exchanged in the conversation are processed through an AI provider to generate responses, and the extracted inquiry details are stored alongside the submission.
Information submitted through a public inquiry form, including any conversational messages, is made available to the receiving business and to authorized users within that business so they can review, qualify, and respond to the inquiry.
5. User Accounts And Businesses
Requo supports account registration, authentication, password reset, session management, account deletion, multi-business access, and business member invites. Users may belong to more than one business and may switch between businesses they are authorized to access.
We process account and business information to authenticate users, maintain business-scoped access, send invite or password-reset emails, show the correct business context, and keep records needed to support legitimate product and security operations.
5A. Billing And Payment Information
When you subscribe to a paid plan, payment is processed by Polar, our merchant of record. We do not directly collect or store full payment card details. Polar collects and processes payment information on our behalf.
We receive and store subscription-related records including plan selection, billing interval, subscription status, payment attempt outcomes, transaction identifiers, and refund status. These records are used to manage your subscription, enforce plan limits, process refund requests, and maintain billing history.
6. Files, Uploads, And Customer-Submitted Content
The Service supports file uploads and customer-submitted content, including inquiry attachments, knowledge files, business logos, profile avatars, public quote responses, notes, FAQs, pricing entries, and other business content that users or customers provide.
Some uploaded knowledge files may be processed to extract text needed for knowledge and AI drafting features.
7. How We Use Information
- Provide, maintain, and secure the Service, including account access, businesses, public inquiry pages, public quote pages, and related workflows.
- Authenticate users, manage sessions, administer business membership and invites, and support business switching for authorized users.
- Receive, store, display, route, and deliver inquiries, quotes, follow-up tasks, notifications, and transactional emails.
- Support knowledge features, file handling, internal analytics features, AI drafting features, and AI-powered conversational inquiry intake.
- Maintain audit logs of sensitive business actions for security and accountability.
- Monitor usage, troubleshoot issues, investigate suspected abuse, respond to support requests, and comply with legal obligations.
8. AI Features
A. Internal AI drafting
If an authorized user uses AI-powered drafting features in the Service, certain inputs may be processed through Groq, Gemini, or OpenRouter and, depending on configuration, by the model provider used to generate drafts, summaries, or suggestions.
Based on the current Service, those inputs may include inquiry details, submitted custom field responses, internal notes, FAQ content, excerpts from uploaded knowledge files, and the prompt or drafting request entered by an authorized business user.
B. AI-powered conversational inquiry intake
When a business enables conversational mode for its public inquiry form, visitors interact with an AI assistant that guides them through the inquiry. Messages sent by the visitor and the AI responses are processed through an AI provider. The AI extracts structured inquiry details from the conversation, which are stored alongside the submission and made available to the receiving business.
You should avoid submitting highly sensitive personal information to AI-powered features unless necessary and appropriate for your use case.
AI-generated outputs can be incomplete or inaccurate and should be reviewed by a human before use.
9. When We Share Information
A. Within a business
Information inside a business may be shared with authorized users of that business, based on their role and access.
B. With service providers
We share information with service providers that host the Service, store data and files, deliver transactional email, support optional social sign-in, or route AI requests when AI features are used.
C. Through public pages or links
Information intentionally published or made available through public inquiry pages or public quote links may be accessible to the intended recipients and to anyone else who receives or accesses the relevant page or link.
D. For legal and security reasons
We may disclose information if we believe it is reasonably necessary to comply with applicable law, respond to lawful requests, protect the Service, investigate misuse, or protect the rights, safety, or property of Requo, our users, or others.
E. Business transfers
We may disclose information in connection with an actual or proposed merger, acquisition, financing, reorganization, sale of assets, or similar corporate transaction, subject to applicable law.
10. Service Providers And Infrastructure
We use the following third-party services to operate Requo:
- Vercel, for hosting and application delivery.
- Supabase, for database, storage, and related backend infrastructure.
- Polar, for subscription billing, payment processing, and refunds as the merchant of record.
- Resend, for transactional email delivery.
- Groq, Gemini, and OpenRouter, for AI request routing when AI features are used.
