Privacy Policy
Last Updated: May 28, 2026
1. Data Controller Identity
Qubitz AI is a solution created by Cloud202 ("we", "us", or "our"), which is the data controller of your personal data under the General Data Protection Regulation (GDPR) and UK GDPR.
Controller Contact Details:
- Company: Cloud202
- Email: hello@qubitz.ai
2. Data Protection Officer (DPO)
For all data protection inquiries, rights requests (access, deletion, rectification), opt-out preferences, complaints, or concerns regarding the processing of your personal data, you can contact our Data Protection Officer:
๐ง Contact Our Data Protection Officer
Response Time:
We will respond to your inquiry within 5 business days
What You Can Contact Us About:
- Exercise your GDPR rights (access, deletion, rectification, restriction, portability, objection)
- Questions about how we process your personal data
- Withdraw marketing consent or update opt-out preferences
- Report a data protection concern or file a complaint
- Request a copy of our Data Processing Agreement (DPA)
- Security or privacy questions
We have adopted this Privacy Policy, which determines how we are processing the information collected through Qubitz AI, which also provides the reasons why we must collect certain personal data about you. Therefore, you must read this Privacy Policy before using Qubitz AI.
We take care of your personal data and undertake to guarantee its confidentiality and security.
3. Personal Information We Collect
When you visit Qubitz AI, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the installed cookies on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products you view, what websites or search terms referred you to the Site, and how you interact with the Site. We refer to this automatically-collected information as "Device Information". Moreover, we might collect the personal data you provide to us (including but not limited to Name, Surname, Address, payment information, etc.) during registration to be able to fulfill the agreement.
3A. Data Minimisation - User Attributes (GDPR Article 5(1)(c))
We strictly adhere to the GDPR principle of data minimisation, which requires that personal data shall be "adequate, relevant and limited to what is necessary" in relation to the purposes for which it is processed.
As a B2B AI security platform, we collect only the personal data attributes that are strictly necessary for account management, service delivery, and compliance. Below is our comprehensive justification for each user attribute we collect:
| User Attribute | Purpose | Necessity Justification | Usage in System |
|---|---|---|---|
| custom:country | User's country of residence | Necessary for:
| - Data region selection - Compliance rule enforcement - UI localization - Regional pricing |
| custom:role | User's job role (e.g., CISO, Security Engineer, Developer) | Necessary for:
| - Permission checks - UI customization - Feature access control - Analytics segmentation |
| custom:role_v2 | User's job role (new normalized schema) | Migration in progress: Standardized role taxonomy with enum values instead of free text. Replaces custom:role (v1).Why both exist: Gradual migration to prevent service disruption. Legacy custom:role will be removed by Q4 2026 once all users migrated. | - Same as custom:role - Structured values (enum) - Better data quality |
| custom:company | User's company name | Necessary for:
| - Invoice generation - Data segregation queries - Team features - Account management |
| custom:company_v2 | User's company (normalized identifier) | Migration in progress: Normalized company identifiers (UUID) to prevent duplicates from typos/variations. Replaces custom:company (v1).Why both exist: Gradual migration to prevent billing/invoicing disruption. Legacy custom:company will be removed by Q4 2026. | - Same as custom:company - UUID-based lookup - Prevents duplicates |
โ What We DO NOT Collect (Data Minimisation Confirmation):
In accordance with GDPR Article 5(1)(c), we deliberately do not collect the following personal data, as it is not necessary for our B2B AI security platform:
- โ Date of birth or age
- โ Home address (country is sufficient for regional compliance)
- โ Gender or marital status
- โ Ethnicity, race, or religion
- โ Political opinions or trade union membership
- โ Health or biometric data
- โ Criminal convictions or offenses
- โ Social media profiles (LinkedIn, Twitter, etc.)
- โ Profile photos or images
- โ Education level or certifications
- โ Personal phone number (only collected if user voluntarily provides for MFA)
- โ Personal interests, hobbies, or preferences unrelated to service
Necessity Review and Audit:
Our Data Protection Officer reviews the necessity of all collected personal data attributes annually to ensure continued compliance with data minimisation principles. If any attribute becomes unnecessary, it will be removed from collection and existing data will be deleted.
Last Review: May 28, 2026
Next Review: May 28, 2027
Reviewed By: Data Protection Officer
4. Purposes and Lawful Basis for Processing
We process your personal data for specific purposes and based on lawful grounds under GDPR Article 6. Below is a comprehensive list of all processing activities, the data involved, and the legal basis for each:
| Processing Activity | Personal Data Processed | Lawful Basis (GDPR Art. 6) | Explanation |
|---|---|---|---|
| Account creation and management | Name, email address, password (hashed), phone number, company name, role | Contract performance (Art. 6(1)(b)) | Necessary to create your account and provide access to our services |
| Service delivery (pentesting, compliance, architecture analysis) | Application configurations, pentest results, security scan data, architecture diagrams | Contract performance (Art. 6(1)(b)) | Processing is necessary to deliver the security assessment services you requested |
| Payment processing and billing | Billing contact information, payment card data (tokenized via Stripe), transaction history, invoices | Contract performance (Art. 6(1)(b)) | Necessary to process payments for the services you purchase |
| Customer support and communication | Email, name, support tickets, correspondence | Contract performance (Art. 6(1)(b)) | Necessary to respond to your inquiries and provide customer support |
| Security monitoring and fraud prevention | IP addresses, device information, login attempts, session data, access logs | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in protecting our systems and preventing unauthorized access or fraud |
| Website analytics and service improvements | Device information, browser type, IP address, pages visited, usage patterns | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in understanding how users interact with our service to improve it |
| Compliance and audit logs | Access logs, API calls, system events, transaction records | Legal obligation (Art. 6(1)(c)) | Required by GDPR, ePrivacy Directive, and other data protection regulations to maintain audit trails |
| Tax and accounting records | Invoices, payment records, billing information | Legal obligation (Art. 6(1)(c)) | Required by UK tax law and financial regulations to retain records for 7 years |
| Product recommendations and personalization | Usage history, service preferences, behavioral patterns | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in providing relevant service recommendations. You can opt out via /api/me/opt-out |
| Legal claims and dispute resolution | Any personal data relevant to legal proceedings | Legitimate interests (Art. 6(1)(f)) | We have a legitimate interest in establishing, exercising, or defending legal claims |
Understanding Your Rights Based on Lawful Basis:
- Consent (Art. 6(1)(a)): You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal
- Contract (Art. 6(1)(b)): Processing is necessary to provide the service; you cannot object, but you can request deletion after contract ends
- Legal Obligation (Art. 6(1)(c)): We must retain this data by law; deletion requests may be denied or delayed
- Legitimate Interests (Art. 6(1)(f)): You have the right to object to processing based on our legitimate interests (Art. 21)
๐ง Marketing Communications - Current Status:
We do not currently send marketing communications, newsletters, or promotional emails. All emails you receive from us are transactional (account notifications, service updates, security alerts) and are sent based on Contract performance (Art. 6(1)(b)) or Legal obligation (Art. 6(1)(c)).
If we introduce marketing communications in the future, we will obtain your explicit consent (Art. 6(1)(a)) before sending any marketing emails. You will be able to opt in via a clear checkbox during signup or in your account settings, and withdraw consent at any time.
Our top priority is customer data security, and, as such, we may process only minimal user data, only as much as it is absolutely necessary to maintain the website. Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding website usage. This statistical information is not otherwise aggregated in such a way that it would identify any particular user of the system.
You can visit the website without telling us who you are or revealing any information, by which someone could identify you as a specific, identifiable individual. If, however, you wish to use some of the website's features, or you wish to receive our newsletter or provide other details by filling a form, you may provide personal data to us, such as your email, first name, last name, city of residence, organization, telephone number. You can choose not to provide us with your personal data, but then you may not be able to take advantage of some of the website's features. For example, you won't be able to receive our Newsletter or contact us directly from the website. Users who are uncertain about what information is mandatory are welcome to contact us via hello@qubitz.ai.
5. Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with GDPR Article 5(1)(e) (storage limitation principle). Below are specific retention periods for each data category:
| Data Category | Retention Period | Reason for Retention | Deletion Method |
|---|---|---|---|
| Account information (name, email, profile) | Active account + 30 days after deletion request | Contract performance; 30-day grace period for accidental deletions | Permanent deletion from DynamoDB and backups |
| Session data (cookies, tokens) | 30 days from last activity | Security monitoring, fraud prevention | Automatic expiration and deletion |
| Pentest reports and security scan results | 2 years after test completion date | Customer needs for historical comparison and compliance reporting | Permanent deletion from S3 and DynamoDB |
| Architecture diagrams and configurations | Duration of active service + 90 days | Service delivery; backup for dispute resolution | Permanent deletion from storage |
| Audit logs and access records | 7 years | Legal obligation (GDPR Art. 30, ePrivacy Directive, UK data protection law) | Anonymization after 7 years (removing identifiers) |
| Payment records and invoices | 7 years from transaction date | Legal obligation (UK tax law, financial regulations) | Secure deletion after 7 years |
| Chat conversations and messages (AI discovery, use cases, research) | 90 days from creation date | Service functionality (chat history context); data minimisation after 90 days | Automatic deletion via DynamoDB TTL (Time-To-Live) |
| Marketplace pending registrations | 90 days from creation date | AWS Marketplace signup flow; abandoned registrations cleaned up | Automatic deletion via DynamoDB TTL |
| Support tickets and correspondence | 3 years from ticket closure | Quality assurance, dispute resolution, service improvement | Permanent deletion after 3 years |
| Security incident logs | 2 years from incident date | Security improvement, pattern analysis, breach notification compliance | Anonymization after 2 years |
| Backup copies (all data) | 90 days rolling retention | Business continuity, disaster recovery | Automatic expiration; backups older than 90 days are permanently deleted |
Important Notes on Data Retention:
- Right to erasure: You can request earlier deletion by exercising your right to erasure (see section 8 below), except where retention is required by law (audit logs, tax records)
- Backup deletion: Data deleted from active systems remains in backups for up to 90 days before permanent removal
- Anonymization vs. deletion: Some data (audit logs, security logs) is anonymized rather than deleted to preserve statistical insights while removing personal identifiers
- Automatic deletion: All retention periods are enforced automatically; no manual intervention required
6. Recipients and Sub-processors
To provide our services, we share your personal data with trusted third-party service providers (sub-processors) who process data on our behalf:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting & infrastructure | EU (primary), US | Standard Contractual Clauses (SCCs) |
| Anthropic (Claude AI / Amazon Bedrock) | AI model processing | US | AWS Bedrock Data Processing Agreement |
| Amazon Cognito | Authentication & user management | EU (primary), US | Standard Contractual Clauses (SCCs) |
| GitHub | Code repository hosting (if applicable) | US | Standard Contractual Clauses (SCCs) |
All sub-processors are carefully selected and bound by data processing agreements that ensure they handle your data securely and in compliance with GDPR.
