Privacy Policy

Effective October 6, 2025

1. Overview

Your privacy is not an afterthought at Qaxa — it’s the foundation.

This Privacy Policy explains what information we collect, how we use it, and what rights you have.

Qaxa Labs s. r. o. (“Qaxa,” “we,” or “us”) operates the Qaxa collaboration platform and related services. We are the data controller for personal data processed under this Policy, except where we act as a processor for encrypted workspace content.

2. Information We Collect

We collect only what is necessary to operate Qaxa securely and reliably.

a. Account Information

  • Email address (required for registration and authentication)
  • Billing information (for Pro plans)

Your email and billing details are stored unencrypted for technical and operational purposes — for example, account recovery, invoices, or notifications.

b. Encrypted Workspace Data

All workspace content — messages, files, notes, and tasks — is end-to-end encrypted. We cannot access or read this content.

c. Usage and Technical Data

We use self-hosted analytics tools that collect anonymous usage metrics (e.g., total storage usage, number of active spaces). No third-party analytics services, such as Google Analytics, are used.

d. Support and Communication

If you contact us (e.g., via email or feedback form), we process your message and contact details to respond.

Our contact forms use a Cloudflare Turnstile CAPTCHA to prevent automated abuse. This tool verifies that a request is from a human visitor without using tracking cookies or profiling.

e. Website Infrastructure and Security

Our public website (qaxa.com) is routed through Cloudflare, which provides content delivery, DDoS protection, and DNS services. When you visit our site, Cloudflare may process limited technical information such as IP address, system configuration, and request metadata to ensure security and reliable performance. These logs are temporary and used solely for threat detection and network protection.

3. How We Use Your Information

We use your information to:

  • Operate and maintain your account
  • Provide customer support and respond to inquiries
  • Process payments via Stripe or BTCPay Server
  • Ensure service stability and prevent abuse
  • Comply with legal obligations (e.g., tax and accounting)

We do not sell, rent, or share your personal data for advertising or marketing.

4. Legal Bases for Processing

We process your data under the following legal bases (per GDPR, Article 6):

  • Contractual necessity — to provide the Qaxa service you signed up for
  • Legal obligation — to meet accounting, tax, or regulatory duties
  • Legitimate interest — to maintain security, prevent misuse, and improve performance
  • Consent — when you choose to contact us or receive communications beyond core functionality

5. Data Hosting and Security

All Qaxa servers are hosted within the European Union using DigitalOcean infrastructure. We use DigitalOcean Droplets for application servers and Spaces Object Storage for storing encrypted files.

Workspace data is protected with end-to-end encryption, meaning only you and authorized members of your spaces hold the keys to decrypt it. 

Your email and billing data are stored separately from encrypted content and secured using industry-standard encryption in transit and at rest.

DigitalOcean acts as a data processor under Standard Contractual Clauses, ensuring compliance with EU data protection requirements.

You can read more about their data practices at digitalocean.com/legal/privacy-policy.

6. Payments

Payments for Pro plans are processed by:

  • Stripe (for credit card payments)
  • BTCPay Server (for Bitcoin and Bitcoin Lightning payments)

You can read Stripe’s privacy policy at stripe.com/privacy.

Qaxa does not store or process full credit card information. For cryptocurrency payments, only transaction references are retained for verification and accounting.

Our BTCPay Server is self-hosted on our infrastructure, so no payment data is shared with third-party cryptocurrency processors or external gateways.

7. Data Retention and Deletion

We keep your data only as long as your account is active. When you delete your account:

  • All encrypted workspace data is permanently deleted.
  • Associated account information (email and billing data) is deleted or anonymized within a reasonable period required by law.

Backups are overwritten automatically as part of the deletion cycle.

8. Data Sharing and Sub-Processors

We minimize external dependencies. Currently, Qaxa shares data only with:

  • Stripe Payments Europe, Limited (payment processing)
  • BTCPay Server (payment processing)
  • Cloudflare, Inc. (content delivery network and security services for qaxa.com)
  • DigitalOcean, LLC (infrastructure and object storage provider)

DigitalOcean and Cloudflare act as data processors under Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework, ensuring GDPR-level protection.

No third-party analytics, cloud, or advertising providers have access to user data.

9. Requests from Authorities

Qaxa Labs s. r. o. may receive lawful requests for information from public authorities. 

Because Qaxa uses end-to-end encryption, we cannot access or disclose the content of encrypted workspace data, even if requested.

If a request concerns non-encrypted data (such as account email, billing information, or limited technical logs), we will:

  • verify that the request is legally valid and properly served under Czech or EU law;
  • notify the affected user before any disclosure unless legally prohibited from doing so; and
  • limit disclosure strictly to what is required by law.

We do not provide voluntary access to user data to any government or law-enforcement agency.

10. International Access

Qaxa is available globally, but your data is stored in the EU. 

For users outside the EU, processing is based on generally accepted principles of international contract and privacy law, offering protection comparable to GDPR standards.

11. Your Rights

Under the General Data Protection Regulation (GDPR), you have the right to:

  • Access your personal data
  • Correct inaccurate or incomplete data
  • Delete your account and personal data
  • Restrict or object to processing in specific cases
  • Port your data to another provider in a structured format

To exercise these rights, contact us at [email protected]. We may request verification to protect your account from unauthorized requests.

12. Children’s Privacy

Qaxa is not intended for children under 16. We do not knowingly collect data from minors. If you believe a child has provided personal data, contact us immediately so we can delete it.

13. Changes to This Policy

We may update this Policy from time to time. If changes are significant, we will notify users via email or in-app notice. The latest version is always available at qaxa.com/privacy.

14. Contact

Qaxa Labs s. r. o. has not appointed a Data Protection Officer.

For all privacy-related inquiries, you can contact our privacy team at [email protected].

Qaxa Labs s. r. o.
Křižíkova 213/44
186 00 Prague 8 – Karlín
Czech Republic

You also have the right to lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů) if you believe your personal data has been processed unlawfully.