# Privacy Policy

**Effective Date:** May 5, 2026  
**Last Updated:** May 5, 2026

---

## 1. Introduction

NetraScale Ltd ("NetraScale," "we," "us," or "our") operates the QDayRisk platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with applicable data protection laws, including:

- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation (EU GDPR)
- California Consumer Privacy Act (CCPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada

**Data Controller:**  
NetraScale Ltd (UK Company)  
NetraShield Inc. (Canadian entity)

---

## 2. Information We Collect

### 2.1 Information You Provide

**Account Information:**
- Name
- Email address
- Password (encrypted)
- Organization name (if applicable)
- Job title or role (optional)

**Assessment Data:**
- Industry and sector information
- Organization size and type
- Geographic location
- Technology infrastructure details
- Security posture information
- Regulatory compliance requirements
- Responses to assessment questions

**Payment Information:**
- Billing name and address
- Payment method details (processed by Stripe)
- Transaction history

**Communications:**
- Support requests and correspondence
- Feedback and survey responses
- Email communications

### 2.2 Automatically Collected Information

**Usage Data:**
- Pages visited and features used
- Time spent on pages
- Click patterns and navigation paths
- Assessment progress and completion
- Referral sources

**Device Information:**
- IP address
- Browser type and version
- Operating system
- Device type (desktop, mobile, tablet)
- Screen resolution
- Language preferences

**Cookies and Tracking:**
- Authentication cookies (essential)
- Preference cookies
- Analytics cookies
- Session identifiers

### 2.3 Information from Third Parties

We may receive information from:

- **Authentication providers:** If you sign up using OAuth
- **Payment processors:** Transaction confirmations from Stripe
- **Business partners:** If you access the Service through a partner
- **Public sources:** Company information for business verification

---

## 3. How We Use Your Information

### 3.1 Service Provision

We use your information to:

- Create and manage your account
- Authenticate your identity
- Provide quantum threat assessments
- Generate risk reports and recommendations
- Process payments and maintain billing records
- Send service-related emails (confirmations, updates, security alerts)

### 3.2 Service Improvement

We use information to:

- Improve assessment accuracy and relevance
- Develop new features and capabilities
- Analyze usage patterns and trends
- Train and improve AI models (using anonymized data)
- Optimize user experience and interface
- Conduct research and development

### 3.3 Communications

We use your email to:

- Send account notifications
- Deliver assessment results
- Provide customer support
- Send important service updates
- Share security alerts (if applicable)

**Marketing Communications:**  
We will only send marketing emails if you opt in. You can unsubscribe at any time.

### 3.4 Legal Compliance

We may use information to:

- Comply with legal obligations
- Enforce our Terms of Service
- Protect our rights and property
- Prevent fraud and abuse
- Respond to legal requests
- Ensure platform security

---

## 4. Legal Basis for Processing (GDPR)

We process your personal data based on:

| Purpose | Legal Basis |
|---------|-------------|
| Account creation and service delivery | Contract performance |
| Payment processing | Contract performance |
| Service improvement and analytics | Legitimate interests |
| Marketing communications | Consent |
| Legal compliance | Legal obligation |
| Fraud prevention | Legitimate interests |
| Security and system integrity | Legitimate interests |

---

## 5. How We Share Your Information

### 5.1 Service Providers

We share information with trusted third-party service providers:

**Infrastructure and Hosting:**
- **Vercel:** Application hosting and delivery
- **Supabase:** Database and authentication services
- **Cloudflare:** CDN and security (if applicable)

**Communications:**
- **Resend:** Email delivery service

**AI Processing:**
- **Anthropic:** Claude AI API for assessment generation

**Payment Processing:**
- **Stripe:** Payment processing and billing

**Analytics (if implemented):**
- **Vercel Analytics:** Usage analytics
- **PostHog / Mixpanel:** Product analytics (if added)

All service providers are contractually obligated to:
- Use data only for specified purposes
- Maintain appropriate security measures
- Comply with applicable data protection laws
- Delete data when no longer needed

### 5.2 Business Transfers

If NetraScale is involved in a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

### 5.3 Legal Requirements

We may disclose information if required to:

- Comply with legal process (subpoena, court order)
- Enforce our Terms of Service
- Protect our rights, property, or safety
- Protect users or the public from harm
- Prevent or investigate fraud or security issues

### 5.4 With Your Consent

We may share information with third parties if you explicitly consent.

### 5.5 Anonymized Data

We may share aggregated, anonymized data that cannot identify you:

- Industry trends and statistics
- Research and publications
- Service improvement insights
- Business analytics

---

## 6. Data Retention

We retain your information for as long as:

- Your account is active
- Needed to provide the Service
- Required by law or regulation
- Necessary for legitimate business purposes

**Specific Retention Periods:**

| Data Type | Retention Period |
|-----------|------------------|
| Account information | Duration of account + 30 days |
| Assessment data | Duration of account + 90 days |
| Payment records | 7 years (tax/legal requirements) |
| Support communications | 3 years |
| Usage logs | 90 days |
| Security logs | 1 year |
| Marketing communications | Until opt-out |

After retention periods expire, we securely delete or anonymize your information.

**Account Deletion:**  
You can request account deletion at any time. Upon deletion:
- Your account will be deactivated immediately
- Personal data will be deleted within 30 days
- Some data may be retained if required by law

---

## 7. Data Security

We implement appropriate technical and organizational measures to protect your information:

### 7.1 Technical Measures

- **Encryption:** Data encrypted in transit (TLS/SSL) and at rest
- **Authentication:** Secure password hashing (bcrypt)
- **Access Controls:** Role-based access limitations
- **Network Security:** Firewalls and intrusion detection
- **Vulnerability Management:** Regular security assessments
- **Backup:** Regular encrypted backups

### 7.2 Organizational Measures

- Employee training on data protection
- Confidentiality agreements with staff and contractors
- Limited access to personal data (need-to-know basis)
- Incident response procedures
- Vendor security assessments
- Regular security audits

### 7.3 Your Responsibility

You are responsible for:

- Maintaining the confidentiality of your password
- Notifying us of any unauthorized access
- Using secure networks when accessing the Service
- Keeping your contact information current

**No system is 100% secure.** While we implement industry-standard security measures, we cannot guarantee absolute security.

---

## 8. International Data Transfers

### 8.1 Transfer Mechanisms

Your information may be transferred to and processed in countries outside your residence, including:

- **United States:** Vercel hosting, Anthropic AI processing
- **European Union:** Supabase infrastructure
- **United Kingdom:** NetraScale operations

We ensure adequate protection through:

- **Standard Contractual Clauses (SCCs):** EU-approved data transfer agreements
- **UK International Data Transfer Agreement (IDTA):** For UK transfers
- **Adequacy Decisions:** Transfers to countries deemed adequate by UK/EU
- **Service Provider Certifications:** SOC 2, ISO 27001, etc.

### 8.2 Your Rights

If you are in the EEA, UK, or other jurisdictions with specific data transfer requirements, you have rights regarding international transfers. Contact us for more information.

---

## 9. Your Privacy Rights

### 9.1 General Rights

Depending on your location, you may have the following rights:

**Access:** Request a copy of your personal data  
**Rectification:** Correct inaccurate or incomplete data  
**Erasure:** Request deletion of your data ("right to be forgotten")  
**Restriction:** Limit how we process your data  
**Portability:** Receive your data in a portable format  
**Objection:** Object to certain processing activities  
**Withdraw Consent:** Withdraw consent for consent-based processing  
**Complaint:** Lodge a complaint with a supervisory authority  

### 9.2 UK GDPR Rights

If you are in the UK, you can:

- Contact the UK Information Commissioner's Office (ICO)
- Request information about automated decision-making
- Object to direct marketing

**ICO Contact:**  
Website: https://ico.org.uk  
Phone: 0303 123 1113

### 9.3 CCPA Rights (California Residents)

If you are a California resident, you have the right to:

- Know what personal information we collect
- Know whether we sell or share personal information (we do not)
- Access your personal information
- Delete your personal information
- Opt-out of sales (not applicable - we don't sell data)
- Non-discrimination for exercising your rights

**Shine the Light Law:** You can request information about data shared with third parties for marketing purposes.

### 9.4 PIPEDA Rights (Canadian Residents)

If you are in Canada, you have the right to:

- Access your personal information
- Challenge the accuracy of your information
- Withdraw consent
- File a complaint with the Privacy Commissioner of Canada

**Privacy Commissioner of Canada:**  
Website: https://priv.gc.ca  
Phone: 1-800-282-1376

### 9.5 Exercising Your Rights

To exercise your rights:

**Email:** privacy@netrascale.com  
**Subject:** Privacy Rights Request  
**Include:** Your name, email, and specific request

We will respond within:
- **30 days** (UK GDPR, general)
- **45 days** (CCPA, extendable to 90 days)
- **30 days** (PIPEDA)

We may need to verify your identity before processing requests.

---

## 10. Cookies and Tracking

### 10.1 Types of Cookies

**Essential Cookies (Required):**
- Authentication and session management
- Security and fraud prevention
- Service functionality

**Functional Cookies (Optional):**
- User preferences
- Language settings
- Display preferences

**Analytics Cookies (Optional):**
- Usage statistics
- Performance monitoring
- Feature adoption tracking

**Marketing Cookies (Optional with consent):**
- Currently not used
- Would require explicit consent if implemented

### 10.2 Cookie Management

**Browser Controls:**  
Most browsers allow you to:
- View and delete cookies
- Block all cookies
- Block third-party cookies
- Receive cookie notifications

**Disabling Essential Cookies:** May prevent use of the Service

**Third-Party Cookies:**  
Our service providers may set cookies. Review their privacy policies:
- Vercel: https://vercel.com/legal/privacy-policy
- Supabase: https://supabase.com/privacy
- Stripe: https://stripe.com/privacy

---

## 11. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect information from children.

If you believe we have collected information from a child under 18:
- Contact us immediately at privacy@netrascale.com
- We will delete the information promptly
- We will terminate the account

Parents/guardians have the right to:
- Review information collected from their child
- Request deletion of that information
- Refuse further collection or use

---

## 12. Do Not Track

Some browsers have "Do Not Track" features. We currently do not respond to Do Not Track signals because there is no consistent industry standard for compliance.

---

## 13. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for:

- Third-party privacy practices
- Third-party content or services
- Information you provide to third parties

Review third-party privacy policies before providing information.

---

## 14. AI and Automated Decision-Making

### 14.1 AI Processing

We use Anthropic's Claude AI to:
- Generate risk assessments
- Provide recommendations
- Analyze threat landscapes
- Create customized reports

**How It Works:**
- You provide assessment inputs
- Claude processes inputs to generate outputs
- Outputs are presented to you for review

**Your Control:**
- All AI processing is initiated by you
- You can review outputs before accepting
- You can modify or reject AI recommendations
- Final decisions are always yours

### 14.2 Data Used for AI

We may use anonymized, aggregated data to:
- Improve assessment quality
- Train internal models
- Enhance recommendations

**We do NOT:**
- Use your personal data to train third-party AI models without consent
- Share identifiable assessment data with AI providers
- Use your data for AI training purposes beyond service improvement

### 14.3 Limitations

AI outputs may:
- Contain errors or inaccuracies
- Require verification by experts
- Not be suitable for all situations
- Need human judgment and oversight

You should not rely solely on AI-generated assessments for critical decisions.

---

## 15. Data Breach Notification

If we experience a data breach affecting your personal information:

**We will:**
- Investigate the breach promptly
- Notify affected users within 72 hours (if required by law)
- Notify relevant supervisory authorities
- Provide information about the breach and mitigation steps
- Take steps to prevent future breaches

**You should:**
- Change your password if credentials may be compromised
- Monitor your accounts for suspicious activity
- Contact us if you have questions or concerns

---

## 16. Business Contacts

If you are a business contact (not a service user):

**Information we collect:**
- Name, title, company
- Business email and phone
- Communication history

**How we use it:**
- Business relationship management
- Contract performance
- Marketing (with consent)

**Your rights:** Same as described in Section 9

---

## 17. Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

- Changes in our practices
- Legal or regulatory requirements
- New features or services
- Feedback from users

**How we notify you:**
- Email notification to registered users
- Notice on our website
- Notice within the Service
- Update to "Last Updated" date

**Material changes:** We will provide at least 30 days' notice

**Your acceptance:** Continued use after changes take effect constitutes acceptance

---

## 18. Contact Information

**Privacy Inquiries:**  
Email: privacy@netrascale.com  
Subject: Privacy Policy Inquiry

**Data Protection Officer:**  
Email: dpo@netrascale.com

**General Support:**  
Email: support@netrascale.com  
Website: https://www.netrascale.com

**UK Entity:**  
NetraScale Ltd  
[UK Registered Address]  
Company Number: [Company Registration Number]

**Canadian Entity:**  
NetraShield Inc.  
[Canadian Registered Address]

**Supervisory Authorities:**

**UK:**  
Information Commissioner's Office (ICO)  
Website: https://ico.org.uk  
Phone: 0303 123 1113

**Canada:**  
Privacy Commissioner of Canada  
Website: https://priv.gc.ca  
Phone: 1-800-282-1376

**EU (if applicable):**  
Contact your local data protection authority

---

## 19. Supplemental Privacy Notices

### 19.1 California Residents

**Categories of Personal Information Collected:**
- Identifiers (name, email, IP address)
- Commercial information (payment history)
- Internet activity (usage data)
- Professional information (job title, industry)

**Sources:** Directly from you, automatically collected, third-party services

**Business Purposes:** As described in Section 3

**Categories Shared:** As described in Section 5

**Sales of Personal Information:** We do not sell personal information

**Right to Opt-Out:** Not applicable (no sales)

**Financial Incentives:** We do not offer financial incentives for personal information

### 19.2 Nevada Residents

We do not sell personal information as defined by Nevada law. You have the right to opt-out of sales (if we ever engage in sales). Contact privacy@netrascale.com to exercise this right.

---

## 20. Glossary

**Personal Data/Information:** Information that identifies or can identify you  
**Processing:** Any operation performed on personal data  
**Controller:** Entity that determines purposes and means of processing  
**Processor:** Entity that processes data on behalf of controller  
**Consent:** Freely given, specific, informed agreement  
**Legitimate Interests:** Legal basis for processing without consent  
**Anonymization:** Making data non-identifiable  
**Pseudonymization:** Replacing identifiers with pseudonyms  

---

**By using QDayRisk, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described.**

---

*Last Updated: May 5, 2026*  
*Version: 1.0*

**For questions or concerns about this Privacy Policy, please contact us at privacy@netrascale.com**
