Privacy Policy
Effective date: February 19, 2026 | Last updated: February 19, 2026
Qwick Cert, Inc. (“Qwick Cert”, “we”, “our”, or “us”) operates the Qwick Cert platform — a developer-experience layer for Windows code signing via Microsoft Azure Artifact Signing. This Privacy Policy describes how we collect, use, store, and share personal data when you use our website, dashboard, API, and CLI (collectively, the “Service”).
1. Data Controller
Qwick Cert, Inc. is the data controller for personal data processed in connection with your use of the Service. For questions about this policy or to exercise your rights, contact us at privacy@qwickcert.com.
2. Information We Collect
2.1 Account and Identity Data
- Email address and display name (provided at registration or via OAuth)
- OAuth provider tokens (Microsoft or Google) — used only to authenticate you
- Organization name, billing email, and billing address
2.2 Azure Integration Data
To enable code signing, we store Azure service principal credentials (client ID, tenant ID, and a temporary client secret) in encrypted storage (Supabase Vault, AES-256). These credentials are scoped to signing operations and are revoked immediately after each signing session completes or is abandoned.
2.3 Signing Activity Data
- File metadata submitted for signing: file name, file size, and a SHA-256 hash of the file. We do not receive the file contents themselves.
- Signing operation status, duration, and result (success, failure, timeout, or abandoned)
- Source of signing requests (CLI, GitHub Action, dashboard, or API key)
- IP address and user-agent associated with signing sessions
- Device fingerprints (optional, when enabled by your organization's policy)
2.4 Billing Data
Payment processing is handled by Stripe. We store only your Stripe customer ID and subscription metadata (plan tier, billing period, status). We never store raw credit card numbers.
2.5 Log and Usage Data
- API request logs (endpoint, HTTP status, timestamp, IP address)
- CLI version and operating system metadata sent in the `User-Agent` header
- Authentication events (sign-in, sign-out, token rotation)
2.6 Cookies
We use only functionally necessary cookies. The dashboard sets a session cookie via Supabase Auth to maintain your login session. We do not use advertising or analytics cookies.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the code-signing Service | Performance of contract |
| Authenticating your identity | Performance of contract |
| Billing and subscription management | Performance of contract / Legal obligation |
| Security monitoring and fraud prevention | Legitimate interests |
| Sending transactional emails (invitations, alerts) | Performance of contract |
| Legal compliance and audit logs | Legal obligation |
| Service improvement (aggregated, anonymized) | Legitimate interests |
4. Data Sharing and Sub-processors
We share data with third-party sub-processors necessary to operate the Service. A complete list is available at qwickcert.com/legal/sub-processors. We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
We may disclose data if required by law, a court order, or a governmental authority, or to protect the rights, property, or safety of Qwick Cert, our users, or the public.
5. Data Retention
- Account data: Retained for the life of your account plus 90 days after deletion, then purged.
- Signing operation logs: Retained for 24 months for audit purposes, then anonymized.
- Azure credentials: Revoked and deleted within seconds to minutes after each signing session. No long-term storage.
- API request logs: Retained for 90 days.
- Billing records: Retained for 7 years to satisfy legal and tax obligations.
6. Data Security
We use industry-standard security measures including TLS 1.2+ in transit, AES-256 encryption at rest for sensitive credentials (via Supabase Vault), row-level security on all database tables, and short-lived credentials that are revoked immediately after use. We conduct periodic security reviews and maintain a responsible disclosure policy at security@qwickcert.com.
7. International Transfers
Qwick Cert is headquartered in the United States. Our sub-processors may process data in the United States and the European Economic Area. Where we transfer data from the EEA to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. See our Data Processing Agreement and Sub-processor list for details.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data (subject to legal retention obligations).
- Portability: Receive your signing history in a machine-readable format via `GET /api/v1/me/export`.
- Restriction / Objection: Restrict or object to certain processing activities.
- Withdraw consent: Where processing is based on consent, you may withdraw at any time.
To exercise any of these rights, email privacy@qwickcert.com. We will respond within 30 days (or within the timeframe required by applicable law).
9. California Privacy Rights (CCPA / CPRA)
California residents may request disclosure of the categories and specific pieces of personal information we have collected, request deletion, and opt out of any “sale” or “sharing” of personal information (we do not sell or share personal information for cross-context behavioral advertising). To exercise these rights, contact privacy@qwickcert.com.
10. Children's Privacy
The Service is intended for business and developer use and is not directed to individuals under the age of 16. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice in the dashboard at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
12. Contact
Qwick Cert, Inc.
Email: privacy@qwickcert.com
For EU/UK inquiries: dpo@qwickcert.com