Privacy Policy
Last updated: 2026-05-25
We're not lawyers, but we've worked hard to make this readable. If anything's unclear, email matt@qualigate.app and we'll explain it in plain English.
1. Who we are
"Qualigate", "we", and "us" mean Qualigate, a product of Lexlogos LLC, a Delaware limited liability company. This policy covers two things:
- Qualigate Agency — custom AI agents and apps we design, build, and host for clients under a Master Services Agreement and SOW.
- Trace by Qualigate — our self-serve, AI-powered end-to-end testing SaaS at qualigate.app/trace.
Where the two have different rules (especially around data isolation), we'll call it out explicitly.
2. What we collect
Account info
- Email address, name, and (optionally) company name.
- Profile picture if you sign in with Google OAuth.
- A hashed password if you use email/password auth.
Usage data
- Test runs you trigger, credits you use, and the rough performance of those runs.
- Application logs (errors, request paths, timestamps) so we can debug and keep the service running.
- API key usage for CI/CD integrations.
Payment info
Payments are handled by Stripe. We never see or store your full card number. We do keep the Stripe customer ID, your subscription tier, and your invoice history.
Test execution data
- The natural-language test steps you write.
- Screenshots and video recordings of test runs against the website you're testing.
- DOM snippets and page text the AI looks at while deciding what to do next.
- The prompts we send to Anthropic and the AI responses we get back.
- Credentials you save for tests (e.g. login usernames and passwords) — these are encrypted at rest using Supabase Vault / AES-256-GCM.
For agency clients
When we build custom agents for you, we may also handle: lists of contacts and prospects, CRM records, OAuth tokens to your connected tools (Apollo, HubSpot, Salesforce, Gmail, Google Calendar, etc.), and whatever else is scoped in your SOW.
3. How we use it
We use the data above to:
- Run the Service — execute your tests, show you the results, deliver agency workflows.
- Send service emails (alerts on test failures, billing receipts, security notices, invitations from teammates).
- Process payments and manage subscriptions.
- Debug issues, monitor performance, and keep the platform running.
- Improve our product based on aggregate usage patterns (not your specific content).
- Respond to your support questions.
We do not sell your data, and we do not use your test content, recordings, or client data to train AI models — ours or anyone else's.
4. Per-client isolation (Agency)
For agency engagements, your data lives in your own environment. That means:
- A separate Convex deployment (or a per-customer namespace, depending on what your SOW specifies).
- Optional dedicated VPS hosting on request.
- OAuth tokens you grant us (Apollo, HubSpot, Salesforce, Gmail, Google Calendar, etc.) are stored encrypted at rest using Supabase Vault and are never shared across clients.
- Your prompts, lists, and outputs stay in your environment and aren't commingled with other clients' data.
5. Third-party services we rely on
We use the following services to deliver Qualigate. Each one is a sub-processor of your data and has its own privacy practices.
- Convex — database, backend, and authentication.
- Stripe — payment processing.
- Resend — transactional email (alerts, invitations, receipts).
- Anthropic — Claude AI inference for test execution. Test runs send page screenshots and DOM snippets to Anthropic's API. Anthropic does not use this content for model training under their commercial API terms.
- Trigger.dev — background jobs that run your tests.
- Vercel — hosting and CDN.
- Upstash — rate limiting.
When you connect third-party integrations (Jira, Linear, Slack, Gmail, etc.) we store the OAuth token for that connection, encrypted at rest. We only call those APIs to perform the action you asked us to perform.
6. How we keep your data safe
- All traffic is encrypted in transit with TLS.
- Sensitive secrets (test credentials, OAuth tokens, email provider API keys) are encrypted at rest using Supabase Vault / AES-256-GCM.
- Authentication tokens for Trace by Qualigate are stored in browser localStorage (not cookies), so the session never leaves your device unless you're making an API call.
- Production access is restricted to the founder team, behind MFA.
- We monitor for unauthorized access and will notify affected customers without unreasonable delay if a breach occurs.
No system is perfectly secure. If you notice a vulnerability, please email matt@qualigate.app.
7. How long we keep things
- Account data: kept while your account is active, then deleted within 30 days of a deletion request (subject to legal hold for tax/financial records, which we retain for 7 years).
- Test recordings & screenshots: Free plan retains 30 days; Starter and Pro retain 90 days. Business and Enterprise can extend retention by contract.
- Test results (pass/fail metadata): retained with your account so your history stays intact.
- AI conversation logs: retained alongside the corresponding test run, deleted with it.
- Application logs: 90 days.
- Agency client data: per the retention terms in your SOW.
8. Your rights
You have the right to:
- Access the personal data we hold about you.
- Correct anything that's wrong.
- Delete your account and the personal data tied to it.
- Export your data in a portable format.
- Object to processing or withdraw consent where we rely on consent.
- Lodge a complaint with your local data protection authority (e.g. an EU Member State DPA, the UK ICO, or, under CCPA/CPRA, the California AG).
To exercise any of these, email matt@qualigate.app. We'll get back to you within 30 days.
9. Cookies and storage
The marketing site (qualigate.app) sets only essential cookies: a session preference cookie and (server-side) a CSRF token cookie when you submit a form. We don't run third-party advertising or behavioural-tracking cookies on the marketing site.
The Trace by Qualigate dashboard stores your authentication session in localStorage (handled by Convex Auth) — not a cookie. You can clear it anytime through your browser's site settings.
10. GDPR, CCPA, and DPAs
For the marketing site, we act as a data controller for the limited personal data you give us (e.g. your email when you book a discovery call).
For Trace by Qualigate customer test data, and for all agency client data, we act as a data processor — you decide what data goes in, and we process it on your instructions.
We offer a Data Processing Addendum (DPA) on request for Business and Enterprise Trace customers and for all agency clients. Email matt@qualigate.app.
11. International transfers
Our infrastructure is based in the United States. If you're outside the U.S., your data will be transferred to and processed in the U.S. We rely on appropriate safeguards (including Standard Contractual Clauses where applicable) for transfers from the EU, UK, and Switzerland.
12. Children's privacy
Qualigate isn't designed for, marketed to, or knowingly used by anyone under 16. We don't knowingly collect personal data from children. If you believe we have, email us and we'll delete it.
13. Changes to this policy
We may update this policy. For material changes (new sub-processors, new data we collect, new uses) we'll email account holders or post a notice in-app before they take effect. The "Last updated" date at the top will always reflect the current version. See our Terms of Service for the legal framework.
14. Contact
Lexlogos LLC (Delaware) — d/b/a Qualigate
Email: matt@qualigate.app