Privacy Policy

Effective Date: March 24, 2026 · Last Updated: March 24, 2026

QMS Base, Inc. (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the QMS Base platform (“Service”). This policy applies to all users of the Service, including administrators, team members, and visitors to our website.

By using the Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Information You Provide

  • Account information: Name, email address, company name, job title, and password when you register for an account.
  • Billing information: Payment card details and billing address, processed and stored by Stripe, Inc. We do not store full credit card numbers on our servers.
  • QMS data: Documents, CAPA records, audit records, nonconformity reports, complaint records, training records, supplier data, equipment records, and any other data you enter into the Service as part of your quality management activities.
  • Communications: Content of emails, support tickets, and messages you send to us.
  • Survey and feedback data: Responses to NPS surveys, feature requests, and other feedback mechanisms.

1.2 Information Collected Automatically

  • Usage data: Pages visited, features used, actions taken, timestamps, and session duration.
  • Device information: Browser type, operating system, device type, screen resolution, and IP address.
  • Log data: Server logs including IP addresses, access times, and referring URLs.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Process transactions and send related billing information.
  • Send transactional emails (e.g., password resets, document review reminders, audit notifications).
  • Provide customer support and respond to inquiries.
  • Improve, personalize, and expand the Service.
  • Analyze usage patterns to improve user experience and develop new features.
  • Detect, prevent, and address technical issues and security threats.
  • Send optional marketing communications (only with your consent; you may opt out at any time).
  • Comply with legal obligations.

We do not sell your personal information to third parties. We do not use your QMS data to train machine learning models outside of providing the Service to you.

3. Data Storage and Infrastructure

Your data is stored on Supabase, which maintains SOC 2 Type II compliance. Supabase infrastructure is hosted in the United States (US-East region) on Amazon Web Services (AWS). All data is encrypted at rest using AES-256 and encrypted in transit using TLS 1.2+.

The Service application is hosted on Vercel, which provides edge-network deployment and maintains SOC 2 Type II compliance.

Database backups are performed automatically and retained for disaster recovery purposes.

4. Data Retention

  • Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
  • After cancellation: We retain your data for 30 days after account cancellation to allow for data export. After that period, your data is permanently deleted from our production systems within 90 days (backup systems may retain encrypted copies for up to 180 days for disaster recovery).
  • Billing records: Transaction records are retained for 7 years to comply with tax and accounting obligations.
  • Usage analytics: Aggregated, non-identifiable usage data may be retained indefinitely for product improvement.

5. Data Deletion Rights

You have the right to request deletion of your personal data. To exercise this right:

  • Self-service: Organization administrators can delete individual records, documents, and user accounts through the Service's settings interface.
  • Full account deletion: Contact us at privacy@qmsbase.com to request complete deletion of your Organization and all associated data. We will process deletion requests within 30 days.

Please note that we may retain certain information as required by law or for legitimate business purposes (e.g., billing records, fraud prevention).

6. Cookies and Tracking Technologies

6.1 Essential Cookies

We use essential cookies to maintain your authenticated session and ensure the Service functions properly. These cookies are strictly necessary and cannot be disabled.

6.2 Analytics Cookies

We use Google Analytics to understand how visitors interact with our website and Service. Google Analytics uses cookies to collect anonymous usage data including pages visited, time on site, and referring sources. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

6.3 How to Manage Cookies

Most web browsers allow you to control cookies through their settings. Please note that disabling essential cookies may impair the functionality of the Service.

7. Third-Party Services

We share data with the following third-party service providers, only as necessary to operate the Service:

| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | All application data (encrypted at rest) |
| Vercel | Application hosting | Request logs, IP addresses |
| Stripe, Inc. | Payment processing | Billing name, email, payment method, transaction amounts |
| Resend | Transactional email delivery | Recipient email address, email content |
| Google Analytics | Website and usage analytics | Anonymous usage data, IP address (anonymized) |

Each third-party provider is bound by their own privacy policy and data processing agreements. We require all providers to maintain appropriate security measures.

8. GDPR Compliance (European Economic Area)

If you are located in the European Economic Area (EEA), the following provisions apply:

  • Legal basis for processing: We process your personal data based on: (a) performance of a contract (providing the Service); (b) our legitimate interests (improving the Service, security); and (c) your consent (marketing communications).
  • Your rights: You have the right to access, rectify, erase, restrict processing of, and port your personal data. You also have the right to object to processing and to withdraw consent at any time.
  • Data transfers: Your data is transferred to and stored in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for cross-border data transfers.
  • Data Protection Officer: For GDPR-related inquiries, contact privacy@qmsbase.com.
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

9. CCPA Compliance (California)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:

  • Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
  • Right to delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to opt out of sale: We do not sell personal information. If this changes, we will provide an opt-out mechanism.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your rights, contact us at privacy@qmsbase.com. We will respond within 45 days.

10. Security

We implement industry-standard security measures to protect your data, including:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Role-based access controls within the application.
  • Regular security assessments and code reviews.
  • Automated vulnerability scanning.
  • Secure software development lifecycle practices.

Despite these measures, no method of transmission or storage is completely secure. If you discover a security vulnerability, please report it to security@qmsbase.com.

11. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will take steps to delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us: