Privacy Policy
Last updated: May 2026
This Privacy Policy explains how Quibo ("we", "us") collects, uses, discloses, and protects personal data when you use our website and services. We are committed to GDPR (EU/UK), CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), and POPIA (South Africa) compliance by default.
1. Data controller
Quibo acts as the data controller for the personal data of our account holders, and as a data processor for the content (articles, keywords, brand profiles) you create using our services. Contact: dpo@quibo.cc.
2. What we collect
- Account data: email, full name (optional), date of birth, password hash, marketing opt-in choice.
- Organization data: organization name, plan, billing identifiers.
- Content you create: keywords, articles, brand profiles extracted from your sites.
- Connector credentials: tokens for the CMS you connect (WordPress, Sanity, Framer), encrypted at rest with AES-256-GCM.
- Usage and audit data: login times, IP addresses (kept for 30 days, then scrubbed), security events.
- Cookies: see our Cookie Policy.
3. Lawful basis (GDPR Art. 6)
- Contract: providing the Service you signed up for.
- Legitimate interest: securing the Service, preventing fraud and abuse.
- Consent: marketing emails, non-essential cookies, optional features.
- Legal obligation: tax records, audit log retention.
4. How we use your data
- Provide, maintain, and improve the Service.
- Authenticate you and protect your account.
- Generate, schedule, and publish content on the sites you connect.
- Send service emails (password resets, security alerts) and, only with your consent, marketing emails.
- Comply with legal obligations and respond to lawful requests.
5. Sub-processors
We use the following sub-processors. Transfers outside the EU rely on Standard Contractual Clauses (SCC). The complete and current list is at security/sub-processors.
- Supabase (EU, Frankfurt) — database and authentication.
- Vercel (multi-region) — hosting.
- Anthropic (US) — LLM generation.
- Exa, DataForSEO, Firecrawl, fal.ai (US) — search, keyword data, web crawling, image generation.
- Stripe (US) — payment processing.
- Inngest (US) — workflow orchestration.
- Sentry (EU option) — error monitoring (PII scrubbed).
6. Your rights
Wherever you are, you can exercise these rights from /app/settings/privacy:
- Access: download your data as a ZIP (Art. 15).
- Rectification: edit profile fields directly (Art. 16).
- Erasure: delete your account, with a 30-day grace period to reverse (Art. 17).
- Portability: same JSON export, ready to import elsewhere (Art. 20).
- Restriction / objection: opt out of marketing emails (Art. 18, 21).
- Automated decision-making: articles are AI-generated based on keywords you accept; you retain editorial control (Art. 22).
California (CCPA/CPRA): we do not sell your personal information. You have the right to know, delete, correct, and limit the use of sensitive personal information. Use the "Do not sell or share" link in our footer to exercise these rights.
7. Data residency and transfers
Database and storage are hosted in the EU (Frankfurt) by default. LLM and analytics providers process data in the US under SCC. We do not transfer data to jurisdictions without an adequacy decision or appropriate safeguards.
8. Retention
- Account data: until deletion.
- Articles, keywords, brand profiles: until you delete them or your account.
- Audit logs: up to 6 years (legal obligation), then anonymized.
- Backups: 30 days rolling.
- IPs in operational logs: 30 days, then scrubbed.
9. Security
Credentials are encrypted at rest with AES-256-GCM. Data in transit is protected with TLS 1.3 and HSTS preload. Postgres row-level security is applied on every table. We maintain audit logging and apply SSRF and CSP hardening. We run a penetration test at launch and annually. See /security for details and how to report a vulnerability.
10. Breach notification
We notify the relevant supervisory authority within 72 hours of becoming aware of a personal-data breach (GDPR Art. 33). When the breach poses a high risk to you, we will notify you directly (Art. 34).
11. Children
The Service is not intended for users under 16. We use an age gate at sign-up. If you believe a child has created an account, contact us and we will remove it.
12. Changes to this policy
We will email account holders before any material change takes effect. The "Last updated" date above always reflects the current version.
13. Contact
Data Protection Officer: dpo@quibo.cc. EU supervisory authority complaints: contact the data protection authority where you live or work.