Privacy Policy

This Policy covers personal information processed by Quads Lab in connection with the Service. By creating an account, signing in via Discord, joining a waitlist, purchasing a subscription, or running a licensed copy of one of our desktop clients, you acknowledge that we will handle your information as described here.

This Policy does not cover:

• Data handled by third parties you choose to integrate with (Stripe, Discord, GitHub, Anthropic, OpenAI, OpenRouter, Ollama, etc.). Their privacy policies govern that data.
• Data stored locally on your own device by our desktop clients (project files, ideas, plans, scripts, local SQLite databases). That content stays on your machine unless you explicitly send it somewhere.
• Brand-operated storefronts and properties. If you bought a Quads Lab product through a partner brand, that brand has its own privacy policy that governs its side of the relationship.

This section is the conspicuous, scannable summary required by California law (CCPA/CPRA) and is intended as a quick reference for everyone. The full detail is in the sections that follow.

Categories of personal information we collect:

• Identifiers: Discord user ID, Discord username and display name, email address, internal user ID, locally generated device UUID, IP address (logged at the edge), and — if you link a Strava account — your Strava athlete ID.
• Commercial information: subscription tier, status, trial-end date, current period-end date, Stripe customer ID, Stripe subscription/price IDs, invoice URLs. Not card numbers — those go directly to Stripe.
• Internet/network activity: license-verification telemetry (OS name and version, build ID, current product, device UUID, request IP), session cookies, CSRF cookies.
• Geolocation: approximate, derived from IP at the network edge (city/region level at most). We do not collect precise GPS location.
• Inferences: aggregate, non-identifying product analytics (e.g. how many devices are on a given tier).
• Activity data (Strava-linked accounts only): when you opt in to the Strava integration, we receive activity events from Strava and fetch the corresponding activity detail — name, sport type, distance, moving time, elapsed time, elevation gain, average/max speed, average/max heart rate, kudos and achievement counts, the route summary polyline, and any photos you attached on Strava.
• Customer support content: anything you send us in a support ticket or email.
• Audit log entries: records of admin actions, subscription state transitions, and license activations/deactivations.

Sources of this information:

• Directly from you (waitlist, signup, support, account settings).
• From Discord, when you sign in via OAuth.
• From Stripe, when you subscribe or your subscription changes.
• From Strava, when you link your Strava account (athlete profile data and activity events delivered via Strava's Webhook Events API).
• Automatically from the Service (license verification, session/CSRF cookies, edge logs).
• From a brand storefront, if you purchased through one.

Purposes:

• Operate the Service (provision subscriptions, deliver licenses, enforce device limits, push minimum-build update gates).
• Bill via Stripe.
• Communicate with you about your account and security.
• Provide support.
• Detect fraud and abuse.
• Maintain aggregate, non-identifying product analytics.
• Comply with legal obligations.

Recipients/categories of third parties:

• Stripe (payment processing).
• Discord (OAuth identity, only when you sign in).
• GitHub (only if you explicitly connect it for issue sync).
• Our cloud infrastructure provider (currently Railway).
• LLM providers (Anthropic, OpenAI, OpenRouter, or local Ollama) — only when you yourself invoke them from your local app. Quads Lab does not send your data to LLM providers.
• Brand integrators, when you purchased through a brand and the brand needs to know your subscription state.
• Legal/governmental authorities, when validly required.
• A successor entity, in the event of a merger, acquisition, or asset sale.

Sale or "sharing" for cross-context behavioral advertising: None. We do not sell your personal information and we do not share it for cross-context behavioral advertising.

Sensitive personal information: We do not knowingly collect sensitive personal information (such as government IDs, precise geolocation, biometric data, health data, or contents of mail/email/messages other than support tickets you send us). We do not use any data for inferences about your character or psychology.

Retention: See section 9 for category-specific retention periods.

When you create an account, we collect:

• Via Discord OAuth: your Discord user ID, username, display name, and the email address Discord shares with us. We use this to identify you, send transactional email, and match you to your subscription.
• Via direct email signup or waitlist: your email address. We use it to contact you about the product and your account.

If you sign in with Discord, we do not store a password for you. We rely on Discord for authentication via OAuth 2.0 with PKCE.

You can update your account email at https://quadslab.io/account.

Payments are processed by Stripe. When you subscribe:

• We send Stripe what it needs to bill you (your email and an internal customer reference).
• Stripe sends us back a customer ID (stripeCustomerId) and metadata about your subscription: tier, status, trial-end date, current period-end date, and the relevant Stripe price/subscription IDs.
• We store that metadata against your account so we can grant you access to the right product and tier.

