Privacy Policy

Last updated: May 29, 2026

Qply is a product of Apptesterhub LLC, a limited liability company formed under the laws of the State of Wyoming, United States (Wyoming Filing ID: 2025-001787922), with its principal office at 75 E 3rd St Ste 7, Sheridan, Wyoming 82801, USA. In this policy, "Qply", "we", "us", and "our" refer to Apptesterhub LLC. We operate qply.io, app.qply.io, and related Qply services.

This policy explains how we collect, use, share, and protect your information when you visit our website, sign up for an account, or use the Qply chat widget embedded on a customer site.

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data in accordance with the General Data Protection Regulation (GDPR), UK GDPR, and the Swiss Federal Act on Data Protection (FADP). For the purposes of these laws, Apptesterhub LLC is the data controller of your account data and a data processor for chat data collected through the widget on behalf of our customers.

1. Information We Collect

• Account data: name, email address, workspace name, hashed password, and plan selection when you sign up.
• Usage data: conversation logs, analytics events, feature usage, IP address, browser type, and device information.
• Visitor data: when a visitor chats on the embedded widget on a customer website, we collect a pseudonymous visitor ID, chat messages, page URL, referring URL, language, approximate location (country/city level from IP), browser and operating system, and timestamps.
• Visitor acquisition data: on the visitor's first widget load, the widget may capture marketing-attribution parameters present in the landing page URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content) and click identifiers (gclid, fbclid, msclkid, ttclid), along with the cross-site referrer host and the landing URL. This is captured once per visitor (first-touch) and stored only when the customer's site has the widget configured to collect it. When a customer enables our consent-aware mode, this acquisition data is captured only after the visitor has accepted the customer's cookie banner.
• Payment data: processed entirely by Stripe. We store only a customer reference, subscription state, and the last four digits of the payment method. We never see or store raw card numbers or CVV codes.
• Marketing & advertising data: if you arrived from a Google Ads click, we record the associated gclid, gbraid, or wbraid identifier and any UTM parameters so we can attribute sign-ups to specific campaigns.

2. How We Use Your Information

• To provide, operate, and improve the Qply service (contract performance — GDPR Art. 6(1)(b)).
• To send transactional emails including account creation, password resets, billing receipts, and service notices (contract performance).
• To analyze aggregate usage, measure feature adoption, and improve product performance (legitimate interest — GDPR Art. 6(1)(f), unless you decline cookies).
• To respond to support and sales requests (legitimate interest).
• To measure the effectiveness of our advertising campaigns and to show relevant ads to previous visitors (consent — GDPR Art. 6(1)(a), only after you accept cookies).
• To detect and prevent fraud, abuse, and security incidents (legitimate interest).

3. Data Sharing

We do not sell your personal data. We share data only with the following sub-processors, each under a data processing agreement that requires them to protect your information:

