Privacy Policy

Effective Date: 28.02.2026

Last Updated: 28.02.2026

This Privacy Policy explains how quietQ s.p., doing business as quietQ ("quietQ", "we", "us", "our"), processes personal data when providing the quietQ platform.

1. Scope

This Privacy Policy applies to personal data processed through quietQ web applications, APIs, and related services, including support interactions (for example email support, bug reports, and diagnostic materials submitted to us). It does not apply to third-party services that you access independently from quietQ. quietQ is intended for business use only and is not offered to consumers as defined under EU consumer protection law.

2. Controller and Contact

Data Controller: quietQ s.p., Partizanska ulica 10, 1410 Zagorje ob Savi, Slovenia. For privacy requests and data-protection inquiries, contact hello@quietq.com. quietQ has not currently appointed a Data Protection Officer (DPO) because this is not legally required for our current scope; if this changes, we will publish updated DPO contact details in this policy. quietQ generally acts as controller for account-level and service-operation data, and as processor for workspace-level data processed on behalf of business customers acting as controllers.

3. Categories of Data We Process

Depending on how you use quietQ, we may process:

  • Identity and account data: first name, last name, email, profile title, avatar URL, organization slug, role, account status.
  • Workspace and collaboration data: organization and space memberships, invitations, roles, questions, comments, assignments, tags, accepted-answer metadata, and archival events.
  • Consent and compliance data: consent type/version, acceptance timestamp, and available technical context (for example, IP and user-agent).
  • Security and authentication data: refresh-token sessions, login-attempt metadata, magic-link tokens, audit events, and related technical signals.
  • Notification and preference data: notification settings, reminder settings, theme, date and time formatting preferences, and idle-timeout preferences.
  • Technical metadata: IP address, user-agent, timestamps, and event metadata used for security, reliability, and diagnostics.
  • Support data: correspondence, support tickets, screenshots, attached files, and logs voluntarily shared with support.
  • Device and environment metadata: operating system, locale, time zone, and screen or viewport characteristics used for compatibility, accessibility, diagnostics, and UX improvements.
  • Billing and transaction data (for paid plans): billing contact name, legal entity name, billing address, VAT/tax identifiers, invoice references, and payment status metadata. quietQ does not store full payment-card numbers.

quietQ does not intentionally require or seek special categories of personal data as defined in GDPR Article 9 for normal operation of the Service.

4. Why We Process Personal Data

We process personal data for the following purposes:

  • to register accounts and authenticate users;
  • to provide organization/workspace collaboration features;
  • to store, retrieve, and structure questions and accepted answers;
  • to manage invitations, memberships, roles, and access controls;
  • to send notifications and due-date reminders;
  • to provide customer support and service communications;
  • to monitor and improve service performance, reliability, and security;
  • to prevent abuse, unauthorized access, and fraud;
  • to comply with legal obligations and enforce contractual rights.

5. Legal Bases (EEA/UK)

Where applicable under GDPR or equivalent laws, we process personal data under one or more of these legal bases: performance of a contract, legitimate interests, legal obligation, and consent (including recorded acceptance of legal terms where required). Legitimate interests may include product and service improvements, platform security, abuse prevention, limited operational analytics that do not rely on non-essential cookies, and ensuring reliable operation of the Service. Contractual necessity generally applies to account access, collaboration, and core product delivery; legitimate interests generally apply to security logs, diagnostics, abuse prevention, and service reliability controls.

6. Processors, Hosting, and International Transfers

quietQ uses the following infrastructure providers:

  • Neon for PostgreSQL database hosting;
  • Render for API/server hosting;
  • Vercel for web-application hosting and delivery.

Personal data may be processed in jurisdictions where these providers operate. Where required, we rely on contractual and organizational safeguards for cross-border transfers, including Standard Contractual Clauses (SCCs) or equivalent legal mechanisms. Our list of processors may change from time to time; we will provide notice of material changes by reasonable means. A current subprocessor list is available as a separate document upon request at hello@quietq.com.

7. Data Retention

We retain personal data only for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention ranges are:

  • account and workspace data: for the lifetime of the account, followed by the deletion workflow;
  • audit logs: typically 12 to 24 months;
  • security/authentication logs: typically 6 to 24 months;
  • support correspondence and attachments: typically up to 24 months;
  • notification and preference settings: for account lifetime unless deleted earlier;
  • backup copies: typically 30 to 90 days, overwritten on rotation;
  • consent records: up to 5 years where needed for compliance and legal defense.

Specific retention may differ where law, contractual obligations, incident response, or legitimate legal claims require longer storage.

8. Security Measures

We apply technical and organizational controls to protect personal data, including access controls, role-based authorization, logging and monitoring, token/session management, and reasonable safeguards appropriate to the nature of the processed data. Data is protected in transit using TLS encryption, and at rest using infrastructure-level encryption provided by hosting and database providers (including Neon and other platform controls where applicable). quietQ also performs periodic internal access reviews for production systems.

9. Your Privacy Rights

Depending on applicable law, you may have rights to:

  • access your personal data;
  • correct inaccurate personal data;
  • delete personal data (subject to legal exceptions);
  • restrict or object to certain processing;
  • receive a portable copy of your data where applicable;
  • withdraw consent where processing is consent-based;
  • receive information about automated decision-making where applicable. quietQ does not currently use solely automated decision-making that produces legal or similarly significant effects on individuals and does not perform profiling in the sense of GDPR Article 22.

To exercise rights, contact hello@quietq.com. We may request verification before fulfilling requests and will respond within one (1) month, with extensions permitted by law (up to two additional months for complex requests). Verification may include matching account email, organization-admin confirmation, or other proportionate identity checks. You also have the right to lodge a complaint with a supervisory authority (see Section 13).

10. Cookies and Similar Technologies

quietQ may use essential technical mechanisms required for authentication, session continuity, and security. If non-essential cookies or analytics are introduced, we will provide additional notice and controls where required by law. quietQ does not currently use non-essential analytics cookies or tracking pixels in emails. If quietQ introduces analytics or marketing cookies in the future, users will be presented with a consent banner designed to comply with GDPR and ePrivacy requirements.

11. Children’s Data

The Service is not intended for children under 16 years of age (or a higher age threshold where required by local law). If we learn that personal data has been provided in violation of this policy, we will take appropriate action, including deletion where legally required.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated by in-app notice, email, or other reasonable methods. Continued use of the Service after the effective date of the revised policy constitutes acknowledgment of the updated policy.

13. Complaints

If you believe your rights have been violated, contact us first so we can address your concern. You may also lodge a complaint with your local data-protection authority where applicable, including the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec), where relevant.

14. DPA and Customer Roles

For business customers, quietQ may process personal data as a processor on behalf of the customer acting as controller. In such cases, data processing terms are governed by a separate Data Processing Agreement (DPA), which supplements this policy. quietQ's standard DPA template is available upon request at hello@quietq.com.

15. Backup, Disaster Recovery, and Account Closure

quietQ maintains periodic backups and disaster-recovery procedures to support service resilience. Backups are retained for limited periods and used only for recovery, continuity, and security operations. After account closure, production data is deleted within a reasonable operational period, while residual backup copies are removed on backup rotation cycles.

16. Security Incidents and Notification

quietQ maintains incident-response procedures for security events. Where required by law, we will notify competent supervisory authorities and affected customers/users of personal data breaches without undue delay, including within the timelines of GDPR Articles 33 and 34 where applicable.