Privacy Policy

ENKI IQ

Privacy Policy

Effective Date: April 3, 2026

Last Updated: April 3, 2026

Summary for Busy Readers

Enki IQ is an AI-powered B2B sales intelligence platform operated by Cardea LLC. We collect information you provide and data generated through your use of the platform. We do not sell your personal data. We do not use your data to train AI models. Your data is isolated at the database level and encrypted at rest and in transit. You may request export or deletion of your data at any time by contacting legal@enkiq.ai.

1. Introduction and Scope

Cardea LLC (“Enki IQ,” “we,” “us,” or “our”) operates the Enki IQ platform, accessible at https://enkiq.ai and through associated APIs and integrations (collectively, the “Platform”). The Platform provides AI-powered sales intelligence capabilities including territory planning, account and contact enrichment, predictive deal intelligence, qualification frameworks, stakeholder mapping, and competitive analysis.

This Privacy Policy describes how we collect, use, disclose, and protect personal information when you visit our website, create an account, or use the Platform as an individual user or as part of an enterprise subscription. It also describes the rights available to you under applicable privacy laws, including the General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), and other regional frameworks.

If you are using the Platform under an enterprise or team agreement, your employer or contracting organization (the “Customer”) may have entered into a separate Data Processing Agreement (“DPA”) with us that supplements or modifies this policy with respect to data processed on that organization’s behalf. In the event of a conflict between this Policy and a signed DPA, the DPA prevails.

By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of the Platform and contact us to request deletion of your data.

2. Data Controller and Contact Information

Cardea LLC, a Nevada limited liability company, is the data controller for personal information collected through the Platform.

| Detail | Information |
|---|---|
| Legal Entity | Cardea LLC |
| Brand / Product | Enki IQ |
| Registered State | Nevada, United States |
| Website | https://enkiq.ai |
| Privacy & Legal Inquiries | legal@enkiq.ai |
| Data Protection Officer | Appointment planned; inquiries directed to legal@enkiq.ai in the interim |

For GDPR-related inquiries from individuals in the European Economic Area (“EEA”), United Kingdom, or Switzerland, please contact us at legal@enkiq.ai with the subject line “GDPR Request.” We aim to respond within 30 days.

3. Information We Collect

We collect information in three primary ways: information you provide directly, information generated automatically through your use of the Platform, and information obtained from third-party data sources that power our enrichment features.

3.1 Information You Provide

  • Account Registration: Name, email address, job title, company name, and password (managed through our authentication provider, Clerk). We do not store passwords directly.

  • Profile and Preferences: ICP (Ideal Customer Profile) configuration, territory settings, and sales methodology preferences you configure within the Platform.

  • CRM and Calendar Data: Records, contacts, opportunities, and calendar events you sync or import from connected systems (e.g., Google Calendar).

  • Content and Inputs: Text, notes, call transcripts, meeting summaries, qualification captures (MEDDPIC), discovery notes, and other content you enter or upload.

  • Communications: Messages you send to our support team or through in-app feedback mechanisms.

  • Payment Information: Billing name, address, and payment method details processed entirely by Stripe. Cardea LLC does not receive or store full card numbers or banking credentials.

3.2 Information Collected Automatically

  • Usage Data: Pages visited, features accessed, queries submitted, timestamps, session durations, and interaction logs used to improve platform performance and reliability.

  • Device and Technical Data: IP address, browser type and version, operating system, device identifiers, and referral URLs.

  • Authentication Events: Login timestamps, session tokens, and multi-factor authentication activity managed by Clerk.

  • Error and Performance Data: Stack traces, error codes, and performance metrics collected by Sentry and Datadog to support reliability engineering.

  • Log Data: AWS CloudWatch retains Lambda function logs for 30 days for security, debugging, and forensic purposes.

3.3 Information from Third-Party Data Sources

Enki IQ’s core value proposition depends on enriching your sales intelligence with data from curated third-party providers. This data relates primarily to businesses and professional contacts and is used to generate insights within your account.

  • Apollo.io: Professional contact data, firmographic information, and intent signals.

  • BrightData: Web-sourced business data, technographic signals, and publicly available professional information.

  • Google Gemini Deep Research: AI-generated research summaries derived from publicly accessible web sources.

