Privacy policy

Last reviewed: 2026-04-27.

Controller

The controller for personal data processed by this site is the operator of qms.best. Contact: privacy@qms.best. Postal address available on request.

Data we process and why

Newsletter and gated downloads

• Data: email address, the slug of the requested template, timestamp, IP address (used only for rate-limiting; not stored beyond 30 days).
• Lawful basis: Article 6(1)(a) GDPR — consent.
• Retention: until you unsubscribe, or 24 months after your last engagement, whichever is sooner.
• Processor: Resend (audience hosting + transactional email). Resend's DPA governs the processor relationship.

Membership

• Data: email address, Stripe customer ID, subscription tier and status, login session metadata.
• Lawful basis: Article 6(1)(b) — contract.
• Retention: for the duration of the membership and 7 years thereafter for tax / contract law obligations.
• Processor: Stripe (payments). Stripe holds payment metadata under its own controller / processor split per its terms.

Site analytics

• Data: aggregated, privacy-first analytics — no cookies, no personal identifiers, no cross-site tracking.
• Lawful basis: Article 6(1)(f) — legitimate interest in understanding aggregate site usage.
• Retention: raw events 12 months; aggregates indefinitely.
• Processor: Plausible (own standalone instance — independent infrastructure).

Sponsor click-through (optional)

• Data: aggregated click counts per sponsor — no personal identifiers.
• Lawful basis: Article 6(1)(f) — legitimate interest in measuring sponsor placement effectiveness.
• Retention: 24 months.

Recipients and transfers

• Resend — transactional and marketing email processor.
• Stripe — payments.
• Cloudflare — CDN and hosting infrastructure.

Where personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses adopted by the European Commission and supplementary measures where required. The list of subprocessors is maintained and reviewed at least annually.

Your rights

Under the GDPR you have the right to:

• Access the personal data we hold about you (Article 15).
• Rectify inaccurate data (Article 16).
• Erasure (Article 17).
• Restriction of processing (Article 18).
• Data portability (Article 20).
• Object to processing on legitimate-interest grounds (Article 21).
• Withdraw consent (Article 7(3)) — for the newsletter, this is the unsubscribe link in every email.
• Lodge a complaint with a supervisory authority (Article 77).

To exercise any right, email privacy@qms.best. We respond within 30 days.

Cookies

qms.best does not set cookies for tracking. We may set strictly necessary cookies for membership login sessions where you have authenticated. We do not use any third-party advertising or analytics cookies.

Children

This site is aimed at QMS practitioners. We do not knowingly process personal data of children under 16.

Changes

Material changes to this policy are notified to subscribers by email and surfaced on the home page. Non-material wording changes are published silently with an updated review date.