Privacy policy.
1. The short version
We collect what we need to operate QB BrandOS for you: your email, the brand information you enter into the tools, and the minimum behavioural signal we need to bill you and improve the product. We don't sell your data, we don't advertise to you, and we don't profile you beyond what the tools require to function. You can delete everything at any time by emailing me@qtmbg.com.
2. Who's responsible
Data controller: Nizzar Ben Chekroune, operating as Quantum Branding (France). Contact: me@qtmbg.com.
3. Data we collect
| Category | What we collect | Source |
|---|---|---|
| Account | Email address, first name, optional last name, magic-link sign-in events | You enter it; Supabase Auth records it |
| Brand Profile (QBP) | Your brand name, archetype, manifesto, personas, voice notes, sensory profile, visual direction — everything you type into a Phase 01 tool | You enter it; stored in profiles.qbp |
| Usage | Which tools you completed and when (tool_completions), your tier, subscription status, last active timestamp | System records as you use it |
| Signal Scan results | Your 8 question answers, computed score, grade, top gap, moment phase | You enter; computed by the app; stored in Supabase |
| Payment | Stripe customer id, subscription id, subscription status, plan name. We never see or store your card number. | Stripe webhook |
| Email engagement | Whether emails we send are delivered, opened, clicked, bounced, unsubscribed | Resend |
| Technical | IP address, browser user-agent, page-load timestamps as part of normal HTTP request logs (hosting only, not used for tracking) | Vercel access logs |
| Aggregate usage | Pageviews, page paths, referrer, country, device type. Cookieless. No persistent identifier. IP hashed and discarded. | Vercel Web Analytics + Speed Insights |
We do not collect: government ID, payment card numbers (Stripe handles those), health data, sexual orientation, religious or political views, or any special-category data under GDPR Article 9. If a tool asks you something you'd prefer not to answer, don't answer it. The tools work fine without filling every field.
4. Why we collect it (lawful basis)
- Performance of a contract (GDPR Art. 6(1)(b)) — Account, QBP, usage, payment data: needed to deliver the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — Email engagement and technical logs: needed to keep the service running, debug issues, and prevent abuse. We've balanced this against your privacy interests and judged the impact minimal.
- Consent (Art. 6(1)(a)) — Marketing emails (newsletter, drip campaigns). You can withdraw consent at any time by unsubscribing in the email footer or emailing us.
- Legal obligation (Art. 6(1)(c)) — Records we have to keep for tax, accounting, or in response to a lawful request.
5. Third parties we share data with
QB BrandOS runs on infrastructure provided by these processors. Each handles a slice of your data on our behalf, governed by a Data Processing Addendum (DPA):
| Processor | What they handle | Region |
|---|---|---|
| Vercel | Hosting, edge functions, request logs, cookieless web analytics, speed insights | Global (EU edge nodes) |
| Supabase | Auth, profiles database, storage | EU (Frankfurt) |
| Stripe | Payment processing, billing portal | EU + USA |
| Resend | Transactional email (magic links, welcome, results, receipts, lock confirmations) | EU (eu-west-1) |
| Anthropic | AI inference for tool outputs (Claude) | USA |
We don't share your personal data with anyone for marketing or profiling. We don't sell data. If a processor is subpoenaed or asked by a government to disclose data, that's between them and the requesting authority — we'll be told to the extent legally possible.
For transfers to processors outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) and the processor's own compliance commitments.
6. Where data is stored
Your account and Brand Profile are stored in Supabase's Frankfurt region (EU). Transactional emails go through Resend's EU-West region. Stripe handles payment data on its global infrastructure but stores European customers' financial records in the EU. Anthropic processes your tool inputs on US infrastructure under SCCs; the input is used only to generate the response and is not retained for training (per Anthropic's API terms).
7. How long we keep it
| Data type | Retention |
|---|---|
| Active account data | For as long as your account is active |
| Cancelled subscription | 30 days, then archived to a minimal billing record |
| Account deletion request | Action within 30 days; full deletion within 90 days (some processor backups can take that long to expire) |
| Billing records | 10 years from invoice date (French commercial law) |
| Email engagement | Retained as long as the marketing list contains your address; deleted on unsubscribe + 90 days |
| Server access logs | 30 days at Vercel's default retention |
8. Your rights
Under GDPR (and equivalent rights elsewhere), you have:
- Right of access — Ask for a copy of all personal data we hold about you
- Right to rectification — Correct any data that's wrong
- Right to erasure ("right to be forgotten") — Delete your data, subject to legal retention obligations
- Right to restrict processing — Pause our use of your data while a dispute is resolved
- Right to data portability — Get a copy of your data in a machine-readable format (we export your QBP as JSON on request)
- Right to object — Stop processing based on legitimate interest or for marketing
- Right to withdraw consent — Cancel any consent you previously gave (e.g. marketing emails)
- Right not to be subject to automated decision-making — We don't make decisions about you based solely on algorithms; humans can review any output
Exercise any of these by emailing me@qtmbg.com. We'll respond within 30 days. There's no charge unless the request is clearly excessive.
9. Cookies and localStorage
QB BrandOS does not use third-party tracking cookies. We use the browser's localStorage to store:
- qb_session — your Supabase auth token (only after sign-in)
- qb_qbp — your in-progress Brand Profile so you don't lose work between sessions
- qb_completions — which Phase 01 tools you've finished
- qb_user_tier, qb_sub_status — your subscription tier, refreshed from the server on each load
- qb_first_name, qb_apikey — convenience caches you set explicitly
These are functional, not tracking. They never leave your browser unless they're sent to the server as part of an API call. Clearing your browser data clears them all.
Stripe and Supabase may set their own cookies on their own domains (Stripe Checkout, the Supabase Auth callback). Those are governed by Stripe's and Supabase's privacy policies.
10. Security
HTTPS everywhere. Auth via magic links (no passwords to leak). API keys for AI providers and payment processors stored only as Vercel environment variables and never exposed to the client. Supabase Row Level Security ensures one user can only read their own profile. Webhook signatures verified with HMAC-SHA256.
Despite all that, no system is fully secure. If we ever experience a personal-data breach that creates a risk to your rights, we'll notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected users without undue delay where required.
11. Children
QB BrandOS is not directed at children under 16. We don't knowingly collect data from anyone under that age. If you believe a child has created an account, email us and we'll delete it.
12. Changes to this policy
We'll update the "Last updated" date at the top when this policy changes. For material changes that affect how we handle existing customer data, we'll email you 30 days before the change takes effect.
13. Contact and complaints
For any data-related question or request: me@qtmbg.com.
If you believe we have not handled your data properly, you can lodge a complaint with your local data-protection authority. In France, that's the CNIL. We'd appreciate it if you emailed us first so we have the chance to fix things.