Legal

Privacy Policy.

Last updated: June 11, 2026

Terms of ServicePrivacy PolicyQuid for Good

Last updated: June 11, 2026

Quidonomics, Inc., a Delaware public benefit corporation doing business as Quid ("Quid," "we," "us"), runs quid.network — a marketplace where sellers pay decision-makers' companies for guaranteed intro meetings.

We built Quid to be honest, and we wrote this policy the same way. It describes what we actually collect, what we actually do with it, and where the rough edges are. Where something is handled by a human instead of a button, we say so.

This policy covers:

  • Account holders — sellers, decision-makers ("DMs"), and company team members.
  • People without Quid accounts whose information ends up on Quid — recipients of paid cold outreach ("door knocks"), business contacts in a user's CRM, and charity contacts our users nominate. Section 3 is written for you.
  • Visitors to our website.

Questions at any point: hello@quid.network.

1. Information you give us

1.1 Account and profile

When you sign up — by email and password, email magic link, or Google or Microsoft sign-in — we collect your email address and name. Your profile can also include a photo, job title, bio, pitch focus, LinkedIn URL, company website, and a scheduling link (for example, a Calendly URL). You control your notification preferences in settings.

You can optionally enable a public profile at a handle you choose (see Section 8). It is off by default — nothing is public until you turn it on.

1.2 Company and team data

Company profiles include name, legal name, description, industry, stage, headcount, headquarters, founding year, website, and logo. We record which people are affiliated with which companies, in what roles, and when affiliations start and end. When you invite a teammate, we store the email address you invite.

1.3 Pitches, meetings, and feedback

We store the pitches you write (subject, body, optional attachment link), the amount offered, every status change, scheduling details, read receipts, ratings and free-text feedback exchanged after meetings, and the optional reason a recipient gives when passing on a door knock. We also keep an append-only log of pitch, meeting, and door-knock status transitions — this log is what keeps the money flow auditable, and it cannot be edited after the fact, including by us through the normal product.

1.4 Payment information — your card number never touches Quid

Card details are entered directly into payment fields served by Stripe, our payment processor. Quid never sees, transmits, or stores card numbers. What we do store: Stripe identifiers (customer, payment intent, charge, transfer, refund), amounts, the 70/21/9 split between the DM's company, Quid, and charity, authorization/capture/refund timestamps, and the payment event records Stripe sends us. We give Stripe your email and name so it can create your customer record.

1.5 CRM data

Quid has a built-in CRM that stores contacts (name, email, title, company, LinkedIn URL, phone, deal stage), notes, relationship records, and contact history. Whether the CRM interface is available is a platform-wide setting we control — but the underlying records are created from marketplace activity either way. Two things deserve a plain-spoken callout:

  • Contacts are captured automatically from marketplace activity — whether or not the CRM screens are currently switched on. When a pitch is accepted, the seller's CRM receives the DM's business contact details, and the DM's CRM receives the seller's. Each record is labeled with where it came from. If the CRM interface is off, these records still accumulate; they become visible (and exportable) when it's on.
  • Inbound email capture. Each CRM contact gets a unique address like `crm+<id>@inbound.quid.network`. When someone emails or replies to that address, we store the full message — sender, recipient, subject, and complete text — in the contact owner's CRM. The CRM owner can read these captured emails but cannot edit them or delete them individually in-product. One honest wrinkle: deleting the contact deletes its captured emails along with it.

Behind the CRM sits an identity record for each person, matched by email address, that keeps a versioned history of attributes (with their sources) over time — including, for account holders, prior values of your name and email when you edit your profile. This versioning runs regardless of whether the CRM interface is enabled.

1.6 Door knocks — information you give us about someone else

When a seller sends a door knock, the seller supplies the target's name, role, company name, company website, LinkedIn URL, and optionally email address. We store that, the pitch itself, and the delivery record of the invite email. If you send door knocks, only supply information you have the right to share. See Section 3 for what this means for recipients.

1.7 Charity nominations

If you nominate a charity for Quid for Good, you may provide a contact name, email, and phone number for that charity. These are visible only to Quid's internal operations — not to other users.

1.8 Files you upload — these are served from public URLs

Profile photos and company logos are stored in publicly readable storage: anyone with the URL can view them. Door-knock attachments are also publicly readable by URL — deliberately, so a recipient can open the attachment from their email without creating an account. Don't upload anything you wouldn't want accessible by link.

