Quash.ai ("Quash", "we", "us", or "our") is a Miami‑based fintech company that provides AI‑driven credit risk evaluation and financial inclusion services to institutional customers such as banks, finance companies, micro‑finance institutions, and retailers (collectively, "Customers"). We process data on behalf of our Customers to help them assess credit risk and make data‑driven lending decisions.
This Privacy Policy describes how we handle personal data in connection with our websites (including quash.ai), our web‑based applications, and our APIs provided to Customers. For most services, Quash acts as a data processor on behalf of its institutional Customers, who act as data controllers and remain responsible for providing appropriate privacy notices to end‑users and applicants.
Depending on how our services are used, we may process the following categories of personal data on behalf of Customers:
• Identification and contact data (e.g., name, ID numbers, contact details) included in loan or credit applications.
• Financial and credit‑related data (e.g., historical repayment behaviour, loan performance, credit bureau information) provided by Customers or their data providers.
• Alternative / digital footprint data derived from email and phone usage, where enabled by the Customer and subject to applicable law and consent mechanisms.
• Technical and usage data related to access and use of our applications and APIs (e.g., IP address, logs, device/browser information) for security and operational purposes.
We also process limited business contact data (e.g., work email, name, role) of Customer personnel who access our platforms.
We use personal data, primarily as a processor on behalf of Customers, to:
• Ingest, store, transform, and enrich data for credit risk modelling and analytics.
• Train, test, validate, and operate AI models and decisioning flows that provide credit risk scores and related outputs to Customers.
• Provide and operate our APIs and web‑based applications through which Customers submit data and retrieve scores or decisions.
• Maintain and improve the security, availability, and performance of our platforms (including logging, monitoring, incident detection, and fraud prevention).
• Comply with legal, regulatory, and contractual obligations applicable to Quash and its Customers in the jurisdictions where they operate.
Where we act as a controller (for example, for our own website analytics, sales, and marketing), we use data to operate and improve our business, respond to inquiries, and communicate with prospective and existing Customers.
When providing our services, Quash processes personal data on behalf of its institutional Customers in order to enable credit risk evaluation and related analytics. This processing ("data processing" or "processing of personal data") includes, as applicable: collection, receipt, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, combination, restriction, erasure, and deletion of personal data, as instructed by the relevant Customer.
As a general rule, Quash acts as a data processor / service provider and our Customers act as data controllers (or equivalent concepts under applicable law). Customers are responsible for providing appropriate privacy notices to data subjects (such as applicants and borrowers), obtaining any required consents, and determining the lawful bases and purposes for which personal data is processed. Quash processes personal data only:
• For the purposes described in this Privacy Policy and in the applicable agreement with the Customer.
• In accordance with the documented instructions of the Customer, except where otherwise required by applicable law.
Where Quash acts as a data controller (for example, for business contact data of Customer personnel, website visitors, or prospects), we process such data for clearly defined purposes such as operating our website, managing customer relationships, providing support, improving our services, and complying with legal obligations. In these cases, we limit processing to what is necessary, apply appropriate safeguards, and respect applicable data protection rights.
Quash is incorporated in the United States and serves primarily institutional Customers in Latin America. When processing personal data from Mexico, Brazil, Chile, Colombia, and other Latin American countries, we support our Customers in meeting applicable data protection requirements, including:
• Mexico: Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP).
• Brazil: Brazilian General Data Protection Law (LGPD).
• Chile: Personal Data Protection Law 21.719.
• Colombia: Statutory Law 1266 of 2008 (financial and credit information).
• Other Latin American jurisdictions: National data protection, consumer protection, and financial regulations applicable where Customers operate.
Customers remain responsible for determining the appropriate legal basis (such as consent, contractual necessity, or legitimate interest) for processing their end‑users' data and for complying with local notification and consent requirements. Quash supports this compliance through appropriate technical and organizational measures as described in this Privacy Policy and in our Data Processing Agreements (DPA).
We use trusted cloud and SaaS providers to host and operate our services, including:
• Cloud infrastructure and data platforms (e.g., AWS, Databricks).
• Productivity and collaboration tools (e.g., Google Workspace, ClickUp).
• Source code repositories and CI/CD tooling (e.g., GitHub).
These providers act as subprocessors and are contractually required to implement appropriate technical and organizational measures to protect personal data. A current list of our subprocessors is available upon request and is updated regularly.
We may also share data with credit bureaus or data providers as instructed by Customers and in line with contractual restrictions. We do not sell personal data to third parties for marketing or commercial purposes.
Customer data may be processed in data centers located outside the country of origin, including in the United States and other jurisdictions, subject to appropriate contractual safeguards. Where required by local data protection laws, we work with Customers to implement data transfer mechanisms (such as Standard Contractual Clauses or other approved mechanisms) and contractual protections consistent with applicable requirements.
Quash maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022, covering:
• Cloud infrastructure and data processing environments (AWS, Databricks).
• Identity and access management, authentication, and authorization controls.
• Encryption of data in transit and at rest.
• Segmentation of data by Customer to ensure isolation.
• Secure development practices, code review, and CI/CD controls.
• Logging, monitoring, and incident detection.
• Incident response and management procedures.
• Vendor and third‑party risk management.
We apply these measures to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. Security measures are regularly reviewed and updated to address evolving threats.
We retain personal data for as long as necessary to provide services under our agreements with Customers or as required by applicable law. Retention periods are defined in collaboration with Customers and may vary by use case and jurisdiction. At the end of the engagement or upon Customer instruction, data is deleted or anonymized in accordance with agreed procedures and applicable legal requirements.
End‑users, applicants, and other data subjects who wish to exercise rights over their personal data (such as access, correction, deletion, objection, portability, or restriction of processing) should generally contact the relevant Customer (e.g., their bank or lender), who acts as the primary data controller.
Quash supports Customers in fulfilling data subject requests by:
• Providing mechanisms to facilitate access requests, deletions, and corrections where technically feasible.
• Assisting Customers in responding to regulatory inquiries or audits related to data subject rights.
• Maintaining documentation of data processing activities and safeguards in support of Customers' compliance obligations.
Where legally required and technically feasible, Quash will respond directly to data subject requests that cannot be adequately addressed through the Customer.
Our websites may contain links to third‑party websites or services. This Privacy Policy applies only to Quash.ai and its services; we are not responsible for the privacy practices of third‑party sites. We encourage you to review their privacy policies before providing any personal information.
Our services are designed for institutional Customers and are not intentionally directed at children or minors. We do not knowingly collect or process personal data of individuals under the age of 18 except as reasonably necessary in the context of credit applications by such individuals to our Customers. If we become aware that we have collected personal data of a minor inappropriately, we will take steps to delete such data promptly.
For questions about this Privacy Policy, our privacy practices, or to exercise data subject rights (for Quash‑controlled data), you can contact us at:
Email: security@quash.ai
Website: https://quash.ai
For data subject requests related to Quash‑processed data on behalf of Customers, please contact the relevant Customer (your bank, lender, or other financial institution).
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other factors. The updated version will be indicated by an updated "last updated" date and will be effective as soon as it is accessible on this page. We encourage you to review this Privacy Policy periodically to stay informed of how we protect your information.
