QDay Privacy Policy

By using the Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Services.

1. Who we are and how to contact us

Data controller

QDay, Inc.
A Delaware corporation

Contact email (privacy and data rights)

[email protected]

You can also contact us for support at [email protected].

If you are in the EU/EEA, UK, or other regions with data protection laws, QDay, Inc. is the controller of your personal data when you use our Services.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data we process when you:

• Visit our website or status page
• Create or use a QDay account
• Call our APIs or use our dashboard
• Subscribe to our newsletter
• Receive transactional or marketing emails from us
• Contact us for support or other inquiries

It does not apply to:

• Third-party websites, services, or integrations that you access via QDay
• Data you process in your own systems using Random Data from QDay

We encourage you to review the privacy policies of any third-party services you use with or alongside QDay.

3. Data we collect

3.1 Information you provide to us

We collect the following information directly from you:

Account registration and authentication

• Email address (required to create and maintain your account)
• Authentication information via third-party SSO (we use Auth0 for authentication). We do not store your password; authentication is handled by our identity provider.

We do not require your name, company name, or job title to sign up.

API and subscription management

• Email address associated with your account
• API keys we generate and associate with your account

Payments and billing

Payments are processed by Stripe and similar payment processors. Depending on your subscription, we may receive and/or store:

• Billing name
• Billing address
• Tax IDs / VAT numbers (if provided)
• Limited card details (for example, last 4 digits, card type)

We do not store full payment card numbers; those are handled directly by our payment processor.

Newsletter and communications

If you subscribe to our newsletter or marketing emails (for example, via Ghost):

• Email address
• Your communication preferences (for example, opt-in/opt-out)

Support and correspondence

If you contact us (for example, via email at [email protected]):

• Email address
• Contents of your message and any information you choose to provide
• Our responses and related correspondence

We use Google Workspace for email and may later add a helpdesk tool (for example, Zendesk/Linear). In all cases, the information is used only to respond to and manage your support request.

3.2 Information we collect automatically

When you use our website, dashboard, or APIs, we automatically collect certain information, primarily for security, reliability, and analytics.

API usage logs

For each API call, we may log:

• IP address
• Timestamps of requests
• API key or account identifier
• Request metadata (for example, endpoint path, HTTP method)
• Response status codes and error messages
• User agent and basic device/browser information

Importantly: We do not log or persist the Random Data (seeds) returned by our APIs. Random Data is generated on demand, held only transiently in memory to fulfill your request, and then discarded. It is not stored in our long-lived logs or databases.

Website and product analytics

We use analytics tools (currently Google Analytics and Mixpanel) and an email/marketing platform (including an Instantly pixel) to understand how our site and Services are used, measure performance, and improve the product. These tools may collect:

• IP address (sometimes truncated/anonymized, depending on configuration)
• Device and browser information
• Pages visited and actions taken
• Referring URLs and approximate location (country/region)
• Email opens and link clicks in certain marketing emails

We do not use analytics to extract the contents of API payloads or the Random Data we generate.

3.3 Cookies and similar technologies

We use cookies and similar technologies on our website and dashboard to:

• Maintain your session and authentication state
• Remember certain preferences
• Measure site usage and performance (analytics)
• Support email/marketing activities (for example, Instantly pixel)

These may include:

• Strictly necessary cookies (for example, session cookies that keep you logged in)
• Analytics cookies (for example, Google Analytics, Mixpanel)
• Marketing/measurement cookies (for example, Instantly pixel)

You can control cookies through your browser settings and, where applicable, through in-product cookie controls. If you disable certain cookies, parts of the Services may not function properly.

3.4 Data you send to our APIs

Our APIs are designed to operate on non-personal data and to return Random Data.

You should not submit personal data (such as names, emails, identifiers, or other PII) in API payloads. The QDay API is intended to operate solely on non-personal data.

If you choose to send personal data in API requests contrary to this guidance, we will treat it in accordance with this Privacy Policy, but we may have limited ability to access, modify, or delete data contained inside arbitrary payloads.

3.5 No special categories / sensitive data

We do not intentionally collect:

• Government IDs
• Financial account credentials
• Health information
• Biometric identifiers
• Other special category data under GDPR (for example, data revealing racial or ethnic origin, political opinions, religious beliefs, etc.)

Please do not provide this information to us or submit it via our APIs.

