Privacy Policy

Effective February 24, 2026

This policy explains what personal data Quavix, Inc. collects, why we collect it, how we protect it, and what rights you have over it.

1. Who We Are

Quavix, Inc. ("Quavix", "we", "us") operates Quavix Messenger, an invite-only, compliance-grade messaging platform for financial services professionals. We are the data controller for personal data processed through this platform.

Contact: legal@quavix.com

2. What Data We Collect

Account data: Name, email address, password (hashed), company or firm name, role, phone number, and business address provided during registration.

Organization data (regulated firms): Firm legal name, SEC registration number, FINRA CRD number, approved email domains, and primary compliance contact information provided by the CCO during onboarding.

Message content: All messages sent through the platform, including the content of direct messages, group messages, and community posts. This data is subject to mandatory compliance archiving described below.

Compliance archive data: A permanent record of every message sent, including sender identity, organizational affiliation at the time of sending, recipient identity, timestamps, and conversation context. This archive is retained for a minimum of 7 years and cannot be deleted or altered (see Section 6).

Usage and access logs: Actions taken within the compliance portal (searches, exports, message views), including the actor's identity, IP address, session identifier, and timestamp.

Technical data: IP addresses, browser type, device type, and session data collected automatically when you use the platform.

Billing data: Payment card details are collected and stored by our payment processor, Stripe. We receive and store a tokenized reference, the last four digits of the card, billing name, and subscription status. We do not store full card numbers.

3. Why We Collect It

Service delivery: We use your account and message data to operate the messaging platform and deliver messages between users.

Regulatory compliance: For regulated firms, we archive all communications as required under SEC Rule 17a-4, FINRA Rule 4511, and similar regulations. This archiving is a legal requirement for our regulated customers; it is not optional. The compliance archive cannot be suppressed, altered, or deleted during the mandatory retention period.

Billing and access management: We use your billing and subscription data to manage your firm's account, process payments, and enforce seat limits.

Security and audit: We log access to the compliance portal and other sensitive functions to detect unauthorized access and support regulatory examination responses.

Platform improvement: We may use aggregated, anonymized usage data to improve the platform. We do not sell personal data to third parties for advertising purposes.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area or United Kingdom, our legal bases for processing your data are:

Performance of a contract: Processing necessary to deliver the messaging service you have signed up for.

Legal obligation: Compliance archiving required by applicable financial regulations.

Legitimate interests: Security logging, fraud prevention, and platform integrity, where these interests are not overridden by your rights.

Consent: Where we rely on consent, you may withdraw it at any time — though withdrawal does not affect the lawfulness of prior processing, and does not apply to data we are legally required to retain.

5. How Long We Keep Data

Compliance archive (message records): A minimum of 7 years from the date of the message, enforced at the storage level. These records cannot be deleted during the retention period, even on account closure, because they belong to the regulated organization's compliance record.

Account data: Retained for the duration of your account, plus a reasonable period after closure to allow for billing reconciliation and regulatory inquiries (typically 12 months).

Compliance portal access logs: Retained for a minimum of 7 years, consistent with the message archive.

Billing records: Retained for 7 years as required by applicable tax and financial record-keeping laws.

Technical and session data: Retained for up to 90 days unless needed for an ongoing security investigation.

6. The Compliance Archive and Data Subject Rights

The compliance archive is designed to be immutable. If you exercise a right to erasure (GDPR Article 17) or deletion under US state privacy law, we will delete your account data and suppress your profile — but we cannot delete message records from the compliance archive. These records are held under a legal obligation that supersedes individual deletion rights.

This is not a loophole. The legal basis for retaining this data is the regulatory obligations of the organization your messages were sent under. Your message records belong to the organization's compliance record, not to your personal account. This is consistent with how Bloomberg, email archiving systems, and other regulated communication platforms operate.

We will clearly inform you of this limitation when you request deletion.

7. Who We Share Data With

We do not sell personal data. We share data only as follows:

Your firm's compliance officers: CCOs and authorized compliance personnel at your organization have access to your message records through the compliance portal, as required for regulatory oversight.

Sub-processors: We use the following third-party services to operate the platform:

  • Amazon Web Services (AWS) — United States — Infrastructure, database hosting, and S3 Object Lock storage for compliance archives.
  • Stripe — United States — Payment processing and subscription management.
  • OpenAI — United States — Powers the optional AI assistant feature (@chat). Only messages containing an @chat command are sent to OpenAI. These are not used to train OpenAI models under our API agreement.

Regulators and law enforcement: We will disclose data when required by a valid legal process — court order, subpoena, regulatory examination, or equivalent. Where legally permitted, we will notify the affected organization before disclosure.

Successors: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy obligations.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account data (subject to the compliance archive limitations described in Section 6).
  • Port your data in a machine-readable format.
  • Object to processing based on legitimate interests.
  • Restrict processing in certain circumstances.

To exercise these rights, contact legal@quavix.com. We will respond within 30 days. If you believe your rights have been violated, you may lodge a complaint with your local data protection authority.

9. Cookies

We use only the cookies necessary to operate the platform: a session cookie that keeps you logged in, and a preference cookie that stores your display theme. We do not use advertising cookies or cross-site tracking.

10. International Transfers

Our infrastructure is hosted in the United States on AWS. If you are located outside the United States, your data will be transferred to and processed in the US. For transfers from the EEA or UK, we rely on standard contractual clauses where required.

11. Security

We implement technical and organizational measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest, AWS S3 Object Lock for archive immutability, role-based access controls, and access logging. For a full description of our security posture, see our Security Overview.

12. Changes to This Policy

We will post any changes to this policy on this page with an updated effective date. For material changes, we will notify account holders by email at least 14 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

13. Contact

Questions about this policy: legal@quavix.com

Quavix, Inc. · New York, NY