1. Information we collect
We collect three categories of information:
- Account information: name, work email, company, job title, and similar details you provide when you sign up, fill out a sales form, or contact us.
- Tenant data: the SBOMs, finding statuses, triage justifications, comments, team and component metadata, and configuration you upload to or generate inside Quaze.
- Operational telemetry: server logs, IP address, user-agent, request paths, error traces, and metrics needed to operate, secure, and debug the service.
- Analytics (opt-in): if you accept analytics cookies in the consent banner on quaze.io, we use Google Analytics 4 to understand which pages help visitors. Analytics is off by default. We do not run advertising cookies and do not share data with ad networks. See section 9 for details.
2. How we use it
We use your information to:
- operate, secure, and improve the Quaze service for you;
- match SBOMs against vulnerability intelligence and produce the findings, evidence packs, and notifications you've configured;
- communicate with you about your account, security alerts, and material changes to the service;
- handle billing, taxes, and customer support;
- comply with legal obligations and respond to lawful requests.
We do not sell your information. We do not use your tenant data to train shared machine-learning models.
3. Legal bases (for EEA / UK users)
Where the GDPR applies, we rely on the following legal bases: performance of a contract (operating the service you signed up for), legitimate interests (securing and improving the service, preventing abuse), legal obligation (tax, accounting, lawful requests), and consent (where required, e.g. for non-essential cookies).
4. Sharing and sub-processors
We rely on a small set of vetted sub-processors to deliver the service:
- cloud infrastructure provider, for hosting, storage, and managed databases;
- payment processor, for subscription billing and invoicing;
- transactional email provider, for sign-in emails, notifications, and scheduled reports;
- contact-form provider (Web3Forms), which handles delivery of messages from the "Talk to sales" form on quaze.io.
A current list with named providers is on the security page. Enterprise customers can request the detailed list, contractual terms, and a Data Processing Agreement (DPA).
We may also disclose information when required by law, subpoena, or court order, or to protect the rights, property, or safety of Quaze, our customers, or the public. Where legally permitted, we will notify you first.
5. International transfers
Quaze runs on a major cloud provider in the region we set up for your account. Some of our sub-processors are located outside the region your data is hosted in. Where personal data is transferred internationally from the EEA or UK, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.
6. Retention
Account information is retained while your account is active and for a short period after closure to handle billing, disputes, and legal obligations. Tenant data inside the platform follows the retention windows of your subscription plan: 7 days on Free, 90 days on Starter, 1 year on Team, and 3 years on Enterprise. Operational logs are retained for the period needed to debug, audit, and secure the service.
7. Security
We encrypt data in transit (modern TLS) and at rest. Access by Quaze personnel is least-privilege and audited. We use multi-factor authentication for our internal systems and run vulnerability scans and dependency checks on Quaze itself. More detail is on the security page.
No system is perfect. Report a suspected security issue to security@quaze.io and we will acknowledge within two business days.
8. Your rights
Depending on where you are based, you may have rights to access, correct, port, or delete your personal data, to object to or restrict certain processing, and to withdraw consent. To exercise these rights, contact us at legal@quaze.io. Where Quaze processes data on behalf of a customer (for example, where you are an end user of a customer's Quaze workspace), please contact that customer first; we will support them in responding.
EEA / UK users may also lodge a complaint with their local supervisory authority.
10. Children
Quaze is intended for use by businesses, not children. We do not knowingly collect personal data from anyone under 16.
11. Changes to this notice
We may update this notice from time to time. The "Last updated" date at the top of this page reflects the latest version. Material changes will be announced through an in-app notice or by email at least 30 days in advance.
12. Contact
For questions or to exercise any of your rights under this notice, write to legal@quaze.io.