Effective Date: September 26, 2025
WHEREAS, Quey, LLC, a Nevada limited liability company ("Company"), collects and processes personal information from customers in connection with line-holding and queueing services; and
WHEREAS, Company is committed to protecting customer personal information through comprehensive security measures and incident response procedures; and
WHEREAS, Company must comply with Nevada privacy laws, federal regulations, and industry security standards in protecting customer data;
NOW, THEREFORE, Company hereby establishes this Customer Data Security and Incident Response Policy ("Policy") to govern the protection of customer personal information and response to security incidents.
1.1 "Company" means Quey, LLC, a Nevada limited liability company, and its successors and assigns.
1.2 "Customer" means any individual who uses Company's platform to request line-holding services.
1.3 "Customer Personal Information" means information that identifies, relates to, describes, or is capable of being associated with a particular Customer, including name, contact information, payment data, location information, and service records.
1.4 "Data Breach" means unauthorized acquisition of Customer Personal Information that compromises the security, confidentiality, or integrity of such information.
1.5 "Incident Response Team" means Company personnel designated to respond to security incidents and data breaches affecting Customer Personal Information.
1.6 "Third-Party Processors" means vendors including Stripe, Inc., Twilio Inc., and other service providers that process Customer Personal Information on Company's behalf.
2.1 Customer Data Categories. Company processes the following categories of Customer Personal Information: account information including name, email address, and mobile telephone number; service request information including location addresses, timing preferences, and special instructions; payment information including credit card details, billing addresses, and transaction history; communication records including SMS messages, emails, and customer service interactions; and location data including GPS coordinates during service delivery periods.
2.2 Data Protection Standards. All Customer Personal Information shall be protected through: encryption of data in transit using Transport Layer Security (TLS) version 1.2 or higher; encryption of data at rest using Advanced Encryption Standard (AES) 256-bit encryption; role-based access controls limiting access to authorized personnel with legitimate business needs; multi-factor authentication for all systems containing Customer Personal Information; and regular security monitoring and audit procedures.
2.3 Access Control Requirements. Access to Customer Personal Information shall be restricted to: Company employees whose job responsibilities require such access for customer service, technical support, or business operations; authorized Third-Party Processors under written data processing agreements; and law enforcement or regulatory authorities pursuant to valid legal process. All access shall be logged, monitored, and subject to regular review and certification.
2.4 Data Minimization Principles. Company shall collect and retain only Customer Personal Information that is necessary for providing services, processing payments, ensuring customer safety, and complying with legal obligations. Company shall not collect or use Customer Personal Information for purposes incompatible with the original collection purpose without obtaining additional consent.
3.1 Payment Processor Security. Stripe, Inc. processes all customer payment information and maintains Payment Card Industry Data Security Standard (PCI DSS) Level 1 compliance. Company does not store complete payment card information on its systems and relies on Stripe's secure payment processing infrastructure for all financial transactions.
3.2 Communication Service Security. Twilio Inc. facilitates SMS communications between customers and service providers under written data processing agreements requiring: encryption of all communications in transit; access controls restricting Company personnel access to customer communications; data retention limitations aligned with Company's retention policies; and incident notification requirements for any security breaches affecting customer communications.
3.3 Vendor Security Requirements. All Third-Party Processors handling Customer Personal Information must maintain: SOC 2 Type II compliance certification or equivalent security standards; written data processing agreements specifying security obligations and data handling limitations; incident notification procedures requiring notification within twenty-four (24) hours of any security incident; and regular security assessments and penetration testing with results available to Company upon request.
3.4 Vendor Monitoring and Oversight. Company shall conduct quarterly security reviews of all Third-Party Processors including: verification of current security certifications and compliance status; review of incident reports and security performance metrics; assessment of contract compliance and data processing adherence; and evaluation of any security control changes or system modifications affecting Customer Personal Information.
4.1 General Retention Periods. Company retains Customer Personal Information according to the following schedule: account information for three (3) years following account closure; service history and communication records for two (2) years following last service request; payment transaction records for seven (7) years as required by financial regulations; and location data for ninety (90) days following service completion unless involved in disputes requiring extended retention.
4.2 Secure Deletion Procedures. Upon expiration of retention periods, Company shall securely delete Customer Personal Information using: cryptographic erasure for encrypted data; multiple-pass overwriting for unencrypted data storage; physical destruction of storage media containing Customer Personal Information; and verification of complete data removal through audit procedures.
4.3 Legal Hold Exceptions. Notwithstanding standard retention periods, Company may retain Customer Personal Information for extended periods when: required by law, regulation, or court order; necessary to establish, exercise, or defend legal claims; involved in pending litigation, investigation, or regulatory proceeding; or subject to customer dispute requiring retention for resolution purposes.
