Legal

Privacy Policy

Last updated: 21 April 2026

This Privacy Policy explains how QA Madness Sp. z o.o. ("QA Madness", "we", "us", or "our") collects, uses, and protects personal data when you interact with the website accessibility.qamadness.com (the "Site"). It is drafted in line with the EU General Data Protection Regulation (GDPR) and the Polish Personal Data Protection Act, and reflects the standards we hold ourselves to when we audit other people's products.

Contents

Who we are
What data we collect
How we use your data
Legal basis for processing
Third parties & international transfers
Data retention
Your rights
Cookies & similar technologies
Security
Children
Changes to this policy
Contact

1. Who we are

The data controller for personal data collected through this Site is:

QA Madness Sp. z o.o.
Aleje Jerozolimskie 151, office 10
02-326 Warsaw, Poland
National Court Register (KRS): 0000989034
Phone: +48 791 505 768
Data protection contact: support@qamadness.com

2. What data we collect

We collect only what we need to respond to you and deliver our services:

2.1 Data you provide via forms

When you use our Get Sample Report or Request Full Audit forms, you share:

Name (full name)
Business email
Company name (sample report form)
Website URL (audit request, optional)
Message / project details (audit request, optional)
Consent to processing (audit request)

2.2 Data collected automatically

IP address and request metadata processed by Cloudflare and Cloudflare Turnstile for security, bot protection, and to prevent form abuse. No persistent IP log is kept on our servers beyond short-lived access logs.
Language preference stored in a first-party cookie (lang) to remember the locale you selected.
Cookie-consent choice stored in your browser's local storage.
Operational logs on our hosting platform (Railway) for error diagnosis and uptime, typically rotated within days.

We do not collect government IDs, payment card data, health information, or any special-category personal data through this Site.

3. How we use your data

Purpose	What it means
Deliver the Sample Report	Validate your email (format, MX, non-disposable) and send the sample report PDF link via Resend.
Respond to audit inquiries	Contact you within 24 hours to scope the engagement, send a quote, or schedule a discovery call.
CRM & lead management	Store your submission in HubSpot so our team can follow up coherently and maintain one record per contact.
Security & fraud prevention	Cloudflare Turnstile verifies you are not a bot; we block disposable-email domains and domains without mail records.
Service improvement	Aggregated, non-identifying analysis of which forms are used and error patterns (where applicable, with consent).

4. Legal basis for processing (GDPR Article 6)

Consent (Art. 6(1)(a)) - for the audit-request form, where you tick the consent checkbox; and for non-essential cookies if you click "Accept" in the cookie banner.
Performance of a contract / pre-contractual steps (Art. 6(1)(b)) - to deliver the sample report you requested or to respond to your audit inquiry.
Legitimate interest (Art. 6(1)(f)) - for security, bot protection, and brief operational logging needed to run the Site safely.

5. Third parties & international transfers

We share personal data with the following processors strictly to provide the Site and the services you request. Each processor is bound by a Data Processing Agreement (DPA) and EU Standard Contractual Clauses (SCCs) where applicable.

Processor	Purpose	Location
HubSpot, Inc.	CRM & lead storage	USA (SCCs in place)
Resend	Transactional email delivery (sample report)	USA / EU (EU region configured)
Cloudflare, Inc.	DNS, CDN, DDoS protection, Turnstile bot verification	Global edge network; EU servers for EU visitors
Railway	Application hosting	EU (Ireland, eu-west-1)

We do not sell personal data and do not share it with advertisers.

6. Data retention

Form submissions (HubSpot records) - retained for up to 24 months from last contact, unless you request earlier deletion or the relationship continues.
Transactional emails (Resend logs) - retained per Resend's standard policy, typically up to 30 days of content and longer for delivery metadata.
Operational and access logs - typically rotated within 30 days.
Browser-stored preferences (lang cookie, consent) - remain in your browser until you clear them or their expiry (12 months).

7. Your rights (EU/EEA residents)

Under GDPR you have the right to:

Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase your data ("right to be forgotten") where applicable.
Restrict or object to certain processing activities.
Portability - receive a copy in a structured, machine-readable format.
Withdraw consent at any time, without affecting the lawfulness of prior processing.
Lodge a complaint with your local supervisory authority. In Poland that is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl.

To exercise any of these rights, email support@qamadness.com. We will respond within 30 days.

8. Cookies & similar technologies

This Site uses a minimal set of technologies in your browser:

Name	Purpose	Type	Lifetime
`lang`	Remember the language you selected	Strictly necessary (functional)	12 months
`cookie_consent` (localStorage)	Record your cookie-banner choice	Strictly necessary	Until cleared
Cloudflare Turnstile tokens	Verify you are not a bot before submitting a form	Strictly necessary (security)	Session

Strictly necessary cookies are used without consent under GDPR Art. 5(3) ePrivacy exception. If we add analytics or marketing cookies in the future (Google Analytics, HubSpot tracking), they will only be loaded after you choose "Accept" in the cookie banner.

9. Security

We are ISO/IEC 27001:2022 certified. All traffic is served over HTTPS with modern TLS; forms are protected by Cloudflare Turnstile; CRM access is restricted to authorized staff; credentials are stored in secrets management, not in code. We use the principle of least privilege and review access periodically.

10. Children

This Site is a B2B service targeted at companies and professionals. It is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy to reflect changes in our practices or the law. The "Last updated" date at the top of the page will indicate the revision. Material changes will be highlighted on the Site.

12. Contact

For any questions about this Privacy Policy or to exercise your rights, please email support@qamadness.com or call +48 791 505 768.

Governing law for this Site and our processing of your personal data: Poland (Republic of Poland), with the GDPR applying across the EU/EEA.