Privacy Policy

How QLAC handles personal, technical, and usage data when you visit the website or use the platform.

Published legal information for QLAC Audit.

Last updated: 2026-05-11

1. Controller

The controller for QLAC Audit is Fantomid LLC, a New Mexico, USA company operating QLAC Audit, with registered office at 1209 Mountain Road PL NE, STE R, Albuquerque, NM 87110, USA. Privacy contact: privacy@qlacaudit.com.

This policy applies to the QLAC marketing website, application access, forms, trial requests, support communications, and ordinary platform usage.

2. Data we may process

  • Account data: name, email, encrypted password, language, currency, role, and account status.
  • Contact and company data: organization, country, associated project, submitted messages, and support context.
  • Billing and subscription data: plan, billing cycle, currency, checkout status, Paddle events, invoices, and required tax data. QLAC does not store card or bank details.
  • Project technical data: audited URLs, declared stack, lab Lighthouse results, indexation checks, reports, evidence, uploaded files, and related activity.
  • Security data: access logs, audit trail, abuse events, rate limits, session changes, 2FA, and authorized downloads.
  • Cookies and preferences: language, currency, cookie consent, and strictly necessary preferences.

3. Purposes and legal bases

We process data to create and manage accounts, provide the service, run measurements and audits, generate reports, enforce plan limits, manage billing, provide support, prevent abuse, and protect the platform.

Typical legal bases are contract performance or pre-contractual steps, legal obligations, legitimate interests in security and service improvement, and consent for non-essential cookies, marketing communications, or optional integrations.

4. Providers and international transfers

QLAC may rely on hosting, transactional email, storage, monitoring, consent-based analytics, Paddle for payments, and AI or automation providers only where the functionality is enabled and documented.

Where a provider operates outside the EEA or processes data from third countries, appropriate safeguards must be reviewed, such as standard contractual clauses, data processing agreements, supplementary measures, or equivalent mechanisms.

5. Retention

  • Account and subscription data: while the relationship is active and for the period required for legal obligations or claims.
  • Reports, evidence, and measurements: while the project is active or according to the applicable plan, retention policy, or deletion request.
  • Security logs and audit trail: for a reasonable period for traceability, abuse prevention, compliance, and incident response.
  • ZIP files, artifacts, and temporary credentials: limited retention with scheduled cleanup when no longer needed.
  • Analytics: according to the tool used and subject to consent where required.

6. Rights

You may request access, rectification, erasure, objection, restriction, portability, and withdrawal of consent where processing is based on consent. You may also complain to the competent supervisory authority.

To exercise privacy rights, contact privacy@qlacaudit.com. The Client Portal includes data export and deletion request features to support operational handling of requests, without replacing legal assessment.

7. Security

QLAC applies reasonable controls: authentication, separation between Backoffice and Client Portal, role-based access policies, private storage, authorized download controllers, no execution of uploaded code, encrypted secrets, and audit logs.

No system can guarantee absolute security. QLAC describes measures, limitations, and responsibilities without claiming certifications it has not obtained or promising zero risk.

8. Contact and changes

Support contact: support@qlacaudit.com. Privacy contact: privacy@qlacaudit.com. Material changes to this policy will be published with an update date and, where necessary, communicated through reasonable channels.

9. International privacy notice

This policy is the global notice for international users, customers, and visitors. If a regional law grants additional rights, QLAC will apply the relevant regional supplement without reducing the rights described in the global notice.

QLAC does not sell personal data and does not share personal data for cross-context behavioral advertising. If this changes in the future, the policy, cookie banner, and opt-out mechanisms must be updated before enabling that practice.

10. Regional supplements

  • EU/EEA: where the GDPR applies, QLAC will document controller or processor role, legal basis, rights, retention, international transfers, and safeguards such as adequacy decisions, standard contractual clauses, or supplementary measures.
  • UK: before materially targeting the United Kingdom, QLAC must validate a UK-specific supplement and any required contact or representative details against an approved official source. Until then, the global notice and equivalent contractual safeguards apply where appropriate.
  • US / California: if the CCPA/CPRA applies, California residents may exercise rights to know, delete, correct, limit sensitive information use, and opt out of sale or sharing. QLAC honors Global Privacy Control for sale, behavioral advertising sharing, and marketing where applicable.
  • Brazil: under LGPD, QLAC will handle rights to confirmation, access, correction, anonymization, blocking, deletion, information about sharing, and withdrawal of consent where applicable.
  • Canada: QLAC will apply meaningful consent, identified purposes, access, correction, safeguards, limited retention, and complaint handling principles where PIPEDA or equivalent obligations apply.
  • Australia: QLAC will align processing with transparency, limited collection, appropriate use and disclosure, security, correction, and access principles where the Australian Privacy Principles apply.
  • Singapore: QLAC will account for consent, notification, purpose limitation, accuracy, protection, retention, transfer, and accountability obligations where the PDPA applies.
  • Japan: QLAC will document purpose specification, proper acquisition, security controls, third-party transfer restrictions, disclosure, correction, and suspension of use where APPI applies.
  • Other regions / LATAM: QLAC will handle regional requests through the privacy channel using transparency, minimization, purpose limitation, security, limited retention, and risk-proportionate response principles.

11. Do Not Sell or Share My Personal Information

QLAC does not sell personal data and currently does not share personal information for cross-context behavioral advertising. Paddle payments, hosting, email, security, or consent-based analytics providers are not treated by QLAC as a sale of personal information.

When the browser sends Global Privacy Control, QLAC treats it as an opt-out signal for sale, behavioral advertising sharing, and marketing where legally relevant. Rejecting non-essential cookies means analytics and marketing are not loaded.

12. Future product notices

  • AI-assisted analysis: if enabled, QLAC must explain provider, data sent, purpose, limits, retention, human review, and how to exclude sensitive data.
  • Repository access: GitHub/GitLab must require explicit consent, minimal permissions, traceability, encrypted tokens, and visible revocation.
  • RUM / Real User Monitoring: if field measurement is enabled, it must be distinguished from lab Lighthouse data, require consent where applicable, and describe data, sampling, retention, and providers.