Privacy Policy

This policy applies to:

• Visitors of qubiz.net and its subdomains
• Account holders of Qubiz Cloud (including workspace members)
• Anyone contacting us via support, email, or social channels

It does not apply to content customers deploy on Qubiz Cloud. For that content, the customer is the Data Controller and Qubiz is the Data Processor acting under the customer's instructions.

Data you provide

• Account: email, full name, username, password (stored hashed + salted), phone number
• Payment: handled by Stripe (we never store full card numbers), only customer_id, payment_method_id, last 4 digits, brand, expiry
• Workspace: workspace name, billing email, member roles
• User-defined content: project/service names, environment variables (encrypted at rest)

Data collected automatically

• Usage logs: timestamp, IP, user agent, action
• Cookies and sessions: see "Cookies" below
• Service telemetry: usage metrics, billing events

• Provide Qubiz Cloud per contract and secure the platform
• Issue receipts and process payments
• Detect abuse, fraud, brute force attempts
• Improve the product through aggregate (non-identifying) analytics
• Send essential notifications (billing, security, incidents), not marketing unless you opt in

• Performance of contract:for data needed to deliver the service
• Consent:for marketing communications and opt-in beta programs
• Legitimate interest:security logs, fraud detection, aggregate analytics
• Legal obligation:tax invoicing, lawful authority requests

We use the following Data Processors as needed:

• Stripe:payment processing (PCI-DSS compliant)
• Cloudflare:CDN, DDoS protection, Turnstile bot defense
• Sentry:error monitoring (we deliberately exclude credentials and PII)

We do not sell your personal data. We only disclose to authorities under valid legal process.

Our primary servers are located in Thailand, region ap-southeast-1 (Bangkok). Some processors (Stripe, Cloudflare, Sentry) may process data in other jurisdictions. We use standard contractual clauses to safeguard such transfers.

• Account data: lifetime + 90 days after account deletion (for reversibility / clean shutdown)
• Payment + invoices: 7 years per Thai tax law
• Security logs: 12 months
• Database backups: rolling 30 days

Under PDPA, you have the right to:

• Access:request a copy of your personal data
• Rectification:correct inaccurate data
• Erasure:request deletion (subject to legal limits)
• Object:to processing based on legitimate interest
• Portability:receive data in a machine-readable format
• Withdraw consent:for processing based on consent

Send requests to privacy@qubiz.net. We respond within 30 days.

We use only essential cookies:

• Session:httpOnly JWT for authentication
• Theme:your selected dark/light mode
• Locale:your selected language (th/en)

We do not use third-party tracking cookies for advertising.

• TLS 1.2+ on every endpoint, HSTS preload
• Passwords stored with Argon2id + per-user salt
• Secrets/env vars encrypted at rest with AES-256-GCM
• TOTP-based 2FA available on every account
• Audit log on role, billing, and secret changes

The service is not directed to users under 18. If we discover we hold a minor's data without parental consent, we delete it immediately.

We may update this policy periodically. For material changes, we provide at least 30 days' email notice before they take effect. The latest update date is shown at the top of this page.

Questions about this policy or to exercise your rights:

Qubiz Technology Co., Ltd.
Email: privacy@qubiz.net