Qribo

Privacy Policy

Last updated: May 17, 2026

This Policy explains how Qribo collects, uses, and protects the personal information of the Service's users. It is aligned with the Personal Data Protection Law (Costa Rica, Law 8968), the General Data Protection Regulation (GDPR, EU 2016/679), and the California Consumer Privacy Act (CCPA).

1. Data controller

The controller of your data is Grupo CM SRL (corporate ID 3-102-961780, San José, Costa Rica), owner of the Qribo product, with contact email privacidad@qribo.com. For payments, the additional controller is Paddle.com Market Limited (United Kingdom), Merchant of Record.

2. Data we collect

Data you provide to us

  • Account: first name, last name, email, phone (optional), hashed password (Argon2/PBKDF2), company name.
  • Payment: processing is done by Paddle. Qribo does not store card numbers; we only receive tokenized identifiers, the last 4 digits, and the card's country.
  • Operational data: assets, templates, reports, photos, signatures, tasks, inspection GPS locations, and contact data of external clients that you choose to upload.

Data we collect automatically

  • Technical logs: IP, user-agent, timestamps, session identifiers, errors, and Service events.
  • Usage telemetry: which screens are used, latencies, frequency of use. Anonymized when possible.
  • Cookies and similar: see the Cookie Policy.

3. Purposes of processing

  • Provide the contracted Service.
  • Authenticate and authorize users.
  • Process payments and billing through Paddle.
  • Send operational communications (verification, password recovery, alerts, receipts).
  • Send reports by email to external clients' contacts when the Customer configures it (automatic sending feature).
  • Improve the Service (aggregated and anonymized analytics).
  • Comply with legal obligations and protect our rights.

4. Legal basis

  • Performance of the contract: to provide the Service you contracted.
  • Consent: for optional commercial communications and non-essential cookies.
  • Legitimate interest: for security, fraud prevention, and product improvement.
  • Legal compliance: tax records and responses to authorities.

5. Sharing with third parties

We do not sell or rent your data. We share it only with providers that help us operate:

  • Paddle — payment and tax processing.
  • Cloudflare R2 — storage of images, signatures, and PDFs.
  • Firebase Cloud Messaging — push notifications.
  • Transactional email provider — email delivery (SendGrid, Postmark, or similar).
  • Infrastructure providers — hosting, database, monitoring.

6. International transfers

Some of our providers are located outside Costa Rica. Transfers are carried out under standard contractual clauses (SCC) or adequacy decisions where applicable.

7. Retention period

  • Active account: for the entire duration of the contract.
  • After cancellation: 60 days so you can export your data, after which it is deleted or anonymized.
  • Logs: 12 months.
  • Billing: 5 years (tax obligation).

8. Your rights

You may exercise at any time:

  • Access to your data.
  • Rectification of inaccurate data.
  • Erasure ("right to be forgotten").
  • Objection to processing.
  • Portability (export your data in JSON/CSV format).
  • Restriction of processing.
  • Withdraw consent where applicable.

To exercise them, write to privacidad@qribo.com. We respond within the following 30 days.

9. Security

Encryption in transit (TLS 1.2+), encryption at rest, multi-tenant logical separation, passwords hashed with modern algorithms, rotating JWT tokens with expiration, and backend access auditing.

10. Minors

The Service is not directed at minors under 16. If we discover we have collected data from a minor without their guardians' consent, we delete it.

11. Changes to this policy

We will notify you by email or within the Service when we make material changes. The "last updated" date at the top always indicates the current version.

12. Contact

For any inquiry about privacy or the exercise of rights:
privacidad@qribo.com