7. International Data Transfers
Your personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA) and United Kingdom, including the United States. These transfers are protected by appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all non-EEA processors (AWS, Anthropic, GitHub)
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission recognizing certain countries as providing adequate data protection
- Technical Safeguards: All data in transit is encrypted using TLS 1.3, and data at rest is encrypted using AES-256
Additionally, if you are a European resident, we note that we are processing your information in order to fulfill contracts we might have with you (for example, if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above.
8. Your Rights
If you are a European resident, you have the following rights related to your personal data:
- The right to be informed โ about how your data is being processed (this policy)
- The right of access โ to request a copy of all personal data we hold about you (available via
/api/me/data-exportendpoint) - The right to rectification โ to correct inaccurate or incomplete data
- The right to erasure ("right to be forgotten") โ to request deletion of your data
- The right to restrict processing โ to limit how we use your data
- The right to data portability โ to receive your data in a machine-readable format
- The right to object โ to object to processing based on legitimate interests or direct marketing
- Rights in relation to automated decision-making and profiling โ to not be subject to decisions based solely on automated processing
How to Exercise Your Rights: To exercise any of these rights, please contact us at hello@qubitz.ai or hello@qubitz.ai. We will respond to your request within 30 days.
9. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with data protection law, you have the right to lodge a complaint with a supervisory authority:
UK Information Commissioner's Office (ICO):
- Website: https://ico.org.uk/make-a-complaint/
- Phone: +44 303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
If you are located in the EU/EEA, you can also contact your local data protection authority. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.
10. Automated Decision-Making
We may use AI-powered features (via Amazon Bedrock and Claude AI) to assist with application generation, code suggestions, and content recommendations. These automated processes are used to enhance your experience but do not make decisions that produce legal effects or similarly significantly affect you without human oversight.
You have the right to request human review of any automated decision, express your point of view, and contest the decision. To exercise this right, please contact us at hello@qubitz.ai.
11. Information Security
We secure information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. We implement industry-standard security measures including:
- Encryption: All data in transit is encrypted using TLS 1.3; data at rest is encrypted using AES-256
- Access Controls: Role-based access controls (RBAC) limit data access to authorized personnel only
- Authentication: Multi-factor authentication (MFA) for administrative access
- Monitoring: Continuous security monitoring and logging of access to personal data
- Incident Response: Documented procedures for detecting, responding to, and notifying about data breaches
- Regular Audits: Periodic security assessments and penetration testing
However, no data transmission over the Internet or wireless network can be guaranteed to be 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and 34.
13. Links to Other Websites
Our website may contain links to other websites that are not owned or controlled by us. Please be aware that we are not responsible for such other websites or third parties' privacy practices. We encourage you to be aware when you leave our website and read the privacy statements of each website that may collect personal information.
14. Legal Disclosure
We will disclose any information we collect, use or receive if required or permitted by law, such as to comply with a subpoena or similar legal process, and when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Such disclosures are made in accordance with GDPR Article 6(1)(c) (legal obligation) or Article 6(1)(f) (legitimate interests).
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by:
- Updating the "Last Updated" date at the top of this policy
- Sending an email notification to registered users (for significant changes)
- Displaying a prominent notice on our website
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
16. Contact Information
If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may contact us:
Email:
For data protection or privacy rights requests, please mark your email "FAO: Data Protection Officer"
This Privacy Policy is compliant with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR as incorporated into UK law under the Data Protection Act 2018.