Privacy Policy

Last updated: April 2026

Template notice. This document describes our good-faith data practices and is modelled on GDPR principles. It should be reviewed by qualified privacy counsel before being relied upon for formal compliance certification.

1. Who is the data controller?

For data you submit on the platform (articles, prompts, settings), you — the client organization — are the data controller and we act as your data processor under the Data Processing Agreement available at /legal/dpa. For account data (email, login history, billing contact), we act as the data controller.

2. What we collect

Account & identity. Email, display name, role on each client workspace, login timestamps, password hash (never the plaintext password), 2FA secrets.

Usage telemetry. Pages visited, actions taken, feature flags, error reports (via Sentry, with secrets scrubbed before transmission), anonymized product analytics (via PostHog where enabled).

Content. Articles, keywords, persona settings, pSEO templates, connected CMS configuration, generated HTML, quality reports.

Credentials you entrust us with. API keys for third-party AI providers (Anthropic, OpenAI, Gemini, Pinecone, DataForSEO, Placid), CMS access tokens (Webflow, WordPress, webhooks). These are encrypted at rest with AES-256-GCM using a key derived via scrypt, and only decrypted in-memory at the moment they are needed to serve a job. They are never returned to the browser, never logged, and scrubbed from error reports via lib/sentry-scrub.ts.

We do not collect. Payment information (billed out of band), real names beyond what you voluntarily provide, biometric data, government IDs.

3. Why we collect it (legal bases)

  • Performance of contract (Art. 6(1)(b) GDPR) — to deliver the Services you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — to secure the platform, prevent fraud, and improve reliability through error reporting and anonymized analytics.
  • Legal obligation (Art. 6(1)(c)) — to respond to valid legal requests and preserve records where required.
  • Consent (Art. 6(1)(a)) — where you explicitly opt in, such as marketing emails or session replay.

4. Sub-processors

We host infrastructure on a small number of trusted sub-processors. The current list is published in our Data Processing Agreement at /legal/dpa and includes at a minimum: Supabase (database + auth), Vercel (hosting), Trigger.dev (background jobs), Upstash (rate limiting), Resend (transactional email), and Sentry (error reporting). We notify client administrators at least 30 days in advance of any new sub-processor being added.

5. Data residency

Primary database storage is located in the region chosen at onboarding (EU or US). Some sub-processors, notably AI providers, may process request payloads in a different region for the duration of a single request. Where your AI provider supports regional endpoints, configure the endpoint URL on your client workspace to keep inference in your preferred region.

6. Data retention

  • Active articles and settings are retained for the lifetime of your client workspace plus 30 days after termination.
  • Audit logs are retained for 12 months.
  • Error reports (Sentry) are retained for 90 days.
  • Backups are retained via Supabase Point-in-Time Recovery for up to 7 days (14 days on higher tiers).
  • On client deletion, data is hard-deleted within 30 days, including all rows in articles, client_config, client_secrets, client_personas, client_prompts, client_integrations, client_invitations, and the associated audit trail.

7. Your rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar protections, you have the right to:

  • Access (Art. 15) — request a copy of the personal data we hold about you. Use the “Export all data” button in Settings → Data, or email us.
  • Rectification (Art. 16) — correct inaccurate data.
  • Erasure (Art. 17) — request hard deletion of your account and all associated data. Use the “Delete account” button in Settings → Data.
  • Restriction (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON export).
  • Objection (Art. 21) — object to processing based on legitimate interest.
  • Lodge a complaint — with your local data protection authority.

To exercise any of these rights, email privacy@qace.app. We respond within 30 days.

8. Security

We protect your data with transport encryption (TLS 1.2+), at-rest encryption (AES-256-GCM for secrets, managed disk encryption for databases), row-level security policies on every multi-tenant table, service-role access scoped to backend processes only, rate limiting on authentication endpoints, optional 2FA for administrator accounts, an audited secret rotation procedure, and point-in-time recovery backups. Incidents affecting personal data are notified to client administrators within 72 hours of confirmation, consistent with Art. 33 GDPR.

9. Cookies

See our Cookie Policy for the exhaustive list of cookies we set and how to control them.

10. Contact

Data Protection inquiries: privacy@qace.app.
General support: hello@qace.app.