Privacy Policy
Last updated: May 5, 2026
Coroid s.r.o., seated at Slovenská 52/A, 940 02 Nové Zámky, Slovakia (IČO: 48340031) ("we", "us"), is the Data Controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 ("GDPR"). This Privacy Policy explains how we collect, use, and disclose your personal data, and your rights under the GDPR.
For privacy enquiries, contact us at support@quantumbpm.com.
1. Information We Collect
- Account Information: Name, email address, password (stored as a salted hash), and organization details.
- Usage Data: Logs of API usage, execution history, and interaction with the web console.
- Payment Information: Processed by our Merchant of Record, Paddle. We do not access or store your full credit card details.
2. Lawful Basis for Processing
We process your personal data on the following lawful bases under Article 6(1) GDPR:
- Contract performance (Art. 6(1)(b)): account information, usage data, and payment records — to provide and maintain the Service and to fulfil our contract with you.
- Legal obligation (Art. 6(1)(c)): retention of invoices and accounting records — to comply with Slovak tax and accounting law.
- Legitimate interests (Art. 6(1)(f)): security logging, fraud prevention, abuse detection, and aggregate operational analytics — balanced against your fundamental rights and freedoms.
3. Use of Information
We use your information to:
- Provide and maintain the Service;
- Process payments and issue invoices;
- Send service-related notifications (e.g., invoices, password resets, security alerts);
- Improve the Service and analyse aggregate usage trends;
- Detect, prevent, and respond to fraud, abuse, and security incidents;
- Comply with legal obligations.
4. Data Storage and Retention
Your data is primarily stored on secure servers operated by Hetzner Online GmbH in the European Union (Germany / Finland). All data at rest is encrypted; backups are encrypted and access-controlled.
Retention Periods
- Account and personal data: deleted within 30 days after termination of your account.
- Invoices and accounting records: retained for 10 years from the end of the relevant accounting period, as required by Slovak Act No. 431/2002 Coll. on Accounting (§35) and Act No. 222/2004 Coll. on VAT.
- Server and security logs: retained for up to 90 days.
- Encrypted backups: may persist for up to 90 days after deletion of the primary record before being overwritten.
5. Data Sharing
We do not sell your personal data. We may share data with:
- Merchant of Record (Paddle.com Market Limited): for processing payments and managing subscriptions. Paddle acts as an independent data controller for payment data and as our processor for billing-related activities. See Paddle's Privacy Policy.
- Hosting Provider (Hetzner Online GmbH): as our processor, hosting the Service infrastructure within the EU.
- Legal Requirements: if required by law or in response to valid requests by public authorities (e.g., a court or a government agency).
International Transfers
While our primary servers are in the EU, some of our service providers (including Paddle) may process data in countries outside the EU/EEA, including the United States. We rely on:
- The EU-US Data Privacy Framework for US-based recipients certified to it; and
- Standard Contractual Clauses approved by the European Commission for transfers to other third countries, supplemented by appropriate technical and organisational measures.
6. Your Rights (GDPR)
You have the following rights under the GDPR:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion of your personal data.
- Restriction of processing (Art. 18) — request that we limit how we use your data in certain circumstances.
- Data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Objection (Art. 21) — object to processing based on our legitimate interests.
- Withdraw consent (Art. 7(3)) — withdraw consent at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint (Art. 77) — with a supervisory authority. The competent authority for Slovakia is the Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov SR), Hraničná 12, 820 07 Bratislava, dataprotection.gov.sk.
To exercise these rights, please contact us at support@quantumbpm.com. We will respond within one month, extendable by two further months for complex or numerous requests, in which case we will inform you.
7. Cookies
We use only essential cookies, required for authentication, session management, and security. These are loaded without consent under Article 5(3) of the ePrivacy Directive (necessary for the service requested by the user). We do not currently use analytics, advertising, or tracking cookies.
You can control cookies through your browser settings, although disabling essential cookies may prevent the Service from functioning correctly.
8. Automated Decision-Making
We do not engage in automated decision-making that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.
9. Data Protection Officer
We are not required to appoint a Data Protection Officer under Article 37 GDPR. For all privacy and data protection enquiries, please contact us at support@quantumbpm.com.
10. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS) and at rest, access controls, audit logging, and regular review of our security practices. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where the risk is high, notify you without undue delay (Art. 33–34 GDPR).
11. Changes to This Policy
We may update this Privacy Policy from time to time. The current version will always be posted on this page with an updated "Last updated" date. For material changes that affect your rights or the way we process your data, we will notify registered users by email at least 30 days before the changes take effect.