Privacy Policy

Last updated: December 2, 2025

1. Introduction

Qteria ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered document validation platform for the Testing, Inspection, and Certification (TIC) industry.

This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using Qteria, you consent to the data practices described in this policy.

2. Data Controller Information

Company Name: Qteria
Email: privacy@qteria.com
Contact: For privacy-related inquiries, please email us at privacy@qteria.com

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

  • Email address
  • Name
  • Organization name and details
  • User role (Process Manager, Project Handler, Administrator)

3.2 OAuth Authentication Data

  • Email address (from Microsoft/Google)
  • Name (from Microsoft/Google)
  • Profile picture (optional, from OAuth provider)

3.3 Document Data

  • Uploaded PDF and DOCX files (certification documents)
  • Document metadata (filenames, upload timestamps, file sizes)
  • Assessment results and validation criteria
  • Evidence links (page numbers, section references)

3.4 Usage and Activity Data

  • Audit logs (login events, assessment actions, document uploads)
  • Workflow creation and modification history
  • Assessment execution timestamps and status

4. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing necessary to provide our document validation services
  • Legitimate Interest: Fraud prevention, security monitoring, and service improvement
  • Consent: Where you have explicitly consented to specific processing activities
  • Legal Obligation: Compliance with SOC2, ISO 27001, and other regulatory requirements

5. Data Processing and Storage

5.1 Infrastructure and Services

We use the following trusted third-party services to process and store your data:

  • Database: PostgreSQL hosted on Vercel/Neon (EU region recommended)
  • File Storage: Vercel Blob with AES-256 encryption at rest
  • Backend Hosting: Railway/Render for API services
  • Frontend Hosting: Vercel
  • Cache: Redis (ephemeral, no long-term storage)

5.2 AI Processing - Zero Retention Agreement

Important: We use Claude 3.5 Sonnet by Anthropic for AI validation with a zero-retention agreement. This means:

  • Your documents are never stored by Anthropic
  • Document content is never used to train AI models
  • AI processing is ephemeral (data deleted immediately after validation)
  • Enterprise-grade privacy protection for confidential certification documents

5.3 Security Measures

  • Encryption at Rest: All uploaded documents stored with AES-256 encryption (Vercel Blob)
  • Encryption in Transit: TLS 1.3 for all data transmission
  • Multi-Tenancy Isolation: Organization-level data separation (no data leakage between customers)
  • Role-Based Access Control (RBAC): User permissions enforced at database and API level
  • Audit Logging: All actions tracked with user context for security and compliance
  • Regular Security Assessments: SOC2 Type II certification pathway

6. Third-Party Services and Data Sharing

We share data with the following trusted third-party service providers:

We do not sell or share your personal data with third parties for marketing purposes.

7. Data Retention

We retain your data for the following periods:

  • User Accounts: Retained while account is active; deleted within 30 days of account closure
  • PDF Documents: Retained for assessment duration + 90 days, then automatically deleted (configurable per organization)
  • Assessment Results: Retained indefinitely for audit trail (GDPR legitimate interest for compliance)
  • Audit Logs: Retained for 7 years (SOC2/ISO 27001 requirement)
  • AI Processing Data: Zero retention - documents never stored by Anthropic, deleted immediately after processing

You may request early deletion of your data by contacting privacy@qteria.com (subject to legal retention requirements).

8. Your Rights Under GDPR

Under GDPR Chapter III, you have the following rights regarding your personal data:

8.1 Right to Access

You can request a copy of all personal data we hold about you, including account details, assessment history, and uploaded documents.

8.2 Right to Rectification

You can update your profile information, organization details, and account settings at any time through the platform.

8.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and all associated data. We will delete your data within 30 days, subject to legal retention requirements (audit logs may be retained for 7 years for SOC2 compliance).

8.4 Right to Data Portability

You can export your assessment results and workflow configurations in JSON or PDF format.

8.5 Right to Object

You can object to processing of your personal data for legitimate interests. We will cease processing unless we have compelling legitimate grounds.

8.6 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

To exercise any of these rights, please contact us at: privacy@qteria.com

9. International Data Transfers

Your data may be processed in the European Union (EU) and the United States (US) depending on our service providers:

  • Primary Data Processing: EU region (Neon PostgreSQL, Vercel EU hosting)
  • AI Processing: US (Anthropic - zero retention agreement applies)

For data transfers outside the EU, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection.

10. Cookies and Tracking

We use essential cookies to provide our services:

  • Essential Cookies: Auth.js session token (httpOnly, secure, necessary for authentication)
  • Analytics Cookies: We do not currently use analytics or advertising cookies

You can disable cookies in your browser settings, but this may affect your ability to use the platform.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes via email at least 30 days before they take effect. The "Last Updated" date at the top of this page indicates when the policy was last modified.

Continued use of Qteria after changes take effect constitutes acceptance of the updated Privacy Policy.

12. Contact Us

For privacy-related inquiries, questions about this policy, or to exercise your GDPR rights, please contact us:

Email: privacy@qteria.com
Company: Qteria
Response Time: We aim to respond to all privacy inquiries within 30 days