Privacy Policy
Last updated: February 17, 2026
1. Introduction
QualMill ("we," "our," or "us") is operated by H2i Digital. This Privacy Policy explains how we collect, use, and protect your information when you use our qualitative research platform.
2. Information We Collect
Account Information: Email address and authentication credentials when you create an account.
Content You Upload: Interview transcripts, documents, research objectives, discussion guides, stimuli descriptions, and writing samples you provide for style training.
Generated Content: Reports, summaries, and analysis generated through the Service.
Usage Data: Information about how you interact with the Service, including features used and actions taken.
Payment Information: Processed securely by Stripe. We do not store your full credit card number.
3. How We Use Your Information
We use your information to:
- Provide and operate the Service
- Process your transcripts and generate reports using AI
- Apply your style preferences to generated content
- Process payments and manage your subscription
- Send transactional emails (account verification, password resets)
- Respond to support requests
We do not use your content to train our own AI models. We do not use third-party analytics or tracking tools that collect or analyze your uploaded content.
4. Content Ownership
Content you upload remains your property. We will not use your content outside your account context, except as necessary to provide the Service or comply with legal requirements. You retain all intellectual property rights to your uploaded materials and generated outputs.
5. Security Measures
We implement the following security controls to protect your data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in our database is encrypted at rest by our infrastructure providers.
- Authentication: Secure session management with automatic expiration. Passwords are never stored in plain text.
- Row-level security: Database access is enforced at the row level, ensuring users can only access their own data.
- Access controls: Internal access to customer data is role-based, restricted to authorized personnel, and logged for review.
- Infrastructure: Hosted on Vercel and Supabase, both of which maintain SOC 2 Type II compliance.
6. AI Processing & Third-Party Services
QualMill uses Anthropic's API to process transcripts and generate reports. This is governed by Anthropic's Commercial Terms — Anthropic does not train models on API customer data unless explicitly consented.
Text content sent to Anthropic for processing may include:
- Extracted transcript text (from interviews you upload)
- Research objectives (if provided)
- Discussion guide content (if provided)
- Stimuli descriptions (if provided)
- Style training samples (if provided)
- Project and respondent classification labels (markets, audiences, segments)
- Your questions and instructions in the Report Workspace
When you upload files, QualMill extracts the text content locally — original files are not sent to or stored by Anthropic.
For full details, see Anthropic's Privacy Policy.
7. Subprocessors
We use the following third-party services to operate QualMill:
| Service | Purpose | Data Shared | Compliance |
|---|---|---|---|
| Supabase | Database & authentication | All stored content | SOC 2 Type II |
| Vercel | Application hosting | Request metadata, logs | SOC 2 Type II |
| Anthropic | AI processing | Text content (see Section 6) | Commercial Terms |
| Stripe | Payment processing | Email, payment method | PCI DSS Level 1 |
| Resend | Transactional email | Email address, message content | — |
All subprocessors are located in the United States. Compliance documentation for Supabase and Vercel is available on their respective trust/security pages.
8. Data Retention & Deletion
We retain your data for as long as your account is active or as needed to provide the Service. You can delete your account and all associated data at any time from your account settings. Deletion is initiated immediately and completed in accordance with our data retention practices.
We maintain limited database backups for operational resilience. Deleted data may persist in encrypted backups for up to 7 days before being permanently removed. Backups are encrypted and access-controlled consistent with our security measures.
9. Your Rights
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data
- Export your data
- Object to processing
To exercise these rights, contact us at support@qualmill.app.
10. HIPAA Disclaimer
QualMill is not HIPAA compliant and does not offer a Business Associate Agreement (BAA). Do not upload protected health information (PHI) or any data subject to HIPAA regulations.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through the Service.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: support@qualmill.app