1. Who We Are
QuotaWatch is operated by Paulo Cristo, an individual software developer based in the European Union. For the purposes of EU data protection law (GDPR), Paulo Cristo acts as the data controller for personal data processed through this service.
Contact: paulocristo@me.com
2. Data We Collect
We collect the minimum data required to provide the service:
Account data
When you register: your email address and a hashed password. If you sign up via OAuth (Google, GitHub), we receive your name and email from the provider.
Usage / telemetry data
API call metadata your SDK sends us: provider name, endpoint path, HTTP status code, timestamp, and your project identifier. We never receive or store the contents of your API requests or responses.
Billing data
If you subscribe to a paid plan, payment processing is handled by Stripe. We store only a Stripe customer ID and subscription status — not card numbers or full payment details.
Cookies & analytics
We use essential cookies for authentication (session tokens). With your consent, we may use analytics cookies to understand how the product is used. See Section 7 for details.
3. Legal Basis for Processing (GDPR)
Under the GDPR, we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing account and usage data is necessary to provide the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and product improvement.
- Consent (Art. 6(1)(a)): Analytics and non-essential cookies — only after you opt in via the cookie banner.
- Legal obligation (Art. 6(1)(c)): Where required by applicable law (e.g. invoicing, tax records).
4. How We Use Your Data
- To authenticate you and maintain your account
- To display your API usage data on the dashboard
- To send threshold alerts (email / webhook) you have configured
- To process payments and manage subscriptions
- To send essential transactional emails (password reset, billing receipts)
- To improve and debug the service
We do not sell your data. We do not use your data for advertising or share it with third parties for their own marketing purposes.
5. Data Retention
Account data is kept for as long as your account is active. You can delete your account at any time from the Settings page. Upon deletion, personal data is removed within 30 days, except where retention is required by law (e.g. invoicing records, kept for up to 7 years under EU VAT rules).
Usage telemetry is retained according to your plan (30 days on Free, 1 year on Pro/Team) and is deleted after the retention window.
6. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights:
- Access: Request a copy of the data we hold about you.
- Rectification: Correct inaccurate data.
- Erasure ("right to be forgotten"): Request deletion of your data.
- Restriction: Ask us to limit how we use your data.
- Portability: Receive your data in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw analytics consent at any time via cookie settings.
To exercise any of these rights, email us at paulocristo@me.com. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.
8. Third-Party Services
We use the following sub-processors:
- Stripe — Payment processing (see the Stripe Privacy Policy).
- Hetzner — Cloud hosting (servers located in the EU).
- Resend / Amazon SES — Transactional email delivery.
All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures.
9. International Transfers
Our servers are hosted in the EU (Hetzner, Germany/Finland). If any data transfer outside the EEA occurs (e.g., via a US-based sub-processor), it is protected by Standard Contractual Clauses (SCCs) or equivalent safeguards under GDPR Chapter V.
10. Security
We implement appropriate technical and organisational measures: HTTPS in transit, bcrypt password hashing, access controls, and regular dependency audits. No transmission over the internet is 100% secure — if you discover a security issue, please disclose it responsibly to paulocristo@me.com.
11. Changes to This Policy
We may update this policy as the service evolves. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The "last updated" date at the top always reflects the current version.
12. Contact
Questions about this privacy policy? Email us at paulocristo@me.com.