Privacy Policy

Last updated: March 23, 2026

This Privacy Policy explains how qkconvert ("we", "us", "our") collects, uses, and protects your personal information when you use our API and related services ("Service"). We are committed to protecting your privacy and handling your data responsibly.

1. Information We Collect

Information you provide

Data | Purpose | Stored as
Email address | Account identity, login, notifications | Plaintext
Password | Account authentication | Argon2id hash (irreversible)
API keys | Programmatic API access | SHA-256 hash (irreversible)

Information from OAuth providers

If you sign in with Google or GitHub, we receive your email address and basic profile information (name, if available). We use this solely to create and authenticate your account. We do not access your Google contacts, Drive files, GitHub repositories, code, or any data beyond basic profile information.

Information collected automatically

Data | Purpose | Retention
IP address | Rate limiting, abuse prevention | 30 days (request logs)
API request metadata | Usage metering, billing, analytics | Duration of account
Session tokens | Portal authentication | 24 hours (auto-purged)

Request metadata includes: endpoint called, HTTP method, response status code, response time, and timestamp. It does not include request or response bodies.

2. Files You Upload

We do not store your files. This is a core design principle of the Service.

  • Files are held in memory only for the duration of the API request
  • Files are not written to disk at any point
  • Files are not stored in any database or object storage
  • Files are not retained, cached, or logged after the response is returned
  • We do not access, review, analyze, or use the content of your files for any purpose other than performing the requested operation
  • We do not use your files for training, analytics, or service improvement

When the processed result is returned to you, the original and processed file data is released from memory.

3. How We Use Your Information

  • Provide the Service: authenticate requests, process files, track usage
  • Billing: meter credits consumed, report usage to Stripe for invoicing
  • Security: rate limiting, abuse detection, account lockout after failed login attempts
  • Communications: account verification emails, password reset emails, quota alerts, and billing notifications. We do not send marketing emails
  • Service improvement: aggregate, anonymized usage statistics (e.g. total requests per endpoint) to understand which features are used. No individual user data is used for this purpose

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your data under the following legal bases:

Processing activity | Legal basis
Account creation and authentication | Contract performance
Usage metering and billing | Contract performance
Rate limiting and security | Legitimate interest (service protection)
Transactional emails | Contract performance
Anonymized analytics | Legitimate interest (service improvement)

5. Information Sharing

We do not sell, rent, or trade your personal information. We share data only with:

Third party | Data shared | Purpose
Stripe | Email, usage totals | Payment processing and billing
Google | OAuth tokens (during login only) | Account authentication
GitHub | OAuth tokens (during login only) | Account authentication

Payment information (credit card numbers, billing address) is sent directly to Stripe and is subject to Stripe's Privacy Policy. We never receive, store, or have access to your full credit card number.

We may disclose information if required by law, court order, or government request.

6. Security Measures

We implement industry-standard security measures to protect your data:

  • Passwords: Hashed using Argon2id, a memory-hard algorithm resistant to brute-force and GPU attacks. We never store passwords in plaintext
  • API keys: Hashed using SHA-256 before storage. The raw key is shown once at creation and is never stored or retrievable. Only a short prefix is kept for identification
  • Data in transit: All connections are encrypted via TLS (HTTPS). Unencrypted HTTP requests are rejected in production
  • Sessions: Server-side sessions using httpOnly, Secure, SameSite=Strict cookies. Session tokens are hashed before storage
  • Account protection: Accounts are locked after 5 failed login attempts with a 15-minute cooldown
  • Infrastructure: Minimal attack surface with a single compiled binary, no unnecessary services, and database access restricted to the application
  • File handling: Files processed in memory only, never written to disk or persistent storage

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

7. Data Retention

Data type | Retention period
Account data (email, password hash) | Until account deletion
API keys | Until revoked or account deletion
Usage records | Duration of account (needed for billing)
Request logs (IP, path, status) | 30 days (auto-purged)
Session tokens | 24 hours (auto-purged)
Rate limit records | 25 hours (auto-purged)
Email verification tokens | 24 hours
Password reset tokens | 1 hour
Uploaded files | Not retained (in-memory only)

When you delete your account, we remove your personal data within 30 days. Anonymized, aggregate usage data may be retained for analytics.

8. Cookies and Sessions

We use a single, essential cookie:

  • session_token: An httpOnly, Secure cookie used to authenticate your developer portal session. It expires after 24 hours. This is not a tracking cookie and contains no personal information - it is a random token linked to your session server-side

We do not use advertising cookies, analytics cookies, or any third-party tracking scripts. We do not use Google Analytics or similar services.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

All users

  • Access: View your account data, API keys (prefixes), and usage records in the developer dashboard
  • Correction: Update your email or password in account settings
  • Deletion: Request account deletion by contacting us. We will remove your data within 30 days
  • Data export: Request a copy of your personal data by contacting us

EEA and UK residents (GDPR)

  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Right to object to processing based on legitimate interest
  • Right to lodge a complaint with your local data protection authority

Australian residents

  • Right to access personal information we hold about you (APP 12)
  • Right to request correction of inaccurate information (APP 13)
  • Right to complain to the Office of the Australian Information Commissioner (oaic.gov.au)

To exercise any of these rights, email privacy@qkconvert.dev.

10. International Data Transfers

qkconvert is operated from Australia. Your data may be transferred to and processed in countries other than your own, including:

  • Australia: Where our infrastructure is hosted
  • United States: Where Stripe, Google, and GitHub process data

These transfers are necessary to provide the Service. Stripe maintains Standard Contractual Clauses (SCCs) and other safeguards for international transfers. For transfers to Australia, we rely on the Australian Privacy Act which provides comparable data protection standards.

11. Children's Privacy

The Service is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service at least 30 days before the changes take effect. The "Last updated" date at the top indicates the most recent revision.

13. Contact

For privacy-related questions, requests, or complaints:

  • Email: privacy@qkconvert.dev
  • General: support@qkconvert.dev

We aim to respond to privacy requests within 30 days.
