Privacy Policy

Last updated: April 1, 2026

1. Overview

The operator of Q-loop (hereinafter “Operator”) complies with applicable personal information protection laws and safeguards users' personal information. This policy explains how personal information of service users (Customers and Respondents) is collected, used, retained, and deleted.

2. Personal Information Collected and How

2-1. Customers (account holders)

Item	Purpose	Required
Email address	Account verification, service sign-in	Required
Password (stored encrypted)	Account security	Required
Company / team name	Understanding service usage	Optional
Payment information	Credit purchase processing	Required on purchase
Service usage records (surveys created, credit history)	Service provision, dispute resolution	Auto-collected

* Payment details (e.g., card numbers) are not stored by the Operator directly; they are handled by Lemon Squeezy.

2-2. Respondents (survey participants)

Respondents may participate in surveys without an account. The following information is collected:

Survey response content (text)
Access time and session state (anonymous session ID)

Directly identifying information such as names, email addresses, or phone numbers of Respondents is not collected. Response content is accessible to the Customer who created the survey.

3. Purposes for Using Personal Information

Member registration and sign-in processing
Providing survey creation, distribution, response, and analysis services
Credit purchase and payment history management
Service quality improvement and statistical analysis (in aggregated, non-identifiable form)
Detection of Terms violations and service protection

4. Retention and Deletion of Personal Information

Retention period

Item	Retention period
Customer account information	Until account deletion is requested
Survey and response data	For the duration of the Customer's account (immediately deleted upon request)
Payment records	5 years under applicable consumer protection laws
Log records (API usage history)	90 days

Deletion method

Electronic files are permanently deleted using methods that prevent recovery. Account deletion requests are processed via the service settings or by emailing the Operator.

5. Disclosure and Entrustment to Third Parties

The Operator entrusts personal information processing to the following companies for service provision:

Provider	Purpose	Location
Supabase, Inc.	Database storage and authentication	USA
Lemon Squeezy (Lemonsqueezy, LLC)	Payment processing (Merchant of Record)	USA
Anthropic, PBC	AI follow-up question generation and response analysis (Claude API)	USA
Vercel, Inc.	Service hosting and server processing	USA
Upstash, Inc.	Request rate limiting (IP-based, non-identifiable)	USA

These companies process personal information solely within the scope necessary for service provision and are prohibited from using it for other purposes. Survey response content is transmitted to the Anthropic API for AI analysis. Anthropic's data processing policy can be found at anthropic.com/privacy.

6. User Rights

Customers may exercise the following rights at any time:

Right of access: Request to review the status of their personal information processing
Right to rectification: Request correction of inaccurate information
Right to erasure: Request deletion of account and related data
Right to restriction: Request to stop processing personal information for specific purposes

Rights may be exercised by emailing the Operator and will be processed within 10 business days. Note that information required to be retained by law may not be immediately deleted.

7. Technical Measures for Personal Information Protection

Passwords are stored as one-way bcrypt hashes
Data in transit is encrypted via HTTPS (TLS)
Database Row Level Security (RLS) is applied — Customers can only access their own data
Service API keys (Claude, Supabase service_role, etc.) are managed server-side only — never exposed to the client
Access control: Respondent write requests are processed exclusively through dedicated API routes

8. Cookies and Sessions

① The Service uses httpOnly cookies to maintain login state. These cookies expire when the browser is closed or the user signs out.
② An anonymous session ID is used to identify Respondent sessions and does not directly identify individuals.
③ No third-party cookies for analytics or advertising purposes are used.

9. Children Under 14

The Service is not directed at children under the age of 14, and the Operator does not intentionally collect personal information from such children. If the Operator becomes aware that personal information from a child under 14 has been collected, it will be deleted immediately.

10. Policy Updates

If this policy is updated, prior notice will be provided via an announcement within the Service. For significant changes, separate notice may be given by email.

Privacy inquiries: sin2664@gmail.com