Signup gift · sign up to discover your discount
qotify.ioqotify.io
Get started

Privacy Policy

Last updated: May 13, 2026

1. Who We Are

This Privacy Policy explains how Qotify ("we", "us", "our") collects, uses, shares, and protects personal data when you visit our website, create an account, or use the Qotify service, an AI tool that analyses screenshots of prediction-market orderbooks (collectively, the "Service").

For the purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, Qotify is the "controller" of personal data described in this Policy. You can reach us at qotify.io@gmail.com.

2. Data We Collect

2.1 Account data

  • Email address, provided during sign-up (email + password) or fetched from your Google account when you sign in with Google OAuth.
  • Display name and profile image, only if returned by Google OAuth.
  • Password hash, for email/password accounts. We never store the plain password; it is hashed via the Better Auth library before any storage.
  • OAuth tokens, access and refresh tokens issued by Google, used only to verify your identity at sign-in.
  • Account state, timestamps for terms acceptance, onboarding completion, last in-app notification seen, account creation and updates.

2.2 Service usage data

  • Conversations, title and metadata of each analysis you start.
  • Messages, the text content of your prompts and our AI responses, the structured analysis payload returned by the model, and the input/output token counts.
  • Image uploads, the screenshots you upload for analysis, stored on Cloudflare R2 along with file size, MIME type, and image dimensions.
  • Follow lists, wallet addresses you choose to track.
  • Web-push subscriptions, endpoint and cryptographic keys provided by your browser if you enable push notifications.
  • Cancellation feedback, when you cancel, we record the reason you selected and any free-text comment you optionally provide.

2.3 Subscription and billing data

Payment is processed by our payment provider Whop. We never see or store your full card number, CVV, or banking details. From Whop we receive only the membership identifier, the plan, the subscription status (active, past_due, canceled, expired), and the current period end date, enough to grant and revoke access.

2.4 Technical and session data

  • Session tokens, IP address, and user agent, created and stored when you sign in, to authenticate subsequent requests and detect abuse.
  • Server logs, short-lived logs of HTTP requests retained for operational and security purposes.

2.5 Cookies and similar technologies

  • Session cookie, set by Better Auth to keep you signed in. Strictly necessary.
  • qotify_locale , remembers your language preference (en / fr).
  • qotify_pending_session , a short-lived cookie (24 hours, SameSite=Lax) that links a guest upload to the account you create afterwards. Cleared once the upload is claimed.

We do not currently use third-party advertising or cross-site tracking cookies. If we add analytics or marketing cookies in the future, we will update this Policy and, where required, present a consent banner before any non-essential cookie is set.

3. How We Use Your Data

We process the data described above for the following purposes:

  • Provide the Service, authenticate your account, generate AI analyses on the screenshots you upload, deliver follow-up answers, and let you review past conversations.
  • Process payments and manage subscriptions, verify your subscription status, react to renewal, cancellation, pause, and past-due events from Whop.
  • Operate, secure, and improve the Service, investigate bugs, prevent fraud and abuse, monitor usage limits (daily analysis cap), and improve product quality.
  • Communicate with you, send transactional emails (account, payment, support) and, in the future, optional product updates if you opt in.
  • Comply with legal obligations, keep records as required by applicable law, respond to lawful requests, and enforce our Terms.

4. Legal Bases (GDPR)

If you are in the EU, EEA, or UK, we rely on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)), to deliver the Service you purchased, including account creation, AI analysis, subscription management, and customer support.
  • Legitimate interests (Art. 6(1)(f)), to secure the Service, prevent abuse, debug issues, and improve product quality. We balance these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)), to comply with applicable law (e.g., tax, accounting, lawful requests).
  • Consent (Art. 6(1)(a)), for optional features that require it, such as web-push notifications or, if introduced in the future, non-essential cookies and marketing communications. You may withdraw consent at any time.

5. AI Model Processing

To generate analyses, we send your prompts, your uploaded screenshots (as image URLs retrieved from our storage), and conversation context to a third-party AI provider accessed via OpenRouter (our gateway). The current default model is x-ai/grok-4.3; we may switch providers or models without notice to improve quality.

The AI provider processes this data solely to return the analysis to us in real time. We do not authorise, and contractual terms with OpenRouter and downstream providers generally prohibit, using your prompts or images to train their models. The provider may, however, retain short-lived logs for abuse detection in accordance with its own policies.