1.9 Support

When you email hello@quid.network, we keep the correspondence so we can help you and keep a record of what was agreed.

2. Information we collect automatically

2.1 Product analytics and session replay (PostHog)

We use PostHog (US cloud) to understand how the product is used. We configured it conservatively:

  • All text and input content is masked. Events record which button or field was used, never what was typed or what the screen said.
  • Session replay is enabled but masks every input and all on-screen text — a replay shows navigation, clicks, and scrolls, not content. Card fields live inside Stripe's own frames, which replay cannot see at all.
  • Every URL is scrubbed before it leaves your browser: invite and claim tokens, auth codes, access tokens, one-time codes, and email addresses in URLs are redacted.
  • We collect click heatmaps (positions only) and page-performance metrics. We do not record console logs or the contents of network requests.
  • Analytics events are not currently linked to your account identity, and we do not build analytics profiles of anonymous visitors.

2.2 Error monitoring (Sentry)

We use Sentry to catch errors and performance problems. It is configured not to send IP addresses or request bodies, and the same URL-scrubbing applies to everything it receives.

2.3 Hosting logs

Our hosting provider (Vercel) keeps standard server request logs, and browsers may send us security (CSP) violation reports, which land in those logs.

We use no advertising pixels and no Google Analytics. We do not store email open or click tracking — if our email provider reports an open or click event, we discard it.

3. If you don't have a Quid account

3.1 Door-knock recipients

If you received a door-knock email, here is the full picture:

  • Where your data came from. A Quid user (the seller, named in the email) typed in your name, role, company, LinkedIn URL, and — if they had it — your email address. We did not buy your data or scrape it; the sender supplied it.
  • What we sent and why. One email per door knock, containing the sender's identity, their full pitch, and the amount they're offering your company for a meeting. The link in it expires after 7 days.
  • What happens to money. Nothing, unless you act. The sender's card was verified but is not charged unless you claim the knock and the meeting actually happens. If you decline or ignore it, no money moves and nobody is charged.
  • Your choices. You can accept (which requires creating an account, and lets you correct anything the sender got wrong about you), pass (decline with an optional reason — no account needed; the link itself is your authorization), or ignore (the knock expires on its own).
  • Honest gaps. We do not currently have an automated unsubscribe or suppression system for door-knock emails, and the door-knock record (including your details) persists in our systems after it expires. If you don't want to be contacted through Quid again, or want your details removed, email hello@quid.network and a human will handle it manually.

3.2 Contacts in a user's CRM

Quid users can add, import, or automatically capture business contacts — including people who have never used Quid. If a user has your business card details in their Quid CRM, that data is held for that user; other users can't browse it. There is no self-service way for a non-user to see or erase these records today. Email hello@quid.network and we will deal with it manually.

4. Meeting recordings, transcripts, and AI

These features only operate when video meetings are enabled on the platform; in our launch configuration they are off and no recording occurs. When enabled:

  • Video meetings run on Daily.co. Rooms are private, limited to the two participants, and expire automatically a few hours after the scheduled time.
  • Recording requires explicit consent from both participants. Before your first Quid video meeting you'll see a consent screen explaining that audio and video are recorded, transcribed, and processed by AI to populate the seller's CRM. Consent persists across meetings, and you can revoke it at any time in settings — after which no meeting of yours can be recorded until you consent again. We keep a record of your current consent status — when it was granted and, if you've revoked, when. Honest detail: this is your current status, not a running history — if you revoke and later re-consent, the new consent replaces the old record.
  • Recordings are transcribed (Daily uses Deepgram for transcription), and the transcript is stored with the meeting in the seller's CRM.
  • Transcripts and meeting context are sent to Anthropic (Claude) to extract structured CRM data — participants, budget signals, pain points, next steps — for the seller. The DM does not see the extracted intelligence.
  • A live in-call coach for the seller, if enabled, processes the rolling transcript during the call; its output is shown in the moment and never stored.

5. How we use information, and our legal bases

Where GDPR or similar laws apply, the legal basis is noted in parentheses.

