Privacy Policy

Last updated: December 10, 2025

QAstell ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our security auditing library and related services.

1. Information We Collect

Important: We do not directly collect or store your personal data. All customer information is collected and managed by our payment processor, LemonSqueezy, who acts as the data controller for purchase transactions.

1.1 Account & Payment Information (via LemonSqueezy)

When you purchase a license, LemonSqueezy collects the following on our behalf:

• Name and email address
• Company name (if applicable)
• Billing address
• Payment details (credit card, etc.)

We do not have direct access to your payment details. LemonSqueezy handles all payment processing, license delivery, and customer data storage in accordance with their own privacy policy. Please review LemonSqueezy's Privacy Policy for details on how they handle your data.

1.2 Usage Data

Our library may collect anonymous usage statistics to help us improve the product:

• Number of scans performed (for license enforcement)
• Library version
• Error reports (opt-in only)

We do not collect or transmit any data about the websites you scan, including URLs, page content, or security findings.

1.3 Website Analytics

Our website does not use cookies, tracking pixels, or client-side analytics scripts. We do not track individual visitors. Any traffic analysis is performed server-side by our hosting provider using anonymized server logs, in compliance with GDPR.

2. How Your Information Is Used

We do not directly collect, store, or process any user data. QAstell runs entirely on your infrastructure and makes no network calls.

Third-party services that may collect data on our behalf:

• LemonSqueezy (payment processor): Collects payment and billing information to process transactions and deliver licenses
• Cloudflare (security/CDN): May collect IP addresses and request metadata for security purposes
• Hosterion (hosting provider): May maintain server logs containing IP addresses and request data

Both Cloudflare and Hosterion provide anonymized analytics. While we can technically see data like IP addresses and server requests, we don't actively use this information - we're focused on building a great product, not analyzing traffic patterns. We already know most of our website traffic comes from AI-related crawlers anyway.

We may access your email address through LemonSqueezy's merchant dashboard solely to respond to support requests you initiate.

3. Data Sharing

We do not sell your personal information. We may share your information only in the following circumstances:

• Payment Processor: LemonSqueezy processes payments on our behalf
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In connection with a merger, acquisition, or sale of assets

4. Data Security

We implement the following measures to protect your information:

• HTTPS encryption: All website traffic is encrypted using TLS/SSL
• Cloudflare protection: DDoS mitigation and web application firewall
• Email encryption: Opportunistic TLS for all outgoing emails (encrypted when recipient servers support it)
• No data collection: QAstell runs entirely on your infrastructure and makes no network calls
• Offline license validation: License keys are verified locally using cryptographic signatures, no server communication required
• Supply chain protection: Due to recent supply chain attacks targeting npm publishers, we have enabled 2FA authentication that requires a physical security key which is stored securely when not in use
• Endpoint security: Our development machines are always kept up-to-date and protected by Bitdefender security solutions
• Credential hygiene: We do not store tokens or secrets - they are regenerated when needed

However, no method of transmission over the Internet is 100% secure.

5. Data Retention

Since we do not directly collect or store user data, we have no personal information to retain. Data handled by third parties is subject to their respective retention policies:

• LemonSqueezy: Retains purchase and billing records according to their privacy policy
• Cloudflare: Security logs retained per their privacy policy
• Hosterion: Collects general website traffic information (server logs) per their hosting terms
• Email correspondence: Support emails are stored offline after tickets are resolved. We're building a great product and thoroughly testing it, so we expect minimal support inquiries.

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have certain data protection rights under the General Data Protection Regulation (GDPR):

• Access: Request copies of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your personal data
• Restriction: Request restriction of processing
• Data Portability: Request transfer of your data
• Objection: Object to processing of your personal data

To exercise these rights, please contact us at hello@qastell.eu.

7. International Transfers

While QAstell is operated from Germany (EU), our third-party service providers may process data in other jurisdictions:

• LemonSqueezy: Based in the United States (Salt Lake City, Utah), now owned by Stripe. Payment data may be processed in the US under EU-US Data Privacy Framework
• Cloudflare: US-based company with global infrastructure. Operates under EU-US Data Privacy Framework
• Resend: Email delivery service, US-based
• Hosterion: Based in Romania (EU), with datacenters in the EU, UK, and US

We do not directly transfer any personal data internationally, as we do not collect it. Any transfers are handled by the third-party services listed above under their respective data protection agreements.

8. Children's Privacy

Our services are not directed to individuals under 16. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Since we do not collect user contact information, we will not send email notifications about policy changes. We encourage you to review this page periodically.

10. Contact Us

If you have any questions about this Privacy Policy, please contact us:

• Email: hello@qastell.eu