Privacy Policy

SuperNomics Technologies Inc.

Effective Date: December 1, 2023
Last Reviewed: December 21, 2025
Next Review: May 2026
Version: 3.0

1.   Introduction

SuperNomics Technologies Inc. (“SuperNomics,” “we,” “us,” or “our”) provides billing and practice management software for professional services firms through our product Sque™ (“Sque,” “Service,” or “Services”). We are committed to protecting your privacy and being transparent about how we collect, use, and share your information.

This Privacy Policy applies to information we collect through:

  • Our websites (sque.ai, supernomics.ai, and related domains)
  • Our software applications and services (Sque)
  • Email, text, and other electronic communications
  • Interactions with our advertisements and applications on third-party websites

This Privacy Policy does NOT apply to:

  • Information collected by third parties, including through any application or content that may link to or be accessible from our Services
  • Information you provide directly to third parties

We never train on your data. We do not use your customer data, documents, or communications to train artificial intelligence models or any other machine learning systems. Your data remains yours.

Please read this Privacy Policy carefully. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Services.

Notice at Collection for California Residents

This Privacy Policy serves as our Notice at Collection as required by the California Consumer Privacy Act (CCPA). We collect the categories of personal information described in Section 2 below for the business purposes described in Section 3.

2.   Information We Collect

We collect information about you in various ways when you use our Services.

2.1   Information You Provide to Us

Account Information: When you create an account, we collect your name, email address, phone number, company name, job title, and password.

Profile Information: You may choose to provide additional profile information such as your professional credentials, bar admissions, professional licenses, photo, and biography.

Billing and Payment Information: If you purchase our Services, we collect billing information including your name, billing address, and payment method details. Payment information is processed by our third-party payment processors and is subject to their privacy policies.

Content You Create: We collect and store content you create, upload, or provide when using our Services, including:

  • Client and matter information
  • Time entries and billing records
  • Invoices and payment records
  • Documents, files, and attachments
  • Notes, comments, and communications
  • Calendar entries and scheduling information
  • Task lists and project information

Communications: When you contact us, we collect the information you provide in your communications, including your name, email address, phone number, and the contents of your messages.

Survey and Research Information: If you participate in surveys or research, we collect the information you provide.

2.2   Information We Collect Automatically

Usage Information: We automatically collect information about how you use our Services, including:

  • Features you use and actions you take
  • Pages and content you view
  • Time, frequency, and duration of your activities
  • Search queries and results
  • Interactions with other users

Device Information: We collect information about the devices you use to access our Services, including:

  • Device type, model, and operating system
  • Browser type and version
  • IP address
  • Device identifiers
  • Mobile network information

Location Information: We collect approximate location information based on your IP address. We do not collect precise geolocation data unless you explicitly grant permission through your device settings.

Cookies and Similar Technologies: We use cookies, web beacons, pixels, and similar technologies to collect information. See our Cookie Notice for details.

Log Information: Our servers automatically record information when you use our Services, including:

  • Access times and dates
  • Referring URLs
  • Error logs and debugging information

2.3   Information from Third Parties

Integration Partners: When you connect third-party services to your account (such as calendar applications, email providers, payment processors, or accounting software), we receive information from those services as authorized by you.

Business Partners: We may receive information about you from our business partners, such as companies that offer co-branded services or participate in joint marketing activities.

Publicly Available Sources: We may collect information about you from publicly available sources to verify your identity or credentials.

2.4   Meeting Metadata

When you use Sque to track billable time from meetings:

  • We collect metadata about meetings including participant names, email addresses, meeting title, start time, end time, and duration
  • We may capture meeting links and conferencing details
  • We do NOT record meeting content (audio, video, or transcription) unless you explicitly enable recording features

For information about meeting recordings, see Section 8 and our Conferencing, Meetings & Recording Addendum.

2.5   Categories of Personal Information (CCPA)

For California residents, we collect the following categories of personal information as defined by the CCPA:

  • Identifiers: Name, email address, IP address, account name, and online identifiers
  • Customer Records: Name, address, phone number, payment information
  • Protected Classifications: Professional credentials, bar admissions, licenses (voluntarily provided)
  • Commercial Information: Billing records, purchase history, client information
  • Internet/Network Activity: Browsing history, search history, interaction with our Services
  • Geolocation Data: Approximate location based on IP address
  • Professional Information: Employment information, professional credentials, work history
  • Inferences: Preferences and behavior patterns derived from your use of our Services

We do NOT collect sensitive personal information as defined by the CCPA, including precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data for identification purposes, health information, or information concerning sex life or sexual orientation.

