Legal Compliance & Regulations
How qwip Complies with Privacy Laws Worldwide
Last Updated: December 2025
Table of Contents
- GDPR Compliance (European Union)
- CCPA Compliance (California)
- COPPA Compliance (Children)
- Other Regulations
- International Data Transfers
- Data Protection Officer
- Regulatory Updates
- Transparency Reports
- Certifications
1. GDPR Compliance (European Union)
Regulation: General Data Protection Regulation (EU) 2016/679
Our Status: ✅ Compliant by Design
Core GDPR Requirements
| Article | Requirement | How We Comply | Status |
|---|---|---|---|
| Art. 5(1)(a) | Lawfulness, fairness, transparency | Clear privacy documentation, open source | ✅ |
| Art. 5(1)(b) | Purpose limitation | Only for platform analytics | ✅ |
| Art. 5(1)(c) | Data minimization | Only anonymous session IDs | ✅ |
| Art. 5(1)(d) | Accuracy | N/A (no personal data) | ✅ |
| Art. 5(1)(e) | Storage limitation | Auto-delete after 30 days | ✅ |
| Art. 5(1)(f) | Integrity and confidentiality | TLS encryption, secure storage | ✅ |
| Art. 6 | Lawful basis for processing | Legitimate interest (Art. 6(1)(f)) | ✅ |
| Art. 7 | Consent | Optional server features, can disable | ✅ |
| Art. 15 | Right of access | View local storage, request server data | ✅ |
| Art. 16 | Right to rectification | N/A (no personal data) | ✅ |
| Art. 17 | Right to erasure | Clear session data anytime | ✅ |
| Art. 18 | Right to restriction | Disable server features | ✅ |
| Art. 20 | Right to data portability | Export local storage JSON | ✅ |
| Art. 21 | Right to object | Disable all tracking | ✅ |
| Art. 25 | Data protection by design | Local-first processing | ✅ |
| Art. 32 | Security of processing | TLS 1.3, encryption, anonymization | ✅ |
| Art. 33 | Breach notification | 72-hour notification commitment | ✅ |
Lawful Basis for Processing
We rely on: Legitimate Interest (Art. 6(1)(f))
Our legitimate interest:
- Improve service quality
- Measure platform usage
- Report metrics to investors
Assessment (3-part test):
- Purpose test: ✅ Legitimate business interest (analytics)
- Necessity test: ✅ Minimal data collection (session IDs only)
- Balancing test: ✅ Low impact on users (anonymous, can opt-out)
Conclusion: Our minimal anonymous analytics are proportionate and justified.
Alternative basis NOT needed:
- Consent (Art. 6(1)(a)): Not required for anonymous analytics
- Contract (Art. 6(1)(b)): No contract (free service)
- Legal obligation (Art. 6(1)(c)): No legal requirement
GDPR Rights Exercise
How Users Can Exercise Their Rights:
| Right | How to Exercise | Our Response Time |
|---|---|---|
| Right to access (Art. 15) | Email: privacy@qwip.io | 30 days max |
| Right to rectification (Art. 16) | N/A (no personal data) | N/A |
| Right to erasure (Art. 17) | Settings → Clear Session Data | Immediate |
| Right to restrict (Art. 18) | Disable server features | Immediate |
| Right to portability (Art. 20) | Export browser storage | Immediate |
| Right to object (Art. 21) | Disable all tracking | Immediate |
Example Access Request Response:
Subject: GDPR Access Request Response
Dear User,
We have received your request for access to personal data under GDPR Article 15.
Our findings:
- Session ID: a3f2b1c4-5d6e-7f8g-9h0i-1j2k3l4m5n6o (random, anonymous)
- Images analyzed: 47
- Preferred model: "cifake"
- Last activity: 2025-12-28T10:30:00Z
This is the entirety of data we have that could potentially relate to you.
Note that the session ID is anonymous and not linked to your identity.
You have the right to request deletion at any time.
Best regards,
qwip Privacy TeamData Protection Impact Assessment (DPIA)
Required for high-risk processing: ✅ Completed
Assessment Result:
| Factor | Risk Level | Justification |
|---|---|---|
| Type of data | ⬤ Low | Only anonymous session IDs |
| Scope of processing | ⬤ Low | Small amount of data per user |
| Context | ⬤ Low | Voluntary browser extension |
| Purposes | ⬤ Low | Analytics only, no profiling |
Conclusion: Low risk - DPIA not legally required, but completed for transparency.
Mitigation measures:
- Anonymization (random session IDs)
- Auto-deletion (30 days)
- User controls (disable anytime)
- Transparency (open source)
Contact for GDPR Inquiries
Data Protection Officer (when appointed): dpo@qwip.io
Supervisory Authority (EU):
- Your country's data protection authority
- List of EU DPAs
Right to lodge complaint: Users have the right to complain to their local supervisory authority if they believe we violate GDPR.
