Privacy Policy

Last updated: June 2, 2026

1. Who We Are

Quaterio is operated by Triple Down AB, org. nr 559333-6091, registered in Stockholm, Sweden. We are the data controller for the personal data processed through our Service. You can reach us at our contact page or by email at hello@quaterio.com.

2. What We Collect

We collect the following categories of personal data:

  • Account information: name, email address and authentication credentials when you create an account
  • Billing information: payment details processed securely through Stripe. We never store or have access to your full card number
  • Usage data: anonymized, cookieless analytics collected via our self-hosted Umami instance (page views, feature usage, Core Web Vitals). This data cannot be used to identify individual users. Only collected if you grant Measurement consent
  • Session recordings: a sampled subset of visits (around 25%) is recorded via rrweb, hosted on our self-hosted Umami instance. Recordings capture page interactions (clicks, scroll, navigation) with text inputs and form fields masked by default. Recordings are retained for 30 days and used only to identify usability issues. Only collected if you grant Measurement consent
  • Content: documents, templates and media you create or upload to the Service
  • Technical data: IP address, browser type and device information for security, error tracking and performance purposes
  • Contact and lead data: email address and selected preferences when you submit our contact form or sign up for guides

3. How We Use Your Data

We use your data to:

  • Provide, maintain and improve the Service
  • Process payments and manage subscriptions
  • Send service updates, security notices and transactional emails
  • Respond to support and contact requests
  • Detect and prevent abuse, fraud and security incidents
  • Comply with legal obligations

We do not use your data for advertising. We do not build advertising profiles. We do not sell your data.

4. Legal Basis (GDPR)

We process your data based on:

  • Contract: processing necessary to provide the Service you signed up for
  • Legitimate interest: improving the Service, preventing abuse and ensuring security
  • Legal obligation: tax, accounting and regulatory requirements under Swedish and EU law
  • Consent: optional communications such as product guides, which you can opt out of at any time

5. Data Sharing and Sub-processors

We do not sell your personal data. We share data only with service providers (sub-processors) who help us operate the Service:

| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| Vercel | Application hosting | Global (edge) |
| Stripe | Payment processing | US/EU |
| Resend | Transactional email delivery | US |
| Google reCAPTCHA | Bot detection on contact form | US |
| Umami (self-hosted) | Cookieless analytics and sampled session replay (rrweb) | EU |

All sub-processors are bound by data processing agreements. Where data is transferred outside the EU, adequate safeguards are in place (Standard Contractual Clauses or equivalent).

6. International Data Transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) and the sub-processor's own compliance certifications.

7. Data Retention

We retain your account data for as long as your account is active. After account deletion, we retain data for 30 days before permanent removal to allow for recovery. Billing records are retained for 7 years as required by Swedish accounting law. Anonymized analytics data is retained indefinitely as it cannot be linked to any individual. Session recordings are retained for 30 days, then automatically deleted.

8. Your Rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (right to be forgotten)
  • Port your data to another service in a machine-readable format
  • Object to or restrict certain processing
  • Withdraw consent at any time for consent-based processing

To exercise these rights, contact us at our contact page. We will respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.

9. Cookies and Consent

We use a minimal set of essential cookies. We do not use advertising or tracking cookies. Optional analytics and session recording run only after you grant Measurement consent through our consent banner. You can change or withdraw consent at any time. See our Cookie Policy for details.

10. Security

We use industry-standard security measures including encrypted data transmission (TLS), hashed credentials (bcrypt), hashed API tokens (SHA-256), role-based access controls and row-level security at the database layer. We conduct regular security reviews and promptly address vulnerabilities.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.

12. Changes

We may update this policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.

13. Contact

For privacy-related questions or to exercise your rights, contact us at our contact page or by email at hello@quaterio.com.