Trust
Security and Data Handling
Last updated: June 1, 2026
Authentication
Qurifix uses passwordless email sign-in. Login tokens and session tokens are hashed before storage. Signed-in sessions use an HttpOnly cookie with SameSite=Lax, and the Secure attribute is set when the request is served over HTTPS.
Access Controls
Account audit history requires a signed-in session. Private report links may use access tokens for controlled report access; newly created report access tokens are stored as hashes. Billing actions require account authentication and Creem signature validation where applicable.
Payment Handling
Qurifix does not directly store card numbers. Checkout, billing portal access, customer IDs, subscription IDs, and billing status are handled through Creem. Webhook events are verified with signatures before billing state is updated.
Audit Data Retention
Audit retention is plan-based: Free Trial is 7 days, Starter is 30 days, Growth is 180 days, and Pro or Enterprise is 365 days unless a separate enterprise agreement says otherwise. Security logs, billing records, webhook records, and legal records may be retained longer when needed.
Evidence Handling
Avoid submitting passwords, credentials, private customer data, payment data, or unnecessary personal information in product evidence. Qurifix is designed for product URLs, visible product-page evidence, screenshots submitted by user action, and ecommerce listing information.
Product URL inspection is restricted to public HTTP and HTTPS pages. Qurifix blocks localhost, private network addresses, link-local addresses, and common cloud metadata addresses before fetching or following redirects.
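The destination check described above, sketched as an added example; this is not Qurifix's own code. The function names, the injectable resolver, and the extra blocked address are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: one metadata address in shared address space that the
# ipaddress flags below do not cover; extend per environment.
EXTRA_BLOCKED = {ipaddress.ip_address("100.100.100.200")}

def system_resolve(host):
    """Return every address the system resolver gives for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def ip_is_blocked(text):
    """True for loopback, private, link-local and similar non-public addresses."""
    ip = ipaddress.ip_address(text.split("%")[0])   # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                         # ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved
            or ip in EXTRA_BLOCKED)

def check_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a single fetch target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)                  # IP literal: no DNS lookup
        addrs = {host}
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            addrs = set()
    if not addrs:
        return False, "unresolvable"
    # Reject if ANY resolved address is non-public, not just the first one.
    bad = sorted(a for a in addrs if ip_is_blocked(a))
    if bad:
        return False, "blocked address " + bad[0]
    return True, "ok"

def check_chain(urls, resolve=system_resolve):
    """Validate the initial URL and then every redirect target, in order."""
    for hop, url in enumerate(urls):
        ok, reason = check_url(url, resolve)
        if not ok:
            return False, f"hop {hop}: {reason}"
    return True, "ok"
```

A check like this only holds if the HTTP client then connects to the address that was validated; resolving the name a second time at connect time lets the answer change between check and fetch.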
Security Reports
Report security concerns to [email protected]. Include the affected URL, steps to reproduce, impact, and your contact information.