4.4 Customer Deletion Requests. Upon receiving verified customer requests for data deletion, Company shall: verify customer identity through established authentication procedures; delete Customer Personal Information within sixty (60) days of verified request; notify relevant Third-Party Processors of deletion requirements; and provide confirmation of completed deletion to the requesting customer, subject to legal retention obligations.
5.1 Continuous Security Monitoring. Company maintains twenty-four (24) hour security monitoring through: Security Information and Event Management (SIEM) systems for real-time threat detection; automated intrusion detection and prevention systems; network traffic analysis and anomaly detection; database activity monitoring for unauthorized access attempts; and employee access logging and behavioral analysis.
5.2 Incident Detection Procedures. Company shall detect potential security incidents through: automated security alerts and threshold monitoring; employee reporting of suspicious activities or security concerns; customer reports of unauthorized account access or suspicious activities; Third-Party Processor notifications of security incidents; and regular security assessments and vulnerability scans.
5.3 Threat Intelligence Integration. Company integrates threat intelligence feeds to: identify emerging cybersecurity threats and attack patterns; update security controls and monitoring rules; assess potential impacts on customer data protection; and coordinate with law enforcement and industry security organizations when appropriate.
6.1 Incident Classification. Security incidents affecting Customer Personal Information are classified as follows: Critical Incidents involving unauthorized access to Customer Personal Information affecting five hundred (500) or more customers, complete system compromise, or ransom demands; High Priority Incidents involving unauthorized access affecting fifty (50) to four hundred ninety-nine (499) customers, attempted system compromise, or significant service disruption; and Medium Priority Incidents involving unauthorized access affecting fewer than fifty (50) customers, security control failures, or minor system vulnerabilities.
6.2 Immediate Response Procedures. Upon incident detection, Company shall: activate the Incident Response Team within one (1) hour of detection; implement immediate containment measures to prevent further unauthorized access; preserve digital evidence and forensic information for investigation; assess the scope and impact of the incident on Customer Personal Information; and notify senior management and legal counsel of the incident status.
6.3 Investigation and Assessment. Company shall conduct thorough incident investigations including: forensic analysis of affected systems and data; determination of incident cause and attack vectors; assessment of Customer Personal Information accessed, acquired, or compromised; evaluation of potential harm to affected customers; and documentation of incident timeline, response actions, and lessons learned.
6.4 Incident Containment and Recovery. Company shall implement incident containment through: isolation of affected systems and networks; elimination of attacker access and persistence mechanisms; system restoration from secure backups when necessary; implementation of additional security controls to prevent recurrence; and coordination with Third-Party Processors for incident response when their systems are affected.
7.1 Nevada Law Notification Requirements. In accordance with Nevada Revised Statutes Section 603A.220, Company shall notify affected customers of data breaches involving Customer Personal Information without unreasonable delay and in no case later than sixty (60) days after discovery of the breach, unless law enforcement determines that notification would impede a criminal investigation.
7.2 Notification Content Requirements. Customer breach notifications shall include: date of the data breach and general description of the incident; types of Customer Personal Information involved in the breach; steps Company has taken to investigate the breach and protect customers; contact information for customer inquiries; and recommended actions customers can take to protect themselves from potential harm.
7.3 Notification Methods. Company shall notify customers through: email notification to customers' registered email addresses; postal mail notification if email addresses are unavailable or compromised; prominent notice posted on Company's website and mobile application; and toll-free telephone support for customer inquiries and assistance.
7.4 Nevada Attorney General Notification. Company shall notify the Nevada Attorney General of data breaches affecting five hundred (500) or more Nevada residents in accordance with Nevada law, including submission of breach details, affected resident count, and remediation measures taken.
8.1 Immediate Customer Protection. Upon confirming a data breach affecting Customer Personal Information, Company shall: require password resets for all affected customer accounts; implement enhanced fraud monitoring for affected customer accounts; provide dedicated customer support for breach-related inquiries; and coordinate with payment processors for additional payment card monitoring when financial information is involved.
8.2 Identity Protection Services. For significant data breaches involving sensitive Customer Personal Information, Company may provide: credit monitoring services for affected customers; identity theft protection and restoration services; fraud alert placement with major credit reporting agencies; and reimbursement for certain costs incurred due to identity theft resulting from the breach.
8.3 Communication and Support. Company shall maintain open communication with affected customers through: regular updates on investigation progress and remediation efforts; dedicated customer support hotline for breach-related questions; FAQ resources addressing common customer concerns; and coordination with law enforcement when customers become victims of identity theft or fraud.