3.   How We Use Your Information

We use the information we collect for the following purposes:

3.1   To Provide and Improve Our Services

  • Create and maintain your account
  • Provide access to our Services and features
  • Process transactions and send billing information
  • Provide customer support and respond to your requests
  • Improve, test, and monitor the effectiveness of our Services
  • Develop new features, products, and services
  • Debug and repair errors
  • Perform data analysis and testing
  • Conduct research and analytics

3.2   To Communicate With You

  • Send you service-related announcements and updates
  • Respond to your inquiries and requests
  • Send you marketing communications (with your consent where required)
  • Request feedback or participation in surveys
  • Notify you about changes to our Services or policies

3.3   To Ensure Security and Prevent Fraud

  • Authenticate users and prevent unauthorized access
  • Detect, investigate, and prevent fraudulent transactions and other illegal activities
  • Monitor and analyze security threats
  • Enforce our Terms & Conditions and other policies
  • Comply with legal obligations and protect legal rights

3.4   To Personalize Your Experience

  • Customize content and features based on your preferences
  • Remember your settings and preferences
  • Provide relevant recommendations
  • Display personalized advertisements (with your consent where required)

3.5   For Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from public authorities
  • Enforce our agreements and protect our rights
  • Establish, exercise, or defend legal claims

3.6   With Your Consent

We may use your information for additional purposes with your explicit consent.

3.7   Business Purposes (CCPA)

For California residents, we use personal information for the following business purposes as defined by the CCPA:

  • Auditing interactions and transactions
  • Security and fraud detection
  • Debugging and repair
  • Short-term, transient use
  • Performing services on behalf of the business
  • Internal research for technological development
  • Quality and safety verification and improvement

4.   How We Share Your Information

We share your information in the following circumstances:

4.1   With Your Consent

We share your information when you direct us to do so or consent to the sharing.

4.2   Service Providers

We share information with third-party service providers who perform services on our behalf, including:

  • Cloud hosting and infrastructure providers
  • Payment processors
  • Email and communication services
  • Analytics providers
  • Customer support tools
  • Security and fraud prevention services
  • Marketing and advertising partners

These service providers are contractually obligated to protect your information and may only use it to provide services to us. For a current list of our subprocessors, see our Subprocessor List.

4.3   Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

4.4   Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, search warrants)
  • Government or regulatory requests
  • Legal claims or disputes
  • Emergencies involving danger of death or serious physical injury

4.5   Protection of Rights

We may share information to:

  • Enforce our Terms & Conditions and other agreements
  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others
  • Detect, prevent, or investigate security incidents or fraud

4.6   Aggregated or De-identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you.

4.7   Within Our Corporate Family

We may share information with our parent company, subsidiaries, and affiliates for purposes consistent with this Privacy Policy.

4.8   Disclosures to Third Parties (CCPA)

For California residents, we disclose the following categories of personal information for business purposes:

  • Identifiers
  • Customer Records
  • Commercial Information
  • Internet/Network Activity
  • Geolocation Data
  • Professional Information
  • Inferences

We disclose these categories to: service providers, cloud hosting providers, payment processors, analytics providers, communication service providers, and security providers.

We do NOT sell your personal information. We have not sold personal information in the preceding 12 months and do not have actual knowledge that we sell personal information of minors under 16 years of age.

5.   Data Retention

We retain your information for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements.

5.1   Retention Periods

Account Information: Retained for the duration of your account plus a reasonable period after account closure to comply with legal obligations and resolve disputes.

Billing and Transaction Records: Retained for at least 7 years to comply with accounting and tax requirements.

Client and Matter Data: Retained according to your retention settings and professional obligations. You control when this data is deleted.

Communications: Support communications retained for 3 years. Marketing communications retained until you unsubscribe.

Usage and Log Data: Retained for up to 2 years for security, debugging, and analytics purposes.

Backup Data: Retained in encrypted backups for up to 90 days, then permanently deleted.

5.2   Deletion

When we delete information, we do so in a manner designed to make recovery impossible. Deleted information may persist in backups for up to 90 days before permanent deletion.

You may request deletion of your information at any time by contacting us at [email protected]. See Section 6 for information about your deletion rights.

6.   Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information.

