Privacy Notice — QueryTek Tapestry

What we process

Depending on configuration, Tapestry may process categories such as business contact details, identifiers used for authentication and routing (for example names, email addresses, usernames, subject or tenant identifiers), session and security telemetry needed to operate the platform, and audit information. We apply data minimization consistent with Tapestry’s role as a broker and routing plane—partner business content generally remains with the Customer and partner applications unless explicitly configured otherwise.

Why we process it

• Provide, secure, monitor, and improve the Tapestry service
• Authenticate and route users per Customer configuration and executed agreements
• Meet legal, security, and compliance obligations
• Respond to requests and incidents, and communicate about the service where appropriate

Legal bases (for example contract, legitimate interests, or consent) depend on context and region; your organization’s administrator or privacy office can clarify how your employer instructs processing for workforce use.

Regional privacy rights

Privacy laws vary by location. Tapestry implements jurisdictional controls and workflows aligned with SPEC-020 (for example CCPA/CPRA and PIPEDA where applicable). Depending on your situation, you may have rights to access, correct, delete, or limit certain processing, or to appeal a decision.

• California (CCPA/CPRA): California residents may have rights to know, delete, correct, and opt out of certain “selling” or “sharing” as defined by law. We do not sell personal information for monetary consideration; describe any sharing under CPRA in your organization’s notices as applicable.
• Canada (PIPEDA): Individuals may have rights of access and challenge to accuracy, subject to exceptions; regional workflows may apply when enabled for the tenant.
• EEA, UK, Switzerland: If GDPR or UK GDPR applies, you may have rights including access, rectification, erasure, restriction, portability, and objection; transfers outside those regions typically rely on approved mechanisms described in the DPA (for example Standard Contractual Clauses).

How to exercise rights: If you access Tapestry through an employer or Customer, direct most privacy requests to that organization’s privacy or IT contact—they are often the controller. If you contact us directly, we may need to verify your request and coordinate with the Customer when we act as a processor.

Privacy inquiries: privacy@querytek.io (monitored mailbox; replace with production alias if different).

Retention, subprocessors, and transfers

We retain personal information only as long as needed for the purposes above, consistent with Customer instructions, our retention schedules, and law. We use infrastructure and service providers (“subprocessors”) under contractual safeguards. Cross-border transfers use mechanisms appropriate to the jurisdictions involved, as documented in customer agreements.

Updates

We may update this notice from time to time. The effective date reflects the latest revision posted here. Material changes may also be communicated through Customer administrators or contractual channels where required.

Effective: April 22, 2026