Privacy Policy

The controller of the QualityOS platform and processor of your personal data is:

Data-protection contact: legal@qualityos.app. Full company details in the Imprint →

• Identification data: name, email, language, QA role. Purpose: creating and managing your account. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• Organisation data: company name, customers (OEMs), certifications, product segment, QA team size. Purpose: personalising the AI assistant. Legal basis: performance of a contract.
• Knowledge Base content: documents you upload (control plan, PFMEA, 8D reports, escalation matrices). Purpose: contextual personalisation of AI answers. Legal basis: performance of a contract. Multi-tenant isolation via Row Level Security guarantees other companies cannot see your documents.
• AI conversations (cases + messages): your chat content with the QOS assistant. Purpose: work history, lessons learned. Legal basis: performance of a contract.
• Payment data: Stripe processes all payments. We store only: customer ID, subscription ID, plan, status. We never store card numbers or CVV. Legal basis: performance of a contract.
• Audit log: a hash of the prompt (NOT the text itself), time, plan, rate-limit status, organisation ID. Purpose: security, abuse prevention, IATF 16949 compliance for B2B customers. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
• Feedback messages: what you send us via the “Write to us” widget. Purpose: support and product improvement. Legal basis: legitimate interest.
• Technical data: IP address, user agent — only for abuse prevention and incident tracking. Legal basis: legitimate interest.

We use the following processors under Art. 28 GDPR. All are GDPR-compliant and host in the EU or have a DPA signed with the EU Standard Contractual Clauses.

We send your conversations to Anthropic only to serve a specific AI request. Anthropic does not use your data to train models (contractually confirmed via the Anthropic Commercial Terms).

Each company sees only its own data. This is enforced at the database level via Row Level Security (RLS) policies in Postgres. No other QualityOS customer — including your company’s competitors — can access your data.

• Active accounts: for the duration of the subscription + 90 days after cancellation (for possible restoration).
• Knowledge Base documents: until you actively delete them, or within 30 days of an account-deletion request.
• Audit log: 24 months (for audit and security requirements).
• Feedback messages: 24 months (for triage and support continuity).
• Invoices and tax documents: 10 years per Slovak Act No. 431/2002 Coll. on accounting.

• Right of access (Art. 15) — get a copy of all your data. Available via Settings → Download my data.
• Right to rectification (Art. 16) — correct inaccurate data in profile Settings.
• Right to erasure / “to be forgotten” (Art. 17) — delete your account and all data via Settings → Delete my account. Carried out within 30 days.
• Right to portability (Art. 20) — export your data in JSON via Settings.
• Right to object (Art. 21) — to processing based on legitimate interest. Email legal@qualityos.app.
• Right to restrict processing (Art. 18) — while an objection is being reviewed.
• Right not to be subject to automated decision-making (Art. 22) — the AI assistant performs supporting decision-making; final decisions are yours. No automated assessments with legal effects.

To exercise any right, email legal@qualityos.app. We respond within 30 days (max. 60 days in complex cases).

Essential (functional) cookies needed to run the app:

• Supabase auth session — keeps you logged in (HttpOnly, Secure).
• qos_demo_count — demo-message counter on the landing page (HttpOnly, 24h expiry).
• qos_tutorial_seen (localStorage) — remembers you’ve seen the welcome tutorial.

Beyond essential cookies we use Google Analytics 4 (analytics cookies, e.g. _ga) to understand traffic and improve the site. It runs via Google Consent Mode: before your consent it operates in a cookieless mode — no analytics cookies (_ga) or identifiers are set. Full measurement including cookies turns on only after you consent (“Accept all”), and you can change or withdraw it any time through the “Cookie settings” link in the footer. We anonymise the IP address. We do not use other marketing trackers (e.g. Facebook Pixel).

• HTTPS only (HSTS preload, 2-year max-age).
• Content Security Policy against XSS attacks.
• Row Level Security for multi-tenant isolation.
• Encryption at rest (Supabase Postgres + Storage).
• Regular security audits and chaos-engineering tests.
• Audit log of all plan changes, document deletions, GDPR requests.

Report a security incident to security@qualityos.app. Responsible disclosure welcome.

If you believe your GDPR rights have been infringed, you have the right to lodge a complaint with the supervisory authority:

We may update this policy when we change processes or add a new sub-processor. We will notify you of material changes by email 30 days in advance. Version 1.0 — 14 May 2026.