Privacy Policy

Last updated: December 2025

Plain-language summary
We collect only what we need to run Tough Choice, keep it secure, improve it, and (if you purchase) process payments. We do not sell your personal data.

1. Who we are (Data Controller)

QDF AS
Henrik Ibsens gate 90, 0255 Oslo, Norway
Email: [email protected]

For users in the EU/EEA, QDF AS is the data controller for personal data processed under this Privacy Policy.

2. What data we collect

2.1 Data you provide

Account data (if you create an account): e.g., email address and authentication-related details.
Support communications: information you include when you contact us (email and message content).
Payments (if you purchase): billing-related information handled primarily by our payment processor (see Section 6).

2.2 Data collected automatically

Usage data: e.g., pages/screens viewed, feature usage, timestamps, approximate device/browser information.
Device and log data: e.g., IP address, user agent, error logs, and diagnostic data.
Cookies / similar technologies: see Section 5.

2.3 Abuse-prevention and security data (Proof-of-Work)

To protect the Service and prevent abuse, we may use technical measures such as computational challenges (including proof-of-work). Proof-of-work is verified in real time to validate requests.

We do not store proof-of-work challenge/response data. Any proof-of-work values are processed transiently (e.g., in memory) for verification and then discarded.

Note: Like most web services, our servers may still process standard technical information (such as IP address, user agent, and timestamps) in ordinary server logs for security, diagnostics, and abuse prevention.

3. How we use your data (purposes)

Provide and operate the Service (accounts, authentication, core functionality).
Security and abuse prevention (fraud detection, rate limiting, proof-of-work verification, incident response).
Improve and maintain the Service (analytics, debugging, performance monitoring).
Customer support (responding to questions and requests).
Payments (if you buy a subscription or paid feature).
Legal compliance (responding to lawful requests, enforcing terms, protecting rights).

4. Legal bases for processing (GDPR/EEA)

Where GDPR applies, we process personal data under one or more of these legal bases:

Contract: to provide the Service you request (e.g., account functionality).
Legitimate interests: to secure, maintain, and improve the Service (including anti-abuse and analytics), balanced against your rights.
Consent: where required for non-essential cookies/analytics (depending on your cookie choices).
Legal obligation: when we must comply with law.

5. Cookies and analytics

We may use cookies and similar technologies to run the Service, remember preferences, and understand usage. Where required, you can control non-essential cookies via your browser settings and/or any cookie preference tools we provide.

5.1 Analytics providers (if enabled)

Google Analytics

Used to understand how users interact with the Service and to improve performance.

Google Privacy Policy: https://policies.google.com/privacy
Firebase (Google)

Used for app analytics and diagnostics.

Google Privacy Policy: https://policies.google.com/privacy

How Google uses data from partners: https://policies.google.com/technologies/partner-sites
Statcounter

Used for web traffic analysis.

Statcounter policy: https://statcounter.com/about/legal/

6. Payments

If we offer paid features, payments are processed by third-party payment processors. We do not store your full payment card details. Payment processors handle card data under their own privacy policies.

Stripe

Stripe Privacy Policy: https://stripe.com/privacy

7. Sharing of personal data

We may share personal data only as necessary to operate the Service, for example with:

Service providers / processors (analytics, hosting, security, customer support tools).
Payment processors (if you purchase).
Authorities where required by law, or to protect rights and safety.

We do not sell your personal data.

8. International transfers

Some service providers may process data outside Norway/EEA. Where that happens, we use appropriate safeguards required by GDPR (for example, standard contractual clauses) to protect your data.

9. Data retention

We keep personal data only as long as needed for the purposes described in this policy, including security, legal compliance, and dispute handling. Retention periods vary depending on the type of data and purpose.

Proof-of-work challenge/response values are not stored. Standard security and diagnostic logs (which may include IP address, user agent, timestamps, and error information) are retained only for as long as necessary for security, abuse prevention, troubleshooting, and legal compliance, and then deleted or anonymized where feasible.

10. Your rights (EU/EEA)

If you are in the EU/EEA, you have rights including:

Access to your personal data
Correction (rectification)
Deletion (erasure), in certain cases
Restriction of processing, in certain cases
Data portability, in certain cases
Objection to processing based on legitimate interests
Withdrawal of consent (where processing is based on consent)

You can exercise these rights by contacting us at [email protected]. We may need to verify your identity before responding.

You also have the right to complain to your local data protection authority. In Norway, this is the Norwegian Data Protection Authority (Datatilsynet).

11. Security

We use reasonable technical and organizational measures to protect personal data. No method of transmission or storage is 100% secure, but we work to prevent unauthorized access, disclosure, or loss.

12. Children

The Service is intended for adults. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact us and we will take appropriate steps to delete it.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice. The “Last updated” date at the top indicates when it was last revised.

14. Contact

Questions about privacy or requests to exercise your rights:
Email: [email protected]