Privacy Policy

1. Data Controller

Qpath Concept SRL ("we", "us", "our"), a company registered in Romania, is the data controller for personal data processed through DefineProcesses.
Contact: contact@qpath.one

2. Data We Collect

2.1 Authentication Data

When you sign in via Google OAuth, we receive your email address, full name, and profile picture from Google. We do not store passwords.

2.2 Profile Data

You may edit your full name in your account settings.

2.3 Billing Data (Personal)

If you subscribe with personal billing, we collect: full name, email, street address, city, county/state, country, postal code, and phone number.

2.4 Billing Data (Company)

If you subscribe with company billing, we collect: company name, tax ID (CUI), registration number (RegCom), registered address, city, county/state, country, postal code, bank name, IBAN, contact person name, phone number, and billing email.

2.5 User-Generated Content

We store the processes, templates, sections, tasks, subtasks, and other content you create within the Service.

2.6 Team Invitations

When you invite team members, we collect their email address and the role you assign them.

2.7 Waitlist Data

If you join our waitlist, we collect your email address, which is stored in our email marketing platform (MailerLite).

2.8 Analytics Data

With your consent, we collect analytics data to understand how you use the Service and to improve the experience. This includes:

• Usage data: Pages visited, features used, clicks, and navigation patterns.
• Device data: Browser type, operating system, screen resolution, and language.
• IP address: Used to determine approximate location (country, city). IP addresses are not stored long-term by our analytics provider.
• Identity data: If you are logged in and have consented to analytics, we link your analytics data to your account using your user ID, email address, and name. This allows us to understand user journeys and provide better support.
• Session recordings: If you consent to session recording, we record your browsing sessions (mouse movements, clicks, scrolls, page content). All form inputs are masked by default to protect sensitive data.
• Organisation data: Your current organisation ID, name, and plan are associated with analytics events to enable aggregate usage analysis per organisation.

Analytics data is only collected after you give explicit consent via our cookie banner. You can withdraw consent at any time. See our Cookie Policy for details.

2.9 Cookies

We use strictly necessary authentication cookies and, with your consent, analytics cookies. See our Cookie Policy for a full list of cookies and how to manage them.

3. How We Use Your Data

• Provide the Service: Authenticate you, store your content, manage your subscription.
• Billing: Process payments, generate invoices, comply with tax obligations.
• Communication: Send transactional emails (billing receipts, team invitations) and, with your consent, marketing emails (waitlist updates).
• Legal compliance: Fulfill regulatory obligations, prevent fraud, enforce our terms.

4. Lawful Basis (GDPR)

• Contract performance: Processing necessary to provide the Service you signed up for (authentication, content storage, billing).
• Legitimate interest: Service security, fraud prevention, product improvement.
• Legal obligation: Tax and accounting records, responding to lawful requests.
• Consent: Analytics tracking, session recording, and marketing communications (waitlist emails). You may withdraw consent at any time.

5. Third-Party Processors

We share personal data with the following processors, all of which are bound by data processing agreements:

6. International Data Transfers

Some of our processors are located outside the EEA (primarily in the USA). These transfers are protected by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, as applicable.

7. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion, except where retention is required by law.
• Billing records: Retained for the period required by Romanian tax law (currently 10 years).
• Waitlist data: Retained until you unsubscribe or we delete the list.
• Analytics data: Retained for up to 12 months. Session recordings are retained for up to 3 months. You can request deletion at any time.
• Server logs: Retained for up to 90 days for security and debugging purposes.

8. Your Rights (GDPR)

If you are in the EEA, you have the right to:

• Access your personal data.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten").
• Restrict processing in certain circumstances.
• Data portability — receive your data in a structured, machine-readable format.
• Object to processing based on legitimate interest.
• Withdraw consent for marketing communications at any time.

To exercise any of these rights, contact us at contact@qpath.one. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Romania, this is the ANSPDCP (Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal).

9. California Residents

If you are a California resident, you have additional rights under the CCPA. Please see our California Privacy Notice.

10. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or a notice within the Service at least 30 days before taking effect.

12. Contact

For privacy-related inquiries:
Qpath Concept SRL
Email: contact@qpath.one