  • Run the marketplace — match sellers and DMs, deliver pitches and door knocks, schedule meetings, send transactional email (performance of contract).
  • Move money correctly — authorize, capture, refund, split, pay out, donate, and keep auditable records of all of it (performance of contract; legal obligation).
  • Compute and display trust signals — accept rates, response times, completed meetings, no-shows, ratings, and named reviews, shown as described in Section 8 (legitimate interest in a marketplace that works on reputation; we disclose exactly what is shown).
  • Prevent abuse — enforce amount-tampering guards, per-pitch amount caps, team budgets and approval controls, and immutable audit logs (legitimate interest; legal obligation).
  • Improve the product — masked analytics and error monitoring as described in Section 2 (legitimate interest).
  • Record and analyze meetings — only as described in Section 4 (consent).
  • Send marketing email — only to account holders, who can opt out in settings at any time (legitimate interest with opt-out, or consent where required).
  • Comply with law — respond to lawful requests and keep records the law requires (legal obligation).

We do not sell personal information, and we do not share it for cross-context behavioral advertising.

6. Who we share data with

We use a small set of service providers ("subprocessors"). Each receives only what its job requires:

ProviderWhat it doesPersonal data involved
SupabaseAuthentication, database, file storageAll data described in Section 1
StripePayments, payouts, refunds (incl. Stripe Connect)Email, name, account identifiers; card data goes directly to Stripe and never to us
VercelHosting and request logsStandard web request data
ResendSends our email; receives inbound CRM emailRecipient addresses, email content, inbound message bodies
PostHog (US cloud)Product analytics, masked session replayMasked interaction events; no text, no inputs, scrubbed URLs
SentryError and performance monitoringStack traces and scrubbed URLs; no IPs, no request bodies
Daily.coVideo rooms, cloud recording, transcription (via Deepgram)Participant id and display name; audio/video and transcripts, only with two-party consent
AnthropicAI transcript extraction and live meeting coachTranscripts and meeting context, only when those features are enabled
Merge.devOptional one-click sync of CRM data to your company's external CRMContact names, emails, phones, companies — only if your company turns this on

Beyond subprocessors:

  • Destinations you configure. A company can point its CRM sync at a webhook URL it controls (e.g., Zapier or its own endpoint). What happens to data after it reaches a destination you configured is governed by that destination, not by us.
  • Other users, as the product requires: your pitch goes to its recipient; your name, company, and feedback travel with your marketplace activity; accepted-pitch contact capture works as described in Section 1.5.
  • Legal. We will disclose data if required by law, or to protect Quid, our users, or others — and we'll be no broader about it than the law requires.
  • Corporate events. If Quid is involved in a merger, acquisition, or asset sale, data may transfer with the business; this policy would continue to apply until replaced with notice.

7. What we deliberately don't do

  • We never see or store card numbers or payment credentials.
  • We don't sell personal data, run ad pixels, or use advertising cookies.
  • We don't store email open/click tracking.
  • We don't capture what you type or what your screen shows in analytics or replay.
  • We don't send IP addresses or request bodies to our error monitoring.
  • We never store the live meeting coach's output.
  • We don't hold your external CRM's own OAuth credentials — those stay with the integration broker (Merge). Honest footnote: we do store a Merge account token that authorizes us to push data to your CRM on your behalf. Disconnecting stops the sync; if you also want the stored token removed, email hello@quid.network and we'll clear it.
  • Our public embed (the "Quidget") exposes only listing data — name, role, photo, price — never emails, payment identifiers, or account state.

8. What other people can see

  • Marketplace listing pages show a DM's performance record — accept rate, median response time, completed meetings, no-show count, and average star rating — computed from actual behavior on Quid, along with the DM's most recent reviews. Listing-page reviews are shown with the reviewing seller's name, company, star score, and feedback text. If you list yourself as a DM, these stats and reviews are public; that's part of the deal. And if you're a seller who reviews a DM, your review appears publicly on that DM's listing under your name and company — the review toggle on your own public profile (next bullet) controls your `/u/` page only, not reviews you leave on someone else's listing.
  • Public trust profile (`/u/your-handle`) is opt-in and off by default. If you enable it, you separately control whether reviews and company names appear. Reviews, where shown, include the reviewer's name, company, and feedback text.
  • Uploaded files — profile photos, company logos, and door-knock attachments — are accessible to anyone with their URL (Section 1.8).

9. Cookies and local storage

  • Authentication cookies (via Supabase) keep you signed in. These are strictly necessary; the site doesn't work without them.
  • Analytics storage (PostHog) is set only when analytics is active, to distinguish sessions — with the masking described in Section 2.
  • Browser localStorage holds interface preferences only — your browse filters and which explainer banners you've dismissed. No personal data.