We use this third-party data solely to provide Platform features to you. We do not sell or re-share enriched data externally.

3.4 Cookies and Similar Technologies

We use essential session cookies required for authentication and platform functionality. We also use analytics cookies and browser-level monitoring (Datadog RUM) to understand aggregate usage patterns. A cookie preference banner is displayed on first visit. You may decline non-essential cookies without affecting core platform functionality.

| Cookie Type | Purpose | Retention |
|---|---|---|
| Authentication (Clerk) | Session management; validates identity on every request | Session / configurable |
| Functional | User preferences, UI state | Up to 12 months |
| Analytics (Datadog RUM) | Aggregate frontend performance monitoring | Up to 13 months |
| Error tracking (Sentry) | Error context and diagnostics | Session |

4. How We Use Your Information

We process personal information only for the specific purposes described below. We do not process information in ways that are incompatible with these stated purposes.

| Purpose | Description | Legal Basis (GDPR) |
|---|---|---|
| Providing the Platform | Authenticating users, executing AI queries, delivering sales intelligence outputs, generating reports and exports | Performance of contract |
| Account Management | Creating and maintaining accounts, billing, license enforcement, customer support | Performance of contract |
| Platform Improvement | Analyzing aggregate usage patterns, debugging errors, optimizing AI feature performance | Legitimate interests |
| Security and Fraud Prevention | Detecting anomalous access patterns, preventing unauthorized use, audit logging | Legitimate interests / Legal obligation |
| Communications | Sending product updates, security notices, service announcements, and support responses | Performance of contract / Consent |
| Legal and Compliance | Responding to lawful requests from authorities, enforcing our Terms of Service, resolving disputes | Legal obligation / Legitimate interests |
| Marketing (opt-in only) | Sending newsletters, product announcements, or event invitations where you have consented | Consent |

AI Model Training Policy

Enki IQ does not use your data to train, fine-tune, or evaluate any AI or machine learning model. This applies to all AI providers used by the Platform, including Anthropic Claude, Google Gemini, and Voyage AI. Your inputs, outputs, and account data remain exclusively yours.

5. Data Sharing and Disclosure

We do not sell, rent, or broker your personal information to third parties. We share personal information only in the limited circumstances described below.

5.1 Sub-Processors and Service Providers

We engage trusted third-party vendors (“sub-processors”) who process personal data on our behalf under contractual obligations that require them to protect your data and use it only as we instruct. Our key sub-processors include:

| Sub-Processor | Role | Data Processed | Certifications |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, compute, storage, database | All platform data | SOC 2 Type II, ISO 27001, PCI-DSS |
| Clerk | Authentication and identity management | Email, session tokens, auth events | SOC 2 Type II |
| Anthropic | AI language model inference | User query inputs (not retained for training) | Enterprise DPA |
| Google (Gemini) | AI research and inference | User query inputs (not retained for training) | ISO 27001, SOC 2 |
| Voyage AI | Vector embeddings for semantic search | Text data for embedding (not retained) | Enterprise DPA |
| Apollo.io | B2B contact enrichment | Account / contact lookup queries | SOC 2 Type II |
| BrightData | Web data enrichment | Target company/person identifiers | ISO 27001 |
| Stripe | Payment processing | Billing details (not card numbers to us) | PCI-DSS Level 1 |
| Sentry | Error monitoring | Error context, user identifiers | SOC 2 Type II |
| Datadog | Observability and RUM | Logs, metrics, frontend events | SOC 2 Type II, ISO 27001 |

Enterprise customers may request a complete and current sub-processor list at any time by contacting legal@enkiq.ai. We provide 30 days’ notice before adding new sub-processors that materially affect data processing.

5.2 Business Transfers

In the event of a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, personal information may be transferred to the successor entity. We will provide notice via email or prominent in-app notice prior to any such transfer and describe any material changes to your rights.

5.3 Legal Requirements

We may disclose personal information when required by law, court order, or government authority, or when we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Enki IQ, our users, or the public. Where legally permissible, we will notify affected users of such requests.

5.4 Aggregated and De-Identified Data

We may use and share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you for product analytics, industry benchmarking, or marketing purposes. Such data is not considered personal information under applicable law.

