This Policy applies to personal information processed by Qor as a business under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA/CPRA”), and as a controller under the EU GDPR and UK GDPR. Where Qor processes personal information on behalf of a business customer (e.g., when a customer submits data through the Services for processing), Qor acts as a service provider (CCPA/CPRA) or processor (GDPR), and such processing is governed by the applicable data processing addendum.
This Policy does not cover personal information processed by third parties whose services may be linked from or integrated with the Services. Please review the privacy policies of any third-party services you use.
Your use of our Services is also subject to our Terms of Service, which are hereby incorporated by reference.
1. Scope
This Policy applies to:
- visitors to our website;
- users of the free PQC scanner;
- registered users of paid Services;
- prospects and recipients of our marketing communications;
- attendees at our events; and
- other individuals who interact with Qor in connection with the Services.
2. Information We Collect
2.1 Information You Provide to Us
We collect personal information you provide directly when you:
- Create or manage an account (e.g., name, email address, password, employer, role/title);
- Submit a scan or audit request (e.g., blockchain addresses, contract addresses, wallet identifiers, validator identifiers, RPC endpoints, descriptive context, and any other information you choose to submit);
- Purchase paid Services or make payments (limited transaction information; full payment-card details are collected and processed by our third-party payment processor and are not stored by Qor);
- Communicate with us by email, contact form, support ticket, chat, or phone (the content of your communications, contact details, and any attachments);
- Sign up for newsletters, webinars, demos, marketing communications, or events;
- Apply to join our beta or early-access programs; or
- Respond to surveys or research requests.
2.2 Information Collected Automatically
When you use the Services, we and our service providers may collect certain information automatically, including:
- Device and browser information: IP address, browser type and version, operating system, device identifiers, language settings, time zone, and screen resolution.
- Usage data: Pages and features accessed, links clicked, queries submitted, scan inputs and results, session duration, referring/exit pages, and timestamps.
- Log data: Server logs and diagnostics, including error reports, performance data, and crash data.
- Cookies and similar technologies: See Section 7 for details.
2.3 Information from Third Parties
We may receive personal information from third parties, including:
- Public blockchain networks: Publicly available on-chain data associated with addresses, contracts, and transactions submitted to or analyzed by the Services. We do not consider unencrypted public blockchain data to be personal information in most cases, but we apply this Policy where blockchain data is associated with an identified or identifiable natural person.
- Identity verification and fraud prevention providers, where required by law or contract.
- Single sign-on (SSO) and authentication providers (e.g., Google, Microsoft, GitHub) when you choose to log in using SSO; we receive only the information you authorize.
- Payment processors (e.g., Stripe), who provide us with transaction confirmation, billing identifiers, and limited card details such as card brand and last four digits.
- Marketing, analytics, and enrichment providers who provide leads, firmographic data, or aggregated insights.
- Threat-intelligence and compliance data providers, who provide screening data we use to fulfill our legal obligations (including sanctions screening).
2.4 Categories of Personal Information (CCPA/CPRA)
For purposes of the CCPA/CPRA, we have collected the following categories of personal information about California consumers in the preceding twelve (12) months:
- Identifiers (name, email, account identifier, IP address, online identifier);
- Customer records (billing information, professional contact details);
- Commercial information (records of Services purchased or considered);
- Internet or other electronic network activity information (browsing/usage data, interactions with the Services);
- Professional or employment-related information (employer, job title); and
- Inferences drawn from the above to create a profile about preferences and use of the Services.
We do not knowingly collect or process “sensitive personal information” as defined under the CCPA/CPRA for the purpose of inferring characteristics about consumers.
3. How We Use Personal Information
We use personal information for the following purposes:
- (a) Provide the Services: to set up and maintain accounts, authenticate users, run scans and audits, generate Reports, deliver dashboards and alerts, process transactions, and provide customer support;
- (b) Operate and improve the Services: to monitor performance and security, debug, develop new features, perform analytics, train and tune scoring models, and maintain threat intelligence (using aggregated, de-identified, or pseudonymized data where reasonably possible);
- (c) Communicate with you: to send service and transactional messages, respond to inquiries, send security and policy notices, and (where permitted) send marketing communications;
- (d) Marketing and events: to market the Services, send newsletters, run webinars and events, measure marketing effectiveness, and conduct surveys (with consent where required);
- (e) Security and fraud prevention: to detect, investigate, and prevent fraudulent, unauthorized, malicious, or illegal activity; protect the rights, property, and safety of Qor, our users, and the public; enforce our Terms; and conduct internal audits and risk assessments;
- (f) Compliance: to comply with applicable laws, regulations, legal processes, and binding governmental requests, including export-control, sanctions, anti-money-laundering, and tax obligations;
- (g) Corporate transactions: to evaluate, negotiate, and consummate mergers, acquisitions, financings, reorganizations, and similar transactions; and
- (h) With your consent or as otherwise disclosed at the time of collection.
