QiduJoin the Waitlist
Legal

Privacy Policy

Last updated: May 19, 2026

This Privacy Policy explains how Qidu, LLC (“Qidu”, “we”, “us”, or “our”) collects, uses, shares, and protects information about its customers and about the Instagram users those customers communicate with through our service.

Who We Are

Qidu is operated by Qidu, LLC, a Delaware limited liability company with its principal office at 131 Continental Dr, Suite 305, Newark, DE 19713, USA. For any privacy question or request you can reach us at axel@qidu.ai.

Qidu provides a software service that helps businesses manage their Instagram direct messages with the assistance of artificial intelligence. For purposes of GDPR and similar laws, Qidu, LLC acts as the data controller for the personal data described below, except where we process customer-provided data on behalf of our customers, in which case we act as a processor and the customer is the controller.

Information We Collect

From our customers (business owners who sign up for Qidu)

  • Account information handled by our authentication provider (Clerk): name, email address, and OAuth identifiers from any identity provider used to sign in.
  • Workspace information: the name and configuration of the workspace you create inside Qidu.
  • Billing information: the Stripe customer ID and subscription status associated with your account. Payment method details (such as credit card numbers) are collected and stored by Stripe, not by Qidu.
  • Instagram account information: after you connect your Instagram business account, we receive your Instagram-scoped user ID (IGSID), username, display name, profile picture URL, and the associated Facebook Page ID.
  • OAuth tokens: the Instagram OAuth access token required to call the Instagram Graph API on your behalf. Tokens are encrypted at rest.

From third parties (Instagram users who DM your business)

When a customer connects their Instagram account, Qidu receives data about the people who message that account. This includes:

  • The Instagram-scoped user ID, username, display name, and profile picture URL of the message sender.
  • The full content of direct messages exchanged with the customer’s account (received and sent), along with timestamps.
  • Comments left on the customer’s Instagram posts (when the instagram_business_manage_comments scope is granted).
  • AI-derived metadata generated from message content, such as sentiment classification and intent category.

Instagram permissions we request

When you connect Instagram, Qidu requests the following OAuth scopes through the Meta Login dialog:

  • instagram_business_basic — to read basic profile information about your Instagram business account.
  • instagram_business_manage_messages — to read and send direct messages on your behalf, with your approval.
  • instagram_business_manage_comments — to read and reply to comments on your posts.

How We Use Information

  • To provide, operate, and improve the Qidu service.
  • To draft, classify, and route messages on behalf of our customers using AI inference. This involves sending message content and participant names to our AI model provider (see Subprocessors below).
  • To authenticate users and protect against fraud and abuse.
  • To process subscription billing through Stripe.
  • To send service-related communications, such as security alerts and account notices.
  • To comply with legal obligations.

We do not sell personal information, and we do not use Instagram message content to train any general-purpose machine-learning model.

How We Share Information (Subprocessors)

We share personal information with a small set of trusted service providers that help us run the service. We require each subprocessor to handle data under contractual obligations consistent with this policy.

  • Google Cloud Platform — hosting infrastructure (Cloud Run, Cloud SQL for PostgreSQL, Artifact Registry, Cloud Build). Region: us-central1.
  • Google Gemini API (@google/genai) — AI inference for message drafting, intent classification, and sentiment analysis. Models used include gemini-1.5-flash, gemini-2.0-flash, and gemini-2.5-pro. Message contents and participant names are sent to Gemini in prompt context to generate responses.
  • Clerk — user authentication and identity management.
  • Stripe — subscription billing and payment processing.
  • Meta Platforms, Inc. / Instagram — the source of the Instagram data we process. Qidu accesses Instagram data through the Instagram Graph API, subject to Meta’s Platform Terms and Developer Policies.

We may also disclose information if required by law or in response to valid legal requests by public authorities.

Data Retention

We retain active conversation data, account information, and Instagram profile data for as long as the relevant customer account is active. When a customer deletes their account or disconnects their Instagram integration, we permanently delete the associated data within thirty (30) days, subject to limited exceptions described under Data Deletion.

Data Deletion

You can request deletion of your data at any time. Detailed instructions are on our Data Deletion page. In short, you can disconnect Instagram and delete your account from within the product, or email axel@qidu.ai with the subject “Data Deletion Request”.

Your Rights

Subject to applicable law, you have the right to access, correct, update, port, or delete the personal information we hold about you, and to object to or restrict certain processing.

If you are in the European Union, the United Kingdom, or another jurisdiction with similar laws, you also have the right to lodge a complaint with your local data-protection authority. California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what categories of personal information are collected and to request deletion.

To exercise any of these rights, email axel@qidu.ai. We respond to verified requests within thirty (30) days.

Cookies

The Qidu landing site uses a minimal set of cookies and similar technologies that are strictly necessary to deliver the site and to measure aggregate usage through Vercel Analytics. We do not use advertising or cross-site tracking cookies. The Qidu product (signed-in application) uses cookies for authentication via Clerk.

Children’s Privacy

Qidu is not intended for children under thirteen (13). We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact axel@qidu.ai and we will delete it.

Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. Instagram OAuth tokens are encrypted at rest, traffic is encrypted in transit using TLS, and access to production systems is restricted to authorized personnel.

International Data Transfers

Qidu is operated from the United States. If you access the service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers maintain facilities. Where required, we rely on appropriate transfer mechanisms such as the European Commission’s Standard Contractual Clauses.

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes we will notify customers by email and update the “Last updated” date at the top of this page.

Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, United States of America, without regard to its conflict-of-laws principles.

Contact Us

Questions, comments, or privacy requests can be sent to axel@qidu.ai or by mail to:

Qidu, LLC
131 Continental Dr, Suite 305
Newark, DE 19713
USA