2. CCPA Compliance (California)
Regulation: California Consumer Privacy Act (2018) + CPRA Amendments (2020)
Our Status: ✅ Minimal Data = Low Risk
CCPA Categories of Information
What we collect (in CCPA terminology):
| CCPA Category | What We Collect | Sale/Share | Business Purpose |
|---|---|---|---|
| Identifiers | ❌ None (session IDs not personal identifiers) | ❌ Never | N/A |
| Personal Information (PI) | ❌ None | ❌ Never | N/A |
| Commercial Information | ❌ None | ❌ Never | N/A |
| Internet/Network Activity | ⚠️ Anonymous usage stats | ❌ Never | Analytics |
| Geolocation | ❌ None | ❌ Never | N/A |
| Biometric Information | ❌ None | ❌ Never | N/A |
| Professional/Employment | ❌ None | ❌ Never | N/A |
| Education Information | ❌ None | ❌ Never | N/A |
| Inferences | ❌ None | ❌ Never | N/A |
"Do Not Sell My Personal Information"
Our Statement:
We do not sell personal information.
We do not share personal information with third parties.
We do not have personal information to sell.
Result: CCPA's "Do Not Sell" requirement does not apply to us.
CCPA Rights
California Residents' Rights:
| Right | How to Exercise | Our Response |
|---|---|---|
| Right to Know | Read this documentation | See Data Collection |
| Right to Delete | Settings → Clear Session Data | Immediate |
| Right to Opt-Out of Sale | N/A (we don't sell data) | N/A |
| Right to Non-Discrimination | Automatic | All features available regardless |
Notice to California Residents:
CALIFORNIA PRIVACY RIGHTS
Categories of PI Collected: None (anonymous session IDs only)
Categories of PI Sold: None
Categories of PI Disclosed: None
Right to Know: You can request what data we have about you.
Right to Delete: You can delete your data at any time.
Right to Opt-Out: N/A (we don't sell data)
Contact: privacy@qwip.ioCCPA Compliance Checklist
- ✅ Privacy policy published (this documentation)
- ✅ "Do Not Sell" notice (not applicable, but disclosed)
- ✅ Clear opt-out mechanism (disable server features)
- ✅ No discrimination for exercising rights
- ✅ 45-day response time for requests
- ✅ Reasonable security measures (TLS, encryption)
3. COPPA Compliance (Children)
Regulation: Children's Online Privacy Protection Act (USA)
Our Status: ✅ Safe for All Ages
Why COPPA Applies
COPPA applies if:
- Service is directed at children under 13, OR
- Service knowingly collects data from children under 13
qwip's position:
- ✅ Service is NOT directed at children (general audience)
- ✅ We do NOT knowingly collect data from anyone (including children)
Result: COPPA technically doesn't apply, but we comply anyway.
COPPA Requirements vs. Our Practices
| Requirement | Our Implementation |
|---|---|
| Notice to parents | Not required (no PI collected), but documented |
| Parental consent | Not required (no PI collected) |
| Limit collection | Only anonymous session IDs (no PI) |
| No conditioning | All features available without data sharing |
| Data security | TLS encryption, secure storage |
| Data retention | Auto-delete after 30 days |
| No disclosure without consent | No data disclosed to anyone |
Parental Controls
Parents can:
- Review our source code (open source)
- Verify no personal data collection
- Disable all server features in settings
- Monitor network activity (DevTools)
No age verification needed:
- We don't collect personal information from anyone
- Safe for users of all ages
Recommendation for parents:
- Review this privacy documentation
- Test the extension yourself first
- Teach children about online privacy
- Monitor their internet usage generally
4. Other Regulations
UK GDPR (Post-Brexit)
Status: ✅ Compliant
Differences from EU GDPR: Minimal (substantially same requirements)
UK Supervisory Authority: Information Commissioner's Office (ICO)
Compliance: Same as EU GDPR (see section 1)
PIPEDA (Canada)
Regulation: Personal Information Protection and Electronic Documents Act
Status: ✅ Compliant
How we comply:
- Consent: Optional server features, can disable
- Limited collection: Only anonymous session IDs
- Use limitation: Only for analytics
- Accuracy: N/A (no personal data)
- Safeguards: TLS encryption, secure storage
- Openness: This documentation
- Individual access: View/delete session data
- Challenging compliance: Email privacy@qwip.io
LGPD (Brazil)
Regulation: Lei Geral de Proteção de Dados
Status: ✅ Compliant
How we comply:
- Lawful basis: Legitimate interest
- Data minimization: Only anonymous session IDs
- Purpose limitation: Only analytics
- Security: TLS encryption
- Transparency: This documentation
- Rights: Delete, access, opt-out
Australia Privacy Act
Status: ✅ Compliant
Australian Privacy Principles (APPs):
- APP 1: Open and transparent management | ✅ This documentation
- APP 3: Collection of solicited PI | ✅ No PI collected
- APP 6: Use or disclosure | ✅ Only for analytics
- APP 11: Security | ✅ TLS encryption, secure storage
5. International Data Transfers
Where Is Data Stored?