4. How we use your information (purposes and legal bases)

We use the information we collect for the following purposes:

4.1 To provide and maintain the Services

• Creating and managing your account
• Authenticating you via SSO (Auth0)
• Generating API keys and processing API requests
• Measuring usage for rate limiting, quotas, and billing
• Sending transactional communications (for example, account notices, security alerts, billing emails)

Legal bases (GDPR): performance of a contract; legitimate interests.

4.2 To secure the Services and prevent abuse

• Monitoring for suspicious or abusive activity
• Detecting and preventing fraud, abuse, and security incidents
• Protecting the integrity and availability of our infrastructure

Legal bases (GDPR): legitimate interests; legal obligations (where applicable).

4.3 To improve and develop the Services

• Analyzing aggregated and pseudonymous usage data
• Understanding how developers and customers interact with our APIs and website
• Debugging issues and improving performance, features, and documentation

Legal bases (GDPR): legitimate interests.

We do not use Random Data returned by the APIs for profiling or other secondary purposes.

4.4 To communicate with you

• Sending transactional messages (for example, service announcements, security or billing notices)
• Sending product updates, educational content, and marketing communications if you have opted in
• Responding to your support requests and questions

You can opt out of marketing emails at any time by using the unsubscribe link in the email or contacting us at [email protected].

Legal bases (GDPR): performance of a contract; legitimate interests; consent (for marketing where required).

4.5 Legal, compliance, and defense

• Maintaining business and financial records
• Complying with tax, accounting, and other legal obligations
• Responding to lawful requests from public authorities
• Establishing, exercising, or defending legal claims

Legal bases (GDPR): legal obligations; legitimate interests.

5. How we share information

We do not sell your personal information for money. We also do not sell or share personal information in the sense of exchanging it for targeted advertising, as those terms are defined in some privacy laws, to the best of our knowledge.

We may share your information in the following limited circumstances:

5.1 Service providers (processors)

We use trusted third-party service providers to help us operate and improve the Services. These include:

• Infrastructure and hosting providers (for example, Cloudflare, Google Cloud Platform, managed Postgres on Neon, object storage providers)
• Authentication providers (Auth0)
• Payment processors (Stripe)
• Email and newsletter providers (for example, Ghost, Mailgun or comparable services)
• Analytics and monitoring providers (for example, Google Analytics, Mixpanel, uptime/status and error monitoring tools)
• Productivity and support tools (for example, Google Workspace; future helpdesk systems if implemented)

These providers process personal data only on our behalf and in accordance with our instructions for purposes such as hosting, authentication, payments, analytics, email delivery, and support.

5.2 Business transfers

If we are involved in a merger, acquisition, financing, restructuring, sale of assets, or similar corporate transaction, your information may be transferred as part of that transaction, subject to appropriate confidentiality protections.

5.3 Legal and safety

We may disclose information about you if we reasonably believe it is necessary to:

• Comply with applicable laws, regulations, or legal processes
• Respond to lawful requests from public authorities
• Protect the rights, property, or safety of QDay, our users, or the public
• Enforce our Terms of Service or other agreements

6. International data transfers

We are based in the United States, and our infrastructure and service providers are primarily located in the United States and Canada, with some services potentially operating in other regions (for example, the EU) depending on provider configuration.

If you are located outside the United States and use our Services, your personal data may be transferred to and processed in countries that may have different data protection laws than your country of residence.

Where required by applicable law (such as the GDPR), we implement appropriate safeguards for international data transfers, which may include:

• Standard contractual clauses approved by the European Commission or UK authorities
• Data processing agreements with our service providers
• Technical and organizational measures to protect your personal data

7. Data retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. In particular:

• Account information (including email and API keys): Retained for as long as your account is active. If you request deletion of your account, we will delete or anonymize your account data within a reasonable period, subject to any legal obligations to retain certain information.
• API and system logs (including IP addresses and usage metadata): Retained for up to 12 months for security, debugging, and operational analytics, unless a longer period is needed to investigate specific incidents or comply with legal obligations.
• Billing and payment records: Retained for at least 2 years, or longer where required by applicable tax and accounting laws.
• Support emails and related correspondence: Retained for up to 2 years after the last communication on a ticket, unless we need to keep them longer for legal or security reasons.

We may retain aggregated or anonymized data (that can no longer be used to identify you) indefinitely.

