Contents
1. Overview
This Privacy Policy describes how Que (que.fyi) collects, uses, stores, and protects your personal information when you use our platform. Que is a scheduled AI prompt platform that lets you configure AI-powered prompts to run on schedules and delivers the results to you via email. Que operates on a Bring Your Own Key (BYOK) model: you provide your own API keys for the AI providers you wish to use, and Que executes prompts on your behalf using those keys.
Que is operated from Australia. Our infrastructure is hosted in the ap-southeast-2 (Sydney, Australia) region via Supabase on AWS. We are committed to complying with the Australian Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs) that govern how APP entities handle personal information.
This policy applies to all visitors, users, and customers of the Que website, application, and related services. By creating an account or using Que, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.
For the purposes of this policy, "personal information" has the meaning given in the Privacy Act 1988 and includes any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.
2. Information We Collect
Account information
When you sign up for Que, we collect your name and email address. Authentication is handled by Supabase Auth, which may also store a hashed password or OAuth provider token depending on your sign-in method. We do not store raw passwords.
API keys (BYOK)
You provide API keys for third-party AI providers (currently Anthropic and OpenAI). These keys are encrypted immediately upon submission using AES-256-GCM and stored within Supabase Vault. Que never stores API keys in plaintext, never logs them, and never transmits them except to the AI provider you have configured during task execution. See Section 4: BYOK Data Flow for full details.
Task configurations
We store the prompts you write, the schedules you configure (cron expressions, time zones), delivery settings (recipient email addresses), model selections, and any other parameters you set for your tasks. This data is necessary to operate the service.
Task execution data
Each time a task runs, we record the run status (success, failure, or timeout), execution duration, token usage counts, and the AI-generated output. Outputs are stored according to your plan's retention period and are accessible only to you.
Payment information (future)
When paid plans are introduced, billing will be processed by Stripe. Que will never directly receive, process, or store your full credit card number, CVV, or other sensitive payment credentials. We will store only the information Stripe provides to us, such as your billing email, card brand, last four digits, and subscription status.
Information collected automatically
- Usage analytics (Mixpanel) — pages viewed, features used, task creation and execution counts, error rates, and anonymised interaction events. These help us understand how Que is used and identify areas for improvement.
- Session data — browser type, device type, operating system, screen resolution, anonymised IP address (truncated to /24 for IPv4), referral source, and session duration.
- Server logs — Supabase Edge Function invocation logs, including timestamps, HTTP status codes, and execution durations. These logs do not contain prompt content or AI outputs.
What we do NOT collect:
- We do not read, log, or analyse the content of your prompts or AI-generated outputs for any purpose other than delivering the service to you.
- We do not collect biometric data, precise geolocation (GPS), contacts, photos, or data from other applications on your device.
- We do not collect sensitive information as defined under APP 3.4 (such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or criminal records).
- We do not use your API keys for any purpose other than executing your configured tasks.
3. How We Use Your Information
We collect and use your information only for the following purposes, consistent with APP 6 (use or disclosure of personal information):
- Operate the service — authenticate your account, execute your scheduled tasks using your API keys, store outputs, and deliver results to your designated email address via Resend.
- Communicate with you — send task result emails, account notifications (such as password resets and verification), quota alerts, service status updates, and material policy changes.
- Improve Que — analyse aggregated and anonymised usage data to identify bugs, improve features, optimise performance, and plan our product roadmap. We never use individual prompt content or AI outputs for this purpose.
- Enforce our terms — detect and prevent abuse, fraud, or violations of our Terms of Service, and protect the security and integrity of the platform.
- Process payments — handle billing, subscription management, invoicing, and refunds when paid plans are available, via Stripe.
- Legal obligations — comply with applicable laws, regulations, legal processes, or enforceable governmental requests, including Australian tax and record-keeping requirements.
We do NOT:
- Sell, rent, lease, or trade your personal information to any third party, ever.
- Use your prompts, AI outputs, or API keys to train, fine-tune, or improve any AI or machine-learning model.
- Serve advertisements of any kind, or use your data for ad targeting or retargeting.
- Build marketing profiles, user segments, or behavioural profiles from your individual usage patterns.
- Share your personal information with data brokers or aggregators.
4. BYOK Data Flow
Because Que operates on a Bring Your Own Key (BYOK) model, it is important that you understand exactly what happens with your API keys and prompt data throughout the lifecycle of a task execution. This section describes the complete data flow.
How task execution works
- Trigger — at the scheduled time, Que's task scheduler invokes a Supabase Edge Function to execute your task.
- Key retrieval — the Edge Function, running under a dedicated
que_executorPostgreSQL role, retrieves your encrypted API key from Supabase Vault and decrypts it in memory using the Vault's Data Encryption Key (DEK). - Prompt dispatch — your prompt is sent to the AI provider you configured (Anthropic or OpenAI) over a TLS 1.2+ encrypted connection, authenticated with your decrypted API key. The prompt is sent only to the single provider you selected. It is never sent to any other provider, service, or endpoint.
- Response receipt — the AI provider processes your prompt under your API account and returns the output to the Edge Function.
- Key zeroing — immediately after the API call completes (whether successful or failed), the decrypted API key is zeroed from memory. It is never written to disk, logged, cached, or persisted outside Supabase Vault.
- Output storage — the AI output is stored in your account's run history, encrypted at rest in the Supabase database, subject to your plan's retention period.
- Delivery — the output is sent to your configured email address via Resend.
What Que does NOT do with your data
- Que does not use your prompts or AI outputs for any form of training, analytics, benchmarking, or product improvement.
- Que does not inspect, log, or monitor the content of your prompts or outputs beyond what is necessary to store and deliver them to you.
- Que does not aggregate prompt or output content across users for any purpose.
- Que does not retain your decrypted API key beyond the duration of a single task execution.
AI provider data handling
Important: When Que sends your prompt to an AI provider using your API key, that provider receives and processes your data under their privacy policy and terms of service, not ours. Que acts as an intermediary executing requests on your behalf, similar to any other API client. You are responsible for reviewing and accepting the privacy policies of the AI providers whose keys you use:
- Anthropic — anthropic.com/privacy
- OpenAI — openai.com/privacy
Que has no control over how these providers handle data once it is transmitted to their API endpoints. The provider's data retention, training, and privacy practices are governed entirely by their own policies and the terms of your API agreement with them.
Output retention
AI-generated outputs are stored in your account according to your plan's retention period:
- Free tier — 7 days
- Pro tier — 90 days
- Team tier — unlimited (until account deletion)
After the retention period expires, outputs are permanently and irreversibly deleted from our database. There is no recovery mechanism.
API key security details
- Encryption algorithm — AES-256-GCM (authenticated encryption with associated data).
- Key management — Data Encryption Keys (DEKs) are managed by Supabase Vault, which handles key rotation and secure storage. DEKs are never exposed to application code or client-side environments.
- Access control — only the
que_executorPostgreSQL role can invoke the Vault decryption function, and only within the context of a Supabase Edge Function execution. No other role, including the application's standardanonorauthenticatedroles, can decrypt API keys. - Transport security — all API calls to AI providers are made over TLS 1.2 or higher. Certificate pinning is enforced by the Deno runtime in Supabase Edge Functions.
- No logging — decrypted keys are never written to logs, error reports, analytics, or any persistent storage outside Supabase Vault.
5. Third-Party Services
Que relies on a limited number of third-party services to operate. We have selected these providers carefully, prioritising those with strong privacy practices and, where possible, Australian or regional data hosting. Below is a complete and exhaustive list of services that receive or process your data:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database, authentication, edge function execution, vault (key storage) | Account data, encrypted API keys, task configurations, run outputs, auth tokens | supabase.com/privacy |
| Anthropic | AI model provider (via your key) | Prompt text sent and AI output received using your API key | anthropic.com/privacy |
| OpenAI | AI model provider (via your key) | Prompt text sent and AI output received using your API key | openai.com/privacy |
| Resend | Transactional email delivery | Recipient email address, email subject, email body (task output) | resend.com/legal/privacy-policy |
| Mixpanel | Product usage analytics | Anonymised usage events, user ID, email, anonymised IP | mixpanel.com/legal/privacy-policy |
| Stripe (future) | Payment processing | Email, billing address, payment method token | stripe.com/privacy |
| Google Fonts | Web typography | IP address, browser user-agent (standard HTTP request headers) | policies.google.com/privacy |
We do not share your personal information with any parties other than those listed above. We do not sell, rent, or trade your data. Each third-party provider is used solely for its stated purpose, and we only share the minimum data necessary for that purpose, consistent with APP 6.
