Privacy Policy
Last updated: April 2026
QuetraAI ("we", "our", "us") is operated by Developer Hub d.o.o. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the QuetraAI platform, including our website at quetra.dev, the dashboard at app.quetra.dev, our API gateway, SDK, and MCP server integrations.
QuetraAI is a governance middleware for AI agent spending. We evaluate whether transactions should be approved based on mandate rules — including budgets, vendor allowlists, category restrictions, rate controls, and time windows — enforced via cryptographically signed mandates with real-time policy evaluation.
Payment Processing
QuetraAI facilitates transaction governance and approval decisions. We do not directly process credit card payments. It is important to understand how payment data is handled:
- We do NOT store credit card numbers, CVVs, or full payment account details.
- Card details are collected and stored securely by Stripe, which is PCI DSS Level 1 certified — the highest level of certification in the payment industry.
- QuetraAI only stores non-sensitive display information: card brand (e.g., Visa, Mastercard), last 4 digits, and expiry date — solely for display purposes in the dashboard.
- QuetraAI evaluates spending policies for AI agents. Actual payment processing is handled by third-party services configured by the user.
Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization name. Authentication is handled via Better Auth (self-hosted). If you sign in with a social provider (GitHub, Google, Apple, or Microsoft), we receive your basic profile information from that provider.
Agent Governance Data
We store the mandate rules, budget configurations, agent definitions, and transaction history (approve/reject decisions with amounts, vendors, and categories) that you create and manage through our platform. This data is essential to providing the governance service.
Usage Metrics
We track evaluation counts and API usage per organization for billing purposes and to enforce tier-based rate limits.
Payment Method Display Information
When you add a payment method via Stripe, we store only the card brand, last 4 digits, and expiry date for display in the dashboard. We never receive or store full card numbers or CVVs.
Website Analytics
We use Google Analytics (GA4) and Vercel Analytics to collect anonymized usage data such as page views, session duration, and referral sources. This data is used to improve our website and documentation.
How We Use Your Information
- To provide the mandate governance service — evaluating, approving, and rejecting agent spending requests in real time.
- To process and track agent spending decisions and maintain an audit trail of all transactions.
- To bill for our service using usage-based pricing via Stripe.
- To improve our service, documentation, and user experience via analytics.
- To send service-related communications (e.g., webhook event notifications, billing alerts).
Third-Party Service Providers
We share data with the following third-party providers solely to operate and deliver the QuetraAI platform:
- Stripe — payment processing and subscription billing. Stripe receives your payment method details directly and is PCI DSS Level 1 certified.
- Neon — serverless PostgreSQL database hosting. All data is encrypted at rest and in transit.
- Cloudflare — API gateway and MCP server hosting (Cloudflare Workers). Provides DDoS protection and edge computing.
- Vercel — dashboard and marketing website hosting.
- Google — anonymized website analytics via Google Analytics (GA4).
We do not sell, rent, or trade your personal data to any third party.
Security
We implement industry-standard security measures to protect your data:
- Ed25519 cryptographic signing on all mandates, ensuring tamper-proof governance rules.
- AES-256-GCM encryption for sensitive cryptographic keys at rest.
- All data transmitted over HTTPS/TLS.
- API keys stored as SHA-256 hashes — we never store plaintext API keys after initial creation.
- Webhook payloads signed with HMAC-SHA256 for integrity verification.
Data Retention
- Transaction records are retained indefinitely as part of our append-only audit log. This ensures a complete, tamper-proof history of all agent spending decisions.
- Webhook events are retained for 30 days, after which they may be archived or deleted.
- Account data is retained while your account is active. Upon account deletion request, we will remove your personal information within 30 days, subject to legal retention requirements.
- Analytics data collected via Google Analytics is subject to Google's data retention policies.
Your Rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your account and associated personal data.
- Export your transaction history and governance data.
- Object to processing of your data where we rely on legitimate interests.
To exercise any of these rights, contact us at support@quetra.dev.
Cookies
We use essential cookies for authentication (session cookies via Better Auth) and analytics cookies (Google Analytics, Vercel Analytics). Session cookies are required for the dashboard to function. Analytics cookies help us understand how our website is used and can be blocked by your browser or ad blocker without affecting platform functionality.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of QuetraAI after changes are posted constitutes acceptance of the revised policy.
Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
See also our Terms of Service.