6.1   Rights for All Users

Access: You can access most of your information through your account settings.

Correction: You can correct inaccurate information through your account settings.

Deletion: You can request deletion of your information, subject to legal retention requirements.

Portability: You can export your data in common formats.

Objection: You can object to certain processing of your information.

6.2   Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights:

Right to Know: You can request disclosure of: categories of personal information we collect; categories of sources from which we collect personal information; business or commercial purposes for collecting personal information; categories of third parties with whom we share personal information; and specific pieces of personal information we have collected about you.

Right to Delete: You can request deletion of your personal information, subject to certain exceptions.

Right to Correct: You can request correction of inaccurate personal information.

Right to Opt-Out: You have the right to opt-out of the sale or sharing of your personal information. We do not sell personal information.

Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Right to Appeal: If we deny your request, you have the right to appeal our decision. See Section 6.6 below.

6.3   Rights for European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:

Right of Access: You can obtain confirmation of whether we process your personal data and request a copy.

Right to Rectification: You can request correction of inaccurate personal data.

Right to Erasure: You can request deletion of your personal data in certain circumstances.

Right to Restriction: You can request restriction of processing in certain circumstances.

Right to Data Portability: You can receive your personal data in a structured, commonly used format.

Right to Object: You can object to processing based on legitimate interests or direct marketing.

Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time.

Right to Lodge a Complaint: You can lodge a complaint with your local data protection authority.

Legal Basis for Processing:

  • Contract performance (to provide our Services)
  • Legitimate interests (to improve and secure our Services)
  • Legal obligations (to comply with laws)
  • Consent (where required)

6.4   Rights for Other Jurisdictions

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA): Residents of these states have rights similar to California residents, including rights to access, correct, delete, and opt-out, as well as the right to appeal denials.

Canada (PIPEDA): Canadian residents have rights to access and correct personal information and challenge compliance with PIPEDA.

Other Jurisdictions: If you reside in a jurisdiction with privacy laws not specifically mentioned here, you may have additional rights under local law. Contact us to learn more.

6.5   How to Exercise Your Rights

To exercise your privacy rights:

Online: Submit a request through our Privacy Request Form at https://supernomics.ai/privacy-request.

Email: Send a request to [email protected].

Verification: To protect your privacy, we must verify your identity before fulfilling your request. We will request information to match against our records, such as your name, email address, and account information.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization.

Response Time — We will respond to verified requests within:

  • 45 days (CCPA) — may extend once by 45 days with notice
  • 30 days (GDPR) — may extend by 2 months with notice
  • Timeframes specified by other applicable laws

6.6   Appeal Process (CCPA/CPRA and Other Applicable Laws)

If we deny your request in whole or in part, you have the right to appeal our decision.

How to Appeal:

  • Submit your appeal within 30 days of receiving our denial
  • Include your original request details and reasons for appealing

Send your appeal to [email protected] with the subject line “Privacy Request Appeal”.

Appeal Process:

  • We will acknowledge receipt within 5 business days
  • We will review your appeal and respond within 45 days (CCPA) or the timeframe required by applicable law
  • Our response will explain our decision and provide additional information about your rights
  • If we deny your appeal, we will provide information about how to contact your local attorney general or data protection authority

6.7   No Fee

We do not charge a fee to process or respond to your privacy requests unless requests are manifestly unfounded or excessive, or you request additional copies of information beyond the first copy. If we determine a fee is warranted, we will notify you and provide a cost estimate before completing your request.

7.   International Data Transfers

SuperNomics is based in the United States. If you access our Services from outside the United States, your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

These countries may have data protection laws that differ from the laws of your country. By using our Services, you consent to the transfer of your information to the United States and other countries.

7.1   European Economic Area (EEA), United Kingdom, and Switzerland

For data transfers from the EEA, UK, or Switzerland to the United States and other countries that do not provide an adequate level of data protection, we implement appropriate safeguards:

Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission for transfers of personal data to third countries.

UK International Data Transfer Addendum (IDTA): For transfers from the UK, we use the UK IDTA to the EU SCCs.

Swiss SCCs: For transfers from Switzerland, we use Swiss-approved Standard Contractual Clauses.

Data Processing Addendum: Our Data Processing Addendum incorporates these mechanisms. Enterprise customers can execute our DPA at https://supernomics.ai/dpa.