We never see, store, or transmit your card number, CVC, expiration date, or full PAN. All card data is entered into Stripe's PCI-compliant vault via Stripe.js or Stripe Checkout and never touches our servers.

For Stripe's own privacy practices, see https://stripe.com/privacy.

Each licensed desktop client periodically posts to our /api/license/verify endpoint so we can confirm your subscription is active, enforce per-tier device limits, and push minimum-build force-update gates when a build is no longer safe to run.

Each verification request includes:

• A device UUID generated locally by the client. This is a random identifier — it is not a hardware fingerprint and does not identify your machine outside our system.
• The OS name and version (e.g. "Windows 11", "macOS 14.4").
• The build ID of the client.
• The product the client represents (e.g. QuadFlow).
• The IP address of the request, which is logged at the network edge for rate limiting and abuse detection.

We use this telemetry to:

• Confirm an active subscription.
• Enforce device limits per your tier.
• Force-update clients running unsafe builds.
• Detect abuse (e.g. one license being used across hundreds of devices).

We do not use license telemetry for advertising or sell it to anyone.

Some categories of data that other software companies routinely collect, we deliberately do not. This is structural — these things never reach our servers in the first place.

• Card data. Stripe handles all of it. We never receive card numbers, CVCs, expirations, or full PANs.
• AI prompts and outputs. When you use QuadFlow's agent terminals (Claude Code, Codex, OpenRouter-routed models, local Ollama, etc.), your prompts and the model's responses go directly from your desktop client to the LLM provider you chose. Quads Lab does not proxy, mirror, log, or store any of that traffic. Whatever the provider's privacy policy says is what governs that data — we have no copy.
• Local project files and source code. QuadFlow reads and writes your local filesystem. We do not upload your repos, files, or working tree to any Quads Lab server.
• Local PM tool data. Ideas, plans, projects, and scripts you create with the desktop client are stored in a local SQLite database on your machine. They are not synced to us.
• Browsing across other sites. We do not run third-party advertising or cross-site tracking pixels.
• Device fingerprints. The device UUID we use for license enforcement is a random value generated on your machine, not a fingerprint of your hardware or browser.

We use cookies sparingly and only for things the Service cannot function without:

• Session cookies (HTTP-only, SameSite=Lax): keep you signed in.
• CSRF / OAuth state cookies: protect the OAuth sign-in flow.

We do not use:

• Third-party advertising cookies.
• Cross-site tracking pixels.
• Browser fingerprinting.
• Analytics cookies that identify you personally.

Because we only use strictly necessary cookies, you do not need to consent to non-essential cookies — we don't set any. You can clear cookies in your browser at any time; doing so will sign you out.

We use the categories of personal information described above for the following purposes:

• Operate the Service. Provision subscriptions, issue and verify licenses, enforce device limits, push minimum-build update gates.
• Billing. Hand the necessary minimum to Stripe so it can charge you, and reconcile Stripe's response back to your account.
• Communicate with you. Send transactional emails (account changes, security alerts, billing notices, subscription state transitions). We do not send marketing email without a separate opt-in.
• Support. Read and respond to support tickets and emails.
• Security and abuse prevention. Rate-limit endpoints, detect license abuse, investigate suspicious activity, and maintain audit logs of sensitive admin and account actions.
• Aggregate product analytics. Understand how the product is used in aggregate (e.g. how many devices are on each tier). These aggregates are non-identifying.
• Comply with the law. Respond to valid legal process and meet tax, accounting, and regulatory obligations.

We keep personal information only as long as we need it for the purposes described above, or as required by law.

• Account data (your User record, Discord identifiers, email): kept for the life of your account.
• Account deletion: when you delete your account via the in-app flow at https://quadslab.io/account or via /api/account/delete, we process the deletion within 30 days, with these exceptions:
• Records we are required to retain by law (for example, billing and tax records, which we keep up to 7 years to satisfy IRS and similar requirements).
• Audit logs of security-sensitive events, retained up to 2 years for fraud prevention and security.
• Webhook event payloads delivered to brand integrators or stored for our own retry/queue handling: retained for 30 days.
• Support tickets: retained for 2 years after resolution, unless you ask us to delete them sooner.
• License-verification logs: retained only as long as needed for abuse detection and rate-limit windows; older entries are pruned.

If law requires longer retention than the periods above, we will retain only what the law requires and only for as long as the law requires.