3.1 Legal Bases for Processing (EEA/UK)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases under GDPR (and the UK GDPR):
- Providing the Services to you (or your employer) — Contractual necessity
- Marketing, analytics, product improvement, security — Legitimate interests
- Cookies and certain marketing (where required) — Consent
- Compliance with legal obligations — Legal obligation
- Vital interests in rare emergencies — Vital interests
You have the right to object to processing based on legitimate interests as described in Section 9.
4. How We Share Personal Information
We do not sell personal information in exchange for monetary consideration. We share personal information only as described below:
4.1 Service Providers
We share personal information with vendors and service providers that perform services on our behalf, such as cloud hosting, security, analytics, customer support, payment processing, identity verification, communications, and marketing automation. These service providers are contractually bound to use personal information only as instructed by us and to maintain appropriate safeguards.
We share personal information with the following categories of service providers and sub-processors that help us deliver and support the Services: cloud infrastructure and hosting (MongoDB Atlas), content delivery and security (Cloudflare), payment processing (Stripe), email and communications (Resend), and product analytics (PostHog).
A full, up-to-date list of our sub-processors — including their functions, locations, and processing purposes — is available upon request by emailing privacy@qortrace.com or, for customers with a Data Processing Addendum, as set forth in that Addendum. We notify customers of new sub-processors in accordance with our DPA obligations.
4.2 Business Customers and Authorized Users
If you access the Services through an organization (e.g., your employer), we may share information about your use of the Services with that organization. The organization’s privacy policy, not this Policy, governs the organization’s use of your information.
4.3 Affiliates
We may share personal information with our corporate affiliates for the purposes described in this Policy.
4.4 Legal, Compliance, and Safety
We may disclose personal information when we believe in good faith that disclosure is necessary to:
- comply with a legal obligation, court order, subpoena, or governmental request;
- enforce our Terms or other agreements;
- detect, prevent, or address fraud, security, or technical issues; or
- protect the rights, property, or safety of Qor, our users, or others.
4.5 Corporate Transactions
We may disclose or transfer personal information to a successor or acquirer in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction. We will require any successor to honor this Policy with respect to information transferred.
4.6 With Your Consent
We may share personal information for any other purpose disclosed to you at the time of collection or with your consent.
4.7 Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified data that does not identify you, for any lawful purpose, including research, benchmarking, threat intelligence, and marketing.
4.8 No Sale or Sharing for Cross-Context Behavioral Advertising
Qor does not “sell” personal information in exchange for monetary consideration and does not “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. To the extent any analytics or advertising cookies used on our website (see Section 7) constitute a “sale” or “share” under applicable law, you can opt out by following the instructions in Sections 7 and 9.
5. International Data Transfers
Qor is headquartered in the United States, and we and our service providers may process personal information in the United States and other countries. Where we transfer personal information from the EEA, UK, or Switzerland to a country that has not received an adequacy determination, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, supplemented as necessary by additional contractual, technical, and organizational measures. You may request a copy of the safeguards we use by contacting us at privacy@qortrace.com.
6. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to provide the Services, comply with our legal, accounting, tax, or reporting obligations, and resolve disputes. Specific retention periods depend on the type of personal information and the context of processing. When personal information is no longer needed, we securely delete or anonymize it. We may retain de-identified or aggregated data indefinitely. Customer-controlled data submitted through paid Services is retained in accordance with the applicable Order and our data processing addendum.
7. Cookies and Similar Technologies
7.1 What We Use
We and our service providers use cookies, pixels, tags, local storage, software development kits, and similar technologies (“Cookies”) to operate the Services, recognize you, remember your preferences, secure the Services, measure performance, and (where permitted) deliver marketing. Cookies fall into four general categories:
- Strictly Necessary Cookies that enable core functionality such as authentication, session management, and security;
- Functional Cookies that remember preferences and improve user experience;
- Analytics/Performance Cookies that measure how users interact with the Services; and
- Marketing Cookies (limited; used only where you have consented) that may help us communicate with you about products and services that may interest you.
7.2 Your Choices
You can manage Cookies through your browser settings, or by using our cookie preferences tool (where available on the Site). You can also review industry opt-out tools such as the Network Advertising Initiative, Digital Advertising Alliance, and European Interactive Digital Advertising Alliance.
