Security & Privacy

Built for business data that deserves discipline.

AIIQData helps SMBs analyze finance and operations data with AI. This page explains how we approach data retention, deletion, encryption, subprocessors, OpenAI usage, and isolation between companies.

  • Tenant isolation: business data is scoped by business_id.
  • Secure credentials: connector secrets are encrypted before storage.
  • AI transparency: AI providers are used to generate the analysis you request.
  • Deletion support: customers can request export, cleanup, or account removal.

Data We Process

Only the data needed to run your analysis workspace.

AIIQData is designed around customer-controlled business workspaces. Depending on the features you use, the platform may process the following categories.

Account and workspace data

Names, business profile details, plan information, user roles, billing state, and login/session metadata.

Business datasets

CSV, Excel, Google Sheets, database rows, MongoDB collections, dashboards, reports, documents, and chat context you choose to upload or connect.

Connector and service data

Encrypted connection profiles, OAuth references, API configuration, report delivery metadata, and lead/support communications.

Important: AIIQData does not need your passwords inside uploaded files. Do not upload API keys, bank credentials, personal identity documents, or protected health information unless your agreement explicitly allows it.

Retention and Deletion

Retention follows the product feature and customer request.

SMB teams need history for trend analysis, KPI comparisons, auditability, and executive reports. AIIQData therefore keeps workspace records while an account is active unless a shorter retention rule is configured or deletion is requested.

Standard retention

  • Uploaded datasets, analysis results, dashboards, chats, and generated reports are retained while the workspace is active.
  • Temporary files should be removed after processing whenever they are no longer needed by the analysis pipeline.
  • Connection profiles remain stored until a user deletes the connector, revokes access, or closes the workspace.
  • Billing, fraud-prevention, security, and legal records may be retained longer where required.

Deletion requests

  • Workspace admins can request deletion of account data, uploaded datasets, reports, connector profiles, and chat history.
  • When a connector is removed, AIIQData stops using that stored credential for future syncs.
  • Access granted on the provider side, such as a Google OAuth grant, a database user, or a payment account, must also be revoked directly with that provider; removing the connector in AIIQData does not revoke it there.
  • Backups and logs may age out on a separate operational retention schedule.

Security Controls

Practical controls for a multi-tenant analytics product.

AIIQData combines application-level isolation, encrypted secrets, session protections, and operational safeguards to reduce the risk of cross-company data exposure.

Encryption

Production traffic should run over HTTPS/TLS. Stored connector credentials are encrypted before persistence. Sensitive values are not intentionally printed in logs.
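The following block is an added illustration of the "encrypted before persistence" rule; it is not AIIQData's implementation. It encrypts a connector profile with AES-256-GCM and binds the ciphertext to the owning business_id and connector id through the associated data, so a stored record cannot be decrypted under another tenant's identifiers even with the same master key. It assumes the `cryptography` package is installed and that the master key would come from a KMS or secret store (here it is generated); the function names, field names and the sample profile are hypothetical.

```python
"""Encrypting a connector profile before it is persisted.

Added example, not AIIQData's own code. AES-256-GCM with the tenant and
connector identifiers as associated data, so a stored ciphertext only
decrypts for the record it was written for. Assumptions: the `cryptography`
package is installed; the master key is supplied by configuration/KMS (here
generated); all names and the sample profile are hypothetical.
"""
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class SecretIntegrityError(Exception):
    """Ciphertext failed authentication: wrong key, wrong tenant/connector binding, or tampering."""


def new_master_key() -> bytes:
    """256-bit key. In production this comes from a KMS or secret store, never from code."""
    return AESGCM.generate_key(bit_length=256)


def _binding(business_id: str, connector_id: str) -> bytes:
    # Associated data is authenticated but not encrypted; it ties the
    # ciphertext to exactly one tenant/connector pair.
    return f"{business_id}:{connector_id}".encode("utf-8")


def encrypt_connector_secret(key: bytes, business_id: str, connector_id: str, secret: dict) -> dict:
    """Return the storable record: nonce and ciphertext only, never the plaintext."""
    nonce = os.urandom(12)  # 96-bit nonce, fresh for every encryption
    plaintext = json.dumps(secret, sort_keys=True).encode("utf-8")
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, _binding(business_id, connector_id))
    return {
        "v": 1,
        "alg": "AES-256-GCM",
        "nonce": base64.b64encode(nonce).decode("ascii"),
        "ct": base64.b64encode(ciphertext).decode("ascii"),
    }


def decrypt_connector_secret(key: bytes, business_id: str, connector_id: str, record: dict) -> dict:
    """Decrypt a stored record for the given tenant/connector; fails closed on any mismatch."""
    if record.get("v") != 1 or record.get("alg") != "AES-256-GCM":
        raise SecretIntegrityError("unsupported record format")
    try:
        plaintext = AESGCM(key).decrypt(
            base64.b64decode(record["nonce"]),
            base64.b64decode(record["ct"]),
            _binding(business_id, connector_id),
        )
    except InvalidTag as exc:
        raise SecretIntegrityError("connector secret failed authentication") from exc
    return json.loads(plaintext)


def mask_for_log(secret: dict) -> dict:
    """Log-safe view of a profile: host and user survive, credential values do not."""
    sensitive = {"password", "token", "api_key", "secret"}
    return {k: ("***" if k in sensitive else v) for k, v in secret.items()}


if __name__ == "__main__":
    key = new_master_key()
    # Constructed sample profile for a read-only analytics database user.
    profile = {"host": "db.internal.example", "user": "analytics_ro", "password": "example-only"}
    stored = encrypt_connector_secret(key, "biz_a", "conn_7", profile)
    print("stored record:", stored)
    print("log view:", mask_for_log(profile))
    print("decrypted:", decrypt_connector_secret(key, "biz_a", "conn_7", stored))
```

Because the tenant binding is part of the authenticated data rather than the plaintext, a record copied from one tenant's document into another's fails at decryption instead of silently yielding the other tenant's credentials.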

Session and request safety

Authenticated flows validate session context, protect form submissions with CSRF tokens, and use secure cookie settings in production.
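As an added example of the two controls just named (not code from AIIQData), the block below issues a CSRF token that is an HMAC over the session id and an issue time, verifies it in constant time with an expiry, and emits the session cookie with Secure, HttpOnly and SameSite attributes. It uses only the standard library; the server secret, session ids, form fields and handler are hypothetical.

```python
"""Session-bound CSRF tokens and production cookie attributes.

Added example, not AIIQData's own code. The CSRF token is an HMAC over the
session id and an issue timestamp, so a token lifted from one session is
useless in another and expires on its own; the session cookie is emitted with
HttpOnly, SameSite=Lax and (in production) Secure. SERVER_SECRET, the session
ids and the form handler are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Assumption: in production this is loaded from configuration; a fresh random
# value per process would invalidate every outstanding form on restart.
SERVER_SECRET = secrets.token_bytes(32)
CSRF_MAX_AGE = 3600  # seconds a form token stays valid


def issue_csrf_token(session_id: str, now: float | None = None, secret: bytes = SERVER_SECRET) -> str:
    """Token = "<issued_at>.<hmac-sha256>"; the MAC binds it to this session id."""
    issued_at = int(now if now is not None else time.time())
    mac = hmac.new(secret, f"{session_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_csrf_token(session_id: str, token: str, now: float | None = None,
                      secret: bytes = SERVER_SECRET, max_age: int = CSRF_MAX_AGE) -> bool:
    """Accept only a token minted for this session, not expired, with a matching MAC."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (ValueError, AttributeError):
        return False
    current = now if now is not None else time.time()
    if not 0 <= current - issued_at <= max_age:
        return False
    expected = hmac.new(secret, f"{session_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def session_cookie_header(session_id: str, production: bool = True) -> str:
    """Set-Cookie value: HttpOnly (no script access), SameSite=Lax, Secure in production."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    if production:
        morsel["secure"] = True  # only sent over HTTPS
    return morsel.OutputString()


def handle_form_post(session_id: str, form: dict) -> str:
    """Simulated POST handler: the submission is rejected unless the CSRF token checks out."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: invalid or missing CSRF token"
    return "200 OK: form accepted"


if __name__ == "__main__":
    sid = secrets.token_urlsafe(16)
    print(session_cookie_header(sid))
    token = issue_csrf_token(sid)
    print(handle_form_post(sid, {"csrf_token": token, "report_name": "Q1 cash flow"}))
    print(handle_form_post("other-session", {"csrf_token": token}))
```

The verifier rejects tokens dated in the future as well as expired ones; if application servers do not share a clock, allow a small skew in the lower bound rather than dropping the check.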

Least-privilege access

Customers should use read-only database users for analytics connectors whenever possible and rotate credentials after staff or vendor changes.

Tenant Isolation

Each company is isolated by business_id.

AIIQData uses a MongoDB multi-tenant architecture where customer records are scoped by business_id. Authenticated routes, connector records, chat artifacts, dashboards, reports, and analysis history must use that identifier when reading or writing customer data.

Backend isolation

Queries are expected to include the current session's business_id so one company cannot read another company's datasets, prompts, reports, connectors, or dashboard state.

AI and file isolation

Analysis pipelines should convert customer sources into Pandas DataFrames inside the current request/workspace context and keep generated outputs tied to that same business_id.
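The block below is an added example of the business_id scoping rule described in this section; it is not AIIQData's own data layer. It contrasts the dict-merge anti-pattern, where a request-supplied key can overwrite the tenant clause, with a filter builder that AND-s the session's business_id as a separate operand, and it wraps reads and writes in a repository that refuses to run without a tenant. A small in-memory matcher stands in for MongoDB so it runs offline; the TenantRepo and scoped_filter names, the tenant ids and the sample records are hypothetical.

```python
"""business_id scoping for a multi-tenant MongoDB-style collection.

Added example, not AIIQData's own code. Every read and write carries the
session's business_id and a caller cannot widen or override that scope. The
in-memory matcher stands in for MongoDB; names, ids and records are
hypothetical/constructed.
"""
from __future__ import annotations

from typing import Any


class TenantScopeError(Exception):
    """A query or write was attempted without, or against, the correct tenant context."""


def unsafe_merge(business_id: str, user_filter: dict[str, Any]) -> dict[str, Any]:
    """The anti-pattern: a later key in the merged dict overwrites the tenant clause."""
    return {"business_id": business_id, **user_filter}


def scoped_filter(business_id: str, user_filter: dict[str, Any] | None = None) -> dict[str, Any]:
    """Build a filter that is always constrained to business_id.

    The tenant clause is AND-ed with the caller's filter as a separate operand,
    so nothing in user_filter (including a nested $or) can replace it, and an
    explicit business_id from the caller is treated as a bug, not honoured.
    """
    if not isinstance(business_id, str) or not business_id:
        raise TenantScopeError("query attempted without a business_id")
    extra = dict(user_filter or {})
    if "business_id" in extra:
        raise TenantScopeError("callers must not set business_id themselves")
    if not extra:
        return {"business_id": business_id}
    return {"$and": [{"business_id": business_id}, extra]}


def _matches(doc: dict[str, Any], flt: dict[str, Any]) -> bool:
    """Minimal stand-in for MongoDB matching: field equality, $and, $or."""
    for key, cond in flt.items():
        if key == "$and":
            if not all(_matches(doc, c) for c in cond):
                return False
        elif key == "$or":
            if not any(_matches(doc, c) for c in cond):
                return False
        elif doc.get(key) != cond:
            return False
    return True


class TenantRepo:
    """Data-access layer: the only way in or out of the collection goes through business_id."""

    def __init__(self, docs: list[dict[str, Any]] | None = None):
        self._docs = [dict(d) for d in docs or []]

    def find(self, business_id: str, user_filter: dict[str, Any] | None = None) -> list[dict[str, Any]]:
        flt = scoped_filter(business_id, user_filter)
        return [dict(d) for d in self._docs if _matches(d, flt)]

    def insert(self, business_id: str, doc: dict[str, Any]) -> dict[str, Any]:
        if not business_id:
            raise TenantScopeError("write attempted without a business_id")
        if doc.get("business_id") not in (None, business_id):
            raise TenantScopeError("document is tagged for a different tenant")
        stored = {**doc, "business_id": business_id}  # the server-side stamp wins
        self._docs.append(stored)
        return dict(stored)


# Constructed sample records: two companies sharing one collection.
SAMPLE_REPORTS = [
    {"business_id": "biz_a", "kind": "report", "name": "Q1 cash flow"},
    {"business_id": "biz_a", "kind": "dashboard", "name": "Vendor spend"},
    {"business_id": "biz_b", "kind": "report", "name": "Board pack"},
]


if __name__ == "__main__":
    repo = TenantRepo(SAMPLE_REPORTS)
    print("biz_a sees:", [d["name"] for d in repo.find("biz_a")])
    print("biz_a reports:", [d["name"] for d in repo.find("biz_a", {"kind": "report"})])
    # The merge anti-pattern lets a request parameter repoint the query at biz_b.
    print("unsafe merge:", unsafe_merge("biz_a", {"business_id": "biz_b"}))
    try:
        repo.find("biz_a", {"business_id": "biz_b"})
    except TenantScopeError as err:
        print("rejected:", err)
```

Keeping the tenant clause as its own `$and` operand is what makes the guarantee hold regardless of what the caller passes; rejecting an explicit business_id on top of that turns a silent scoping bug into a visible error during testing.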

AI Providers

How OpenAI is used by AIIQData.

AIIQData may send selected prompts, schema information, dataset samples, summaries, report content, and chat context to OpenAI through its API in order to generate analysis, explanations, anomaly detection narratives, chart recommendations, and executive summaries.

Customer-controlled context

The best privacy pattern is to send only the minimum context required for the business question. Avoid including secrets, unnecessary personal data, or raw records that are not needed for the answer.
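As an added example of that minimum-context pattern (not AIIQData's pipeline), the block below builds the payload that would accompany a business question: column names and inferred types, numeric summaries, and a few sample rows, with columns whose names look like credentials or personal data dropped before anything is serialised, and the result trimmed to a character budget. It uses plain Python rather than Pandas so it runs anywhere; the CSV, the column-name pattern and the function names are constructed and hypothetical.

```python
"""Building the minimum model context from a dataset.

Added example, not AIIQData's own pipeline. The model receives schema,
numeric summaries and a few sample rows; columns matching a sensitive-name
pattern are dropped before serialisation and the payload is trimmed to a
budget. The CSV, the pattern and the names are constructed/hypothetical.
"""
from __future__ import annotations

import csv
import io
import json
import re
import statistics
from typing import Any

# Column names that should not leave the workspace as raw values. Assumption:
# this is a guard rail to tune per customer, not a data classifier.
SENSITIVE_COLUMN_RE = re.compile(
    r"(password|secret|token|api[_-]?key|ssn|iban|account[_-]?number|card|email|phone)", re.I
)

# Constructed sample dataset: accounts-payable rows with two columns a model never needs.
SAMPLE_CSV = """invoice_id,vendor,amount,month,contact_email,bank_account_number
1001,Acme Supplies,1200.50,2024-01,ap@acme.example,DE00000000000000000001
1002,Northwind,800.00,2024-01,billing@northwind.example,GB00000000000000000002
1003,Acme Supplies,1500.00,2024-02,ap@acme.example,DE00000000000000000001
1004,Contoso,300.25,2024-02,finance@contoso.example,FR00000000000000000003
1005,Northwind,950.00,2024-03,billing@northwind.example,GB00000000000000000002
"""


def load_rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def infer_type(values: list[str]) -> str:
    """'number' if every value parses as a float, otherwise 'text'."""
    try:
        for v in values:
            float(v)
        return "number"
    except ValueError:
        return "text"


def serialize_context(context: dict[str, Any]) -> str:
    """Exactly the bytes that would be sent with the prompt."""
    return json.dumps(context, sort_keys=True)


def build_model_context(rows: list[dict[str, str]], question: str,
                        sample_rows: int = 3, max_chars: int = 2000) -> dict[str, Any]:
    """Return the context to send with the question, and nothing more."""
    if not rows:
        return {"question": question, "row_count": 0, "schema": {}, "summary": {},
                "sample": [], "omitted_columns": []}
    columns = list(rows[0].keys())
    omitted = [c for c in columns if SENSITIVE_COLUMN_RE.search(c)]
    kept = [c for c in columns if c not in omitted]
    schema = {c: infer_type([r[c] for r in rows]) for c in kept}
    summary: dict[str, Any] = {}
    for c, kind in schema.items():
        if kind == "number":
            vals = [float(r[c]) for r in rows]
            summary[c] = {"min": min(vals), "max": max(vals), "mean": round(statistics.fmean(vals), 2)}
    sample = [{c: r[c] for c in kept} for r in rows[:sample_rows]]
    context = {"question": question, "row_count": len(rows), "schema": schema,
               "summary": summary, "sample": sample, "omitted_columns": omitted}
    # Over budget: drop sample rows first; schema and summaries are what the model needs most.
    while len(serialize_context(context)) > max_chars and context["sample"]:
        context["sample"].pop()
    return context


if __name__ == "__main__":
    ctx = build_model_context(load_rows(SAMPLE_CSV), "Which vendor's spend grew fastest?")
    print(json.dumps(ctx, indent=2))
```

The omitted column names are still reported so the model can say "I did not see the bank account column" instead of guessing, which is usually the right trade: the name of a field is rarely sensitive, its values often are.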

OpenAI business data handling

OpenAI states that API and business data are not used to train its models by default, unless a customer explicitly opts in. OpenAI may retain API inputs and outputs for a limited period for service delivery and abuse monitoring, subject to its published terms and eligible retention controls.

Subprocessors

Core vendors that may process customer data.

The exact list depends on which product features are enabled in your deployment. AIIQData should review this list when adding new infrastructure, AI, billing, email, analytics, or storage vendors.

  • OpenAI
    Purpose: AI analysis, chat, summaries, document reasoning, and agent responses.
    Typical data involved: Prompts, selected dataset context, summaries, schemas, document snippets, and generated outputs.
  • MongoDB / database hosting
    Purpose: Application database, tenant records, analysis history, plans, reports, and metadata.
    Typical data involved: Workspace data, business_id-scoped records, encrypted connector profiles, and app metadata.
  • Google
    Purpose: Google Sheets integration and OAuth/service-account connectivity.
    Typical data involved: Sheet metadata, selected worksheet data, authorization references, and sync status.
  • Stripe
    Purpose: Subscription billing and payment lifecycle events.
    Typical data involved: Customer billing references, plan details, invoices, and payment status metadata.
  • SendGrid / SMTP provider
    Purpose: Transactional email, notifications, and support or lead follow-up.
    Typical data involved: Email addresses, message metadata, and email content needed for delivery.
  • Hosting and infrastructure providers
    Purpose: Application hosting, networking, logging, backups, and operational monitoring.
    Typical data involved: Application traffic, operational logs, IP addresses, and deployment metadata.

Need a deletion, export, or security review?

Workspace admins can request data deletion, connector removal, export support, or procurement security information. Include your business name, account email, and the scope of the request.