Preview: Quoderat is in early access. This site shows the concept and direction — onboarding is manual for now.
Quoderat

Privacy Policy

1. Information We Collect

1.1 Information You Provide

When you create an account, request a pilot, or contact us, we may collect:

  • Name and email address
  • Organization name and role
  • Account credentials (passwords are stored as bcrypt hashes, never in plain text)
  • Communication content when you contact our support

1.2 Information Collected Automatically

When you visit our website or use our platform, we automatically collect:

  • IP address — hashed with SHA-256 before storage; we never store raw IP addresses
  • Device type (desktop, mobile, or tablet) and browser type, derived from your user agent string
  • Pages visited, referrer URL, and viewport dimensions
  • UTM campaign parameters (source, medium, campaign) if present in the URL
  • A randomly generated visitor identifier stored in your browser's localStorage (not a cookie)

1.3 Third-Party Services

We use a self-hosted, privacy-first analytics system. We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts. Our analytics data never leaves our own infrastructure. For voice features, audio is processed via OpenAI's Realtime API using ephemeral session tokens; no audio is stored on our servers.

2. How We Use Your Information

We process your personal data for the following purposes:

  • Service delivery — to operate your account, execute jobs, and deliver results
  • Analytics — to understand how our platform is used and improve our services (using privacy-preserving, hashed identifiers only)
  • Security — to detect abuse, enforce rate limits, and block bot traffic
  • Communication — to send you service notifications, respond to your inquiries, and provide support

Legal Basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide our services to you
  • Legitimate interests (Art. 6(1)(f)) — analytics (with hashed identifiers), security, and abuse prevention
  • Consent (Art. 6(1)(a)) — where you have given explicit consent, such as subscribing to communications

3. Data Sharing and Disclosure

We do not sell your personal data. We may share data with:

  • Infrastructure providers — hosting and compute providers who process data on our behalf under data processing agreements
  • AI model providers — when you use Dirigent orchestration or voice features, your prompts and code context are sent to the configured LLM provider (e.g., OpenAI). No personal account data is included in these requests.
  • Legal requirements — when required by law, regulation, or valid legal process

International Transfers

Our primary infrastructure is located in the European Union. When data is transferred to AI model providers located outside the EU/EEA (e.g., OpenAI in the United States), such transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

4. Data Retention

  • Account data — retained for the duration of your account plus 30 days after deletion
  • Analytics events — retained for 365 days, then automatically purged
  • Job execution data — retained for the duration of your subscription; purged 90 days after account closure
  • Server logs — retained for 30 days for debugging and security purposes
  • Voice session data — not retained; ephemeral tokens expire within 2 minutes and no audio is stored

When data is deleted, it is removed from our active databases. Encrypted backups may retain data for up to an additional 30 days before being rotated.

5. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you
  • Right to rectification (Art. 16) — request correction of inaccurate personal data
  • Right to erasure (Art. 17) — request deletion of your personal data
  • Right to restrict processing (Art. 18) — request limitation of how we process your data
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests

To exercise any of these rights, email us at privacy@elk.solutions. We will respond within 30 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

6. Cookies and Tracking

Quoderat is designed to be privacy-first. Our tracking system does not use cookies.

What we use instead

  • localStorage — a randomly generated visitor identifier is stored in your browser's local storage to distinguish unique visitors. This data never leaves your browser except as part of analytics events sent to our own servers.
  • sessionStorage — a session identifier to group pageviews within a single browser session. It is automatically cleared when you close the tab.

Essential technical storage

  • Authentication tokens (JWT) stored in localStorage for maintaining your login session
  • User preferences (theme, API configuration) stored in localStorage

Since we do not use tracking cookies or third-party trackers, no cookie consent banner is required under the ePrivacy Directive. You can clear all locally stored data at any time through your browser settings.

7. Security Measures

Technical measures

  • All data in transit is encrypted using TLS 1.2 or higher
  • Passwords are hashed with bcrypt (adaptive cost factor)
  • IP addresses are SHA-256 hashed before storage — raw IPs are never persisted
  • API authentication via bearer tokens and JWT with configurable expiry
  • Rate limiting on all public endpoints to prevent abuse
  • Bot traffic detection and IP blocklist enforcement

Organizational measures

  • Access to production systems is restricted to authorized personnel
  • Infrastructure follows the principle of least privilege
  • Regular dependency audits and security updates

Incident response

In the event of a personal data breach, we will notify the Dutch Data Protection Authority within 72 hours as required by GDPR Art. 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34).

8. Contact Information

Data Controller

elk.solutions
The Netherlands

Privacy Inquiries

For questions about this policy or to exercise your data rights, contact us at: privacy@elk.solutions

General Contact

siebe@elk.solutions

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the date below and, where appropriate, provide additional notice via email or through our platform. Your continued use of Quoderat after changes are posted constitutes acceptance of the revised policy.

Last updated: February 19, 2026