PRIVACY POLICY

Last updated: April 2026

1. What we collect

We collect the minimum data needed to run the platform:

  • Account data — email address, display name, handle, avatar, bio, headline.
  • Tester profile data — devices, niches, languages, timezone, sample work URLs.
  • Job data — app details, briefs, temporary test credentials, bug reports, and messages between makers and testers.
  • Payment data — processed by Stripe. We store Stripe account IDs and transaction references but never card numbers.
  • Usage data — page views and basic analytics via Vercel Analytics. No third-party trackers.

2. How we use it

  • To operate the marketplace — matching makers with testers, delivering reports, processing payments.
  • To send transactional emails — proposals, approvals, changes requested, daily digest.
  • To compute gamification stats — XP, levels, ratings, badges, leaderboard rankings.
  • To prevent abuse — rate limiting, honeypot spam detection, ban enforcement.

3. Who sees your data

  • Other users — your public profile (name, handle, headline, avatar, level, ratings, reviews) is visible to anyone. Email is never shown publicly.
  • Your counterparty — when you work a job, the other party sees your messages, report content, and rating.
  • Stripe — payment processing. See Stripe's privacy policy.
  • Resend — transactional email delivery. See Resend's privacy policy.
  • Vercel — hosting and analytics. See Vercel's privacy policy.
  • Cloudflare — media storage (R2). See Cloudflare's privacy policy.

We do not sell your data. We do not run ads. We do not use your data for AI training.

4. Data retention

Your data is kept for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Job records and ratings may be anonymized and retained for platform integrity.

5. Your rights

  • Access — email us to request a copy of your data.
  • Correction — update your profile at any time in Settings.
  • Deletion — email us to request account deletion.
  • Portability — we can export your data in JSON format on request.

6. Cookies

We use a single session cookie (qa_session) to keep you logged in. No tracking cookies. No cookie banners needed.

7. Security

Data is encrypted in transit (TLS) and at rest (Neon Postgres, Cloudflare R2). Sessions are server-side with cryptographically random tokens. Passwords are not used — authentication is email-based. For app access, founders should always use temporary or sandbox credentials and rotate them after the job.

8. Contact

Questions? Email privacy@qahuman.com.