This Privacy Policy explains how {COMPANY_ENTITY} (“QorTrace,” “we,” “us”) collects, uses, shares, and protects personal information when you use the QorTrace web app, APIs, certificates, and related services (the “Service”).
For purposes of the EU/UK General Data Protection Regulation (GDPR / UK GDPR), QorTrace is the controller of personal data we collect about you in connection with the Service. For purposes of the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), QorTrace is the business.
1. Information We Collect
(a) Account & identity data
- Name, email address, password hash, organization, role.
- Two-factor authentication (TOTP) secret, recovery codes.
- Marketing-cadence preferences and unsubscribe state.
(b) Customer Content you submit
- Wallet addresses you scan and the chains they belong to.
- Smart-contract source code, GitHub repository URLs, and uploaded zip archives submitted for audit.
- Project names, contract addresses, contact details, and logos for co-branded certificates.
(c) Billing data
- Stripe customer ID, plan, seat count, transaction history. We do not store full card numbers; payments are tokenized and processed directly by Stripe.
(d) Service usage & technical data
- IP address (hashed and truncated for rate limiting and abuse prevention), user-agent, language, referrer.
- Pages viewed, features used, audit and certificate events, signed-in status.
- Server logs, error reports, and request IDs for diagnostics.
(e) Cookies & similar technologies
See our Cookie Policy for the complete list and your control options. By default we set only strictly necessary cookies; analytics cookies are used only after you grant consent via our cookie banner.
2. How We Use Information
- Provide the Service — run scans and audits, generate certificates and reports, deliver continuous monitoring alerts, and operate the customer dashboard.
- Account & security — authenticate you, protect against brute-force attacks, prevent fraud and abuse, maintain audit trails.
- Billing — process payments, calculate metered usage, send invoices and receipts.
- Service communications — send transactional emails (audit delivery, certificate delivery, password reset, billing receipts).
- Product improvement — aggregated, de-identified analytics to understand which features are valuable and where users encounter friction (only with your consent).
- Marketing — only when you opt in; you can unsubscribe per cadence or globally from /account/settings.
- Legal & compliance — comply with applicable law, respond to lawful requests, defend our rights.
3. Legal Bases (GDPR / UK GDPR)
- Contract — to provide the Service you have requested (running audits, delivering reports, processing payments).
- Legitimate interest — security monitoring, fraud prevention, and basic service-improvement analytics, in each case where our interest is balanced against your rights.
- Consent — analytics and marketing cookies, marketing emails. You may withdraw consent at any time; this does not affect the lawfulness of prior processing.
- Legal obligation — tax records, accounting, responding to lawful regulatory requests.
4. How We Share Information
We share personal information only with the categories of recipients below, and only as necessary for the stated purpose:
| Recipient | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Payment processing and tax calculation | USA |
| Resend | Transactional and opt-in marketing email delivery | USA |
| Cloudflare, Inc. | TLS termination, edge caching, DDoS mitigation | Global |
| PostHog | Product analytics (only with your consent; EU host available) | USA or EU |
| MongoDB Atlas | Primary database hosting | Region of your choice |
| Hosting provider | Application compute and storage | USA |
We never sell your personal information. We will share information with law enforcement only where compelled by valid legal process.
5. International Transfers
QorTrace is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. and other jurisdictions where our service providers operate. Where transfers are subject to GDPR / UK GDPR, we rely on Standard Contractual Clauses or other lawful transfer mechanisms with each sub-processor.
6. Retention
- Account data — for the lifetime of your account plus up to 12 months after deletion for billing and audit-log continuity.
- Audit submissions and reports — retained for the lifetime of your account so you can re-download. You may delete individual audits from your dashboard.
- Server logs — up to 30 days for diagnostics and security.
- Marketing preferences — retained on a permanent suppression list so we honor unsubscribes even after account deletion.
7. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict the processing of your personal information, and to object to processing or withdraw consent. EU/UK residents have the right to lodge a complaint with their supervisory authority. California residents have rights under CCPA/CPRA, including the right to opt out of “sharing” for cross-context behavioral advertising (we do not engage in such sharing today).
To exercise any right, email privacy@qortrace.com. We respond within 30 days; we may need to verify your identity before acting on a request.
8. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us information, please contact privacy@qortrace.com and we will delete it.
9. Security
We employ industry-standard administrative, technical, and physical safeguards: TLS 1.2+ in transit, encryption at rest at the database layer, role-based access control, mandatory two-factor authentication on admin accounts, and rate-limited APIs. No system is perfectly secure; we maintain an active responsible-disclosure program and encourage security researchers to participate.
10. Changes
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app banner at least seven (7) days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact & EU Representative
Email privacy@qortrace.com or write to {COMPANY_ENTITY}, {COMPANY_ADDRESS}. Our EU/UK Article 27 representative is {EU_REPRESENTATIVE}.
