Trust
Security and Data Handling
Last updated: June 1, 2026
Qurifix is operated by 宁波通变知化科技有限公司. This page summarizes how that operating entity handles account access, product evidence, reports, billing records, and security reports for the Qurifix service.
Authentication
Qurifix uses email and password sign-in. Password hashes and session tokens are stored securely. Signed-in sessions use an HttpOnly cookie with SameSite=Lax, and Secure is used when the request is served over HTTPS.
Access Controls
Account audit history requires a signed-in session. Private report links may use access tokens for controlled report access; newly created report access tokens are stored as hashes. Billing actions require account authentication and Creem signature validation where applicable.
Payment Handling
Qurifix does not directly store card numbers. Checkout, billing portal access, customer IDs, subscription IDs, and billing status are handled through Creem. Webhook events are verified with signatures before billing state is updated.
Audit Data Retention
Audit retention is plan-based: Free Trial is 7 days, Lite is 180 days, Pro is 365 days, and Enterprise is 730 days unless a separate enterprise agreement says otherwise. Security logs, billing records, webhook records, and legal records may be retained longer when needed.
Evidence Handling
Avoid submitting passwords, credentials, private customer data, payment data, or unnecessary personal information in product evidence. Qurifix is designed for product URLs, visible product-page evidence, screenshots submitted by user action, and ecommerce listing information.
Capture privacy is bounded by public product evidence. Qurifix Capture should not collect private admin pages, checkout flows, account pages, orders, customer records, seller-center credentials, or billing screens.
- No cookies: Qurifix does not need browser cookies to diagnose a public product page.
- No checkout data: checkout, payment, cart, and billing views are outside the evidence boundary.
- No customer records: customer names, order histories, addresses, messages, and support records should never be submitted.
Product URL inspection is restricted to public HTTP and HTTPS pages. Qurifix blocks localhost, private network addresses, link-local addresses, and common cloud metadata addresses before fetching or following redirects.
Report Sharing Controls
Report sharing controls are designed for readonly client handoff. Shared report links should summarize SKU readiness, missing evidence, and next action without exposing the private Workspace, account settings, billing details, or unrelated audit history.
Contact Security
Report security concerns to [email protected]. Include the affected URL, steps to reproduce, impact, and your contact information.