• Supabase, Inc. — database, authentication, and file storage. Data stored in an EU region where available. Privacy policy.
• Amazon Web Services, Inc. (AWS Simple Email Service) — transactional email delivery (welcome emails, billing receipts, password resets, service notices). All Qply email is sent from the EU region eu-north-1 (Stockholm, Sweden), so message metadata stays in the EEA. Privacy notice.
• Functional Software, Inc. (Sentry) — application error monitoring and performance tracing for the Qply backend. Stores stack traces, request metadata, and any user identifier we attach to error events. Data hosted in the United States. Privacy policy.
• Stripe, Inc. — payment processing, subscription billing, invoicing. Privacy policy.
• Google LLC — Google Analytics 4 (GA4) — aggregate product analytics and user-journey measurement. GA4 is configured in IP-anonymization mode and processed only after you accept analytics cookies. Privacy policy. You can opt out at any time using the Google Analytics opt-out browser add-on.
• Google LLC — Google Ads — advertising, conversion measurement, and remarketing. Google Ads cookies and identifiers are only set after you accept marketing cookies. Ads privacy policy. You can opt out of personalized ads in Google My Ad Center.
• Meta Platforms, Inc. — Meta Pixel for advertising conversion measurement and remarketing on Facebook and Instagram. The pixel is only loaded after you accept marketing cookies via our cookie banner. Privacy policy. You can opt out of personalized ads in Meta Ad Preferences.
• Microsoft Corporation — Microsoft Universal Event Tracking (UET) for Bing Ads conversion measurement and remarketing. The tag is only loaded after you accept marketing cookies via our cookie banner. Privacy statement. You can opt out of personalised ads in Microsoft Ad Settings.
• Industry-wide opt-out — You may opt out of interest-based advertising from all participating ad networks at once via the Network Advertising Initiative (NAI) opt-out tool and the Digital Advertising Alliance (DAA) opt-out tool.
• Google Cloud / Firebase — authentication (Google Sign-In) and application infrastructure. Privacy policy.
• Third-party large language model providers — used to generate AI chat responses on your behalf. All AI providers operate under enterprise data-processing agreements that prohibit training their models on Qply customer or visitor data. Names of the current AI providers are available to enterprise customers on request.

We may also disclose information if required by law, court order, or to protect the safety of users or the public.

4. International Data Transfers

Qply is established in the United States, and several of our sub-processors are also headquartered in the United States. When we transfer your data from the EEA, United Kingdom, or Switzerland to the United States or any other country outside those regions, we rely on one or more of the following safeguards:

• EU Standard Contractual Clauses (SCCs) and UK International Data Transfer Addendum (IDTA) with each sub-processor.
• EU–US Data Privacy Framework — Google and Stripe are certified under the DPF, providing an additional lawful basis for transfers to the United States.
• Supplementary technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256), plus minimization of data shared with each processor.

4a. Customer Responsibility and Roles

When the Qply chat widget is embedded on a customer's website, the customer (not Apptesterhub LLC) is the data controller for end-user and visitor data collected through their widget. Customers are responsible for:

• Posting an appropriate privacy notice on their own site that discloses Qply's role.
• Obtaining any required consent from their end users (including cookie consent in the EEA, UK, and Switzerland) before the widget loads.
• Complying with applicable data protection laws, including GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and any sector-specific rules that apply to their business.
• Configuring data retention, deletion, and access controls within their Qply workspace as required by those laws.

Apptesterhub LLC acts as a data processor for chat data under our Data Processing Agreement and is not responsible for our customers' independent compliance obligations or for any misuse of the Service by a customer in violation of these Terms or applicable law.

To help customers meet their consent obligations, the Qply widget supports a consent-aware mode (enabled by adding data-consent-required="true" to the embed script) that defers all non-essential data collection — IP-based geolocation, browser metadata, and acquisition tracking — until the customer's cookie banner reports that the visitor has consented. Customers can also configure a pre-chat disclosure shown above the chat input (for example: "By starting a chat, you agree to our privacy policy"), which is visible to every visitor before they send their first message.

5. Data Retention

• Account data: retained while your account is active, plus 90 days after closure for dispute resolution and backup rotation.
• Conversation logs: 12 months on the Starter plan, 24 months on Growth, and 36 months on Pro. You can delete individual conversations or your entire workspace at any time from the dashboard.
• Analytics data (GA4): retained for 14 months at the event level, then aggregated.
• Advertising data (Google Ads): attribution identifiers (gclid, _gcl_aw cookie) retained for up to 90 days; remarketing audiences expire after 540 days of inactivity.
• Billing records: retained for 7 years as required by tax and accounting law.

You can request earlier deletion at any time by emailing [email protected]. We honor deletion requests within 30 days, subject to legal retention obligations.

6. Cookies and Similar Technologies

We use the following categories of cookies. When you visit qply.io from the EEA, UK, or Switzerland, all non-essential cookies are disabled by default until you give explicit consent via our cookie banner (Google Consent Mode v2).