6. Data Security

Security is foundational to Enki IQ. We apply defense-in-depth controls across every layer of our infrastructure. Below is a detailed description of the controls in place.

6.1 Authentication and Access Control

  • All user authentication is managed by Clerk (SOC 2 Type II certified). Session tokens are cryptographically validated on every single API request before any data is accessed or returned.

  • No anonymous access is permitted. Every AWS Lambda function (110+ functions in production) independently verifies user identity before executing.

  • Single Sign-On (SSO) is supported for enterprise accounts, enabling organizations to enforce their own identity policies.

  • Multi-factor authentication (MFA) is available and recommended for all users.

6.2 Data Isolation

  • Every data record — accounts, contacts, opportunities, MEDDPIC captures, Foresight signals, AI-generated content, and research outputs — is bound to your user_id.

  • Row-Level Security (RLS) is enforced at the PostgreSQL database level via the policy: user_id = get_profile_id_from_clerk(). The database engine itself prevents cross-user data access regardless of application code.

  • Application-layer Lambda functions independently filter all queries by user_id, providing defense-in-depth so that neither a database misconfiguration nor an application bug alone can expose cross-user data.

  • AI semantic search (Voyage AI vector embeddings) is fully user-scoped. Your indexed content never surfaces in another user’s query results.

6.3 Encryption

  • At rest: All Aurora PostgreSQL storage is encrypted using AWS KMS-managed AES-256 keys. AWS Secrets Manager encrypts all credentials and API keys used by the Platform.

  • In transit: All data is transmitted over HTTPS/TLS 1.2 or higher — from browser to CloudFront, CloudFront to API Gateway, API Gateway to Lambda, Lambda to Aurora via RDS Data API, and all outbound calls to third-party AI providers (Anthropic, Google, Voyage AI).

6.4 Network Security

  • Aurora PostgreSQL runs inside a private AWS VPC with no public internet exposure. Only Lambda functions and ECS tasks in explicitly authorized security groups are permitted network access to the database.

  • S3 buckets hosting frontend assets are accessible exclusively through CloudFront with Origin Access Control (OAC) enabled. Direct S3 access is blocked.

  • Four scoped IAM roles ensure that each functional Lambda group has only the permissions required for its specific operations. No function has broad-access policies.

6.5 Infrastructure Integrity

  • All infrastructure is defined and version-controlled as code using AWS CloudFormation, stored in Git. This prevents configuration drift and provides a complete change audit trail.

  • Deletion protection and DeletionPolicy: Retain are enforced on all database resources to prevent accidental data loss.

  • AWS CloudWatch captures logs from all Lambda functions with a 30-day retention window, supporting forensic review and incident response.

6.6 Monitoring and Incident Response

  • Sentry monitors errors across all 110+ Lambda functions, tagging context for rapid anomaly detection and alerting.

  • Datadog Real User Monitoring (RUM) captures frontend behavior and performance metrics.

  • In the event of a data breach that meets notification thresholds under applicable law, we will notify affected individuals and relevant authorities within the legally required timeframe (72 hours under GDPR where applicable).

6.7 Compliance Posture

| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In Progress | Controls in place; audit engagement underway |
| GDPR | Aligned | DPAs available on request; DPO appointment planned |
| CCPA / CPRA | Adherent | No sale or sharing of personal data for cross-context advertising |
| PCI-DSS | Via Stripe | Cardea LLC does not store, process, or transmit card data |
| ISO 27001 | Roadmap | Targeted following SOC 2 completion |

7. Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

| Data Category | Retention Period | Basis |
|---|---|---|
| Account and profile data | Duration of account + 12 months post-closure | Legal obligation, dispute resolution |
| Sales intelligence content (accounts, contacts, notes, MEDDPIC) | Duration of subscription + 30-day export window | Service delivery |
| AI-generated content and research | Duration of subscription + 30-day export window | Service delivery |
| Payment and billing records | 7 years | Tax and financial regulations |
| Security and access logs (CloudWatch) | 30 days (rolling) | Security monitoring, forensic review |
| Error logs (Sentry) | 90 days | Reliability engineering |
| Analytics data (Datadog) | 13 months | Performance analysis |
| Backup snapshots | 30 days | Disaster recovery |

Upon account termination or subscription expiration, you have a 30-day window to export your data. After this window, your data is scheduled for secure deletion in accordance with the retention schedule above. Deletion is performed using NIST SP 800-88 compliant data sanitization practices on all storage media managed by AWS.

