Privacy Policy

Last updated: 10 June 2026

This Privacy Policy explains how Roman Demydov (“we”, “us”) handles information when you use the Quill application for HubSpot (the “Service”). We act as a data processor for the CRM data we process on your behalf; you (the installing organization) are the data controller for that data.

Information we process

• HubSpot account identifiers — your HubSpot portal ID, the acting user’s ID and email, and the app ID, supplied by HubSpot with each request.
• OAuth tokens — access and refresh tokens that authorize Quill to read and write the CRM data you approve. These are encrypted at rest.
• CRM content — when you trigger a feature, we read the relevant contact’s properties and associated engagements (emails, notes, calls) needed to produce the requested output.
• Your AI provider key — if you configure one, it is encrypted before storage and used only to call your chosen AI provider on your behalf.
• Configuration and subscription status — your selected AI provider/model and your subscription/trial state.

How we use it

We process this information solely to provide the Service: to authenticate with HubSpot, to generate summaries and drafts, and to create tasks you request. CRM content is processed transiently to fulfil a request and is not retained by us after the response is produced. We do not sell your data and we do not use your CRM data to train any model.

Sub-processors

To deliver the Service we share data with the following providers, only as needed:

• HubSpot — the source CRM and the platform the Service runs in.
• Your chosen AI provider — DeepSeek, OpenAI, or Anthropic, depending on your configuration. The CRM content needed for a request is sent to that provider to generate output, under that provider’s API terms.
• Paddle — our Merchant of Record, which processes payments and billing data.
• Our hosting and database providers — Ionos, USA, which store encrypted tokens and configuration.

Retention

We retain OAuth tokens, your encrypted AI key, and configuration for as long as the app is installed. CRM content used to generate output is not stored after the request completes. When you uninstall the app or on request, we delete the stored tokens, key, and configuration.

Security

Tokens and your AI provider key are encrypted using authenticated encryption (AES-256-GCM) before storage. Requests from the app to our backend are verified using HubSpot’s request signatures, and traffic is sent over HTTPS.

Your rights

Depending on your jurisdiction (including under the GDPR), you may have rights to access, correct, or delete personal data, or to restrict or object to its processing. As we process CRM data on behalf of the installing organization, please direct data-subject requests to that organization; we will assist them as their processor. To exercise rights regarding data we hold as a controller (e.g., account/billing data), contact us below.

Changes

We may update this policy; the “Last updated” date reflects the latest version.

Contact

Roman Demydov, Ukraine — romandemidov1993@gmail.com.