Privacy Policy
Effective Date: 3 June 2026
Introduction
This Privacy Policy (“Policy”) explains how Qualithm Ltd. (“Qualithm”, “we”, “us”, “our”) collects, uses, shares, and protects Personal Data when you access or use our products, platforms, applications, interfaces, and related offerings (the “Services”).
By using the Services, you agree to this Policy. If you do not agree, you must stop using the Services.
This Policy forms part of our Terms of Service and should be read together with our Cookie Policy and Data Processing Addendum (where applicable).
If there is a conflict between this Policy and the Terms of Service, this Policy controls for matters relating to privacy and Personal Data handling. If there is a conflict between this Policy and the Data Processing Addendum, the Data Processing Addendum controls where Qualithm acts as Processor on your behalf.
Scope
This Policy applies to all Personal Data processed through the Services, including:
- Account holders and Users;
- Devices connected to the Services;
- end users interacting with your systems via our platform;
- visitors to websites and APIs operated by Qualithm.
Definitions
- Personal Data — Any information relating to an identified or identifiable natural person.
- Processing — Any operation performed on Personal Data (such as collection, storage, use, disclosure, deletion).
- Controller — The party determining the purposes and means of Processing.
- Processor — The party Processing Personal Data on behalf of a Controller.
- Device — Any hardware object, virtual agent, or simulator connected to the Services.
- Sub-Processor — A third party engaged to process Personal Data on our behalf.
Roles and Responsibilities
Our Responsibilities
We act as:
- a Controller for Personal Data we process for our own purposes, such as:
  - account administration and billing;
  - analytics and service improvement;
  - security, abuse detection, and fraud prevention.
- a Processor when we process Personal Data strictly on your documented instructions under the Data Processing Addendum.
Your Responsibilities
You act as Controller for Personal Data you or your Users submit to the Services. You must:
- ensure all Personal Data is collected lawfully;
- provide appropriate privacy notices to your end users;
- maintain a lawful basis for Processing Personal Data through the Services;
- provide lawful instructions to us when we act as Processor.
Information We Collect
Personal Data
- Contact Information: name, email address, phone number.
- Account Information: login credentials, authentication data, preferences, role and access settings.
- Usage Information: IP address, device identifiers, logs, timestamps, feature usage, and similar telemetry.
- Communication Data: support requests, feedback, and other correspondence with us.
- Billing Data: transaction details and payment confirmations (payment information is processed by trusted third-party providers; we do not store full card numbers).
Device & Telemetry Data
Devices connected to the Services may submit telemetry such as diagnostic logs, sensor data, events, and metadata (for example, firmware version or configuration). You are responsible for ensuring Device data is lawful to collect and process.
Non-Personal Data
We may collect aggregated or anonymised information that cannot reasonably be used to identify an individual. We may use this data to understand usage patterns and improve the Services.
How We Use Personal Data
We use Personal Data to:
- provide, operate, and maintain the Services;
- authenticate Users and secure Accounts;
- deliver notifications, updates, and service-related communications;
- provide support and respond to inquiries;
- perform analytics and improve performance and features;
- prevent, detect, and investigate abuse, fraud, and security incidents;
- comply with legal, regulatory, and contractual obligations.
We may send optional marketing or promotional communications where permitted by law. You can opt out of marketing at any time using unsubscribe links or by contacting us.
Sharing and Disclosure
Sub-Processors and Service Providers
We do not sell Personal Data. We may share Personal Data with:
- Sub-Processors: trusted third parties that provide infrastructure, hosting, email delivery, monitoring, payments, and similar services. Our current list is published at Sub-Processors.
- Service Providers: vendors working on our behalf under confidentiality and data-protection obligations.
Legal or Safety Requirements
We may disclose Personal Data where we believe it is reasonably necessary to:
- comply with applicable laws or lawful requests from authorities;
- enforce our Terms of Service or other agreements;
- protect the rights, property, or safety of Qualithm, our users, or the public.
Business Transfers
If we are involved in a merger, acquisition, or asset sale, Personal Data may be transferred as part of that transaction, subject to safeguards that maintain at least the same level of protection.
Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Services. These include:
- Essential cookies for core functionality such as authentication and security; and
- Optional cookies for analytics, preferences, and (where applicable) marketing, used only where you have provided valid consent.
Security and reliability telemetry required to operate and protect the Services (for example, error monitoring and CSP violation reporting) is treated as essential operational processing.
For more detail, including specific cookie types and durations, see our Cookie Policy. You can manage your cookie preferences at any time.
International Data Transfers
We may transfer Personal Data to countries other than the one in which it was originally collected, including New Zealand, the European Economic Area (EEA), the United States, and other regions where we or our Sub-Processors operate.
When we transfer Personal Data internationally, we use appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs);
- the UK International Data Transfer Agreement (IDTA) or Addendum; or
- other mechanisms recognized under applicable data-protection laws.
Data Retention and Deletion
We retain Personal Data only for as long as necessary to:
- provide the Services;
- fulfill the purposes described in this Policy; or
- comply with legal, regulatory, or accounting requirements.
In general, account-level data is retained while your Account is active. When you close your Account or request deletion, we delete or anonymise Personal Data within a reasonable period (usually within 30 days), except where we are legally required or permitted to retain it.
Backup copies are removed on a rolling basis, typically within 30–90 days.
Your Rights
Depending on your jurisdiction, you may have the right to:
- access your Personal Data;
- request correction of inaccurate or incomplete data;
- request deletion of your Personal Data;
- request portability of certain Personal Data;
- object to or request restriction of Processing; and
- withdraw consent where Processing is based on consent.
You can exercise these rights by contacting privacy@qualithm.com. We may need to verify your identity before responding. Some rights may be subject to limitations under applicable law.
Security
We maintain administrative, technical, and physical safeguards designed to protect Personal Data, including:
- encryption in transit and at rest where appropriate;
- access controls and least-privilege practices;
- logging and monitoring for suspicious activity;
- vulnerability management and secure development practices; and
- incident-response procedures.
If we become aware of a security incident involving Personal Data, we will investigate and notify you and, where required, regulators in accordance with applicable laws.
Enforcement and Liability
Nothing in this Policy overrides the liability limitations and allocations set out in the Terms of Service or Data Processing Addendum (where applicable).
Changes to This Policy
We may update this Policy from time to time to reflect operational, legal, or regulatory changes. Material changes will be communicated with reasonable advance notice, typically at least 30 days, unless a shorter period is required by law or for security or operational reasons.
Continued use of the Services after that notice period constitutes acceptance.
Governing Law
This Policy is governed by the laws of New Zealand. Any disputes arising out of or relating to this Policy are subject to the exclusive jurisdiction of the New Zealand courts, without prejudice to rights you may have under mandatory local law.
Contact
Privacy & Data Protection: privacy@qualithm.com
Legal: legal@qualithm.com
Security: security@qualithm.com