8. Your Privacy Rights

Depending on your location, you may have specific rights with respect to your personal information. We honor these rights regardless of where you are located, subject to identity verification.

8.1 Rights Available to All Users

  • Access: Request a copy of the personal information we hold about you.

  • Correction: Request correction of inaccurate or incomplete information.

  • Deletion: Request deletion of your personal information, subject to our legal retention obligations.

  • Data Portability: Receive your data in a structured, machine-readable format (JSON or CSV).

  • Withdrawal of Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

8.2 Additional Rights Under GDPR (EEA, UK, Switzerland)

  • Restriction: Request that we restrict processing of your data while a dispute is pending.

  • Objection: Object to processing based on legitimate interests, including profiling.

  • Automated Decision-Making: You have the right not to be subject to solely automated decisions with significant effects. Enki IQ does not make automated decisions with legal or similarly significant effects without human review.

  • Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, CNIL in France). We encourage you to contact us first so we can address your concerns directly.

8.3 Additional Rights Under CCPA / CPRA (California Residents)

  • Know: The right to know what personal information we collect, use, disclose, and sell (we do not sell).

  • Delete: The right to request deletion of personal information we hold about you.

  • Correct: The right to correct inaccurate personal information.

  • Opt-Out of Sale / Sharing: We do not sell or share personal information for cross-context behavioral advertising.

  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

  • Sensitive Personal Information: We do not collect sensitive personal information as defined under CPRA for purposes beyond those permitted by law.

8.4 How to Submit a Privacy Request

To exercise any of the above rights, please submit your request to legal@enkiq.ai with the subject line “Privacy Request – [Right Being Exercised].” We will verify your identity before processing your request and respond within 30 days (or 45 days where legally permitted with notice). There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

Authorized agents submitting requests on behalf of California residents must provide written authorization signed by the resident.

9. International Data Transfers

Enki IQ is hosted on AWS infrastructure in the United States. If you access the Platform from outside the United States, your personal information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following lawful transfer mechanisms:

  • Standard Contractual Clauses (SCCs): We incorporate EU Standard Contractual Clauses (2021/914/EU) into our Data Processing Agreements. Enterprise customers may request a pre-signed DPA at legal@enkiq.ai.

  • UK International Data Transfer Agreements (IDTA): Available upon request for UK data subjects.

  • Swiss Adequacy: We apply equivalent protections for data transferred from Switzerland.

Our sub-processors who receive EEA/UK data are bound by equivalent transfer mechanisms under their own agreements with us.

10. Children’s Privacy

The Platform is a professional B2B tool designed for adults. We do not knowingly collect personal information from anyone under the age of 16. If we become aware that we have inadvertently collected personal information from a minor, we will take prompt steps to delete that information. If you believe we may have collected information from a minor, please contact us at legal@enkiq.ai.

11. Third-Party Links and Integrations

The Platform may contain links to third-party websites or integrate with external services (e.g., your CRM, Google Calendar). This Privacy Policy applies only to information processed by Enki IQ. Third-party services are governed by their own privacy policies, and we encourage you to review those policies before connecting external accounts. We are not responsible for the privacy practices of third-party services.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Post the updated policy on our website with a revised “Last Updated” date;

  • Send an email notification to the address associated with your account; and

  • Display a prominent in-app notice for at least 14 days following the change.

Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised policy. If you do not agree with the updated terms, you should cease using the Platform and request deletion of your account.

13. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

| Method | Details |
|---|---|
| Email (preferred) | legal@enkiq.ai |
| Website | https://enkiq.ai |
| Legal Entity | Cardea LLC, Nevada, United States |

We take privacy inquiries seriously and aim to respond within 5 business days for general inquiries and within 30 days for formal data subject requests.

Enki IQ is operated by Cardea LLC, a Nevada limited liability company. This document does not constitute legal advice. For questions about this policy, contact: legal@enkiq.ai