We use no third-party advertising cookies. One related note: some transactional emails contain one-time sign-in links. Treat those emails like keys — don't forward them.

10. How long we keep data

  • Account data is kept while your account is active.
  • Account deletion is self-service in settings (you type a confirmation phrase). Honestly stated: this is a soft delete — you're signed out and locked out immediately, your account is recoverable through support for roughly 30 days, and the final hard deletion is currently performed manually by us rather than by an automated job. If you want us to complete a hard delete, email hello@quid.network and we will.
  • Records we retain even after deletion, because the marketplace's money trail and audit integrity depend on them: payment and donation records, the append-only marketplace event log, and historical versions of profile facts. Where the law gives you a stronger erasure right, we honor it (Section 11).
  • Two kinds of records are tied to their parents and do not survive deletion. Your recording-consent record is kept while your account exists (revoking consent updates the record rather than deleting it), but a hard delete of your account removes it. Captured CRM emails live with the contact they belong to: deleting the contact deletes its captured emails, and a hard delete of a CRM owner's account removes that CRM — captured emails included.
  • Door-knock records persist after expiry, including target details supplied by the sender — see Section 3.1 for the manual removal route.
  • Video rooms expire automatically at our video provider shortly after the meeting; transcripts copied into the CRM persist until deleted on request.

11. Your rights and choices

You can ask us to access, correct, delete, or export your personal data by emailing hello@quid.network. We'll verify the request against your account email and respond within the timelines applicable law sets (typically 30–45 days). Honest note: most of these requests are fulfilled by a human, not a button — we don't yet have automated data-subject tooling, but we do the work. The exception: when the CRM feature is switched on, CRM owners can export their contacts as CSV themselves.

Built-in controls:

  • Marketing email — opt out in notification settings; transactional emails about your own transactions continue.
  • Recording consent — revoke anytime in settings (Section 4).
  • Public profile — off by default; you choose to enable it and what it shows.

California residents (CCPA/CPRA): you have the right to know what personal information we collect (this policy is the disclosure), to access it, to correct it, to delete it, and to not be discriminated against for exercising those rights. We do not sell personal information or share it for cross-context behavioral advertising, so there is nothing to opt out of on that front. You may use an authorized agent; we'll verify the agent's authority and your identity.

EEA/UK residents (GDPR): our legal bases are in Section 5. You have rights of access, rectification, erasure, restriction, portability, and objection, and you may withdraw consent (e.g., recording consent) at any time without affecting prior processing. You may lodge a complaint with your local supervisory authority, though we'd appreciate the chance to fix things first at hello@quid.network.

If you've never used Quid and we hold your data anyway (Sections 3.1 and 3.2), all of the above applies to you too — same email address.

12. Security

  • All traffic is encrypted in transit (TLS, with HSTS enforced).
  • Every database table is protected by row-level security, so users can only reach rows they're entitled to; we've additionally hardened the layer against privilege escalation and money tampering.
  • Card data is isolated to Stripe end-to-end.
  • Sensitive tokens (invite links, claim links, auth codes) are redacted before any URL reaches our analytics or error monitoring.
  • Money movements and operator actions are written to append-only audit logs; every Quid operator action requires a recorded reason.

No system is perfectly secure, and we won't pretend otherwise. If you find a vulnerability, please tell us at hello@quid.network.

13. Children

Quid is a business-to-business service for adults. It is not directed to anyone under 18, and we don't knowingly collect data from anyone under 18. If you believe we have, email us and we'll delete it.

14. International users

Quid operates from the United States, and our service providers process data primarily in the United States. If you use Quid from elsewhere, your data will be transferred to and processed in the US. Where the law requires a transfer mechanism, we rely on our providers' applicable safeguards (such as standard contractual clauses).

15. Changes to this policy

When we change this policy, we'll update the date at the top. For material changes, we'll make reasonable efforts to notify account holders by email or in-product notice before the change takes effect. Continued use after the effective date means the updated policy applies.

16. Contact

Quidonomics, Inc., a Delaware public benefit corporation, d/b/a Quid [POSTAL ADDRESS] hello@quid.network

This policy, and any dispute arising from it, is governed by the laws of the State of Delaware, without regard to conflict-of-laws rules.