OSQ International Inc.Validated OS · AI Advisory Group · The Validated Mind

Privacy Policy

Last updated: July 7, 2026

This Privacy Policy explains how OSQ International Inc. ("OSQ", "we", "us") collects, uses, discloses, and safeguards information across our brands and properties — Validated OS (validatedos.com and the associated advisory application), AI Advisory Group (aiadvisorygroup.com), and The Validated Mind (thevalidatedmind.com) (together, the "Services"). It applies to all of these properties, which are jointly operated by OSQ, and describes the choices you have about your information. This single policy covers all three; where a specific section applies only to the Validated OS application (for example, connected accounts), that is noted.

Validated OS is a business-to-business advisory tool used by advisors and their client organizations. Much of the information in the platform is client data supplied by advisors about the organizations and people they work with. Where an advisor or their firm is the party that decides how that data is used, they act as the data controller and we act as their service provider / processor; we handle that data on their instructions and under our agreement with them.

1. Information we collect

We collect the following categories of information:

  • Account & profile information. Name, email address, role, password (managed and hashed by our authentication provider), multi-factor authentication settings, and an optional profile photo.
  • Client & organization records. Information advisors enter about the organizations and people they serve — contacts, roles, engagements, decisions, notes, tasks, meetings, and related activity.
  • Assessment data. Results of decision and personality assessments (for example VALID™, EJI, DI360, Big Five), and voluntary demographic fields used for research benchmarking. Providing demographic information is optional.
  • Billing information. Subscription and payment details are processed by our payment provider (Stripe). We do not store full payment card numbers on our systems.
  • Connected-account data. If you connect a third-party account (such as Google Calendar), we access and store data from that account as described in the "Google user data" section below.
  • Usage, device, and log data. IP address, browser and device type, pages viewed, and actions taken, collected to operate, secure, and improve the Service.
  • Cookies. We use strictly necessary cookies for authentication and security, and (on our public marketing pages) optional analytics cookies subject to your consent.

2. How we use information

  • To provide, maintain, and secure the Service and your account.
  • To sync and display data you have asked us to connect (e.g. meetings from a connected calendar).
  • To process payments, manage subscriptions, and administer assessment credits.
  • To generate reports, insights, and analytics for advisors about their clients and engagements.
  • To improve the platform and, in de-identified or aggregated form, to advance research behind our assessments.
  • To communicate with you about your account, security, and service updates.
  • To comply with legal obligations and enforce our terms.

We do not sell personal information, and we do not use the content of connected accounts for advertising.

3. Google user data (connected Google accounts)

If you connect a Google account (for example, to sync your calendar), our use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements.

  • What we access. With your explicit consent, read-only access to your Google Calendar events (scope calendar.readonly) and your Google account email address (to label the connection).
  • How we use it. Only to identify meetings involving the people already in your workspace and record those meetings on the corresponding client files. We match meeting attendees to existing contacts by email; we do not create new contacts from your calendar, and we do not read the calendars of anyone other than the connecting user.
  • How we store it. OAuth access and refresh tokens are encrypted at rest. Synced meeting details (title, time, description, and matched attendee) are stored on the relevant client's activity timeline within your workspace.
  • How we share it. We do not sell Google user data, do not use it for advertising, and do not share it with third parties except the infrastructure subprocessors needed to run the Service (hosting and database), and only as necessary to provide the calendar-sync feature you enabled. We do not use Google user data to train generalized artificial-intelligence or machine-learning models.
  • Your control. You can disconnect at any time from Profile → Connections, which stops future syncing and deletes the stored tokens; you can also revoke access from your Google account permissions.

4. How we share information

We share information only as follows:

  • Within your workspace. Data is visible to authorized users of the advisor firm or organization it belongs to, according to their roles and permissions.
  • Service providers (subprocessors). Vetted vendors that host and operate the platform on our behalf — including cloud hosting and database (Supabase, Vercel), payments (Stripe), transactional email (Resend), and AI features (Anthropic). These providers may process data only to perform services for us and are bound by confidentiality and data-protection obligations.
  • Legal & safety. When required by law, legal process, or to protect the rights, property, or safety of our users, the public, or us.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

5. Data retention

We retain personal information for as long as your account is active or as needed to provide the Service, and thereafter as required to comply with legal obligations, resolve disputes, and enforce agreements. Advisors can delete client records they control; generated report files are purged automatically within 24 hours of creation. On account closure we delete or de-identify personal data within a reasonable period, except where retention is legally required.

6. Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit, encryption of sensitive secrets (such as OAuth tokens) at rest, role-based access controls, audit logging of key actions, and support for multi-factor authentication. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

7. Your rights & choices

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to certain processing or withdraw consent. Residents of the EEA/UK (under the GDPR) and of California (under the CCPA/CPRA) have specific rights, including — for California — the right not to be discriminated against for exercising them. We do not sell or "share" personal information as those terms are defined under California law.

Where we process data on behalf of an advisor or organization (as their processor), please direct rights requests to that party; we will assist them in responding. Otherwise, contact us using the details below.

8. International data transfers

We operate in the United States and may process and store information there and in other countries where our service providers operate. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for cross-border transfers.

9. Children

The Service is intended for business use by adults and is not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, contact us and we will delete it.

10. Changes to this Policy

We may update this Policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by additional notice. Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.

11. Contact us

Questions, requests, or complaints about this Policy or your data can be sent to privacy@aiadvisorygroup.com or via aiadvisorygroup.com/connect.