Privacy Policy
This policy explains how we handle personal data when you use qear.ai and its subdomains (the "Service"). Privacy requests: [email protected].
1. Our two roles
We act as controller for your account and billing data, and as processor for the content you submit to be verified ("Input"). If your Input contains personal data, you are the controller of it and we process it on your behalf. Do not submit special-category or high-risk personal data without a lawful basis and a DPA with us.
2. What we collect
- Account data: email, name, company (optional), hashed API keys, authentication data.
- Billing data: subscription tier and transaction records (full card data held only by our payment processor).
- Usage data: API call metadata — endpoints, timestamps, token/atom counts, latency, cost, verdicts, quota usage, diagnostic logs.
- Input: the prompts/answers/claims you submit for verification.
- Cookies: essential cookies for authentication and session.
3. Legal bases
- Providing and securing the Service and managing your account: performance of a contract.
- Billing and record-keeping: contract and legal obligation.
- Monitoring, abuse prevention, reliability: legitimate interests.
- Optional product emails: consent, which can be withdrawn at any time.
4. How we use Input
Input is processed to generate a verdict and citation, and is sent to the sub-processors listed below solely to perform verification. [Confirm retention: state whether Input is stored and for how long, or processed transiently.] We do not sell your data or use your Input to train foundation models.
5. International transfers
Some sub-processors are located outside the EEA (notably the United States). Where we transfer personal data outside the EEA, we rely on appropriate safeguards — Standard Contractual Clauses and/or an applicable adequacy decision.
6. Sub-processors
See our full Sub-processor List. In summary: Cloudflare (hosting), Supabase (database/auth), Groq and Voyage AI (model inference/embeddings), Stripe (payments), Resend (email).
7. Retention
Account data: for the life of your account and a reasonable period after. Billing records: as required by law. Usage/diagnostic logs: [period], then deleted or anonymised. On account deletion we anonymise identity data and delete or anonymise associated records, retaining only what law requires.
8. Your rights (GDPR)
You have the right to access, rectify, erase, restrict, port, and object to processing, and to withdraw consent. We provide self-service data export and account deletion in-app or via [email protected]. Business customers may request a Data Processing Agreement. You may lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
9. Security
We use access controls, hashing of API keys, encrypted transport, and least-privilege service credentials. We will notify affected users and authorities of a personal-data breach as required by law.
10. Children
The Service is not directed to children under 16 and we do not knowingly collect their data.
11. Changes and contact
We may update this policy; we will give notice of material changes. Questions or requests: [email protected].