The Site also recognizes the Global Privacy Control (“GPC”) signal where required by law. Disabling certain Cookies may impair functionality of the Services.
8. Security
We implement and maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption in transit, access controls, network segmentation, and security monitoring. However, no method of transmission over the internet or method of electronic storage is fully secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and notifying us promptly of any suspected unauthorized access.
9. Your Privacy Rights
Depending on where you reside, you may have certain rights with respect to your personal information, including the rights described below. We will respond to verifiable requests as required by applicable law.
9.1 Rights Available Under Most Laws
To the extent applicable under law, you may have the following or similar rights:
- Access / Know: Request access to, or a copy of, the personal information we hold about you, including the categories of information collected, sources, purposes, and recipients.
- Correction / Rectification: Request that we correct inaccurate or incomplete personal information.
- Deletion / Erasure: Request that we delete personal information about you, subject to certain exceptions (e.g., to complete a transaction, comply with legal obligations, detect fraud, or exercise free-speech rights).
- Portability: Request a copy of certain personal information in a portable, machine-readable format.
- Restriction / Objection: Request that we restrict certain processing, or object to certain processing.
- Withdraw Consent: Where we rely on consent, you may withdraw it at any time (without affecting the lawfulness of prior processing).
- Non-Discrimination: You will not be subject to discriminatory treatment for exercising your privacy rights.
9.2 Additional Rights Under CCPA/CPRA (California Residents)
California residents may have the right to:
- Know the categories and specific pieces of personal information we have collected, sold, or shared, and the categories of sources and recipients;
- Delete personal information, subject to legal exceptions;
- Correct inaccurate personal information;
- Opt out of any “sale” or “sharing” of personal information (we do not sell or share for cross-context behavioral advertising);
- Limit our use of “sensitive personal information” (we do not use sensitive personal information for inferential purposes);
- Designate an authorized agent to submit requests on their behalf; and
- Not be retaliated against or denied service for exercising any of these rights.
We honor verified GPC signals from California residents as a request to opt out of any sale or sharing, where applicable.
9.3 Additional Rights Under GDPR / UK GDPR
In addition to the rights described in Section 9.1, individuals in the EEA, UK, or Switzerland have the right to lodge a complaint with their local supervisory authority. A list of EU authorities is available at edpb.europa.eu/about-edpb/board/members_en.
9.4 How to Exercise Your Rights
To exercise any of the rights described above, please email us at privacy@qortrace.com or use the request form (if available) on the Site. We may need to verify your identity before fulfilling your request, including by requiring additional information. If we deny your request, we will explain why to the extent required by law. You may appeal a denial by responding to our denial email with the subject line “Appeal.” Authorized agents must provide written proof of authority.
10. Automated Decision-Making
Qor does not engage in automated decision-making that produces legal or similarly significant effects on individuals within the meaning of GDPR Article 22. The scoring outputs of the Services are advisory only and are not used to make decisions about individuals.
11. Children’s Privacy
The Services are not directed to children under the age of sixteen (16), and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without verifiable parental consent, we will promptly delete it. If you believe we may have collected information from a child, please contact us at privacy@qortrace.com.
12. Do Not Track
Some browsers offer a “Do Not Track” (“DNT”) setting. Because no industry standard for DNT has been adopted, we do not currently respond to DNT signals. We do honor GPC signals as described in Sections 7 and 9.
13. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by posting the updated Policy on the Site with a new “Last Updated” date, and where appropriate, by email or other means. Your continued use of the Services after the effective date of the updated Policy constitutes acceptance.
14. Contact Us
If you have questions, comments, or requests about this Policy or our privacy practices, please contact us:
Qor Corporation
Attn: Privacy Officer
Email: privacy@qortrace.com
Website: www.qortrace.com
15. Supplemental Notices for Specific Jurisdictions
In addition to the disclosures above, residents of the following jurisdictions may have additional rights or be entitled to additional disclosures:
- California: Sections 4.8 and 9.2; and the “Shine the Light” law (Cal. Civ. Code § 1798.83), under which California residents may request information about disclosures of personal information to third parties for those third parties’ direct marketing purposes. To make such a request, contact privacy@qortrace.com.
- Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, and other U.S. states with comprehensive privacy laws: Residents have rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, and certain profiling, consistent with applicable state law. Submit requests as described in Section 9.4.
- Nevada: Nevada residents may opt out of certain sales of “covered information” as defined under Nevada law by contacting privacy@qortrace.com. We do not currently sell covered information.
- Brazil (LGPD), Canada (PIPEDA), Japan (APPI), Australia (Privacy Act), and other jurisdictions: Qor will respond to verified data subject requests consistent with applicable law.