We share personal information only with the following categories of recipients, and only to the extent needed:

• Stripe — payment processing. Privacy: https://stripe.com/privacy.
• Discord — OAuth identity (only when you sign in). Privacy: https://discord.com/privacy.
• GitHub — only if you explicitly connect GitHub for issue sync. Privacy: https://docs.github.com/privacy.
• Cloud infrastructure provider (currently Railway). Your data is encrypted in transit and at rest while hosted there.
• LLM providers (Anthropic, OpenAI, OpenRouter, or local Ollama). To repeat: Quads Lab does not send your data to any LLM provider. When you use an AI agent terminal in our desktop client, your local app sends your prompt directly to the provider you configured. Their privacy policy governs that data.
• Brand integrators. If you purchased a subscription through a brand storefront, when your subscription transitions (trial start, activation, cancellation, etc.) we emit a webhook event to the brand. Those events contain your user ID, the product key, tier, status, current period-end, trial expiration, and Stripe price/invoice URLs. The brand needs this so they can confirm your purchase and grant you the access you bought. Each brand has its own privacy policy.
• Legal authorities. We may disclose information when we believe in good faith that disclosure is required by valid subpoena, court order, or other legal process, or is reasonably necessary to protect the rights, safety, or property of Quads Lab, our users, or the public.
• Successor entity. In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your information may be transferred as part of that transaction, subject to this Policy or a successor policy at least as protective.

We do not sell your personal information. We do not "share" your personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.

Quads Lab supports a "brand integrator" model where partner brands can resell or bundle our products under their own storefront. If you purchased through a brand, please note:

• We share subscription event data with that brand via webhook so they can fulfill your purchase. Events include user ID, product key, tier, status, current period-end, trial expiration, and Stripe price/invoice URLs.
• We do not share your AI prompts, project files, support tickets, or anything outside the listed event payload.
• The brand operates under its own privacy policy. Once event data reaches the brand, the brand becomes an independent controller of that data for purposes governed by its policy.

If you don't want a brand to receive these events, the practical option is to cancel your subscription with that brand. Email [email protected] if you have questions.

If you choose to link your Strava account to your Quads Lab account, we collect and process additional data to deliver activity announcements into the Discord channels you've authorized:

What we collect from Strava:

• Strava athlete ID — Strava's unique identifier for your account.
• OAuth tokens — long-lived access and refresh tokens issued by Strava, stored encrypted at rest. These let us fetch activity details and stay connected without you re-authorizing every six hours.
• Activity detail — when Strava notifies us via its Webhook Events API that you've completed an activity, we fetch the activity's details (name, sport type, distance, moving time, elapsed time, elevation gain, average/max speed, average/max heart rate, kudos and achievement counts, the route summary polyline, and any photos you attached on Strava) and store them.

How we use it:

• Refresh your Strava access token before it expires (Strava tokens last six hours) using your stored refresh token.
• When Strava pushes a webhook event indicating a new or updated activity for your account, we fetch that activity once and deliver an announcement embed to the Discord channel(s) configured by the moderators of the community you're linked into.
• Audit-log connect, disconnect, and post events for security and abuse prevention.

What we do NOT do:

• We request read-only access from Strava. We do not modify, create, upload, or delete anything on your Strava account on your behalf.
• We do not share your Strava data with any third party other than relaying activity-announcement embeds to the Discord channels you authorized.
• We do not collect Strava data we don't need for the announcement feature — no follower or following graphs, no segment efforts you didn't post, no historical training load, and no health/wellness data beyond what is attached to an individual posted activity.
• We do not use Strava data for advertising, profiling, or training any machine-learning model.

Disconnecting. You can disconnect Strava at any time by:

• Running /strava unlink in Discord;
• Disconnecting from your Quads Lab account settings at https://quadslab.io/account; or
• Revoking the Quads Lab application directly in Strava's app settings at https://www.strava.com/settings/apps.

When you disconnect:

• We delete your stored Strava access and refresh tokens within 24 hours.
• We stop receiving and processing future Strava events for your account.
• Previously posted Discord messages are not automatically deleted — they remain in the channel where they were posted. To remove them, ask a moderator of that channel or delete your own messages where Discord permits.
• Activity event records we retained for queue/retry purposes are pruned within 30 days.

Strava's role. Strava is an independent third party. Their handling of your activities, profile, and other Strava data is governed by Strava's own privacy policy at https://www.strava.com/legal/privacy. When we receive data from Strava on your behalf, we process it as described above. If you have questions about Strava's processing, contact Strava directly.

We take reasonable and appropriate measures to protect your information:

• TLS in transit. All traffic to Quads Lab endpoints is encrypted in transit.
• Encryption at rest. Our database is hosted on Postgres with disk encryption provided by our infrastructure host.
• OAuth + PKCE. Sign-in via Discord uses OAuth 2.0 with PKCE; users who sign in via Discord do not have a password stored with us.
• Session cookies are HTTP-only and SameSite=Lax.
• PCI scope minimization. All card data is handled by Stripe in its PCI-compliant vault. Our systems are not in PCI scope for cardholder data.
• Audit logging. Sensitive admin actions and security-relevant events are logged for review.

No system is perfectly secure. If we ever experience a security incident affecting your information, we will notify you in accordance with applicable law.

Regardless of where you live, you can exercise the following rights with respect to your personal information:

• Access: ask what we have about you.
• Correction: ask us to fix inaccurate data.
• Deletion: ask us to delete your account and associated data, subject to the legal retention exceptions in section 9.
• Portability: ask for a machine-readable copy of the personal data you provided.
• Restriction / objection: ask us to limit certain processing.

To exercise any of these rights, email [email protected] or use the in-app account deletion flow at https://quadslab.io/account. We will verify your identity (typically by confirming control of the email on the account) and respond within the time required by applicable law.

We will not retaliate against you for exercising any of these rights.

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes, and the categories of recipients. Section 2 of this Policy is our standing notice at collection.
• Right to delete your personal information, subject to legal retention exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of, but if that ever changes we will provide a clear opt-out mechanism.
• Right to limit the use of sensitive personal information. We do not use sensitive personal information to infer characteristics about you, so there is nothing to limit.
• Right to non-discrimination for exercising any of the above rights. We will not deny you the Service, charge you a different price, or give you a lesser product because you exercised a privacy right.

You may use an authorized agent to submit a request on your behalf. We will require reasonable proof of authorization.

To exercise these rights, email [email protected].

If you are in the European Economic Area, United Kingdom, or Switzerland, the GDPR or UK GDPR applies to our processing of your personal data.

Lawful bases. We process personal data on the following bases:

• Performance of a contract — to provide the Service to you (account, license verification, billing, support).
• Legitimate interests — to keep the Service secure, prevent abuse and fraud, and maintain aggregate, non-identifying analytics. We have balanced these interests against your rights.
• Consent — where we ever ask for it (for example, optional marketing email). You can withdraw consent at any time.
• Legal obligation — to comply with tax, accounting, and other applicable laws.

Your rights. In addition to the rights listed in section 14, you have the right to:

• Object to processing based on legitimate interests.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with your local data protection supervisory authority.

EU representative. Our representative in the European Union for GDPR purposes is [EU_REPRESENTATIVE].

International transfers. Quads Lab is based in the United States and our hosting infrastructure is in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the U.S. or other countries, we rely on appropriate safeguards such as the Standard Contractual Clauses approved by the European Commission, and the UK Addendum where applicable.

Residents of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, and other states with comprehensive consumer privacy laws have rights similar to those described in section 15, including the right to access, delete, correct, and obtain a portable copy of personal data, and the right to opt out of targeted advertising, sale, and certain profiling.

We do not engage in targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects, so several of these opt-outs do not apply in practice. To exercise any state-law right that does apply to you, email [email protected]. Where state law provides an appeal mechanism for denied requests, you may appeal by replying to our response within the time period stated in that response.

Quads Lab is a U.S. company and our infrastructure is located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States and other countries where we and our service providers operate.

Where required by applicable law, we use appropriate safeguards (such as Standard Contractual Clauses for transfers from the EEA, the UK Addendum for transfers from the UK, and equivalent mechanisms for transfers from Switzerland) to protect your information.

The Service is not directed to children under 13 (or under 16 in the EEA), and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email [email protected] and we will delete it. Parents and guardians may also email that address to make requests on a child's behalf.

We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you. License verification involves automated checks (active subscription, device count, minimum build), but those checks act on your subscription state — not on inferences about you — and you can contact support to dispute any outcome.

Some browsers offer "Do Not Track" or Global Privacy Control (GPC) signals. Because we do not engage in cross-site tracking or sell or share personal information for cross-context behavioral advertising, these signals do not change our behavior — there is nothing for them to opt you out of.

We may update this Privacy Policy from time to time. When we do, we will update the version and effective date shown at the top of this page. For material changes, we will also notify you by email or via an in-app banner before the change takes effect, where reasonably possible. Your continued use of the Service after a change becomes effective means you accept the updated Policy.

Questions, complaints, or requests about this Policy or your personal information:

• Email: [email protected]
• EU Representative (GDPR Art. 27): [EU_REPRESENTATIVE]

We will respond within the time required by applicable law.