AI outputs are generated automatically and may be incorrect, incomplete, or biased. See our Terms of Service for the full disclaimer regarding AI-generated content.

6. Sharing of Personal Data, Sub-Processors

We do not sell personal data. We share data only with the following categories of recipients, each acting as a processor on our behalf:

  • Neon, managed Postgres database hosting (account data, conversations, metadata).
  • Cloudflare R2, object storage for uploaded screenshots.
  • OpenRouter and the underlying AI provider (currently xAI forgrok-4.3), AI inference for analyses.
  • Whop, checkout, subscription management, payment processing, and related communications to you regarding billing.
  • Google, only if you choose to sign in with Google OAuth.
  • Vercel, application hosting and CDN.
  • Resend, transactional email delivery (currently kept on standby for future transactional flows).
  • Browser push services (e.g., Apple, Google, Mozilla), only when web push is enabled, to deliver notifications to your device.

We may also disclose personal data: (a) to comply with a legal obligation, court order, or lawful request; (b) to protect the rights, property, or safety of Qotify, our users, or others; or (c) in connection with a merger, acquisition, or sale of assets, in which case we will require the acquirer to honour this Policy.

7. International Data Transfers

The processors listed above are based in or operate from the United States and other countries outside the EU/EEA/UK. When we transfer personal data outside the EU/EEA/UK, we rely on appropriate safeguards permitted under applicable law, such as the European Commission's Standard Contractual Clauses, the UK's International Data Transfer Addendum, or equivalent mechanisms. You may request a copy of the relevant safeguards by contacting us.

8. Data Retention

  • Conversations, messages, and uploaded screenshots are automatically deleted 30 days after they are created. Deletion cascades through our database and removes the underlying objects from Cloudflare R2.
  • Account data (email, name, password hash, subscription state, follow list, push subscription, cancellation feedback) is kept while your account exists. If you delete your account, we delete or anonymise account data without undue delay, except where retention is required by law (e.g., accounting records).
  • Server logs and security telemetry are retained for a short period (typically a few days to a few weeks) and then deleted or aggregated.
  • Payment and billing records are kept by Whop and by us for as long as required by tax, accounting, and consumer-protection law (typically up to 10 years in the EU).

9. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Access, request a copy of the personal data we hold about you.
  • Rectification, correct inaccurate or incomplete data.
  • Erasure("right to be forgotten"), ask us to delete your data, subject to legal retention obligations.
  • Restriction, ask us to limit how we use your data while a request is being resolved.
  • Portability, receive your data in a structured, commonly used, machine-readable format.
  • Objection, object to processing based on legitimate interests.
  • Withdraw consent, at any time, for processing based on consent.
  • Complain, lodge a complaint with your local data-protection authority (in France, the CNIL, cnil.fr).

To exercise any of these rights, email qotify.io@gmail.com from the address associated with your account. We will respond within the timeframes required by applicable law (one month under the GDPR, extendable by two further months for complex requests).

10. California Privacy Rights

California residents have specific rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA, including the right to know what personal information we collect, to delete personal information, to correct inaccurate information, and not to be discriminated against for exercising those rights. We do not "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under California law. To exercise your California rights, contact us at the email above.

11. Security

We implement administrative, technical, and physical safeguards designed to protect your personal data, including encrypted transport (HTTPS/TLS), hashed credentials, scoped access keys, role-based access control to production systems, and short-lived time-bound storage for screenshots. No method of transmission or storage over the internet is 100% secure; we cannot guarantee absolute security. If we become aware of a personal data breach affecting your data, we will notify you and the competent authorities as required by applicable law.

12. Children

The Service is not directed to children. You must be at least 18 years old (or the age of majority in your jurisdiction) to use Qotify, in line with our Terms. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Automated Decision-Making

The Service produces automated analyses of the screenshots you upload. These analyses are informational only and do not produce legal or similarly significant effects on you within the meaning of Article 22 GDPR. You are free to accept, reject, or ignore any AI output. We do not engage in automated profiling that would have a significant effect on you.

14. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes, we will take reasonable steps to inform you (for example, by email or an in-app notice) before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

For any privacy question, request, or complaint, email qotify.io@gmail.com. Please include the email address associated with your Qotify account so we can locate your records.