Strictly necessary (always on) — required for the site to function:

• ai_chat_admin_token — authentication session for the dashboard (local storage, not a cookie).
• qply_consent — remembers your cookie preference so we don't prompt you again (expires after 180 days).
• ai_chat_visitor_id_* — pseudonymous visitor identifier set by the chat widget so you don't restart from scratch on every page (local storage, scoped per customer site).
• qplyConsent_* — used by the chat widget when a customer enables consent-aware mode, to remember whether the visitor accepted the customer's cookie banner.
• Stripe — __stripe_mid, __stripe_sid for fraud prevention during checkout.

Analytics (optional, consent required) — measure product usage:

• _ga, _ga_82JGKXF4XK — Google Analytics 4 session and user identification (expires after 13 months).

Advertising (optional, consent required) — measure ad campaigns and enable remarketing:

• _gcl_aw — Google Ads click identifier for conversion tracking (expires after 90 days).
• _gcl_au — Google Ads conversion linker (expires after 90 days).
• _fbp — Meta Pixel browser identifier for conversion tracking and remarketing on Facebook and Instagram (expires after 90 days). Set by the Meta Pixel only after you accept marketing cookies.
• _uetsid, _uetvid — Microsoft UET session and visitor identifiers for Bing Ads conversion tracking and remarketing (session cookie and 13 months respectively). Set by the UET tag only after you accept marketing cookies.
• MUID — Microsoft user identifier used by UET for cross-site analytics and ad personalisation (expires after 13 months). Set only after you accept marketing cookies.
• qply_attribution — stores your original campaign source (gclid, UTM parameters) for 90 days so we can attribute sign-ups to ad campaigns on qply.io.
• ai_chat_attribution_* — used by the chat widget on customer sites to remember the visitor's first-touch acquisition source (UTM parameters, gclid/fbclid/msclkid/ttclid, referrer, landing URL) so the customer can see where chat conversations originated. Only written when the customer's site has captured this data on first visit.

You can withdraw consent at any time by clearing the qply_consent cookie in your browser and reloading the page, or by emailing [email protected].

7. Your Rights Under GDPR, UK GDPR, and Swiss FADP

If you are in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure — request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Right to restrict processing — limit how we use your data while a dispute is resolved.
• Right to data portability — receive your data in a structured, machine-readable format.
• Right to object — to processing based on legitimate interest, including direct marketing.
• Right to withdraw consent — where processing is based on consent (analytics, advertising), withdraw it at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint — with your local data protection authority. For EU residents, find yours at edpb.europa.eu. UK residents: ico.org.uk.

To exercise any of these rights, email [email protected]. We respond within 30 days and will not charge a fee unless your request is manifestly unfounded or excessive.

8. California Residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of "sale" or "sharing" of personal information, and to non-discrimination for exercising these rights. Qply does not sell personal information for monetary consideration. Some ad-tracking activities (Google Ads remarketing) may qualify as "sharing" under CPRA — you can opt out by declining cookies in our banner or by emailing [email protected].

9. Security

All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Access to production systems is restricted to authorized personnel, protected by multi-factor authentication, and logged for audit. We conduct regular security reviews and apply software updates promptly. No system is perfectly secure — we recommend using a strong, unique password for your Qply account.

10. Children's Privacy

Qply is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, email [email protected] and we will delete it promptly.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be notified by email (for account holders) or by a prominent banner on qply.io. The "Last updated" date at the top indicates when the policy was last revised.

12. Contact

Questions about this policy, data protection, or to exercise your rights? You can reach us at:

• Email: [email protected] (for EU/UK data protection inquiries, please put "GDPR Request" in the subject line)
• Mailing Address:
  Apptesterhub LLC, 75 E 3rd St Ste 7, Sheridan, WY 82801, USA

We respond to all privacy requests within 30 days.