8. Security

We take reasonable and appropriate technical and organizational measures to help protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, among others:

• Using TLS encryption for data in transit
• Using cloud providers that support encryption at rest
• Limiting access to production systems and data to a small set of authorized personnel
• Enforcing access controls, authentication, and (where applicable) multi-factor authentication
• Monitoring for unusual or suspicious activity

However, no system or service can be guaranteed 100% secure. You are responsible for safeguarding the credentials (for example, API keys) that you use to access the Services and for using appropriate security controls in your own systems.

9. Your rights and choices

9.1 Account and communication preferences

• Marketing emails: You can opt out of marketing emails at any time by clicking the unsubscribe link in those emails or contacting us at [email protected]. You will still receive transactional or service-related emails (for example, security alerts, billing notices) that are necessary to provide the Services.
• Newsletter: You can unsubscribe from our newsletter at any time using the link in the email or contacting us.

9.2 Access, correction, and deletion

Depending on your location and applicable law (including GDPR, UK GDPR, and CCPA/CPRA), you may have the right to:

• Request access to the personal data we hold about you
• Request correction of inaccurate or incomplete personal data
• Request deletion of your personal data
• Object to or request restriction of certain processing
• Request data portability (a copy of your data in a structured, commonly-used format)

You can make these requests by contacting us at [email protected]. To request deletion of your account, you can email [email protected]. We may ask you to verify your identity before responding to certain requests.

We will respond to your request in accordance with applicable law. Some data may be retained where we have a legal obligation or a compelling legitimate interest to do so (for example, billing records or security logs).

10. Additional information for residents of the EU/EEA and UK (GDPR)

If you are in the EU/EEA or UK, you have additional rights under data protection law:

• The right to lodge a complaint with your local supervisory authority if you believe our processing of your personal data violates applicable law.
• The right to know the legal bases on which we process your personal data (described in Section 4).
• The right to object to processing based on our legitimate interests, and, where we process data based on consent, the right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).

To exercise any of these rights, contact us at [email protected].

11. Additional information for California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the CPRA, may give you certain rights regarding your personal information. In this section, personal information has the meaning given in the CCPA/CPRA.

11.1 Categories of personal information we collect

In the past 12 months, we may have collected the following categories of personal information:

• Identifiers: email address, IP address, API key, account identifiers
• Internet or network activity information: API usage logs, device/browser information, pages visited, actions taken
• Commercial information: records of subscriptions or purchases (if applicable)
• Payment/billing information: billing name, billing address, limited card details (via our payment processor)
• Inferences and usage analytics: derived from your interactions with the Services (primarily aggregated or pseudonymous)

We collect these categories from the sources and for the purposes described in Sections 3 and 4.

11.2 Your CCPA/CPRA rights

Subject to certain limitations, you have the right to:

• Know the categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it
• Access specific pieces of personal information we hold about you
• Delete personal information we have collected from you (subject to legal and operational exceptions)
• Correct inaccurate personal information
• Opt out of sale or sharing of personal information (to the extent applicable)
• Non-discrimination for exercising your rights

To exercise these rights, contact us at [email protected] and specify that you are making a request under the CCPA/CPRA. We may need to verify your identity before responding.

11.3 Sale or sharing of personal information

We do not sell your personal information for money. We also do not believe that our use of analytics and measurement tools constitutes a sale or sharing of your personal information as those terms are defined under CCPA/CPRA. If our practices change in a way that is considered a sale or sharing, we will update this Privacy Policy and provide you with appropriate options to opt out.

12. Children's privacy

Our Services are designed for developers and businesses and are not directed at children under the age of 16 (or lower age if specified by local law). We do not knowingly collect personal data from children.

If you believe that a child has provided us with personal data, please contact us at [email protected], and we will take steps to delete such information where required by law.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we do so, we will revise the Last updated date at the top of this Policy.

If we make material changes, we will provide additional notice (for example, via email or by posting a notice on our website or dashboard) where required by law.

Your continued use of the Services after the updated Privacy Policy becomes effective will constitute your acknowledgment of the changes and your agreement to the updated Policy.

14. Contact us

If you have any questions or concerns about this Privacy Policy or our privacy practices, or if you wish to exercise your data protection rights, you can contact us at: [email protected]

Support-related questions: [email protected]