Privacy Policy

Read the agreements, policies, and terms that govern your use of the Just QA platform.

JustQA Platform

Privacy Policy

Last updated: 13 May 2026

Welcome to the JustQA Privacy Policy (the "Policy").

This Policy explains how Nerqis Ltd, a company incorporated under the laws of the Republic of Cyprus, with registered office at 7 Magdanis Street, Flat/Office 101, Kato Polemidia, 4152 Limassol, Cyprus and registration number HE487200 (the "Company", "we", "us", or "our"), collects, uses, stores, shares, protects, and otherwise processes personal data in connection with the JustQA platform, website, software-as-a-service solution, AI-assisted testing features, subscriptions, usage credits, support services, and related services (together, the "Platform" or the "Services").

This Policy applies to visitors, registered users, customers, business users, account administrators, workspace members, trial users, and individuals whose personal data may be submitted to or processed through the Platform.

We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR"), applicable Cyprus data protection legislation, and other applicable privacy and data protection laws.

1. Who We Are

The Platform is operated by:

NERQIS LTD
Magdani 7, Office 101
4152 Limassol
Cyprus
Email: [email protected]

For privacy-related requests, including requests to exercise data protection rights, please contact us at [email protected].

2. Our Role Under Data Protection Law

Depending on the context, NERQIS may act either as a data controller or as a data processor.

2.1 When We Act as Data Controller

We act as a data controller when we determine the purposes and means of processing personal data, including where we process personal data for:

  • account creation and user authentication;
  • subscription management, billing records, and payment confirmations;
  • customer support and communications;
  • website analytics, diagnostics, security, and fraud prevention;
  • marketing communications, where permitted by law;
  • compliance with legal obligations;
  • administration of our business and enforcement of our Terms.

2.2 When We Act as Data Processor

Where a business customer, workspace owner, or organisation uploads, submits, generates, or otherwise processes personal data through the Platform for its own purposes, including personal data contained in websites, test scenarios, prompts, instructions, bug reports, logs, screenshots, automated test outputs, or other uploaded materials ("Customer Data"), we generally process such Customer Data on behalf of that customer as a data processor.

In that case, the customer is responsible for ensuring that it has a lawful basis to upload and process such Customer Data through the Platform and for providing any required notices to relevant individuals.

Where required, the processing of Customer Data on behalf of business customers is governed by our Data Processing Agreement (DPA). If there is a conflict between this Policy and the DPA regarding Customer Data processed on behalf of a business customer, the DPA will prevail for that processing.

3. Scope of This Policy

This Policy applies to personal data processed by NERQIS in connection with JustQA.

It does not apply to:

  • third-party websites, platforms, tools, or services that are not controlled by us;
  • payment providers' own processing of payment card or banking information;
  • customer-controlled systems, websites, applications, repositories, or environments tested using the Platform;
  • personal data processed by business customers as independent controllers.

Where you access third-party services through links or integrations, those third parties may process your personal data under their own privacy policies.

4. Personal Data We Collect

We collect only personal data that is reasonably necessary to provide, secure, maintain, improve, and administer the Platform, comply with legal obligations, and protect our rights and users.

4.1 Account and Identity Data

We may collect:

  • name;
  • email address;
  • password or authentication credentials;
  • account ID;
  • organisation or company name;
  • role, job title, or workspace role;
  • profile details and account settings;
  • authentication provider identifiers, where you sign in through a third-party login provider.

4.2 Business and Workspace Data

For business accounts and workspaces, we may collect:

  • workspace name;
  • team member names and email addresses;
  • administrator and permission settings;
  • invite records;
  • workspace activity;
  • plan, subscription, and usage limits;
  • billing contact details;
  • company address and tax-related details, where applicable.

4.3 Subscription, Billing, and Transaction Data

We may collect and maintain limited billing and transaction records, including:

  • subscription plan;
  • billing cycle;
  • purchase confirmations;
  • invoice details;
  • internal transaction identifiers;
  • payment status;
  • refund or chargeback records;
  • usage credit or coin balance;
  • allocation, consumption, expiry, and top-up records for usage credits.

Payments are processed by authorised third-party payment providers. We do not collect, store, or process full payment card numbers, CVV codes, or banking credentials.

