1. Information We Collect
1.1 Account information
When you register for an account, we collect:- Email address
- Display name (optional)
- Password (stored as a cryptographic hash — we never store your plaintext password)
- Organization name (optional)
1.2 Usage data
When you use the Service, we automatically collect:- Run configurations submitted to the Service (task descriptions, start URLs, agent selections)
- Test results and issue reports generated by your runs
- CLI version and command invocations (excluding the content of local files not submitted to the server)
- IP address and approximate geolocation
- Browser and operating system information (web dashboard)
- API token usage logs (token ID, timestamp, action — not the token value)
1.3 Target application data
When you run QAOS against a web application, the agent processes and may transmit to our servers:- HTML DOM content of the pages visited
- Screenshots of pages visited
- HTTP response headers
- Cookie names (but not necessarily values, depending on sensitivity classification)
- Console log output
- Accessibility tree data
1.4 Payment information
If you subscribe to a paid plan, payment is processed by Stripe. We do not collect or store credit card numbers. Stripe provides us with limited billing information (last 4 digits, expiry, billing name) for display purposes.2. How We Use Your Information
We use collected information to:- Provide the Service — execute test runs, generate reports, display results in the dashboard
- Authenticate users — verify identity and manage sessions
- Improve the Service — analyze usage patterns to fix bugs and improve features
- Send service communications — run completion notifications, billing receipts, security alerts
- Enforce our Terms of Use — detect and prevent misuse or unauthorized testing
- Comply with legal obligations — respond to lawful requests from authorities
- Sell your personal data to third parties
- Use your run data to train AI models without your explicit consent
- Share your target application data with third parties except as described in Section 4
3. Data Retention
| Data type | Retention period |
|---|---|
| Account information | Until account deletion + 30 days |
| Run reports and results | 90 days (free tier), 1 year (paid tier) |
| Usage logs | 12 months |
| Payment records | 7 years (legal requirement) |
| Deleted account data | Purged within 30 days of deletion request |
4. Information Sharing
We share your information only in the following circumstances:4.1 Service providers
We use third-party services to operate the platform:- Supabase — database hosting (your data is stored in Supabase-managed PostgreSQL)
- Stripe — payment processing
- AWS S3 — file and screenshot storage
- Groq / OpenAI — LLM inference for agent evaluation (page content is sent to these services for analysis)
4.2 Legal requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.4.3 Business transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.5. Data Security
We implement technical and organizational measures to protect your information:- All data is transmitted over HTTPS/TLS
- Passwords are hashed using bcrypt with a minimum work factor of 12
- Database access is restricted to authorized services
- API tokens are stored as cryptographic hashes
- Run data is isolated per account — you cannot access other users’ data
- We conduct regular security reviews
6. Your Rights
Depending on your location, you may have the following rights regarding your personal data:| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete data |
| Deletion | Request deletion of your account and associated data |
| Portability | Request your data in a machine-readable format |
| Restriction | Request that we stop processing your data in certain ways |
| Objection | Object to processing based on legitimate interests |
7. Cookies
The QAOS web dashboard uses cookies and similar technologies:| Cookie | Purpose | Duration |
|---|---|---|
session | Authentication session | Session |
sb-* | Supabase authentication tokens | 7 days |
theme | Light/dark mode preference | 1 year |
8. Children’s Privacy
The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, contact us at info@machdel.com and we will delete it promptly.9. International Data Transfers
We are based in Canada and our primary data storage is in Canada. If you access the Service from outside Canada, your information may be transferred to and processed in Canada. We ensure appropriate safeguards are in place for any international transfers. If you are in the European Union, we rely on the Standard Contractual Clauses approved by the European Commission for data transfers outside the EEA.10. Third-Party Links
Our documentation and dashboard may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the dashboard and updating the “Last updated” date. Continued use of the Service after changes constitute acceptance of the updated policy.12. Contact
For questions or concerns about this Privacy Policy or our data practices: Privacy inquiries: info@machdel.comGeneral support: info@machdel.com Machdel
Polytechnique Montréal
Montréal, Quebec, Canada