Privacy Policy

Q360 ("we", "us", "our") provides a multi-tenant Quality Management System delivered as a hosted SaaS platform. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

1. Information we collect

Account information. When you create an account we collect your name, email address, organisation name and role. If you sign in via a third-party identity provider we receive the basic profile fields that provider returns.

Customer content. When you use Q360 you upload documents, records, audit findings, training records, supplier data and other content ("Customer Content"). Customer Content is processed on behalf of your organisation, which is the controller of that data.

Usage data. We collect basic technical information such as IP address, browser type, pages viewed and timestamps for security, diagnostics and product improvement.

Billing. If you purchase a paid plan, payment is processed by Stripe. We do not store full card numbers; we receive a token and basic metadata (last four digits, expiry, billing country).

2. How we use information

We use the information we collect to provide and operate the Q360 service, authenticate users, secure the platform, deliver notifications you opt into, comply with legal obligations and improve the product. We do not sell personal information.

3. Data hosting and sub-processors

Q360 is hosted on Supabase (PostgreSQL, Auth, Storage, Edge Functions) and Vercel (web hosting and CDN). Email is delivered via our email sub-processor. Payment processing is provided by Stripe. A current list of sub-processors is available on request.

4. Security

We protect data with row-level security at the database, scoped API keys, HMAC-signed webhooks, encryption in transit (TLS) and encryption at rest. Access to production systems is limited to authorised personnel.

5. Retention

We retain Customer Content for as long as your organisation maintains an active subscription. Upon termination, Customer Content is deleted within 90 days unless a longer retention period is required by law or by an active legal hold you have configured within Q360.

6. Your rights

Depending on where you live, you may have the right to access, correct, delete or export your personal data, and to object to or restrict certain processing. To exercise these rights, contact us at the email below. If your data is held within an organisation account, please contact that organisation's administrator first.

7. International transfers

Q360 may transfer data across regions where our hosting providers operate. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms.

8. Changes

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-product notice at least 30 days before they take effect.

9. Contact

Questions about this policy? Email privacy@q360.io.