Privacy Policy

Last Updated: May 28, 2026

1. Data Controller Identity

Qubitz AI is a solution created by Cloud202 ("we", "us", or "our"), which is the data controller of your personal data under the General Data Protection Regulation (GDPR) and UK GDPR.

Controller Contact Details:

2. Data Protection Officer (DPO)

For all data protection inquiries, rights requests (access, deletion, rectification), opt-out preferences, complaints, or concerns regarding the processing of your personal data, you can contact our Data Protection Officer:

๐Ÿ“ง Contact Our Data Protection Officer

Email:

hello@qubitz.ai

Subject line: "FAO: Data Protection Officer"

Response Time:

We will respond to your inquiry within 5 business days

What You Can Contact Us About:

  • Exercise your GDPR rights (access, deletion, rectification, restriction, portability, objection)
  • Questions about how we process your personal data
  • Withdraw marketing consent or update opt-out preferences
  • Report a data protection concern or file a complaint
  • Request a copy of our Data Processing Agreement (DPA)
  • Security or privacy questions

We have adopted this Privacy Policy, which determines how we are processing the information collected through Qubitz AI, which also provides the reasons why we must collect certain personal data about you. Therefore, you must read this Privacy Policy before using Qubitz AI.

We take care of your personal data and undertake to guarantee its confidentiality and security.

3. Personal Information We Collect

When you visit Qubitz AI, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the installed cookies on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products you view, what websites or search terms referred you to the Site, and how you interact with the Site. We refer to this automatically-collected information as "Device Information". Moreover, we might collect the personal data you provide to us (including but not limited to Name, Surname, Address, payment information, etc.) during registration to be able to fulfill the agreement.

3A. Data Minimisation - User Attributes (GDPR Article 5(1)(c))

We strictly adhere to the GDPR principle of data minimisation, which requires that personal data shall be "adequate, relevant and limited to what is necessary" in relation to the purposes for which it is processed.

As a B2B AI security platform, we collect only the personal data attributes that are strictly necessary for account management, service delivery, and compliance. Below is our comprehensive justification for each user attribute we collect:

User AttributePurposeNecessity JustificationUsage in System
custom:countryUser's country of residenceNecessary for:
  • Data residency compliance (GDPR, data sovereignty laws)
  • Regional pricing and currency
  • Routing data to correct AWS region (eu-central-1 for EU users)
  • Localization (language, date formats)
- Data region selection
- Compliance rule enforcement
- UI localization
- Regional pricing
custom:roleUser's job role (e.g., CISO, Security Engineer, Developer)Necessary for:
  • Role-based access control (RBAC)
  • Feature permissions (different roles see different features)
  • Personalized UI and recommendations
  • Product analytics (understanding user personas)
- Permission checks
- UI customization
- Feature access control
- Analytics segmentation
custom:role_v2User's job role (new normalized schema)Migration in progress: Standardized role taxonomy with enum values instead of free text. Replaces custom:role (v1).
Why both exist: Gradual migration to prevent service disruption. Legacy custom:role will be removed by Q4 2026 once all users migrated.
- Same as custom:role
- Structured values (enum)
- Better data quality
custom:companyUser's company nameNecessary for:
  • B2B billing and invoicing (legal requirement)
  • Multi-tenant data isolation
  • Team/organization management
  • Account ownership identification
- Invoice generation
- Data segregation queries
- Team features
- Account management
custom:company_v2User's company (normalized identifier)Migration in progress: Normalized company identifiers (UUID) to prevent duplicates from typos/variations. Replaces custom:company (v1).
Why both exist: Gradual migration to prevent billing/invoicing disruption. Legacy custom:company will be removed by Q4 2026.
- Same as custom:company
- UUID-based lookup
- Prevents duplicates

โœ… What We DO NOT Collect (Data Minimisation Confirmation):

In accordance with GDPR Article 5(1)(c), we deliberately do not collect the following personal data, as it is not necessary for our B2B AI security platform:

  • โŒ Date of birth or age
  • โŒ Home address (country is sufficient for regional compliance)
  • โŒ Gender or marital status
  • โŒ Ethnicity, race, or religion
  • โŒ Political opinions or trade union membership
  • โŒ Health or biometric data
  • โŒ Criminal convictions or offenses
  • โŒ Social media profiles (LinkedIn, Twitter, etc.)
  • โŒ Profile photos or images
  • โŒ Education level or certifications
  • โŒ Personal phone number (only collected if user voluntarily provides for MFA)
  • โŒ Personal interests, hobbies, or preferences unrelated to service

Necessity Review and Audit:

Our Data Protection Officer reviews the necessity of all collected personal data attributes annually to ensure continued compliance with data minimisation principles. If any attribute becomes unnecessary, it will be removed from collection and existing data will be deleted.