7.2   EU Representative (Article 27 GDPR)

We are currently evaluating whether we are required to appoint a representative in the European Union under Article 27 GDPR. If required, we will appoint a representative and provide their contact details here.

7.3   UK Representative (Article 27 UK GDPR)

We are currently evaluating whether we are required to appoint a representative in the United Kingdom under Article 27 UK GDPR. If required, we will appoint a representative and provide their contact details here.

8.   Video Conferencing & Meeting Recordings

Sque may capture meeting metadata (participants, duration, timing) to create billable time entries. Recording of meeting content (audio, video, transcription) is optional and controlled by the meeting host.

8.1   Meeting Metadata

What We Collect:

  • Meeting participants (names, email addresses)
  • Meeting title or subject
  • Start time, end time, and duration
  • Meeting link or conferencing details
  • Calendar integration information

How We Use Metadata:

  • Create automatic time entries for billing
  • Suggest client and matter associations
  • Calculate billable hours
  • Generate productivity reports

8.2   Meeting Recordings

Recording is OFF by default. Meeting hosts must explicitly enable recording.

Key Points:

  • All participants must be notified before and during recording
  • Participants can decline to be recorded
  • Recordings are encrypted and access-controlled
  • Participants can request deletion of recordings
  • Meeting hosts are responsible for obtaining appropriate consent and complying with applicable laws

For detailed information about meeting recordings, including consent requirements, participant rights, host responsibilities, legal compliance (two-party consent states, attorney-client privilege, HIPAA), data handling and security, and platform-specific details (Zoom, Microsoft Teams, Google Meet), please see our Conferencing, Meetings & Recording Addendum.

9.   AI Processing & Automated Decision-Making

Sque uses artificial intelligence to enhance your experience and automate certain tasks.

9.1   How We Use AI

Ask Sque (AI Assistant):

Our AI assistant uses large language models from providers such as OpenAI to:

  • Answer questions about your billing data
  • Generate billing narratives and invoice descriptions
  • Suggest time entries and rates
  • Provide insights and recommendations
  • Draft communications and documents

Automated Suggestions:

We use machine learning to:

  • Suggest clients and matters for time entries
  • Recommend billing rates
  • Identify potentially billable activities
  • Flag missing or incomplete information
  • Predict payment likelihood

Data Analysis:

We use AI to analyze aggregate data for:

  • Improving our Services
  • Developing new features
  • Generating industry benchmarks (anonymized)

9.2   AI Processing Controls

We never train on your data. We do not use your customer data, documents, or communications to train AI models or machine learning systems. Your data is used only to provide services to you.

Third-Party AI Providers: When you use AI features, your queries may be sent to third-party AI providers such as OpenAI. These providers: process your data according to their terms and privacy policies; do not use your data to train their models (per our agreements with them); delete your data after processing (typically within 30 days); and may retain limited data for safety and abuse monitoring purposes.

Data Minimization: We send only the minimum data necessary to AI providers to fulfill your requests. We do not send entire databases or unrelated information.

Opt-Out: You can disable AI features in your account settings. This will prevent your data from being sent to third-party AI providers.

9.3   Automated Decision-Making (GDPR Article 22)

We do not make decisions solely based on automated processing that produce legal effects or similarly significantly affect you.

Our AI features provide suggestions and recommendations, but final decisions are always made by human users. For example:

  • AI may suggest a billing rate, but you decide whether to use it
  • AI may draft an invoice description, but you review and approve it
  • AI may flag a missing time entry, but you decide how to handle it

If we implement automated decision-making in the future, we will notify you and obtain your explicit consent where required, provide information about the logic involved, give you the right to obtain human intervention, and allow you to express your point of view and contest the decision.

9.4   AI Disclaimers

AI-Generated Content is Provided "AS IS": AI may generate inaccurate, incomplete, or inappropriate content. You are responsible for reviewing and verifying all AI-generated content before use.

No Legal Advice: AI-generated content is not legal advice. Do not rely on AI-generated content for legal decisions without consulting a qualified attorney.

Professional Responsibility: You are responsible for complying with your professional obligations and rules of professional conduct when using AI features.

Confidentiality: Be cautious when including confidential or privileged information in AI queries. While we implement safeguards, no system is perfectly secure.

10.   Children's Privacy

Our Services are not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18.

If you are under 18, do not:

  • Use or provide any information on or through our Services
  • Create an account
  • Make any purchases
  • Use any interactive features
  • Provide any information about yourself

If we learn that we have collected personal information from a child under 18 without parental consent, we will delete that information. If you believe we have collected information from a child under 18, please contact us at [email protected].

