Privacy Policy
Version 1.0.0. Last updated: 2026-02-16
1. Introduction
This Privacy Policy describes how Qpher, Inc. ("Qpher", "we", "us") collects, uses, stores, and shares personal data when you use the Qpher PQC Security Cloud platform, including the API (api.qpher.ai), User Portal (portal.qpher.ai), marketing site (qpher.ai), and documentation (docs.qpher.ai). We are committed to protecting your privacy and handling your data transparently. This policy applies to all users of the Service, including account holders, administrators, and visitors to our websites.
2. Controller and Processor Roles
Qpher acts in two distinct data roles depending on the category of data:
**Controller**: Qpher is the data controller for customer account data (email, name, company), billing and payment data (invoices, payment history, Stripe customer ID), and API usage and audit logs (request counts, error logs, tenant activity). The legal bases are legitimate interest (GDPR Art. 6(1)(f)), contract performance (Art. 6(1)(b)), and legal obligation (Art. 6(1)(c)).
**Processor**: Qpher is a data processor for customer-encrypted data (ciphertext processed via the KEM encrypt API), PQC cryptographic keys (Kyber768/Dilithium3 key pairs managed by the KMS), and customer plaintext submitted for encryption (transient, never stored or logged). The legal basis is contract performance (Art. 6(1)(b)). A Data Processing Agreement (DPA) is available at /legal/dpa.
3. Data We Collect
**Account Information**: Email address, full name, company name, and password (stored as a bcrypt hash with cost factor >= 12).
**Billing Information**: Plan selection, billing interval, payment method metadata (card last four digits, expiry). Full payment card details are handled exclusively by Stripe and never reach Qpher servers.
**Usage Data**: API request counts, endpoint usage, response times, error rates, and tenant-level activity logs.
**Cryptographic Data (as Processor)**: Ciphertext produced by KEM encryption, digital signatures produced by Dilithium signing, and PQC key pairs (public keys stored in the database, private keys stored encrypted in the KMS secure enclave). Customer plaintext submitted to the /kem/encrypt endpoint is transient and is never stored, logged, or persisted.
**Website Analytics**: Page views, referrer information, and approximate country (via Plausible Analytics, which is cookie-free and collects no personally identifiable information).
4. Legal Basis for Processing (GDPR Art. 6)
**Contract Performance (Art. 6(1)(b))**: Processing account data and cryptographic data is necessary to provide the Service as agreed in the Terms of Service.
**Legitimate Interest (Art. 6(1)(f))**: Processing usage data and audit logs is necessary for platform security, abuse prevention, and service improvement. We have conducted a legitimate interest assessment and determined that these interests do not override data subject rights.
**Legal Obligation (Art. 6(1)(c))**: Retaining billing records and invoices for 7 years is required for tax compliance.
**Consent**: We rely on consent only where required by law (e.g., for optional marketing communications). Consent may be withdrawn at any time.
5. How We Use Your Data
We use your data to: (a) provide and maintain the Service, including account management, authentication, and API access, (b) process billing and payments through Stripe, (c) enforce plan limits and rate limiting, (d) generate audit logs for security and compliance, (e) monitor platform performance and availability, (f) send transactional emails (account verification, password reset, security alerts, billing notifications), (g) improve the Service based on aggregated, anonymized usage patterns, and (h) comply with legal obligations. We do not sell personal information to third parties. We do not use customer cryptographic data (ciphertext, keys) for any purpose other than providing the requested cryptographic operations.
6. Data Sharing and Sub-Processors
Qpher shares data with the following sub-processors:
- **Stripe, Inc.** (USA, EU-US Data Privacy Framework): Payment processing. Receives customer name, email, billing address, and tokenized payment card data.
- **Resend, Inc.** (USA): Transactional email delivery. Receives recipient email address and email content.
- **Upstash, Inc.** (regional, configurable): Rate limiting via Redis. Receives hashed IP addresses and tenant IDs.
- **Cloud Provider (AWS/GCP)**: Infrastructure hosting. All platform data is encrypted at rest and in transit.
- **Plausible Analytics** (EU, Germany): Privacy-focused website analytics. Receives page views, referrer, and approximate country. No personally identifiable information or cookies.
- **BetterStack** (EU): Uptime monitoring and status page. Receives API endpoint URLs and response times only.
We provide 30 days' advance notice via email and in-portal notification before adding new sub-processors. Enterprise customers with custom DPA terms may object per their contractual agreement.
7. Data Retention
We retain data for the following periods:
- **Tenant metadata and API key hashes**: Retained while the account is active and permanently deleted 30 days after account deletion.
- **PQC public keys**: Same retention as tenant metadata.
- **PQC private key files**: Securely deleted (overwritten with random data, then deleted) within 30 days.
- **Audit logs**: Retained for 180 days on a rolling basis.
- **Invoices and billing records**: Retained for 7 years for tax compliance.
- **User personal data**: Deleted within 30 days of an account deletion request.
- **Prometheus metrics**: Retained for 15 days (hot) and 90 days (cold), then anonymized by removing tenant_id labels.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights:
- **Right to Access (Art. 15)**: Request a copy of your personal data via the portal data export feature.
- **Right to Rectification (Art. 16)**: Update your profile information in the portal settings.
- **Right to Erasure (Art. 17)**: Request account deletion; processing completes within 30 days.
- **Right to Restrict Processing (Art. 18)**: Request account suspension (API access disabled, data preserved).
- **Right to Data Portability (Art. 20)**: Export your public keys and encrypted data via the portal export feature.
- **Right to Object (Art. 21)**: Object to processing based on legitimate interest by contacting privacy@qpher.ai.
To exercise these rights, use the portal settings or contact privacy@qpher.ai. We respond to requests within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
9. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- **Right to Know (Section 1798.100)**: Request information about the categories and specific pieces of personal information we collect. Use the same data export mechanism as GDPR Art. 15.
- **Right to Delete (Section 1798.105)**: Request deletion of your personal information. We process requests within 30 days.
- **Right to Opt-Out of Sale (Section 1798.120)**: Qpher does not sell personal information to third parties.
- **Right to Non-Discrimination (Section 1798.125)**: We do not discriminate in pricing or service quality based on the exercise of privacy rights.
Categories of personal information collected: identifiers (email, name), commercial information (billing records), and internet activity (API usage logs). To exercise your rights, use the portal settings or contact privacy@qpher.ai.
10. Security Measures
We implement the following security measures to protect your data: (a) all data in transit is encrypted via TLS 1.2+ (TLS 1.3 preferred), (b) all data at rest is encrypted, including PQC private keys encrypted with AES-256-GCM, (c) passwords are hashed with bcrypt (cost factor >= 12), (d) API keys are stored as HMAC-SHA256 hashes, never in plaintext, (e) application-level tenant isolation ensures no cross-tenant data access, (f) a zero trust policy engine evaluates every API request, (g) audit logs track all security-relevant operations with 180-day retention, and (h) the platform undergoes annual penetration testing by an independent third-party firm.
11. International Data Transfers
Qpher is based in the United States. If you are accessing the Service from outside the United States, your data may be transferred to and processed in the United States. For transfers from the EEA/UK to the US, we rely on: (a) the EU-US Data Privacy Framework (DPF) where our sub-processors are certified, (b) Standard Contractual Clauses (SCCs) as approved by the European Commission, and (c) supplementary technical measures including encryption in transit and at rest. Enterprise customers may negotiate additional data transfer safeguards in their DPA.
12. Contact Information
For privacy-related inquiries, data subject requests, or complaints:
- **Privacy Team**: privacy@qpher.ai
- **Security Team**: security@qpher.ai
- **General Inquiries**: sales@qpher.ai
- **Postal Address**: Qpher, Inc. [Address to be added upon incorporation]
We aim to respond to all privacy inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. Material changes will be communicated via email to the account holder and through an in-portal notification at least 30 days before taking effect. The current version of the Privacy Policy is always available at qpher.ai/legal/privacy. We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.