QGUID/v0
Claim a QGUID

Legal · v1.0

Privacy Policy.

We collect what's necessary, hold what's yours lightly, and never sell your data.

Last updated: 2026-05-09 · See also Terms of Service

  1. § 01

    Summary

    We collect the minimum data needed to operate the registry and resolver. We never sell personal data. Your private keys are held by you, not by us. You can export or delete your data at any time.

  2. § 02

    Data we collect

    (a) Account data: email, hashed password (argon2id), OAuth identifier if you sign in with Google. (b) Registry data: subnames you issue, their public keys, anchor block, status. (c) Operational logs: IP address, user agent, request path, status code, retained 30 days for abuse and reliability. (d) Billing data: handled by our payment processor; we store last-4 and a token only.

  3. § 03

    What we do not collect

    We do not collect your private keys. We do not collect browsing activity outside our domains. We do not run third-party advertising trackers. We do not use your data to train AI models.

  4. § 04

    Legal bases (GDPR Art. 6)

    Contract performance for account, registry, and resolver services. Legitimate interest for security logs and abuse prevention. Consent for optional product emails. Legal obligation for tax and sanctions compliance.

  5. § 05

    How we use data

    To operate and secure the Services, prevent fraud and abuse, communicate operational notices, comply with law, and improve reliability. We do not use personal data for advertising or share it with advertisers.

  6. § 06

    Sub-processors

    Cloudflare (edge + DDoS), Supabase (managed Postgres + auth), Stripe (billing), Postmark (transactional email), Sentry (error monitoring, IPs scrubbed). Current list at /privacy/subprocessors. We require GDPR-compliant DPAs with all sub-processors.

  7. § 07

    International transfers

    We are headquartered in the U.S. and process data in the U.S. and E.U. Transfers from the EEA, U.K., and Switzerland are governed by the EU Standard Contractual Clauses and the U.K. Addendum.

  8. § 08

    Retention

    Account data: while your account is active, plus 24 months. Registry data: indefinitely (the resolver is a public good). Logs: 30 days. Billing records: 7 years (tax requirement). On deletion request, we anonymize within 30 days, except where law requires retention.

  9. § 09

    Your rights (GDPR / UK GDPR / CCPA)

    Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. California residents: right to know, delete, correct, opt-out of "sale" or "sharing" (we do neither), and non-discrimination. Submit requests to privacy@qguid.xyz; verified requests answered within 30 days.

  10. § 10

    Cookies

    Strictly necessary cookies for session management. No analytics or advertising cookies by default. If we enable privacy-respecting analytics in the future (e.g. Plausible), we will update this section and provide opt-out controls.

  11. § 11

    Security

    TLS 1.3 in transit, AES-256 at rest, argon2id for password hashing, hardware-backed signing keys for the resolver, regular third-party audits. See /security for posture details. Breach notifications within 72 hours where required.

  12. § 12

    Children

    The Services are not directed to children under 16. We do not knowingly collect personal data from children. Contact privacy@qguid.xyz to request deletion of any such data.

  13. § 13

    Changes

    Material changes will be announced via email and on the website at least 30 days before they take effect.

  14. § 14

    Contact & DPO

    Privacy questions: privacy@qguid.xyz · EU Representative: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland.