DRAFT - PENDING ATTORNEY REVIEW

This document has not been reviewed by legal counsel. Do not rely on it as final legal advice.

Privacy Policy

Effective date: April 8, 2026 · Last updated: June 12, 2026

1. Overview

QuarryFi is operated by SmashedStudios LLC. This policy explains what information we collect, how we use it, and the choices available to you. QuarryFi is designed to collect development and tax-support metadata, not source code, file contents, private messages, or payment card numbers.

2. Information We Collect

Account, company, and access information:

  • Name, email address, login provider identifiers, and GitHub username when you connect GitHub.
  • Company name, subscription tier, role, admin/delegate access settings, and account status.
  • Session records, CSRF records, magic-link state, OAuth state, and audit events needed for authentication and security.

Repository and development metadata:

  • Repository names, repository IDs, installation/account metadata, connected project links, and branch names.
  • Commit SHAs, commit messages, timestamps, author names/emails, additions, deletions, files-changed counts, and related classification status.
  • File name, path, extension, and change-status metadata may be processed when available for classification evidence. We do not collect source code, code diffs, or file contents.

Plugin heartbeat metadata from Claude Code and Codex:

  • Project/workspace name, programming language, file type or extension, branch, source plugin, editor type, timestamps, duration, and session ID.
  • Plugin diagnostics such as plugin version, runtime channel, hook mode, install revision, last contact, last accepted heartbeat, and recent error code.
  • Seat-scoped status summaries, including recent tracked minutes, active project names, heartbeat counts, and freshness state.

Team, compensation, and tax-support inputs:

  • Team member names, job titles, work location, Git email mappings, activity schedules, and project assignments.
  • Date-effective W-2 salary or hourly records, contractor hourly records, contractor flat-fee or milestone allocations, notes, review status, and coverage diagnostics.
  • Owner/founder status, owner tax-treatment selection, owner payments/draws, allocation dates, review status, and planning-estimate flags.
  • Tax years, prior-year qualified research expenses, gross receipts, credit estimates, readiness checks, and generated report metadata.

R&E expense information:

  • Manual expense entries and accepted or needs-review CSV candidates, including date, description, vendor/category inference, amount, tax year, status, and notes.
  • CSV import audit metadata such as sanitized filename, file size, row counts, accepted/ignored/error counts, SHA-256 file hash, uploader, upload time, and rule version.
  • Raw CSV uploads are parsed for the import workflow and are not intended to be permanently retained after structured records and audit metadata are created.

Billing and service operations:

  • Stripe customer IDs, subscription IDs, product IDs, price IDs, promotion-code or coupon metadata, price/tier selections, checkout events, subscription state, billing mode, and portal session metadata.
  • Generated PDF/document records and private storage keys for documents served through authenticated download routes.
  • Security, rate-limit, webhook, sync, classification-usage, regulatory-watch, and operator audit records needed to run and protect the Service.

3. Information We Do Not Collect

  • Source code, code diffs, or file contents.
  • AI conversation transcripts, prompts, or assistant responses from your editor.
  • Screenshots, screen recordings, browsing history, or non-development personal files.
  • Keystroke contents. Plugins send session/activity metadata only.
  • Full payment card numbers, bank account credentials, Social Security numbers, or government IDs.

4. How We Use Information

  • Authenticate users, manage sessions, enforce admin access, and secure API routes.
  • Connect authorized repositories and editor plugins to project and team-member records.
  • Classify activity against R&D tax-credit criteria and generate support narratives.
  • Calculate planning estimates for wage, contractor, owner, and R&E expense support.
  • Run export readiness checks and generate supporting documents for your review and your tax professional.
  • Process subscription billing through Stripe and provide account support.
  • Detect abuse, troubleshoot sync/plugin issues, audit admin actions, and maintain platform reliability.

We do not sell personal information. We do not use your information for third-party advertising or cross-context behavioral advertising.

5. Third-Party Services

  • GitHub: Authentication, repository authorization, installation metadata, and commit metadata.
  • Google: Google sign-in when used, and Gemini AI classification of commit/activity metadata. We do not send source code.
  • Stripe: Checkout, subscription management, customer portal, and payment processing. We do not receive or store full card numbers.
  • Cloudflare: Hosting, Workers, D1 database, KV, R2 private object storage, and edge security infrastructure.

6. Storage and Security

  • Application data is stored on Cloudflare infrastructure using D1, KV, and private R2 storage.
  • OAuth tokens are encrypted with AES-256-GCM. API keys are stored as SHA-256 hashes; plaintext API keys are shown only at creation.
  • Session cookies are HttpOnly, Secure, SameSite=Lax, and expire after 24 hours.
  • Mutating endpoints use CSRF protection, and authenticated routes authorize access to the specific company, seat, project, export, or admin resource.
  • Generated documents are stored privately and served through authenticated download routes rather than a public bucket.
  • Admin/operator actions are audited. Admin access is limited by configured admin emails and managed delegate records.

7. Data Retention and Deletion

  • Session and temporary authentication state expire automatically, generally within 24 hours or after use.
  • Development activity, compensation records, owner payment records, expense records, tax-support inputs, audit logs, and generated-document records are retained while your account is active because they support tax documentation and audit trails.
  • Raw expense CSV files are not intended to be permanently retained after parsing. Structured expense records and import audit metadata may remain until deleted or until the account is closed.
  • Generated documents may remain in private storage until deleted, replaced, or removed through account deletion or a deletion request.
  • Upon a verified deletion request, we will delete or de-identify account data within 30 days where feasible, unless retention is required for security, billing, legal, dispute, or tax-support reasons.

8. Your Choices and Rights

You may:

  • Request a copy of account and company data associated with you.
  • Request correction or deletion of inaccurate information.
  • Revoke GitHub OAuth or GitHub App access through GitHub.
  • Deactivate plugin API keys and remove team members or repository connections.
  • Delete or update compensation, owner payment, contractor allocation, and expense records when the app allows it.

To exercise privacy rights, contact privacy@quarryfi.com. While QuarryFi is operating on the workers.dev preview domain, you may also contact smashedstudiosllc@gmail.com.

API keys are seat-scoped operational credentials. A valid plugin key can submit heartbeats and read the status summaries described above for its assigned team member.

9. Cookies

We use a session cookie (qf_session) for authentication. It is HttpOnly, Secure, SameSite=Lax, and expires after 24 hours. We do not use advertising cookies or third-party analytics cookies.

10. Children

QuarryFi is intended for business users and is not directed to children under 13. Do not use the Service if you are under 13.

11. Changes to This Policy

We may update this policy as the product, vendors, or legal requirements change. Material changes will be communicated by email or in-app notice when practical. Continued use after changes means you accept the updated policy.

12. Contact

Privacy questions: privacy@quarryfi.com or smashedstudiosllc@gmail.com while the pre-launch workers.dev preview is in use.