Last Review: May 28, 2026
Next Review: May 28, 2027
Reviewed By: Data Protection Officer

4. Purposes and Lawful Basis for Processing

We process your personal data for specific purposes and based on lawful grounds under GDPR Article 6. Below is a comprehensive list of all processing activities, the data involved, and the legal basis for each:

Processing ActivityPersonal Data ProcessedLawful Basis (GDPR Art. 6)Explanation
Account creation and managementName, email address, password (hashed), phone number, company name, roleContract performance (Art. 6(1)(b))Necessary to create your account and provide access to our services
Service delivery (pentesting, compliance, architecture analysis)Application configurations, pentest results, security scan data, architecture diagramsContract performance (Art. 6(1)(b))Processing is necessary to deliver the security assessment services you requested
Payment processing and billingBilling contact information, payment card data (tokenized via Stripe), transaction history, invoicesContract performance (Art. 6(1)(b))Necessary to process payments for the services you purchase
Customer support and communicationEmail, name, support tickets, correspondenceContract performance (Art. 6(1)(b))Necessary to respond to your inquiries and provide customer support
Security monitoring and fraud preventionIP addresses, device information, login attempts, session data, access logsLegitimate interests (Art. 6(1)(f))We have a legitimate interest in protecting our systems and preventing unauthorized access or fraud
Website analytics and service improvementsDevice information, browser type, IP address, pages visited, usage patternsLegitimate interests (Art. 6(1)(f))We have a legitimate interest in understanding how users interact with our service to improve it
Compliance and audit logsAccess logs, API calls, system events, transaction recordsLegal obligation (Art. 6(1)(c))Required by GDPR, ePrivacy Directive, and other data protection regulations to maintain audit trails
Tax and accounting recordsInvoices, payment records, billing informationLegal obligation (Art. 6(1)(c))Required by UK tax law and financial regulations to retain records for 7 years
Product recommendations and personalizationUsage history, service preferences, behavioral patternsLegitimate interests (Art. 6(1)(f))We have a legitimate interest in providing relevant service recommendations. You can opt out via /api/me/opt-out
Legal claims and dispute resolutionAny personal data relevant to legal proceedingsLegitimate interests (Art. 6(1)(f))We have a legitimate interest in establishing, exercising, or defending legal claims

Understanding Your Rights Based on Lawful Basis:

  • Consent (Art. 6(1)(a)): You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal
  • Contract (Art. 6(1)(b)): Processing is necessary to provide the service; you cannot object, but you can request deletion after contract ends
  • Legal Obligation (Art. 6(1)(c)): We must retain this data by law; deletion requests may be denied or delayed
  • Legitimate Interests (Art. 6(1)(f)): You have the right to object to processing based on our legitimate interests (Art. 21)

๐Ÿ“ง Marketing Communications - Current Status:

We do not currently send marketing communications, newsletters, or promotional emails. All emails you receive from us are transactional (account notifications, service updates, security alerts) and are sent based on Contract performance (Art. 6(1)(b)) or Legal obligation (Art. 6(1)(c)).

If we introduce marketing communications in the future, we will obtain your explicit consent (Art. 6(1)(a)) before sending any marketing emails. You will be able to opt in via a clear checkbox during signup or in your account settings, and withdraw consent at any time.

Our top priority is customer data security, and, as such, we may process only minimal user data, only as much as it is absolutely necessary to maintain the website. Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding website usage. This statistical information is not otherwise aggregated in such a way that it would identify any particular user of the system.

You can visit the website without telling us who you are or revealing any information, by which someone could identify you as a specific, identifiable individual. If, however, you wish to use some of the website's features, or you wish to receive our newsletter or provide other details by filling a form, you may provide personal data to us, such as your email, first name, last name, city of residence, organization, telephone number. You can choose not to provide us with your personal data, but then you may not be able to take advantage of some of the website's features. For example, you won't be able to receive our Newsletter or contact us directly from the website. Users who are uncertain about what information is mandatory are welcome to contact us via hello@qubitz.ai.

5. Data Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with GDPR Article 5(1)(e) (storage limitation principle). Below are specific retention periods for each data category:

Data CategoryRetention PeriodReason for RetentionDeletion Method
Account information (name, email, profile)Active account + 30 days after deletion requestContract performance; 30-day grace period for accidental deletionsPermanent deletion from DynamoDB and backups
Session data (cookies, tokens)30 days from last activitySecurity monitoring, fraud preventionAutomatic expiration and deletion
Pentest reports and security scan results2 years after test completion dateCustomer needs for historical comparison and compliance reportingPermanent deletion from S3 and DynamoDB
Architecture diagrams and configurationsDuration of active service + 90 daysService delivery; backup for dispute resolutionPermanent deletion from storage
Audit logs and access records7 yearsLegal obligation (GDPR Art. 30, ePrivacy Directive, UK data protection law)Anonymization after 7 years (removing identifiers)
Payment records and invoices7 years from transaction dateLegal obligation (UK tax law, financial regulations)Secure deletion after 7 years
Chat conversations and messages (AI discovery, use cases, research)90 days from creation dateService functionality (chat history context); data minimisation after 90 daysAutomatic deletion via DynamoDB TTL (Time-To-Live)
Marketplace pending registrations90 days from creation dateAWS Marketplace signup flow; abandoned registrations cleaned upAutomatic deletion via DynamoDB TTL
Support tickets and correspondence3 years from ticket closureQuality assurance, dispute resolution, service improvementPermanent deletion after 3 years
Security incident logs2 years from incident dateSecurity improvement, pattern analysis, breach notification complianceAnonymization after 2 years
Backup copies (all data)90 days rolling retentionBusiness continuity, disaster recoveryAutomatic expiration; backups older than 90 days are permanently deleted

Important Notes on Data Retention:

  • Right to erasure: You can request earlier deletion by exercising your right to erasure (see section 8 below), except where retention is required by law (audit logs, tax records)
  • Backup deletion: Data deleted from active systems remains in backups for up to 90 days before permanent removal
  • Anonymization vs. deletion: Some data (audit logs, security logs) is anonymized rather than deleted to preserve statistical insights while removing personal identifiers
  • Automatic deletion: All retention periods are enforced automatically; no manual intervention required

6. Recipients and Sub-processors

To provide our services, we share your personal data with trusted third-party service providers (sub-processors) who process data on our behalf:

Sub-processorPurposeLocationSafeguards
Amazon Web Services (AWS)Cloud hosting & infrastructureEU (primary), USStandard Contractual Clauses (SCCs)
Anthropic (Claude AI / Amazon Bedrock)AI model processingUSAWS Bedrock Data Processing Agreement
Amazon CognitoAuthentication & user managementEU (primary), USStandard Contractual Clauses (SCCs)
GitHubCode repository hosting (if applicable)USStandard Contractual Clauses (SCCs)

All sub-processors are carefully selected and bound by data processing agreements that ensure they handle your data securely and in compliance with GDPR.

7. International Data Transfers

Your personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA) and United Kingdom, including the United States. These transfers are protected by appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all non-EEA processors (AWS, Anthropic, GitHub)
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission recognizing certain countries as providing adequate data protection
  • Technical Safeguards: All data in transit is encrypted using TLS 1.3, and data at rest is encrypted using AES-256

Additionally, if you are a European resident, we note that we are processing your information in order to fulfill contracts we might have with you (for example, if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above.

8. Your Rights

If you are a European resident, you have the following rights related to your personal data:

  • The right to be informed โ€“ about how your data is being processed (this policy)
  • The right of access โ€“ to request a copy of all personal data we hold about you (available via /api/me/data-export endpoint)
  • The right to rectification โ€“ to correct inaccurate or incomplete data
  • The right to erasure ("right to be forgotten") โ€“ to request deletion of your data
  • The right to restrict processing โ€“ to limit how we use your data
  • The right to data portability โ€“ to receive your data in a machine-readable format
  • The right to object โ€“ to object to processing based on legitimate interests or direct marketing
  • Rights in relation to automated decision-making and profiling โ€“ to not be subject to decisions based solely on automated processing

How to Exercise Your Rights: To exercise any of these rights, please contact us at hello@qubitz.ai or hello@qubitz.ai. We will respond to your request within 30 days.

9. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with data protection law, you have the right to lodge a complaint with a supervisory authority:

UK Information Commissioner's Office (ICO):

If you are located in the EU/EEA, you can also contact your local data protection authority. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.

10. Automated Decision-Making

We may use AI-powered features (via Amazon Bedrock and Claude AI) to assist with application generation, code suggestions, and content recommendations. These automated processes are used to enhance your experience but do not make decisions that produce legal effects or similarly significantly affect you without human oversight.

You have the right to request human review of any automated decision, express your point of view, and contest the decision. To exercise this right, please contact us at hello@qubitz.ai.

11. Information Security

We secure information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. We implement industry-standard security measures including:

  • Encryption: All data in transit is encrypted using TLS 1.3; data at rest is encrypted using AES-256
  • Access Controls: Role-based access controls (RBAC) limit data access to authorized personnel only
  • Authentication: Multi-factor authentication (MFA) for administrative access
  • Monitoring: Continuous security monitoring and logging of access to personal data
  • Incident Response: Documented procedures for detecting, responding to, and notifying about data breaches
  • Regular Audits: Periodic security assessments and penetration testing

However, no data transmission over the Internet or wireless network can be guaranteed to be 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33 and 34.

13. Links to Other Websites

Our website may contain links to other websites that are not owned or controlled by us. Please be aware that we are not responsible for such other websites or third parties' privacy practices. We encourage you to be aware when you leave our website and read the privacy statements of each website that may collect personal information.

14. Legal Disclosure

We will disclose any information we collect, use or receive if required or permitted by law, such as to comply with a subpoena or similar legal process, and when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Such disclosures are made in accordance with GDPR Article 6(1)(c) (legal obligation) or Article 6(1)(f) (legitimate interests).

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Sending an email notification to registered users (for significant changes)
  • Displaying a prominent notice on our website

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

16. Contact Information

If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may contact us:

Email:

hello@qubitz.ai

For data protection or privacy rights requests, please mark your email "FAO: Data Protection Officer"

This Privacy Policy is compliant with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR as incorporated into UK law under the Data Protection Act 2018.