9.1 Law Enforcement Coordination. Company shall cooperate with law enforcement investigations of security incidents by: preserving digital evidence and forensic information; providing incident details and investigative findings; coordinating with federal and state cybercrime units; and maintaining confidentiality of ongoing investigations as required.
9.2 Regulatory Reporting Requirements. Company shall comply with applicable regulatory reporting requirements including: Federal Trade Commission breach reporting for incidents affecting interstate commerce; Nevada Attorney General notification for incidents affecting Nevada residents; coordination with industry regulatory bodies when applicable; and provision of incident reports to cyber insurance carriers.
9.3 Industry Coordination. Company shall participate in cybersecurity information sharing through: industry threat intelligence sharing programs; coordination with technology platform security organizations; participation in cybersecurity best practice initiatives; and sharing of anonymized threat information to improve industry security.
10.1 Service Continuity Objectives. Company maintains business continuity procedures to ensure: customer service availability within four (4) hours of system recovery; customer account access restoration within two (2) hours of system recovery; payment processing restoration within four (4) hours through backup systems; and customer communication capabilities within one (1) hour through alternative channels.
10.2 Data Backup and Recovery. Company maintains secure data backup procedures including: daily incremental backups of all Customer Personal Information; weekly full system backups with geographic distribution; monthly backup restoration testing and verification; encryption of all backup data using the same standards as production systems; and secure offsite storage with restricted access controls.
10.3 Emergency Communication. During security incidents affecting customer services, Company shall: activate emergency communication protocols to inform customers of service disruptions; provide alternative customer support channels including telephone and email; coordinate with Third-Party Processors for alternative service delivery when possible; and maintain regular customer updates on restoration progress and timeline.
11.1 Customer Data Access Rights. Customers have the right to access their personal information maintained by Company by submitting written requests to privacy@quey.me. Company shall respond to verified access requests within sixty (60) days and provide customers with copies of their Customer Personal Information in a portable format.
11.2 Data Correction and Update Rights. Customers may request correction of inaccurate Customer Personal Information through their account settings or by contacting customer support. Company shall correct verified inaccuracies within thirty (30) days and notify relevant Third-Party Processors of required corrections.
11.3 Nevada Privacy Rights. Nevada residents have the right to opt out of sales of personal information pursuant to Nevada Revised Statutes Section 603A.340. Company does not sell Customer Personal Information to third parties and maintains a "Do Not Sell" policy for all customer data.
11.4 Communication Preferences. Customers may modify their communication preferences at any time by: texting "STOP" to opt out of SMS communications; using unsubscribe links in email communications; updating notification preferences in their account settings; or contacting customer support for assistance with communication preferences.
12.1 Employee Security Training. All Company employees with access to Customer Personal Information shall receive: initial security awareness training within the first week of employment; annual comprehensive security training covering current threats and Company policies; quarterly security updates and policy refreshers; and specialized training for roles involving direct access to Customer Personal Information.
12.2 Security Awareness Program. Company maintains ongoing security awareness through: monthly security tips and best practice communications; simulated phishing exercises and security testing; security incident case studies and lessons learned sharing; and recognition programs for employees demonstrating security-conscious behavior.
12.3 Contractor and Vendor Training. Third-Party Processors and contractors with access to Customer Personal Information must: complete Company-approved security training before accessing customer data; acknowledge understanding of data protection requirements and confidentiality obligations; participate in annual security updates and policy reviews; and report security incidents and concerns through established procedures.
13.1 Policy Review and Updates. Company shall review and update this Policy: annually to reflect changes in technology, threats, and business operations; upon significant changes to applicable laws or regulations; following major security incidents or breaches affecting customer data; and based on feedback from customers, employees, and security assessments.
13.2 Policy Approval and Communication. Policy updates require: approval by Company's senior management and legal counsel; thirty (30) days' advance notice to customers for material changes affecting their rights; updated training for all personnel handling Customer Personal Information; and documentation of policy changes for compliance and audit purposes.
13.3 Compliance Monitoring. Company shall monitor compliance with this Policy through: quarterly internal security assessments and audits; annual third-party security evaluations and penetration testing; regular review of employee access controls and data handling practices; and customer feedback collection regarding data protection and security concerns.
14.1 Customer Security Concerns. Customers may report security concerns or incidents by contacting: email: security@quey.me for non-emergency security.
14.2 Customer Privacy Questions. Privacy-related questions and requests may be directed to: email: privacy@quey.me for general privacy inquiries.
14.3 Emergency Security Incidents. For emergency security situations requiring immediate attention: call 911; report incidents to local law enforcement if criminal activity is suspected; and email urgent security matters to emergency-security@quey.me for immediate response.