Last updated: April 3, 2026
This Privacy Policy explains how Simplethis s.r.o. ("we", "us", "our"), a company registered in the Slovak Republic (ICO: 50779095, DIC: 2120470440), collects, uses, stores, and protects your personal data when you use the QVIKS platform at qviks.com and any associated subdomains or custom domains (collectively, "the Service").
QVIKS is a business management platform that enables service professionals ("Admins") to manage their client relationships, bookings, and payments. If you are a client of a business that uses QVIKS ("Client"), your business provider is the data controller for your data, and we act as a data processor on their behalf. For data we collect directly (account registration, platform usage), we act as the data controller.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
Data Controller: When you create an account on QVIKS or interact with us directly, Simplethis s.r.o. is the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR).
Data Processor: When an Admin uses QVIKS to manage their clients, we process Client personal data on behalf of the Admin (the data controller). In this capacity, we act as a data processor and process data only as instructed by the Admin and in accordance with our Data Processing Agreement.
If you are a Client and have questions about how your data is used, we recommend contacting the business that manages your account through QVIKS. You may also contact us directly at hello@qviks.com.
Account Information: When you register, we collect your email address and password (stored as a cryptographic hash). If you sign up via Google, we receive your Google account ID and email address.
Profile Information: Your name, avatar image, and dashboard layout preferences.
Contact Information (managed by Admins): First name, last name, email, phone number, physical address, date of birth, social media profiles (Instagram, LinkedIn, YouTube), and any notes or custom data fields the Admin chooses to create.
Booking and Event Data: Event registrations, booking requests, slot preferences, recurring subscription details, and attendance records.
Payment Information: Payment amounts, dates, statuses, and Stripe session identifiers. We do not store credit card numbers or full payment credentials — these are handled exclusively by Stripe.
Communication Data: Internal messages sent through the platform between Admins and Clients.
Technical and Usage Data: IP address (logged in audit trails), browser type, device information, pages visited, actions performed, and timestamps. This data is collected automatically when you use the Service.
Files and Documents: Avatars, logos, workshop images (stored publicly), and invoices, contracts, or other documents uploaded by Admins (stored privately with access controls).
We process your personal data based on the following legal grounds under GDPR Article 6:
Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for — account management, bookings, payments, and communication features.
Legitimate Interest (Art. 6(1)(f)): Platform security, fraud prevention, audit logging, service improvement, and analytics. We balance our interests against your rights and only process data where the impact on you is minimal and expected.
Legal Obligation (Art. 6(1)(c)): Where we are required to retain data for tax, accounting, or regulatory compliance.
Consent (Art. 6(1)(a)): For optional processing such as email marketing via MailerLite. You can withdraw consent at any time without affecting the lawfulness of prior processing.
Providing the Service: Account authentication, managing bookings and events, processing payments, enabling communication between Admins and Clients, and delivering notifications.
Platform Security: Audit logging of actions (including IP addresses) to detect unauthorized access, investigate incidents, and maintain the integrity of the Service.
Service Improvement: Analyzing usage patterns in aggregate to improve features, fix bugs, and enhance the user experience. We do not use your personal data for automated profiling or decision-making.
Email Communications: Admins may use the integrated MailerLite connection to send marketing emails to their subscribers. You can unsubscribe at any time using the link in any marketing email.
Customer Support: Responding to your inquiries and resolving issues with your account.
We share your data only with trusted third-party service providers who are necessary to operate the Service. We do not sell, rent, or trade your personal data to any third party.
Turso (LibSQL): Our primary database provider. All data is stored in the European Union (AWS eu-west-1 region, Ireland). Turso processes data in accordance with their privacy policy and applicable data protection agreements.
Stripe: Handles payment processing. When you make a payment, Stripe receives the necessary transaction data. Stripe is PCI DSS Level 1 certified and processes data under their own privacy policy. We store only payment references (session IDs), not card details.
Vercel: Hosts the QVIKS application and provides blob storage for files (avatars, documents). Vercel processes data under their Data Processing Agreement and privacy policy.
Google: If you use Google Sign-In or Google Calendar integration, Google receives authentication data. Calendar sync requires explicit Admin authorization and can be revoked at any time.
MailerLite: If an Admin connects MailerLite for email marketing, contact data (name, email, subscription status) is synced to MailerLite. MailerLite processes data under their GDPR-compliant privacy policy.
We require all third-party providers to maintain appropriate security measures and to process personal data only as instructed by us. We have Data Processing Agreements in place where required by GDPR.
Our primary database is located in the European Union (Ireland). However, some of our third-party providers (Stripe, Vercel, Google) may process data in the United States or other countries outside the EU/EEA.
Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including: EU Standard Contractual Clauses (SCCs), adequacy decisions by the European Commission, or the provider's participation in recognized data protection frameworks (e.g., the EU-U.S. Data Privacy Framework).
The Service is available globally. If you access QVIKS from outside the EU, your data may be transferred to and processed in the EU. By using the Service, you acknowledge this transfer.
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law.
Active Accounts: Your data is retained for the duration of your account. If you are a Client, your data is retained as long as the Admin maintains your record.
Deleted Accounts: When you delete your account or an Admin deletes your contact record, we permanently remove your personal data and all associated records (notes, bookings, payment references, custom fields) from our database. Some data may persist in encrypted backups for up to 30 days before automatic deletion.
Audit Logs: Activity logs (including IP addresses) are retained for up to 12 months for security and compliance purposes, after which they are automatically purged.
Legal Requirements: We may retain certain data longer where required by applicable tax, accounting, or legal obligations (typically up to 10 years for financial records under Slovak law).
MailerLite and Stripe: Data synced to third-party services is subject to their respective retention policies. Deleting your data from QVIKS does not automatically delete it from these services — Admins are responsible for managing data in their connected third-party accounts.
If you are located in the EU/EEA or if GDPR applies to you, you have the following rights regarding your personal data:
Right of Access (Art. 15): You can request a copy of all personal data we hold about you. Use the "Export My Data" feature in your account settings, or email us at privacy@qviks.com.
Right to Rectification (Art. 16): You can update or correct your personal data through your account settings, or by contacting us.
Right to Erasure (Art. 17): You can delete your account and all associated data through the "Delete Account" option in your account settings. We will process deletion requests within 30 days.
Right to Restriction of Processing (Art. 18): You can request that we temporarily stop processing your data while we resolve a dispute or verify accuracy.
Right to Data Portability (Art. 20): You can export your data in a structured, commonly used, machine-readable format (JSON) through your account settings.
Right to Object (Art. 21): You can object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7): Where processing is based on consent (e.g., marketing emails), you can withdraw consent at any time.
To exercise any of these rights, use the self-service tools in your account settings or contact us at hello@qviks.com. We will respond to your request within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you.
Depending on your location, you may have additional rights under local privacy laws:
California (CCPA/CPRA): You have the right to know what personal information we collect and why, to request deletion, to opt out of the sale of personal information (we do not sell your data), and to non-discrimination for exercising your rights. To make a request, email hello@qviks.com.
Brazil (LGPD): You have similar rights to those under GDPR, including access, correction, deletion, and data portability.
Australia (Privacy Act): You have the right to access and correct your personal information, and to complain about a breach of the Australian Privacy Principles.
For all jurisdictions, contact us at hello@qviks.com to exercise your rights.
QVIKS uses a minimal set of cookies strictly necessary for the Service to function:
Session Cookie (qviks-session): An HTTP-only, secure cookie that authenticates your session. This cookie is essential for the Service and cannot be disabled. It expires after 30 days of inactivity.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising.
If we introduce optional analytics or marketing cookies in the future, we will update this policy and implement a cookie consent mechanism before activation.
We implement appropriate technical and organizational measures to protect your personal data, including:
Passwords are hashed using bcrypt with industry-standard work factors. We never store plaintext passwords.
All data in transit is encrypted via HTTPS/TLS. Database connections use encrypted protocols.
Session tokens are stored in HTTP-only cookies with Secure and SameSite flags to prevent cross-site attacks.
File storage uses separate public and private stores — sensitive documents (invoices, contracts) are stored privately and require authentication to access.
Access controls enforce role-based permissions: Clients can only access their own data, and Admins can only access data within their organization.
Audit logging tracks all significant actions for security monitoring and incident response.
While we take data security seriously, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to hello@qviks.com.
QVIKS is not directed at children under the age of 16. We do not knowingly collect personal data from children. If an Admin stores data about minors (e.g., a child client in an educational or coaching context), the Admin is responsible for ensuring they have appropriate parental or guardian consent.
If you believe we have inadvertently collected data from a child without appropriate consent, please contact us at hello@qviks.com and we will promptly delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last updated" date.
For significant changes that affect your rights, we will provide additional notice through the Service (e.g., an in-app notification or email). We encourage you to review this policy periodically.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Simplethis s.r.o., Slovak Republic
Email: hello@qviks.com
For GDPR-related inquiries, you may also contact your local Data Protection Authority. The lead supervisory authority for Simplethis s.r.o. is the Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky).