DRAFT — PENDING ATTORNEY REVIEW
This document has not been reviewed by legal counsel. Do not rely on it as final.
Privacy Policy
Effective date: April 8, 2026 · Last updated: April 23, 2026
1. Overview
2. Data We Collect
We collect metadata only. We never collect source code, file contents, or conversation transcripts.
From GitHub (via OAuth):
- User profile (name, email, username)
- Repository names and metadata
- Commit messages, timestamps, author info, branch names
- Line count changes (additions/deletions)
From available editor plugins (Claude Code, Codex):
- Project name (workspace folder name only)
- Programming language
- File extension (e.g., .ts, .py — not the file path or name)
- Git branch name
- Timestamps and duration
- Editor type
From plugin status checks (API key authenticated):
- Last heartbeat timestamp for the assigned team member
- Recent tracked-minute summaries (last 24 hours and last 7 days)
- Recent active project names and session summaries for that assigned team member
Account and billing:
- Email address, name, GitHub username
- Company name, team member names and roles
- Salary/hourly rate data (for credit calculation)
- Stripe customer and subscription IDs (payment processing handled entirely by Stripe)
3. What We Never Collect
- Source code or file contents
- Full file paths
- AI conversation contents or prompts
- Screenshots or screen recordings
- Keystrokes beyond activity detection
- Browsing history
- Personal files unrelated to development
4. How We Use Your Data
- Track and classify R&D development activity
- Calculate estimated R&D tax credits
- Generate Form 6765 supporting documentation
- Provide dashboard analytics
- Process billing via Stripe
- Send service-related communications
We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as required to provide the Service (Stripe for billing, Google Gemini for AI classification — see Section 6).
5. Data Storage and Security
- Data is stored on Cloudflare infrastructure (D1 database, KV store, R2 storage)
- OAuth tokens are encrypted with AES-256-GCM
- API keys are stored as SHA-256 hashes (plaintext never stored)
- Sessions use cryptographically random IDs with 24-hour expiry
- All connections use HTTPS/TLS
- CSRF protection on all mutating endpoints
6. Third-Party Services
- GitHub: OAuth authentication and repository data. Subject to GitHub’s privacy policy.
- Stripe: Payment processing. We never see or store your full card number. Subject to Stripe’s privacy policy.
- Google Gemini: AI classification of activity blocks. We send commit messages and activity metadata (not source code) for classification. Subject to Google’s AI terms.
- Cloudflare: Infrastructure hosting. Subject to Cloudflare’s privacy policy.
7. Data Retention
- Activity data is retained for the duration of your subscription plus 90 days
- Generated documents are retained for 30 days after creation
- Upon account deletion, all data is permanently removed within 30 days
8. Your Rights
You may:
- Request a copy of all data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and all associated data
- Revoke GitHub OAuth access at any time
- Deactivate API keys at any time
To exercise these rights, contact privacy@quarryfi.com.
API keys are seat-scoped operational credentials. A valid plugin key can submit heartbeats and read the status summaries described above for its assigned team member.
9. Cookies
qf_session) for authentication. It is HttpOnly, Secure, SameSite=Lax, and expires after 24 hours. We do not use tracking cookies, analytics cookies, or third-party cookies.