11.   Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction.

11.1   Security Measures

Data Encryption:

  • Data in transit: TLS 1.2 or higher
  • Data at rest: AES-256 encryption
  • Database encryption: Transparent data encryption (TDE)
  • Backup encryption: AES-256

Access Controls:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) required for sensitive operations
  • Principle of least privilege
  • Regular access reviews

Network Security:

  • Firewalls and intrusion detection systems
  • Regular vulnerability scanning
  • Penetration testing
  • DDoS protection

Application Security:

  • Secure development practices
  • Code review and static analysis
  • Regular security updates
  • Third-party security audits

Organizational Security:

  • Background checks for employees with data access
  • Security awareness training
  • Incident response plan
  • Data breach notification procedures

Compliance Programs:

  • SOC 2 Type II (in progress — target Q2 2026)
  • ISO 27001 alignment (pursuit underway)
  • HIPAA-supporting controls for healthcare clients
  • Regular compliance audits

11.2   Your Responsibilities

Account Security — You are responsible for:

  • Maintaining the confidentiality of your password
  • Restricting access to your account
  • Logging out when finished
  • Notifying us immediately of unauthorized access

Use Strong Passwords — Use passwords that are:

  • At least 12 characters long
  • Made up of uppercase and lowercase letters, numbers, and symbols
  • Not reused from other services
  • Changed regularly

Enable MFA: We strongly recommend enabling multi-factor authentication for additional security.

11.3   Security Incidents

Despite our security measures, no system is completely secure. If you discover a security vulnerability, please report it to [email protected]. We have a responsible disclosure policy and will acknowledge and address reported vulnerabilities promptly.

In the event of a data breach that affects your information, we will notify you:

  • Without undue delay
  • Within the timeframe required by applicable law (e.g., 72 hours under GDPR, as required by state breach notification laws)
  • Via email or account notification
  • With information about the breach, affected data, and steps we are taking

For more information about our security practices, see our Security Overview at https://supernomics.ai/security.

12.   Third-Party Services

Our Services may contain links to third-party websites, applications, or services that are not operated or controlled by SuperNomics.

12.1   Third-Party Links

When you click on third-party links, you will leave our Services. We are not responsible for the privacy practices or content of third-party services. We encourage you to review the privacy policies of any third-party services you visit.

12.2   Integrations

When you connect third-party services to your account (such as calendar applications, email providers, payment processors, or accounting software), those services may have access to your information according to their own privacy policies and the permissions you grant. We are not responsible for how third-party services use your information. Review their privacy policies before connecting them to your account.

12.3   Single Sign-On (SSO)

If you log in using single sign-on (Google, Microsoft, etc.), we receive basic profile information from the SSO provider according to your privacy settings with that provider.

12.4   Analytics and Advertising

We use third-party analytics and advertising services that may collect information about your use of our Services. See our Cookie Notice for more information.

13.   Changes to This Policy

13.1   How We Notify You

Material Changes: If we make material changes that significantly affect your rights, we will notify you by email to the address associated with your account, prominent notice on our website, and in-app notification. We will provide notice at least 30 days before material changes take effect.

Non-Material Changes: For minor changes, we will update the "Last Reviewed" date at the top of this Privacy Policy.

13.2   Your Acceptance

By continuing to use our Services after changes become effective, you accept the updated Privacy Policy. If you do not agree with changes, you must stop using our Services and may request deletion of your account and information.

13.3   Version History

You can review prior versions of this Privacy Policy in our Legal Archive at https://supernomics.ai/legal/archive.

Current Version: 3.0 (December 21, 2025)

  • Added Recording & Meeting Privacy section
  • Enhanced AI processing disclosures
  • Added Right to Appeal for California residents
  • Updated data retention periods
  • Clarified international transfer mechanisms

Previous Versions:

  • Version 2.0 (December 1, 2023): Public enterprise baseline
  • Version 1.0 (November 2, 2023): Internal version

14.   Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]

Privacy Request Form: https://supernomics.ai/privacy-request

Data Protection Officer: For GDPR-related inquiries, you may contact our Data Protection Officer (if appointed) at [email protected].

Response Time: We will respond to your inquiry within 30 days. For privacy rights requests, see Section 6 for specific response timeframes.

Additional Resources: