This Privacy Policy explains how QTOOL S.r.l. (trading as “Zephyra”) (“Zephyra”, “we”, “us”) collects, uses, discloses, and protects Personal Data when you visit our websites or use our platform and services.

1. Who we are and how to contact us

Controller: QTOOL S.r.l. (Zephyra)

Registered address: Via Sarus 4, 11026 Pont Saint Martin, Italy

Email (privacy): qtool@pec.it or info@qtoolsrl.it

2. Scope

This Policy applies to:

Our websites (including zephyra.tech and app.zephyra.tech).
The Zephyra SaaS platform and related services (the “Services”).
Sales, support, onboarding, and professional services interactions.

3. Roles under data protection laws: Controller vs Processor

3.1 When Zephyra is the Controller

We act as Controller for Personal Data we process to:

Create and manage accounts and workspaces.
Provide customer support and manage the commercial relationship.
Send service communications (security, product, billing, legal notices).
Administer billing, accounting, and tax compliance.
Manage sales and marketing (where permitted).

3.2 When Zephyra is the Processor

When a business customer uploads or inputs data into the Services (“Customer Data”), Zephyra typically processes that data as a Processor on behalf of the customer (the Controller). Customer Data may include files and metadata (e.g., CAD/mesh files, simulation inputs/outputs, project data) and may contain Personal Data if the customer uploads it.

Processor terms are governed by the applicable contract/Order Form and (where applicable) a Data Processing Agreement (DPA).

4. Personal Data we collect

Depending on your interaction with Zephyra, we may collect:

A. Account and identity data Name, business email, phone number, company, job title, country.

B. Authentication and access data Login credentials (stored securely), roles/permissions, workspace membership.

C. Billing and commercial data Billing contact details, invoicing address, VAT/tax identifiers, payment status, purchase history. Payment card data is typically handled by a payment provider (if applicable) and not stored by Zephyra in full.

D. Usage, device, and log data IP address, device/browser identifiers, timestamps, logs, feature usage, diagnostic and security events.

E. Communications Support tickets, emails, call notes, meeting notes, feedback, survey responses.

F. Customer Data (Processor data) Customer-uploaded files/content and related metadata that may include Personal Data if included by the customer.

5. Purposes and legal bases (GDPR/UK GDPR/Swiss law)

We process Personal Data only when we have a lawful basis.

1) Provide the Services and manage accounts Purpose: authentication, workspace administration, access control, service delivery. Legal basis: Contract.

2) Customer support and service operations Purpose: support, troubleshooting, incident management, service communications. Legal basis: Contract and Legitimate Interests (service quality and continuity).

3) Security and abuse prevention Purpose: detect and prevent fraud, misuse, security incidents, and to protect the platform. Legal basis: Legitimate Interests and/or Legal Obligation.

4) Billing, accounting, and tax compliance Purpose: invoicing, collections, accounting records, statutory compliance. Legal basis: Contract and Legal Obligation.

5) Product analytics and improvement Purpose: understand usage, improve performance and reliability, capacity planning. Legal basis: Legitimate Interests. Where required for cookies/trackers: Consent.

6) Sales and marketing (B2B) Purpose: respond to inquiries, outbound sales, newsletters, events follow-ups. Legal basis: Legitimate Interests (where permitted) and/or Consent (where required). You can object to direct marketing at any time.

6. Customer Data and model improvement

When we process Customer Data as a Processor, we process it only on documented instructions from the Customer and as necessary to provide the Services.

We may generate aggregated and anonymized statistics and diagnostics from service usage to operate, secure, and improve the Services (to the extent permitted by law and contract). Where contractually required, we will provide opt-in/opt-out mechanisms for specific improvement uses.

Customers should not upload special category data (e.g., health data, biometric identifiers, sensitive personal data) unless explicitly agreed in writing and covered by appropriate contractual safeguards.

We may share Personal Data with:

A. Service providers (processors/subprocessors) We use service providers for infrastructure, hosting, storage, compute, logging, email delivery, customer support tooling, CRM, analytics, and payment processing. We require appropriate contractual protections and security measures.

Given your deployment model, we may use cloud infrastructure providers in the EU, UK, Switzerland, and the US, including:

Google Cloud Platform (GCP); and
equivalent providers such as Amazon Web Services (AWS) and Microsoft Azure, depending on environment, availability, and customer configuration.

B. Professional advisors Legal counsel, auditors, and accountants where necessary.

C. Authorities Where required by law, or to protect rights, safety, and security.

D. Corporate transactions In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.

We do not sell Personal Data.

Subprocessor transparency: We maintain an up-to-date list of subprocessors at: /legal/subprocessors.

8. International transfers

Your data may be processed in the EU, UK, Switzerland, and the US (and potentially other locations where our providers operate). When transferring Personal Data outside the EEA/UK/Switzerland, we use appropriate safeguards, which may include:

EU Standard Contractual Clauses (SCCs);
the UK International Data Transfer Addendum (UK IDTA/Addendum); and
supplementary measures where appropriate.

9. Data retention

We retain Personal Data only for as long as needed for the purposes described above:

Account data: retained for the duration of the customer relationship and for a limited period thereafter for audit/dispute purposes (typically 12–24 months, unless required longer).
Billing and tax records: retained for the period required by law (often up to 10 years).
Support communications: retained for 10 years after ticket closure.
Customer Data (Processor): retained as instructed by the Customer and under the contract; customers may request deletion/export subject to contractual and legal constraints. We may delete Customer Data according to contract and operational policies; customers should maintain their own backups.

10. Cookies and similar technologies

We use cookies and similar technologies for:

Strictly necessary functions (authentication, security, session management);
Analytics (to understand usage and improve the Services);
Marketing (only where enabled and permitted).

Where required by law, we provide a cookie banner and allow you to manage preferences. See our Cookie Policy.

11. Security

We apply commercially reasonable technical and organizational measures to protect Personal Data, including access controls, encryption in transit, logging, monitoring, and least-privilege practices. No system is perfectly secure; we cannot guarantee absolute security.

12. Your rights

Depending on your location and applicable law, you may have rights to:

access, rectify, erase, restrict, or object to processing;
data portability (where applicable);
withdraw consent (where processing is based on consent);
lodge a complaint with a supervisory authority.

Contact us to exercise rights. If we process your data as a Processor, we may refer you to your organization (the Controller).

13. Children

The Services are intended for business users and are not directed to children. We do not knowingly collect Personal Data from minors.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated version and revise the “Last Updated” date. If changes are material, we may provide additional notice (e.g., in-app or by email).