Privacy Policy

Last updated: April 2026

1. Introduction

QNP ("we", "us", "our") operates the qnp.ai platform and API services. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our services. This policy applies to all users worldwide, including those protected by the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), Turkey's Kişisel Verilerin Korunması Kanunu (KVKK), South Korea's Personal Information Protection Act (PIPA), and other applicable data protection laws.

2. Data Controller

QNP is the data controller for the personal data processed through this service. For questions or requests regarding your data, contact us at [email protected].

3. Data We Collect

We collect the following categories of personal data:

  • Account Information — Email address, name (from OAuth providers such as Google or Apple), and authentication credentials.
  • Usage Logs — API request metadata including timestamps, model used, token counts, latency, status codes, and cost. We do not store the content of your API requests or responses.
  • API Request Metadata — Endpoint accessed, API key used (hashed), source IP address, and response status for security and rate limiting.
  • Billing Information — Payment details are processed and stored by Stripe. We do not store your full credit card number.
  • Device & Browser Data — When you use our web dashboard, we may collect browser type, operating system, and device type for error monitoring (Sentry), only with your explicit consent.

4. Legal Basis for Processing

We process your data based on the following legal grounds:

  • Contract Performance — To provide our API services, manage your account, and process billing.
  • Legitimate Interest — For security, fraud prevention, rate limiting, and service improvement.
  • Consent — For non-essential cookies, error monitoring (Sentry), and marketing communications. You may withdraw consent at any time.
  • Legal Obligation — To comply with tax, accounting, and regulatory requirements.

5. Cookie Usage

We use the following categories of cookies:

  • Strictly Necessary — HTTP-only JWT authentication cookies for session management. These cannot be disabled.
  • Analytics & Monitoring — Sentry error tracking and performance monitoring. Enabled only with your explicit consent.
  • Functional — Theme preferences and UI customizations. Enabled only with your consent.

We do not use advertising or third-party tracking cookies. We do not sell your personal information. You can manage your cookie preferences at any time via the cookie banner or your dashboard settings. We honor the Global Privacy Control (GPC) browser signal.

6. Data Retention

  • API request logs — Retained for 30 days, then automatically deleted.
  • Account data — Retained for as long as your account is active.
  • Billing records — Retained for 7 years as required by tax regulations.
  • After account deletion — Personal data is removed within 30 days. Billing records are anonymized and retained per legal requirements.

7. Third-Party Services

We share data with the following processors:

  • Stripe — Payment processing and subscription management. See the Stripe Privacy Policy.
  • Sentry — Error tracking and performance monitoring (only with consent). See the Sentry Privacy Policy.
  • Cloudflare — CDN, DDoS protection, and load balancing. See the Cloudflare Privacy Policy.
  • LLM Providers — Your API requests are forwarded to upstream providers (OpenAI, Anthropic, Google, etc.) according to their respective privacy policies. We do not store prompt or response content.

8. International Data Transfers

Our servers are located in multiple regions (United States, Asia). Data may be transferred to and processed in countries other than your own. We ensure adequate safeguards are in place for international data transfers in compliance with applicable laws.

9. Your Rights

Depending on your jurisdiction, you may have the following rights:

All Users

  • Access — Request a copy of all personal data we hold about you.
  • Correction — Request correction of inaccurate personal data.
  • Deletion — Delete your account and associated data from your dashboard settings.
  • Export — Download your personal data in JSON format from your dashboard settings.
  • Restrict Processing — Request that we limit how we process your data.

EU/EEA Residents (GDPR)

  • Data Portability — Receive your data in a structured, machine-readable format.
  • Object to Processing — Object to processing based on legitimate interest.
  • Withdraw Consent — Withdraw consent at any time without affecting prior processing.
  • Lodge a Complaint — File a complaint with your local Data Protection Authority.

California Residents (CCPA/CPRA)

  • Right to Know — Know what personal information is collected, used, and disclosed.
  • Right to Delete — Request deletion of personal information.
  • Right to Opt-Out — We do not sell or share your personal information. No opt-out is required.
  • Non-Discrimination — We will not discriminate against you for exercising your rights.

Turkey Residents (KVKK)

  • Right to Learn — Learn whether your personal data has been processed.
  • Right to Request Information — Request information about processing activities.
  • Right to Correction — Request correction of incomplete or inaccurate data.
  • Right to Deletion — Request deletion or destruction of your personal data.
  • Right to Object — Object to processing that produces an adverse result exclusively through automated systems.

Brazil Residents (LGPD)

  • All rights equivalent to GDPR including access, correction, anonymization, portability, and deletion.
  • Right to Information — Information about entities with which personal data has been shared.
  • Right to Revoke Consent — Revoke consent at any time.

To exercise any of these rights, use the self-service options in your dashboard settings or contact us at [email protected]. We will respond within 30 days (or within the timeframe required by your local law).

10. Data Security

We implement industry-standard security measures including encryption in transit (TLS 1.2+), hashed API keys (bcrypt), encrypted secrets at rest, access controls, and regular security audits. However, no method of transmission over the Internet is 100% secure.

11. Children's Privacy

Our service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

12. Do Not Sell or Share

We do not sell, rent, or share your personal information with third parties for their marketing purposes. This applies to all users regardless of jurisdiction.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will provide notice via email or a prominent banner on our site.

14. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights: