Privacy Policy

This Privacy Policy describes how QTags (“we”, “our”, or “us”) collects, uses, and protects information when you use the QTags mobile application and the website at https://qtags.app (the “Service”).

English is the binding version of this policy. Translations that may be provided for convenience do not modify your rights or our obligations under the English text.

1. Who we are

The Service is operated by Oleg Shakirov (Nicosia, Cyprus), the data controller for the purposes of GDPR and equivalent legislation. You can contact us at os.maintainer@gmail.com.

2. Data we collect

• Account data — your email address (received from Apple Sign-in, Google Sign-in, or email one-time password), and an optional display name and avatar URL you may set in Settings.
• User content — the notes (items), tags, and lists (views) you create in the Service.
• Technical data — record timestamps, authentication session tokens, and minimal server logs used for security and debugging.

We do not use third-party analytics, advertising networks, advertising identifiers, or cross-app tracking. We do not profile you for marketing purposes.

3. How we use your data

• Provide and operate the Service, including syncing your data across your devices.
• Authenticate you securely.
• Enforce account limits and protect against abuse.
• Respond to support requests you send us.
• Comply with legal obligations.

4. Legal basis (GDPR / UK GDPR)

• Performance of a contract (Art. 6(1)(b)) — processing your account and content data is necessary to deliver the Service you signed up for.
• Legitimate interests (Art. 6(1)(f)) — basic security, fraud prevention, abuse detection, and protecting the integrity of the Service.
• Legal obligation (Art. 6(1)(c)) — when we must respond to lawful requests from authorities.

5. Storage and sub-processors

Your data is stored in the European Union (Stockholm, Sweden) on infrastructure operated by Supabase Inc. Supabase processes data on our behalf under a Data Processing Agreement compliant with GDPR Art. 28.

Sub-processors used to operate the Service:

• Supabase Inc. (Singapore; data hosted in Stockholm, Sweden) — database, authentication, file storage.
• Amazon Web Services, Inc. — underlying cloud infrastructure for Supabase, EU (Stockholm) region.
• Vercel Inc. (USA) — web hosting and global content delivery for the public website. Vercel does not store your user content; it serves the application shell.
• Apple Inc. — identity provider when you sign in with Apple.
• Google LLC — identity provider when you sign in with Google.

6. Sharing

We do not sell, rent, or trade your personal data. We do not share it for advertising or marketing. We disclose data only:

• To the sub-processors listed above, under appropriate contractual safeguards.
• To comply with a binding legal obligation (e.g., court order, valid subpoena).
• To protect our rights, safety, or property, or the rights and safety of others.
• With your explicit consent for any other purpose.

7. International transfers

Your user content stays in the European Union (Stockholm). Limited operational data may transfer to the United States through Vercel (website serving) and Apple / Google (identity verification when you sign in). Such transfers rely on Standard Contractual Clausesapproved by the European Commission, the EU–U.S. Data Privacy Framework where applicable, and the providers’ own certifications.

8. Retention

We retain your data for as long as your account is active. When you delete your account, we delete the associated personal data within 30 days. Encrypted backups expire on a rolling schedule within 90 days. Logs are retained for up to 30 days for security purposes.

9. Your rights

Subject to your local law (GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, and others), you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate data — many fields are editable from Settings.
• Erase your data (“right to be forgotten”) by deleting your account or contacting us.
• Data portability — use the Export feature in Settings to download your data as a machine-readable JSON file at any time.
• Restrict or object to certain processing.
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaintwith your local data protection authority. In Sweden, that’s the Swedish Authority for Privacy Protection (IMY) at imy.se.

California residents(CCPA/CPRA): you have the right to know, to delete, to correct, to opt out of the “sale” or “sharing” of personal data (we do neither), and to non-discrimination for exercising these rights.

To exercise any of these rights, email os.maintainer@gmail.com. We aim to respond within 30 days.

10. Children

QTags is not directed at children under 13. We do not knowingly collect personal data from children under 13 (or under 16 in the European Union, depending on the member state). If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Security

Authentication uses industry-standard OAuth 2.0 / OpenID Connect (Apple, Google) or one-time email passwords. Data in transit is encrypted with TLS. Data at rest is encrypted by the underlying infrastructure providers. Despite reasonable safeguards, no method of transmission or storage is 100% secure; we cannot guarantee absolute security.

12. Changes to this policy

We may update this Privacy Policy. Material changes will be notified by email or in-app notice at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the latest revision.

13. Contact

Questions about this policy or to exercise your rights:

• Email: os.maintainer@gmail.com
• Operator: Oleg Shakirov