4.4 User Content and Customer Data

The Platform allows users to upload, submit, generate, analyse, and process content for automated software testing and AI-assisted testing purposes. This may include:

  • website URLs;
  • page content and metadata;
  • prompts, instructions, and testing requirements;
  • test scenarios and test cases;
  • bug reports;
  • screenshots or page captures;
  • logs and diagnostic outputs;
  • generated automated tests;
  • test execution results;
  • project names and workflow information;
  • other materials submitted to the Platform.

Such content may contain personal data depending on what the customer or user submits. Users and customers are responsible for ensuring that they have the necessary rights, permissions, notices, and lawful basis to submit such content to the Platform.

4.5 AI Feature Data

When you use AI-assisted features, we may process:

  • prompts and instructions;
  • selected website or application content;
  • test generation parameters;
  • AI-generated outputs;
  • feedback on generated outputs;
  • usage patterns related to AI features;
  • error logs and performance data.

We use this data to provide the AI-assisted features, generate test outputs, maintain safety and security, troubleshoot issues, improve user experience, and monitor service performance.

We do not use your User Content or Customer Data to train shared or general AI models that benefit other users unless you have explicitly consented or agreed otherwise in writing.

4.6 Usage and Activity Data

We may collect information about how users interact with the Platform, including:

  • pages and features accessed;
  • test generation activity;
  • number and type of test runs;
  • feature interactions;
  • workspace activity;
  • clicks and navigation events;
  • search queries within the Platform;
  • session duration;
  • usage credit consumption;
  • subscription-related activity;
  • preferences and saved settings.

4.7 Device, Technical, and Log Data

We may collect:

  • IP address;
  • browser type and version;
  • device type;
  • operating system;
  • time zone;
  • approximate location derived from IP address;
  • language settings;
  • log files;
  • crash reports;
  • diagnostic data;
  • performance data;
  • security events;
  • cookie and local storage identifiers.

4.8 Cookies, Analytics, and Tracking Technologies

Because JustQA operates as a web-based service, we may use cookies, local storage, SDKs, pixels, tags, log files, and similar technologies to:

  • operate the Platform;
  • keep users logged in;
  • remember preferences;
  • secure accounts;
  • detect fraud or abuse;
  • measure performance;
  • analyse usage;
  • diagnose bugs and service issues;
  • improve functionality.

These technologies may include analytics and monitoring tools such as Google Analytics, Sentry, or similar services.

Where required by law, non-essential cookies and tracking technologies will be used only with consent. More information may be provided in our Cookies and Tracking Technologies Notice.

4.9 Communications Data

We may collect and process communications with us, including:

  • support messages;
  • emails;
  • contact form submissions;
  • feedback;
  • survey responses;
  • complaint and dispute correspondence;
  • records of messages we send to you and your interaction with them.

4.10 Marketing Data

Where permitted by law, we may process:

  • marketing preferences;
  • email engagement data;
  • product interest information;
  • campaign interaction data;
  • consent and opt-out records.

We do not sell personal data and do not use personal data for behavioural advertising unless expressly stated and, where required, consent has been obtained.

4.11 Information From Third Parties

We may receive limited personal data from:

  • authentication providers;
  • payment processors;
  • analytics and diagnostics providers;
  • fraud prevention providers;
  • business customers or workspace administrators;
  • users who invite or refer you;
  • publicly available business sources, where relevant for B2B communications.

5. Special Categories of Personal Data

The Platform is not designed to collect or process special categories of personal data, such as health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, or data concerning sex life or sexual orientation.

Users and customers must not intentionally submit special categories of personal data to the Platform unless they have a valid lawful basis and all required safeguards under applicable law.

We do not knowingly collect biometric identifiers and do not access biometric data stored on users' devices.

6. How We Use Personal Data and Legal Bases

We process personal data only where we have a lawful basis under applicable data protection law.

6.1 To Provide and Operate the Platform

We use personal data to:

  • create and manage accounts;
  • authenticate users;
  • provide access to workspaces;
  • deliver automated testing and AI-assisted features;
  • analyse websites and generate tests;
  • process test instructions and outputs;
  • manage subscriptions and usage credits;
  • provide customer support;
  • maintain user preferences.

Legal bases: performance of a contract; legitimate interests; where applicable, processing on behalf of a customer under a DPA.

6.2 To Process Subscriptions, Payments, Credits, and Refunds

We use limited billing and transaction data to:

  • administer subscriptions;
  • allocate usage credits or coins;
  • record credit consumption and expiry;
  • process invoices and receipts;
  • verify payment status;
  • handle refunds, chargebacks, and billing disputes;
  • maintain accounting and tax records.

Legal bases: performance of a contract; compliance with legal obligations; legitimate interests.

6.3 To Provide AI-Assisted Features

We process prompts, instructions, website content, test scenarios, generated outputs, and related usage data to:

  • generate automated tests;
  • analyse websites or application flows;
  • process user instructions;
  • provide AI-assisted outputs;
  • improve reliability, safety, and performance of AI-assisted features;
  • troubleshoot errors and prevent misuse.

Legal bases: performance of a contract; legitimate interests; where applicable, processing on behalf of a customer under a DPA.

We do not use Customer Data or User Content to train shared or general AI models for other users unless you have explicitly consented or agreed otherwise in writing.

6.4 To Secure the Platform and Prevent Abuse

We process data to:

  • monitor security events;
  • detect unauthorised access;
  • prevent fraud, spam, scraping, abuse, and misuse of AI features;
  • enforce usage limits;
  • investigate suspicious activity;
  • protect the Platform, users, and third parties.

Legal bases: legitimate interests; compliance with legal obligations.

6.5 To Improve and Develop the Platform

We may use usage data, diagnostic data, aggregated data, and anonymised data to:

  • understand feature performance;
  • improve reliability and functionality;
  • develop new features;
  • improve user experience;
  • identify and fix technical issues;
  • evaluate service performance.

Where possible, we use aggregated or anonymised data that does not identify any individual or business.

Legal bases: legitimate interests; consent where required; anonymised data is not personal data under GDPR once irreversibly anonymised.

Where we rely on legitimate interests as a legal basis, we carry out a balancing assessment to ensure that such interests are not overridden by the rights and freedoms of individuals.

6.6 To Communicate With You

We may use personal data to:

  • send service messages;
  • respond to support requests;
  • provide security alerts;
  • send billing notices;
  • notify you about changes to the Platform, Terms, policies, or subscriptions;
  • provide administrative information.

Legal bases: performance of a contract; legitimate interests; compliance with legal obligations.

6.7 To Send Marketing Communications

Where permitted, we may send product updates, offers, newsletters, and promotional communications.

You may opt out of marketing communications at any time. Service-related and transactional messages may still be sent where necessary.

Legal bases: consent where required; legitimate interests where permitted by law.

6.8 To Comply With Law and Enforce Rights

We may process personal data to:

  • comply with legal obligations;
  • respond to lawful requests from authorities;
  • maintain tax and accounting records;
  • resolve disputes;
  • enforce our Terms, Refund Policy, and other policies;
  • protect our legal rights and interests.

Legal bases: compliance with legal obligations; legitimate interests; establishment, exercise, or defence of legal claims.

7. AI, Automation, and Model Training

JustQA includes AI-assisted features that may generate tests, test scenarios, explanations, recommendations, or other outputs.

AI-generated outputs may be inaccurate, incomplete, or unsuitable for a particular use case. Users are responsible for reviewing, validating, and testing outputs before relying on them.

We do not use User Content or Customer Data to train shared or general AI models that benefit other users unless you have explicitly consented or agreed otherwise in writing.

We may use anonymised or aggregated data, diagnostic information, and performance metrics to improve the Platform, provided such data does not identify you, your users, your business, or your confidential materials.

Where we use third-party AI infrastructure or service providers, such providers may process submitted data only as necessary to provide the Services to us and subject to contractual confidentiality, security, and data protection obligations.

Where AI features are powered or supported by third-party service providers, such providers process data solely for the purpose of providing services to us and are contractually prohibited from using such data for training their own models or for independent purposes.

Where AI-assisted features rely on third-party providers, such providers may include AI infrastructure or model providers located in the European Economic Area or in jurisdictions such as the United States.

These providers process data strictly on our behalf and are contractually restricted from using such data to train their own models or for independent purposes.

8. Customer Data and Uploaded Content

Users and business customers retain ownership of content they upload, submit, create, or generate through the Platform.

We process User Content and Customer Data solely for the purposes of:

  • providing the Services;
  • analysing websites or applications submitted by users;
  • generating automated tests;
  • processing instructions submitted through AI-assisted features;
  • maintaining account functionality;
  • ensuring security and preventing misuse;
  • troubleshooting and support;
  • complying with legal obligations;
  • improving performance using anonymised or aggregated data.

We do not access, use, or disclose User Content or Customer Data for unrelated purposes.

9. Sharing Personal Data

We do not sell personal data.

We may share personal data only as described below and only where necessary.

9.1 Service Providers

We may share personal data with trusted service providers that help us operate the Platform, including providers of:

  • cloud hosting and infrastructure;
  • database storage;
  • payment processing;
  • billing and invoicing;
  • analytics;
  • diagnostics and crash reporting;
  • AI infrastructure or model hosting;
  • email delivery;
  • customer support;
  • authentication;
  • security and fraud prevention;
  • SMS or email verification;
  • logging and monitoring.

Such providers may access personal data only as needed to perform services for us and must process it under contractual confidentiality, security, and data protection obligations.

9.2 Payment Processors

Payments are processed by third-party payment providers. These providers process payment information under their own terms and privacy policies.

We receive only limited transaction metadata, such as payment confirmation, subscription status, customer ID, invoice information, and payment status, as needed to provide the Platform and maintain records.

9.3 Workspace Administrators and Business Customers

If your account is part of a business workspace, the workspace owner or administrator may access certain information about your account and activity, including:

  • name and email address;
  • workspace role;
  • invitation status;
  • usage activity;
  • generated tests or project activity;
  • access permissions;
  • subscription or billing-related workspace information.

If you use the Platform through an organisation, that organisation may be responsible for certain processing of your personal data.

9.4 Legal and Regulatory Disclosures

We may disclose personal data where required or permitted by law, including to:

  • courts;
  • regulators;
  • law enforcement agencies;
  • tax authorities;
  • government bodies;
  • professional advisers.

We may also disclose data where necessary to protect rights, safety, security, users, the Platform, or third parties.

9.5 Business Transfers

If we are involved in a merger, acquisition, financing, reorganisation, sale of assets, or similar business transaction, personal data may be transferred as part of that transaction, subject to appropriate confidentiality and data protection safeguards.

10. International Data Transfers

Personal data may be processed in countries outside the European Economic Area (EEA), including where our service providers, infrastructure, or support providers are located.

Where personal data is transferred outside the EEA, we implement appropriate safeguards in accordance with GDPR, which may include:

  • adequacy decisions adopted by the European Commission;
  • Standard Contractual Clauses approved by the European Commission;
  • transfer impact assessments where required;
  • contractual, organisational, and technical security measures;
  • other lawful transfer mechanisms under applicable data protection law.

You may contact us to request further information about safeguards used for international transfers. Such transfers may include processing by service providers located in jurisdictions such as the United States or other countries outside the EEA.

11. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Retention periods may vary depending on the type of data and the reason for processing.

As a general guide:

  • account data is retained for the duration of the account and for up to 30–90 days after account closure, unless a longer retention period is required by law or necessary to resolve disputes or enforce agreements;
  • billing, invoice, and tax records are retained for the period required by applicable accounting and tax laws;
  • security logs, diagnostics, and technical data are typically retained for up to 30–90 days, unless required for security investigations or legal compliance;
  • support communications are retained for up to 12–24 months for customer service, dispute resolution, and legal record purposes;
  • User Content and Customer Data are retained while necessary to provide the Services or as configured by the customer, unless deletion is requested or required by law;
  • anonymised and aggregated data may be retained indefinitely where it no longer identifies any individual or business.

These retention periods may be extended where necessary to comply with legal obligations, resolve disputes, enforce agreements, or protect our legal rights.

When personal data is no longer required, we delete, anonymise, or securely isolate it in accordance with applicable law and our internal procedures.

Backup copies may persist for a limited period before being overwritten or deleted in the ordinary course of backup cycles.

12. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure, or destruction.

These measures may include:

  • encryption in transit;
  • access controls;
  • authentication controls;
  • role-based access restrictions;
  • logging and monitoring;
  • vulnerability management;
  • secure development practices;
  • employee confidentiality obligations;
  • limited access based on business need;
  • incident response procedures;
  • vendor security review processes.

No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we maintain safeguards proportionate to the nature of the data and risks involved.

Users are responsible for maintaining the confidentiality of their login credentials and for securing their own systems, devices, applications, and websites connected to or tested through the Platform.

13. Cookies and Similar Technologies

We use cookies and similar technologies to provide, secure, maintain, and improve the Platform.

Cookies may be:

  • strictly necessary, required for login, security, session management, and core functionality;
  • functional, used to remember preferences and settings;
  • analytics, used to understand usage and improve performance;
  • marketing, used only if introduced in the future and where legally permitted.

Where required by applicable law, we obtain consent before using non-essential cookies or tracking technologies.

You may manage cookies through browser settings and, where available, through our cookie consent tools. Disabling some cookies may affect Platform functionality.

More information may be provided in our Cookies and Tracking Technologies Notice.

14. Your Rights

Subject to applicable law and any limitations that may apply, you may have the following rights regarding your personal data:

14.1 Right of Access

You may request confirmation as to whether we process your personal data and request a copy of such data.

14.2 Right to Rectification

You may request correction of inaccurate or incomplete personal data.

14.3 Right to Erasure

You may request deletion of your personal data where permitted by law.

14.4 Right to Restriction

You may request that we restrict processing of your personal data in certain circumstances.

14.5 Right to Object

You may object to processing based on legitimate interests or direct marketing.

14.6 Right to Data Portability

Where applicable, you may request to receive certain personal data in a structured, commonly used, machine-readable format.

14.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

14.8 Rights Related to Automated Decision-Making

You may have rights regarding automated decision-making that produces legal or similarly significant effects. The Platform does not currently make decisions based solely on automated processing that produce legal or similarly significant effects on users.

14.9 Right to Lodge a Complaint

You may lodge a complaint with a data protection authority. In Cyprus, the competent authority is the Office of the Commissioner for Personal Data Protection.

Contact: [email protected]

15. Exercising Your Rights

To exercise your rights, contact us at:

[email protected]

We may ask you to verify your identity before responding. We will respond within the timeframe required by applicable law.

If your personal data is processed by us on behalf of a business customer, we may refer your request to that customer or assist the customer in responding, depending on the circumstances and applicable law.

16. Business Customers and End-User Requests

If you are an individual whose personal data has been submitted to the Platform by a business customer, such as through a tested website, test scenario, prompt, bug report, log, or uploaded material, that business customer may be the controller of your personal data.

In such cases, you should contact the relevant business customer directly to exercise your rights. We will assist business customers in handling valid data subject requests as required under our DPA and applicable law.

17. Children

The Platform is not intended for individuals under the age of 18.

We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a person under 18, we will take reasonable steps to delete such data, unless retention is required by law.

If you believe that a person under 18 has provided personal data to us, please contact us at [email protected].

18. Marketing Communications

Where permitted by law, we may send you product updates, newsletters, offers, and other marketing communications.

You may opt out at any time by using the unsubscribe link in our emails, adjusting communication preferences where available, or contacting us.

Even if you opt out of marketing communications, we may still send service, security, billing, and administrative messages.

19. Do Not Sell or Share Personal Data

We do not sell personal data.

We do not share personal data with third parties for their independent behavioural advertising purposes unless expressly stated and, where required, with your consent.

20. Changes to This Policy

We may update this Policy from time to time to reflect changes in our Services, legal requirements, technologies, or business practices.

When we update this Policy, we will change the "Last updated" date above.

Where changes materially affect your privacy rights or how we process personal data, we will provide reasonable notice, which may include notice through the Platform or by email. Where required by law, we will obtain consent before applying changes.

21. Contact Us

For questions, concerns, complaints, or requests regarding this Policy or our privacy practices, please contact:

NERQIS LTD
Magdani 7, Office 101
4152 Limassol
Cyprus
Email: [email protected]