Privacy Policy

1.1 Account Information

When you create an account, we collect your name, email address, password (stored as a bcrypt hash — we never store plaintext passwords), organization name, and billing details. If you are invited as a portal user by an agency or business, we collect the information provided during that invitation process.

1.2 Platform Integration Data

QWEB connects to third-party platforms on your behalf. When you authorize an integration, we may collect and store:

• Social media accounts — page/profile IDs, access tokens, post content, engagement metrics, and audience demographics from Meta (Facebook and Instagram), and other connected social platforms.
• Advertising platforms — campaign structures, ad spend, performance metrics, audience targeting data, and creative assets from Meta Ads, Google Ads, and other connected ad platforms. API credentials and access tokens are encrypted at rest using AES-256-GCM.
• Analytics platforms — website traffic data, user behavior metrics, conversion data, and audience segments from Google Analytics (GA4), and other analytics services.
• E-commerce platforms — order data, revenue figures, product performance, customer counts, and refund information from Shopify, WooCommerce, and similar platforms.
• Email marketing platforms — subscriber lists, campaign performance (open rates, click rates, bounces), flow/automation data, and template content from Klaviyo, Mailchimp, and similar services.
• Email accounts — when you connect an email account (Gmail, Outlook, iCloud, etc.) for inbox management, we access message headers, sender/recipient information, subject lines, and message bodies to enable classification, routing, and AI-assisted responses.

1.3 AI-Generated Content

Our Service uses artificial intelligence to generate marketing content, including social media posts, ad copy, email campaigns, images, marketing strategies, and analytical insights. We store this generated content, along with the prompts and context used to create it, as part of your account data.

1.4 Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, actions taken (such as creating tasks, running agents, or generating reports), timestamps, browser type, device information, and IP address.

1.5 Financial Data

If you use our invoicing or financial tracking features, we store invoice details, payment records, expense data, time entries, and related financial information that you enter into the platform. We do not directly process credit card numbers — payment processing is handled by our third-party payment processor.

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service, including all marketing automation features.
• To generate AI-powered content, strategies, insights, and recommendations tailored to your connected platforms and data.
• To sync data from your connected integrations and display unified dashboards and analytics.
• To manage advertising campaigns, email marketing, and social media publishing on your behalf when you enable automated features.
• To classify and route incoming emails, generate AI draft responses, and manage your inbox.
• To process invoices, track payments, and generate financial reports.
• To send you service-related notifications, alerts (such as budget warnings or performance reports), and administrative messages.
• To monitor and analyze usage patterns to improve the Service.
• To detect, prevent, and address technical issues and security threats.
• To comply with legal obligations and enforce our terms of service.

We share data with the following categories of third-party service providers, solely to operate the Service:

3.1 AI Providers

To generate marketing content, analyze data, and provide intelligent recommendations, we send prompts containing your business context (such as brand voice, audience data, performance metrics, and post history) to the following AI providers:

• Anthropic (Claude models) — for content generation, analysis, and strategic planning.
• Google (Gemini models) — for content generation, analysis, and image understanding.
• OpenAI (GPT models and DALL-E) — for content generation and image creation.

These providers process data according to their respective privacy policies and data processing agreements. We do not send your raw integration credentials (API keys, access tokens) to AI providers — only business context necessary for content generation.

3.2 Platform Integrations

When you connect third-party platforms (Meta, Google, Shopify, Klaviyo, WooCommerce, Mailchimp, and others), we exchange data with those platforms using their official APIs to sync metrics, publish content, manage campaigns, and perform actions you authorize. Each platform's own privacy policy governs their handling of your data.

3.3 Payment Processing

We use Stripe to process subscription payments. When you provide payment information, it is sent directly to Stripe and is subject to Stripe's privacy policy. We do not store your full credit card number on our servers.

3.4 Infrastructure Providers

We use cloud hosting providers to run our infrastructure. Your data is stored on servers secured with industry-standard measures. We may also use content delivery networks and monitoring services to ensure reliability and performance.

We implement robust security measures to protect your data:

• Encryption at rest — all integration credentials (API keys, access tokens, OAuth tokens) are encrypted using AES-256-GCM before storage. Encryption keys are managed separately from the database.
• Encryption in transit — all data transmitted between your browser and our servers is protected with TLS (HTTPS). We enforce HTTPS on all endpoints with automatically managed SSL certificates.
• Password security — user passwords are hashed using bcrypt with appropriate salt rounds. We never store or log plaintext passwords.
• Access controls — authentication is enforced via JSON Web Tokens (JWT). Portal users have role-based access (viewer, editor, admin) to limit data exposure.
• Infrastructure security — our servers are protected by firewalls, intrusion detection (Fail2ban), and restricted SSH access. Database access is limited to internal networks only.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods include:

• Account data — retained for the duration of your account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
• Integration metrics — historical performance data from connected platforms is retained for the lifetime of the integration connection. You may disconnect an integration at any time, after which synced data will be deleted within 30 days.
• AI-generated content — content created by our AI agents is retained as part of your account data until you delete it or close your account.
• AI usage logs — records of AI API calls (token counts, costs, duration, agent names) are retained for 12 months for billing and audit purposes.
• Content intelligence patterns — AI-extracted content patterns (engagement trends, optimal posting times, format insights) automatically expire after 30 days and are regenerated as needed.
• Email data — synced emails are retained for the duration of the email account connection. Disconnecting an email account removes synced data within 30 days.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

6.1 Under the GDPR (European Economic Area)

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data ("right to be forgotten").
• Right to restrict processing — request that we limit how we use your data.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent — where processing is based on consent, withdraw it at any time.

Our legal bases for processing include: performance of a contract (providing the Service), legitimate interests (improving the Service, security), consent (where applicable), and compliance with legal obligations.

6.2 Under the CCPA (California)

• Right to know — request disclosure of the categories and specific pieces of personal information we have collected.
• Right to delete — request deletion of your personal information.
• Right to opt out — opt out of the "sale" of personal information. We do not sell your personal information to third parties.
• Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, please contact us at privacy@qwebmaster.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law).

We use the following types of cookies and similar technologies:

• Essential cookies — required for authentication, session management, and core functionality. These cannot be disabled without breaking the Service.
• Functional cookies — store your preferences, such as selected dashboard views, filters, and UI settings.
• Analytics cookies — help us understand how the Service is used so we can improve it. We may use privacy-focused analytics tools that do not track individual users across websites.

We do not use third-party advertising trackers or sell data collected through cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@qwebmaster.com.

Your data may be transferred to and processed in countries other than your country of residence. Our servers and third-party service providers (including AI providers and cloud infrastructure) may be located in the United States or other jurisdictions. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the European Commission where required, and compliance with applicable data transfer frameworks.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33. We will also notify the relevant supervisory authority where required. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will also send a notification through the Service or via email. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@qwebmaster.com
• General inquiries: hello@qwebmaster.com
• Company: QWEB Inc.

For GDPR-related requests, we aim to respond within 30 days. For CCPA-related requests, we will respond within 45 days as required by law.