Privacy Policy
This privacy policy explains how AI Research & Technology Lab GmbH ("we", "us", or "qualcode.ai") collects, uses, and protects your personal data when you use our service. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and Austrian data protection law.
1. Data Controller
The controller responsible for data processing on this website is:
AI Research & Technology Lab GmbH
Enzersdorfer Strasse 25
A-2340 Modling
Austria
Email: legal@qualcode.ai
2. Data We Collect
2.1 Account Data
When you register for an account, we collect:
- Email address
- Name (optional)
- Password (stored in hashed form only)
- Institution/organization (optional)
- Account creation date and last login time
2.2 Survey Data You Upload
When you use our coding service, you upload survey response data for AI-assisted coding. This data may contain personal data of your survey respondents. You are the data controller for this data, and we act as a data processor on your behalf. Please see our Data Processing Agreement for details.
2.3 Usage and Technical Data
We automatically collect:
- IP address (collected for security purposes, anonymized via truncation after request processing)
- Browser type and version
- Operating system
- Date and time of access
- Pages visited and actions taken
- Error logs for debugging purposes
2.4 Payment Data
Payment processing is handled by Stripe. We store only a reference to your Stripe customer ID and transaction history (amounts, dates). We do not store credit card numbers or bank account details.
3. Purpose and Legal Basis of Processing
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account creation and management | Account data | Contract performance (Art. 6(1)(b) GDPR) |
| Providing the coding service | Survey data, usage data | Contract performance (Art. 6(1)(b) GDPR) |
| Payment processing | Payment data | Contract performance (Art. 6(1)(b) GDPR) |
| Credit balance management | Transaction history | Contract performance (Art. 6(1)(b) GDPR) |
| Technical operation and security | Technical/log data | Legitimate interest (Art. 6(1)(f) GDPR) |
| Legal compliance | Account, payment data | Legal obligation (Art. 6(1)(c) GDPR) |
| Service improvement | Anonymized usage data | Legitimate interest (Art. 6(1)(f) GDPR) |
4. AI Processing Disclosure
Our service uses artificial intelligence to code survey responses. Your survey data is processed by:
- OpenAI - US-based provider with EU Standard Contractual Clauses
- Anthropic - US-based provider with EU Standard Contractual Clauses
According to their Data Processing Addenda and API terms, both AI providers process data transiently for classification purposes only and do not use your data to train their models. Survey data is transmitted via encrypted connections. OpenAI and Anthropic may retain request logs for abuse detection (up to 30 days) per their API terms, but data is not stored in their core AI models.
Important: You must ensure you have a lawful basis to share respondent data with AI services. This may require appropriate disclosures in your survey consent forms.
5. Data Sharing and Third-Party Processors
We share data with the following processors, all operating under data processing agreements:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Hosting infrastructure | Frankfurt, Germany (eu-central-1) | EU-based, GDPR compliant |
| OpenAI, Inc. | AI classification (Rater A) | USA | EU Standard Contractual Clauses |
| Anthropic, PBC | AI classification (Rater B) | USA | EU Standard Contractual Clauses |
| Stripe, Inc. | Payment processing | Ireland/USA | EU Standard Contractual Clauses, PCI-DSS |
| Resend, Inc. | Transactional email (account notifications, password resets) | USA | EU Standard Contractual Clauses |
We do not sell your data to third parties. We do not use your data for advertising purposes.
6. International Data Transfers
Your data is primarily stored and processed in the European Union (Frankfurt, Germany). When data is transferred to the United States (for AI processing and payments), we rely on:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional technical measures including encryption in transit and at rest
- Contractual commitments from processors not to access or use data beyond processing instructions
We conduct Transfer Impact Assessments (TIAs) to evaluate risks under Schrems II. Our current TIA is available at qualcode.ai/tia.
7. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Service provision, recovery period |
| Survey data (your uploads) | Until you delete it, or 30 days after account deletion | Your control, service provision |
| Coding results | Until you delete the project, or 30 days after account deletion | Service provision |
| Payment/transaction records | 7 years after transaction | Austrian tax law (BAO Section 132) |
| Credit transaction audit log | 7 years | Financial audit trail, legal compliance |
| Server logs | 90 days | Security, debugging |
| Access logs | 90 days | Security audit trail |
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR)
You can request a copy of all personal data we hold about you.
Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17 GDPR)
You can request deletion of your data. Note: We cannot delete financial transaction records required by law, and accounts with credit transaction history are soft-deleted (deactivated) rather than fully deleted to maintain audit integrity.
Right to Restriction (Art. 18 GDPR)
You can request that we limit processing of your data in certain circumstances.
Right to Data Portability (Art. 20 GDPR)
You can request your data in a structured, machine-readable format (JSON or CSV).
Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time.
To exercise these rights: Contact us at legal@qualcode.ai. We will respond within 30 days.
9. Supervisory Authority
If you believe we have violated your data protection rights, you have the right to lodge a complaint with the competent supervisory authority:
Osterreichische Datenschutzbehorde
Barichgasse 40-42
1030 Vienna
Austria
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
10. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS) and at rest (industry-standard encryption)
- Password hashing using industry-standard algorithms
- Regular security updates and vulnerability monitoring
- Access controls with comprehensive audit logging for authentication, admin actions, and data exports
- EU-based hosting (AWS Frankfurt, eu-central-1)
- Regular backups with encrypted storage
11. Cookies and Tracking
We use only essential cookies required for the service to function:
- Session cookie: Maintains your login session (essential, expires on browser close)
- Theme preference: Remembers your light/dark mode choice (local storage, no expiry)
We do not use advertising cookies, tracking pixels, or third-party analytics tools that track individual users.
12. Children's Privacy
Our service is intended for professional researchers and is not directed at children under 16 years of age. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this privacy policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact
For any privacy-related questions or requests, please contact:
AI Research & Technology Lab GmbH
Attn: Data Protection
Enzersdorfer Strasse 25
A-2340 Modling
Austria
Email: legal@qualcode.ai