- Google, for optional OAuth sign-in when enabled, and transactional email providers for magic link sign-in when configured.
If we materially change the services listed above, we may update this Privacy Policy.
11. Cookies, Browser Storage, And Analytics
We use essential cookies and similar technologies needed to operate and secure the Service.
The current Service also uses browser storage for product settings and interface preferences such as theme selection, active business selection, and sidebar state. If we enable additional analytics, performance, or advertising technologies, we will update this Privacy Policy to describe those tools and related choices.
Requo also includes internal analytics features based on data stored within the Service. We did not identify a dedicated third-party web analytics or advertising SDK in the current app code.
12. Data Retention And Security
We retain personal information for as long as reasonably necessary to provide the Service, maintain business and operational records, comply with legal obligations, resolve disputes, enforce our agreements, and protect our legitimate interests. Retention periods may vary depending on the type of information and the purpose for which it was collected.
We use reasonable administrative, technical, and organizational measures designed to protect information handled through the Service. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
13. International Processing And Your Choices
Requo operates from the Philippines, and our service providers may process information in other countries depending on how the Service is hosted or delivered. By using the Service, you understand that information may be processed outside your local jurisdiction, subject to applicable law.
You may have choices about the information you provide to Requo. For example, you can choose whether to submit information through public inquiry forms, manage certain account details inside the Service, or contact us about access, correction, deletion, or other privacy-related requests where applicable.
We handle personal information in a manner intended to be consistent with applicable privacy laws, including the Data Privacy Act of 2012 (Republic Act No. 10173) of the Philippines, where applicable.
14. Lawful Basis For Processing
Under GDPR Article 6, we rely on the following lawful bases for each processing activity:
| Processing Activity | Lawful Basis (Article 6) |
|---|---|
| Account creation and management | Performance of a contract |
| Inquiry form processing | Legitimate interest |
| AI-assisted drafting | Legitimate interest |
| Conversational AI intake | Legitimate interest (with notice) |
| Transactional email | Performance of a contract |
| Internal analytics | Legitimate interest |
| Billing and subscription | Performance of a contract |
| Security logging and rate limiting | Legitimate interest |
Where we rely on legitimate interest, we have conducted balancing assessments to ensure our interests do not override your fundamental rights and freedoms.
15. Data Retention Schedule
We retain different categories of data for different periods based on their purpose and applicable legal requirements:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account plus 30 days after deletion |
| Business content | Duration of business plus 90 days |
| AI token logs | 90 days |
| Billing records | 7 years |
| Session and security logs | 90 days |
| Webhook events | 1 year |
| Public action rate limit events | 30 days |
| Analytics events | Duration of business |
After the applicable retention period expires, data is deleted or anonymized in accordance with our data management procedures.
16. International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction. The following table lists the third-party providers we use, their data locations, and their roles:
| Provider | Data Location | Role |
|---|---|---|
| Vercel | United States | Hosting |
| Supabase | Singapore | Database and storage |
| Resend | United States | |
| Groq | United States | AI inference |
| Cerebras | United States | AI inference |
| Google / Gemini | United States | AI inference and OAuth |
| OpenRouter | United States | AI routing |
| Mistral | EU / France | AI inference |
| Cloudflare | Global edge | AI inference |
| NVIDIA | United States | AI inference |
| Polar | United States | Payment processing |
Where personal data is transferred outside the European Economic Area or the United Kingdom to a country not recognized as providing an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism.
17. Your Rights
Depending on your jurisdiction, you may have specific rights regarding your personal information. Below we describe the rights available under the laws most relevant to our users.
A. EU / EEA / UK (GDPR)
If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete personal data.
- Right to erasure — request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to restriction — request that we restrict processing of your personal data in certain circumstances.
- Right to data portability — receive your personal data in a structured, commonly used, machine-readable format.
- Right to object — object to processing based on legitimate interest, including profiling.
- Rights related to automated decision-making — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
B. California (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of personal information we have collected from you.
- Right to opt-out of sale or sharing — direct us not to sell or share your personal information. Requo does not sell or share personal information as defined under the CCPA/CPRA.
- Right to non-discrimination — not receive discriminatory treatment for exercising your privacy rights.
C. Philippines (Data Privacy Act)
If you are located in the Philippines, you have the following rights under Republic Act No. 10173 (Data Privacy Act of 2012):
- Right to be informed — be informed of the purpose and extent of data processing before or at the time of collection.
- Right to access — obtain a copy of your personal data being processed.
- Right to correction — dispute and have corrected any inaccuracy or error in your personal data.
- Right to erasure or blocking — suspend, withdraw, or order blocking, removal, or destruction of your personal data.
- Right to data portability — obtain your personal data in an electronic or structured format.
- Right to object — object to the processing of your personal data, including processing for direct marketing, automated processing, or profiling.
- Right to damages — be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data.
D. How to exercise your rights
To exercise any of the rights described above, contact us at privacy@requo.app. We will respond to your request within 30 days. In certain circumstances, this period may be extended as permitted by applicable regulation, in which case we will notify you of the extension and the reason for it.
18. AI Provider Data Practices
Requo uses multiple AI providers as part of its inference and drafting features. None of these providers use Requo customer data submitted through the API to train their models. The following table summarizes the data handling practices of each provider:
| Provider | Training on Customer Data | Data Retention | Zero Data Retention (ZDR) |
|---|---|---|---|
| Groq | No | Not retained after processing | Yes (default) |
| Cerebras | No | Not retained after processing | Yes (default) |
| Google / Gemini | No | Transient processing; not stored beyond request | Yes (paid API tier) |
| OpenRouter | No | Short-term logging for abuse prevention | Varies by upstream model |
| Mistral (API / La Plateforme) | No | Not retained for training; 30-day abuse log | Yes (API) |
| Cloudflare Workers AI | No | Not retained after processing | Yes (default) |
| NVIDIA NIM | No | Not retained after processing | Yes (default) |
Requo accesses all AI providers exclusively through their API services. API terms universally prohibit using customer data for model training. This is distinct from consumer-facing chat products offered by the same companies, which may have different data practices.
Mistral: API vs. Consumer Chat
Mistral is included in Requo’s AI provider fallback chain and is accessed through Mistral’s API platform (La Plateforme). Per Mistral’s API terms, data sent through the API is not used for model training and is subject to a 30-day retention period for abuse and safety monitoring only. This is separate from Mistral’s consumer chat product (Le Chat), which may use conversation data for model improvement under different terms. Requo does not use the consumer chat product.
19. Automated Decision-Making
Requo includes AI-powered features that assist with drafting quotes, generating suggestions, and guiding conversational inquiry intake. These features are designed as assistive tools only.
No automated decisions with legal or similarly significant effects are made about you through the Service. All AI-generated outputs, including draft text, suggestions, and extracted inquiry details, require human review before use. A business user must review, edit, and approve any AI-assisted content before it is sent to a customer or used to make a business decision.
If you have questions about how AI features are used in the context of a specific business, you may contact that business directly or reach us at privacy@requo.app.
20. Breach Notification
In the event of a confirmed personal data breach that poses a risk to your rights and freedoms, we will notify affected account holders via email within 72 hours of confirming the breach.
Breach notifications will include a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its effects.
Where required by applicable law, we will also make a public disclosure about the breach and notify relevant supervisory authorities within the timeframes required by those laws.
21. Do Not Track And Global Privacy Control
Requo does not track users across third-party websites and does not sell or share personal information with third parties for advertising or cross-site tracking purposes.
We honor Global Privacy Control (GPC) signals where applicable. Because we do not engage in cross-site tracking or sell personal information, our existing practices are consistent with the choices expressed by Do Not Track (DNT) and GPC signals.
22. Children’s Privacy And Policy Changes
The Service is designed for businesses and business-related customer communications. We do not knowingly provide account features for children under 13. If you believe a child has provided personal information through the Service inappropriately, contact us at privacy@requo.app.
We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version on this page and update the effective date above. Your continued use of the Service after a change becomes effective means the updated Privacy Policy will apply going forward.