Currently in private beta.

Privacy Policy

Last updated:

Plain-English summary: We collect what we need to run the service. We don't sell your data. We use AI providers (OpenAI, Anthropic) under no-train contracts. You can export or delete your data anytime.

This Privacy Policy explains how Qone ("we", "us") collects, uses, and protects information when you use our website and services.

1. What we collect

Account information

  • Name, work email, profile photo (if provided)
  • Workspace name, subdomain, country, language preference
  • Role (Owner, Admin, Member, Guest)

Workspace data

  • Tasks, projects, comments, time entries you create
  • Employee records, attendance, leave records, payroll data
  • Invoices, payments, expenses
  • AI agent decisions and reasoning

Usage data

  • Login times, IP address, browser, device type
  • Page views, feature usage (via PostHog analytics)
  • Error events (via Sentry, with PII scrubbed)

2. How we use your data

  • Operate the service (create your workspace, sync with Slack, etc.)
  • Provide AI agent features (passes task/team data to OpenAI/Anthropic under no-train contracts)
  • Send service emails (welcome, EOD digest, security alerts)
  • Improve the product (aggregate usage patterns, never individual)
  • Comply with legal obligations

We do not sell your data, share it with advertisers, or use it to train external AI models.

3. AI processing

Qone uses OpenAI and Anthropic for AI inference. Specifically:

  • Task descriptions, team capacity data, and decision context are sent to these providers for agent reasoning
  • Both providers operate under no-training contracts — your data is NOT used to improve their models
  • You can opt-out of AI features per workspace (Settings → Agents → Disable)
  • PII redaction filter strips sensitive patterns (SSN, credit card, phone) before LLM calls

4. Your rights (GDPR-aligned)

  • Right to access: Download all your data anytime (Settings → Data → Export). Includes profile, workspace, AI decisions.
  • Right to rectification: Edit your profile, workspace settings, content at any time.
  • Right to erasure: Delete your account anytime (Settings → Danger zone). Soft-deleted 30 days, then permanent.
  • Right to portability: Export in JSON/CSV formats.
  • Right to object: Email [email protected] with specific concerns.

5. Data location & retention

Currently US-East (AWS). EU data residency option in Business plan from Q3 2026.

Retention:

  • Active accounts: indefinite
  • Soft-deleted: 30 days, then permanent erasure
  • Audit logs: 1 year minimum (for SOC 2)
  • Backups: 7 days point-in-time + 30 days snapshots

AI-Powered Features

We may use third-party artificial intelligence (AI) service providers to power AI features within the Service, such as text generation, summarization, or automation. These providers process data solely to deliver the requested functionality and do not use your data to train their models unless explicitly stated.

We process your personal data on the following legal bases (article references apply to EU/UK users under GDPR; equivalent grounds apply under other applicable laws):

  • Performance of a contract (Art 6(1)(b)) — providing your account, service delivery, and billing
  • Legitimate interest (Art 6(1)(f)) — security monitoring, error tracking, and product improvement
  • Legal obligation (Art 6(1)(c)) — financial record-keeping (7-year retention for tax compliance)
  • Consent (Art 6(1)(a)) — analytics cookies (PostHog), which you may withdraw at any time

5. Data Storage and Security

We implement reasonable technical and organizational measures to protect your data. However, no system is completely secure.

Your data may be transferred to and processed in countries other than your own, including where our infrastructure and service providers operate. We implement appropriate safeguards for such transfers in accordance with applicable data protection laws.

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify relevant authorities and affected users as required by applicable law.

6. Data Sharing

We do not sell your personal data. We may share information with:

  • Payment processors (e.g., Paddle)
  • Infrastructure providers (hosting, analytics)
  • Authorities if required by law

View our full sub-processor list →

6. Subprocessors

Full list at qone.work/trust. Summary:

  • AWS (database, compute)
  • Cloudflare (CDN, file storage)
  • OpenAI + Anthropic (AI inference)
  • Resend (transactional email)
  • Slack (your OAuth connection)
  • Paddle (billing)
  • Sentry (errors), PostHog (analytics)

7. Security

See Trust & Security for current status. Highlights:

  • TLS 1.3 in transit, encrypted at rest
  • Passwords hashed with bcrypt (12 rounds)
  • Audit log of all state-changing actions
  • Multi-tenant isolation (app-layer + Postgres RLS)
  • SOC 2 Type II audit in progress (Q2 2027)

8. Children

Qone is not directed at children under 16. We do not knowingly collect data from children.

8. Automated Decision-Making

We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notice before they take effect.

10. Contact

Qone by QDNEmail: [email protected]
Website: https://qone.work

11. Cookies and Tracking

We use essential cookies to operate the Service (e.g., session authentication). We may use analytics tools to understand usage patterns. You can disable non-essential cookies in your browser settings.

View our full cookie policy →

12. Your Privacy Rights

Depending on your location, you may have rights regarding your personal data under applicable privacy laws (including GDPR, CCPA, LGPD, PDPA, and similar frameworks). These rights may include:

  • Right to access your personal data
  • Right to correct inaccurate data
  • Right to request deletion of your data
  • Right to data portability (where applicable)
  • Right to restrict or object to processing
  • Right to opt out of sale of personal data (we do not sell personal data)

To exercise these rights, please contact us at [email protected]. We will respond within the timeframe required under applicable data protection laws.

Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority in your country of residence or workplace. EU/EEA users can find their supervisory authority at edpb.europa.eu.

Withdrawing Consent

Where processing is based on consent (e.g., analytics cookies), you may withdraw it at any time using the "Manage cookies" link in the website footer. Withdrawal does not affect processing carried out before withdrawal.

13. Slack Integration Data

When you connect Qone to your Slack workspace, we collect and process the following data on behalf of your organization:

  • Bot access token — used to send notifications and post messages on behalf of your workspace
  • Workspace metadata — team ID, team name, and workspace icon
  • User email addresses — used to match Slack users to Qone accounts
  • Slack user IDs — used to deliver direct message notifications
  • Channel names and IDs — used when you link a Slack channel to a Qone project

This data is used solely to deliver notifications, enable slash commands, and support Slack-based task creation within Qone.

All Slack workspace data (tokens, user identities, channel links) is permanently deleted when you disconnect the Slack integration from your workspace settings.

Bot tokens are stored securely in our database and are never exposed in API responses, logs, or client-side code.

Our Slack integration complies with Slack's API Terms of Service and App Directory requirements.

9. Changes

We'll notify users by email of material changes. Continued use after notice constitutes acceptance.

10. Contact

For privacy questions: [email protected]. We respond within 30 days (often 24 hours).

Data Protection Officer: not currently designated. We will appoint one when processing scale requires per GDPR.