Server Location: United States (AWS us-east-1)
Data Subject Location: Worldwide
GDPR Transfer Mechanisms
For EU users, we rely on:
Option 1: Article 49 Derogations
- Data is anonymous (not personal data under strict interpretation)
- Transfer is necessary for service functionality
- User can opt-out (disable server features)
Option 2: Standard Contractual Clauses (SCCs)
- Planned for formal compliance (Q1 2026)
- Even though data is anonymous
Data Protection Safeguards:
- TLS 1.3 encryption in transit
- Secure storage at rest
- Auto-deletion after 30 days
- User controls (opt-out anytime)
Cross-Border Data Flow
User (EU/UK/etc.) → Browser (Local Processing)
↓
[Optional Server Query]
↓
Server (US - AWS us-east-1)
↓
Only Receives:
- Anonymous session ID
- Cryptographic hashes
- Detection resultsNo personal data crosses borders because we don't collect personal data.
6. Data Protection Officer
Current Status
DPO Required? Not yet (small team, minimal data)
When we'll appoint DPO:
- If we hire 250+ employees, OR
- If we process large-scale sensitive data, OR
- If required by regulators
Contact for Privacy Questions
Current: privacy@qwip.io (handled by team)
Future: dpo@qwip.io (dedicated DPO when appointed)
Response times:
- General inquiries: 5 business days
- GDPR access requests: 30 days max
- GDPR deletion requests: Immediate
- Security issues: 48 hours
7. Regulatory Updates
How We Monitor Compliance
Quarterly Review:
- Review new privacy regulations
- Update documentation
- Implement necessary changes
- Notify users of material updates
Recent Regulatory Changes (2025):
- ✅ GDPR amendments reviewed (no changes needed)
- ✅ CCPA/CPRA enforcement update (compliant)
- ✅ State privacy laws (Virginia, Colorado, etc.) reviewed
Upcoming Regulations:
- 🚧 AI Act (EU) - Monitoring for applicability
- 🚧 State privacy laws (US) - Monitoring
- 🚧 Privacy Shield successor - Awaiting clarity
Update Policy
We will notify users if:
- We change what data we collect
- We change how we use data
- We change data retention periods
- We receive government data requests (never happened)
Notification method:
- Extension update notification
- Updated documentation (with changelog)
- Email (if we have contact info - we don't currently)
8. Transparency Reports
Quarterly Reporting
Published: Transparency Report
What we report:
- Government data requests (if any)
- Data breaches (if any)
- Regulatory inquiries (if any)
- Compliance updates
- User rights requests statistics
Statistics (Q4 2025):
| Metric | Count |
|---|---|
| Government data requests | 0 |
| User access requests | 0 |
| User deletion requests | 0 |
| Data breaches | 0 |
| Third-party data sharing | 0 |
Next Report: Q1 2026 (March 2026)
9. Certifications
Current Certifications
Status: None yet (v1.0 launch)
Self-Assessment:
- ✅ GDPR compliant
- ✅ CCPA compliant
- ✅ COPPA compliant
Planned Certifications (Roadmap)
| Certification | Target Date | Status |
|---|---|---|
| SOC 2 Type II | Q4 2026 | 🚧 Planned |
| ISO 27001 | Q2 2027 | 🚧 Planned |
| Privacy Shield Successor | TBD (awaiting new framework) | 🚧 Monitoring |
Why certifications matter:
- Third-party validation of security practices
- Required for enterprise customers
- Demonstrates commitment to privacy
Current approach:
- Self-assessment against standards
- Preparing for future audits
- Implementing best practices now
Compliance Summary
Quick Reference Table
| Regulation | Jurisdiction | Status | Notes |
|---|---|---|---|
| GDPR | EU/EEA | ✅ Compliant | Legitimate interest, data minimization |
| UK GDPR | United Kingdom | ✅ Compliant | Same as EU GDPR |
| CCPA/CPRA | California, USA | ✅ Compliant | No personal data sold |
| COPPA | USA | ✅ Compliant | No data from children |
| PIPEDA | Canada | ✅ Compliant | Minimal collection, consent |
| LGPD | Brazil | ✅ Compliant | Anonymization, transparency |
| Privacy Act | Australia | ✅ Compliant | No PI collected |
Questions?
- GDPR questions: privacy@qwip.io
- CCPA questions: privacy@qwip.io
- Legal inquiries: legal@qwip.io
- General questions: hello@qwip.io
Commitment to Compliance:
We take privacy regulations seriously and design our service to exceed legal requirements. If you believe we're not complying with a privacy law, please contact us immediately at privacy@qwip.io.
Last Legal Review: December 2025 | Next Review: March 2026