Privacy Policy

Last updated: 9 June 2026

This Privacy Policy explains how OMG QA ("OMG QA", "we", "us", or "our") collects, uses, shares, and protects personal information when you visit our website, create an account, or use the OMG QA quality platform (the "Service").

Controller and processor. For information about the people who administer and use an account (such as names, emails, and login activity), OMG QA acts as a controller. For the quality data a customer puts into the Service — projects, findings, evidence, comments, test runs — OMG QA acts as a processor on the customer's behalf, and that data is governed by the customer's instructions and our Data Processing Agreement.

1. Information we collect

• Account information — name, work email, organization name, and role. Sign-in uses a one-time passcode emailed to you; we do not store account passwords.
• Customer content — the projects, findings, comments, attachments/evidence (screenshots, traces, logs), test runs, and related metadata you or your agents submit. This is processed on your behalf as described in our DPA.
• Integration data — when you connect a tool (GitHub, Jira, GitLab, Azure DevOps, Slack), the tokens and identifiers needed to sync issues, pull requests, and notifications. Connector secrets are encrypted at rest.
• Billing information — plan, billing contact, and subscription status. Card and bank details are handled by our payment processors (Stripe, Paddle, PayPal); we do not store full card numbers.
• Usage and device data — log data such as IP address, browser type, pages viewed, API/MCP calls, timestamps, and correlation IDs, used to operate, secure, and improve the Service.
• Support communications — messages you send us and their contents.

2. How we use information

• To provide and operate the Service — authentication, processing your findings and test runs, syncing integrations, and delivering notifications.
• To secure the Service — detect and prevent abuse, enforce rate limits and agent governance, and maintain a tamper-evident audit log.
• To bill for paid plans and manage subscriptions.
• To communicate with you — transactional email (sign-in codes, verification, notifications, digests) and important service notices.
• To improve the Service — diagnose issues and understand aggregate usage.
• To comply with legal obligations and enforce our Terms of Service.

3. Legal bases (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to provide the Service you signed up for), legitimate interests (to secure and improve the Service), consent (where required, e.g. certain communications), and legal obligation.

4. How we share information

We do not sell personal information and we do not use your customer content to train third-party models. We share information only with:

• Subprocessors that help us run the Service (cloud database, object storage, email delivery, payments, CDN). The authoritative, current list is published in our Trust Center.
• Integration providers you choose to connect, limited to what the integration requires.
• Authorities, when required by law or to protect rights, safety, and the integrity of the Service.
• A successor, in connection with a merger, acquisition, or asset sale, under continued protection of this Policy.

5. International transfers and data residency

Each organization can pin its data to a residency region (United States or European Union). Where processing crosses borders, transfers rely on the Standard Contractual Clauses incorporated into our DPA. See the Trust Center for details.

6. Security

We protect data with per-organization database isolation, encryption of secrets at rest and TLS in transit, short-lived signed URLs for evidence, passwordless authentication, and a tamper-evident, hash-chained audit log. No method of transmission or storage is perfectly secure, but we work to protect your information and to disclose incidents as required. Report security concerns to [email protected].

7. Retention and deletion

We retain account and customer content for as long as your account is active. On offboarding, an organization's data is exported and then erased within a defined retention window. You can also request export or deletion at any time as described below and in the DPA.

8. Your rights

Subject to applicable law, you may access, correct, delete, export (port), restrict, or object to the processing of your personal information, and withdraw consent where processing is based on it. To exercise these rights, contact [email protected]. If we process data as a processor on a customer's behalf, we will refer your request to that customer. You may also lodge a complaint with your local supervisory authority.

9. Cookies

We use a single first-party, HttpOnly authentication cookie to keep you signed in, and privacy-friendly aggregate analytics. We do not use third-party advertising cookies or cross-site ad tracking.

10. Children

The Service is for business use and is not directed to children under 16. We do not knowingly collect their personal information.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be posted here with a new "Last updated" date and, where appropriate, notified by email.

12. Contact

Questions or requests: [email protected]. Security matters: [email protected].