6. Cookies and Tracking
Essential cookies and storage
Supabase authentication tokens are stored in your browser's localStorage. These are strictly necessary for the service to function and cannot be disabled while using Que. They contain no personal information beyond an opaque session identifier.
Analytics cookies
Mixpanel sets first-party cookies and uses localStorage to assign a unique device identifier for analytics purposes. This helps us understand how users interact with Que, identify bugs, and prioritise feature development. Mixpanel data is anonymised and never includes prompt content or AI outputs.
No advertising cookies
We do not use advertising cookies, tracking pixels, retargeting scripts, social media widgets, or any other form of cross-site tracking technology. Que has no advertising of any kind.
Do Not Track (DNT)
We respect the Do Not Track browser signal. If your browser sends a DNT header, we will disable Mixpanel analytics for your session. You can also opt out of analytics tracking entirely by contacting us at support@que.fyi, and we will configure your account to exclude all non-essential tracking.
7. Your Rights
Under the Australian Privacy Principles (APPs 12 and 13 in particular) and consistent with rights afforded under the GDPR, you have the following rights regarding your personal information:
- Access (APP 12) — you may request a copy of the personal information we hold about you. We will respond within 30 days and provide the information in a commonly used, machine-readable format.
- Correction (APP 13) — you may update or correct your personal information at any time via your account Settings page. If you identify an error in information we hold that you cannot correct yourself, contact us and we will rectify it promptly.
- Deletion — you may delete your account and all associated data at any time. Upon account deletion: API keys are deleted immediately, task configurations and account data are purged within 30 days, and run outputs are deleted per your tier's retention schedule or immediately if requested. See Section 8: Data Retention for details.
- Data export — you may request a full export of your data, including task configurations, run history, and account information. We will provide the export in JSON format within 30 days.
- Objection — you may contact us to object to specific data processing activities. Where we have no overriding legitimate interest or legal obligation, we will cease the processing you have objected to.
- Restrict processing — you may request that we limit our processing of your personal information to storage only while a dispute or request is being resolved.
- Complaint to the OAIC — if you believe we have breached your privacy or mishandled your personal information, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. We ask that you contact us first at support@que.fyi so we have the opportunity to address your concern directly.
To exercise any of these rights, email us at support@que.fyi. We may need to verify your identity before processing your request, and we will respond within 30 days.
8. Data Retention
We retain your data only for as long as necessary to provide the service or comply with legal obligations. The following table details our retention periods for each category of data:
| Data Type | Retention Period | Notes |
|---|---|---|
| Account information | Until account deletion + 30 days | Name, email, auth data. 30-day buffer allows for accidental deletion recovery. |
| API keys | Immediate deletion | Deleted instantly when you remove a key or delete your account. No grace period. |
| Task configurations | Until account deletion + 30 days | Prompts, schedules, delivery settings, model selections. |
| Run outputs | 7 days (Free) / 90 days (Pro) / unlimited (Team) | Permanently deleted after retention period. No recovery. |
| Usage analytics | 12 months (anonymised) | Stored in Mixpanel. Anonymised and aggregated. Does not include prompt content. |
| Email delivery logs | 30 days | Stored by Resend. Includes delivery status, not full email content after 30 days. |
| Payment records (future) | 7 years | Required under Australian taxation law (Income Tax Assessment Act 1997). |
When data is deleted, it is permanently removed from our active database. Supabase may retain encrypted backups for a limited period as part of their infrastructure disaster recovery, subject to Supabase's privacy policy.
9. Data Security
We take the security of your personal information seriously and implement multiple layers of protection consistent with APP 11 (security of personal information):
Encryption at rest
- API keys are encrypted using AES-256-GCM (authenticated encryption with associated data) before storage.
- Data Encryption Keys (DEKs) are managed exclusively through Supabase Vault and are never exposed to application code, client-side environments, or server logs.
- The underlying Supabase database uses full-disk encryption on AWS infrastructure.
Encryption in transit
- All data transmitted between your browser and our servers is protected with TLS 1.2 or higher.
- All API calls from Que to AI providers are made over TLS-encrypted connections.
- HSTS (HTTP Strict Transport Security) headers are enforced to prevent protocol downgrade attacks.
Access control
- Database access is scoped using PostgreSQL Row Level Security (RLS) policies, ensuring users can only access their own data.
- A dedicated
que_executorPostgreSQL role is used for task execution with the minimum required permissions (principle of least privilege). - API key decryption is restricted to the
que_executorrole within Supabase Edge Functions only.
Edge Function isolation
- Each task execution runs in an isolated Supabase Edge Function invocation with its own memory space.
- Decrypted API keys exist in memory only for the duration of the API call and are zeroed immediately after.
- Edge Functions have no persistent file system access and cannot write to disk.
Monitoring and incident response
- We monitor for unauthorised access attempts and anomalous activity patterns.
- Access to production infrastructure is restricted and logged.
10. Data Breach Response
In the event of a data breach involving personal information, we will follow the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988:
- Assessment — upon becoming aware of a suspected breach, we will promptly assess whether the breach is likely to result in serious harm to affected individuals.
- Containment — we will take immediate steps to contain the breach and mitigate any potential harm, including revoking compromised credentials, isolating affected systems, and patching vulnerabilities.
- Notification to affected users — if we determine the breach is likely to result in serious harm, we will notify affected users as soon as practicable, and no later than 30 days after becoming aware of the breach. Notification will include the nature of the breach, the types of information involved, and recommended steps you should take (such as rotating your API keys).
- Notification to the OAIC — we will notify the Office of the Australian Information Commissioner as required under the NDB scheme, including all mandatory particulars.
- Remediation — we will conduct a thorough post-incident review to identify root causes and implement measures to prevent recurrence.
If you believe your account or API keys have been compromised, contact us immediately at support@que.fyi. We recommend that you also rotate your API keys directly with your AI provider as a precaution.
11. Children
Que is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children or minors. If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete that information as quickly as possible and terminate the associated account. If you believe a child has provided us with personal data, please contact us immediately at support@que.fyi.
12. International Users
Que is operated from Australia, and your data is stored on infrastructure located in the ap-southeast-2 (Sydney, Australia) AWS region. If you are accessing Que from outside Australia, please be aware that your data will be transferred to and processed in Australia.
By using Que, you consent to this transfer and acknowledge that your data will be subject to Australian privacy laws, which may differ from those in your country of residence. We take reasonable steps, consistent with APP 8 (cross-border disclosure of personal information), to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where you are located.
Some third-party services we use (such as Mixpanel, Resend, and Stripe) may process data in jurisdictions outside Australia, including the United States. We only engage third-party providers that maintain appropriate privacy and security safeguards. Refer to the Third-Party Services table for links to each provider's privacy policy.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, third-party services, or legal requirements.
- Material changes — if we make changes that materially affect how we collect, use, or share your personal information, we will notify you by email at least 14 days before the changes take effect. Material changes include new categories of data collection, new third-party data sharing, or changes to your rights.
- Non-material changes — minor clarifications, formatting updates, or changes that do not affect your rights may be made without advance notice.
The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically. Your continued use of Que after changes take effect constitutes acceptance of the updated policy.
14. Contact
For all privacy-related questions, data access requests, correction requests, deletion requests, complaints, or any other concerns about how we handle your personal information, contact us at:
Email: support@que.fyi
We will acknowledge your enquiry within 5 business days and aim to resolve all requests within 30 days.
If you are not satisfied with our response, or if you believe we have breached the Australian Privacy Principles, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au