Privacy Policy

Effective date: January 10, 2026
Last updated: January 10, 2026

This Privacy Policy explains how SHAZAM Analytics Ltd ("Qualimetry", "we", "us") collects, uses, shares, and protects personal data when you visit our websites (including qualimetry.com, qualimetry.ai, qualimetry.io and related subdomains) and when we provide our products and services (the "Services"). By accessing or using the website or Services, you agree to the practices described in this policy.

This policy is intended to support customers and users across jurisdictions, including the United Kingdom, the European Union, and the United States, and to meet transparency expectations under UK GDPR, EU GDPR, and applicable US privacy laws.

Who We Are and How to Contact Us

Controller: SHAZAM Analytics Limited
Privacy & Security email: info [at] qualimetry [dot] com
Registered address and Postal contact for privacy requests: The Privacy Officer, 1417-1419 London Road, Norbury, London, SW16 4AH

If you use the Services through your employer or another organisation, your organisation may be the primary controller for some processing. See "Roles Under Data Protection Law".

Scope: Website Data vs Service Data

We process personal data in two main contexts:

Website Data (Controller): information collected when you browse our marketing site, request a demo, create an account, or contact us.

Service Data (Processor in most cases): information processed when we deliver the Services to customers, including code-quality analysis workflows and related administration and security operations.

Roles Under Data Protection Law (Controller vs Processor)

When we provide the Services to a business customer, the customer is typically the controller of Service Data and we act as a processor on the customer's instructions (for example, analysing code repositories, generating reports, and managing users within the customer's tenant).

When we operate our website, sales activities, billing, and account administration, we are the controller of that data.

Where required, we provide a Data Processing Addendum ("DPA") that governs our processor obligations, including confidentiality, security controls, subprocessors, and international transfers, available here.

Personal Data We Collect

Website and Business Contact Data: we may collect identity and contact data (name, email address, phone number, job title, company, country), enquiry and communications data (messages and support requests), marketing preferences, and technical and usage data (IP address, device type, browser, pages viewed, referral URLs, approximate location derived from IP, and logs).

Service Data (processed on behalf of customers): depending on configuration and use, we may process user account data (name, username, email, role, authentication identifiers), audit logs, repository and development metadata (repository identifiers, branch names, commit IDs, pull request metadata), and code review artefacts.

Source code and related files: customers may provide source code and associated files for analysis. Source code may sometimes contain personal data (for example, author names/emails in commit history or comments) or secrets inadvertently embedded by customers. Customers should avoid placing unnecessary personal data or secrets in code and should use appropriate secret management controls. We provide access controls and operational safeguards designed to support secure handling of Service Data.

How We Use Personal Data

Website and Business Purposes (Controller):

- Provide and administer the website and customer accounts
- Respond to enquiries, schedule demos, and provide customer support
- Send service communications (onboarding, transactional messages, security notices)
- Improve our website and Services, including performance and reliability
- Market and promote the Services where permitted by law and your preferences
- Prevent fraud, misuse, and security incidents
- Comply with legal obligations and enforce our rights

Service Delivery (Processor):

- Provide the Services to customers (run analyses, generate outputs, manage access, maintain audit logs, provide support)
- Maintain, secure, and troubleshoot the Services
- Meet contractual commitments and legal requirements applicable to the service provider role

Legal Bases (UK/EU)

Where UK GDPR or EU GDPR applies and we act as controller, we rely on one or more of the following legal bases:

- Contract: to provide Services you request, manage accounts, and provide support
- Legitimate interests: to operate and secure our business, improve Services, and prevent fraud (balanced against your rights)
- Consent: where required (for example, certain cookies and some marketing)
- Legal obligation: to meet applicable legal, regulatory, accounting, and tax requirements

Where we act as processor, the customer determines the legal basis and instructs us regarding the processing.

Sharing of Personal Data

We do not sell personal data in the ordinary meaning of "sell". We may share personal data with:

- Service providers and subprocessors (for example, hosting, email delivery, customer support tooling, security tooling) who process data under contractual obligations of confidentiality and security
- Professional advisers (legal, audit, insurers) where necessary
- Authorities where required by law or to protect rights, safety, and security
- Parties in connection with corporate events (merger, acquisition, financing, or sale of assets), subject to appropriate protections

International Data Transfers

We may process and store personal data in the United Kingdom, the European Economic Area, the United States, and other locations where we or our service providers operate.

Where UK/EU personal data is transferred internationally, we use appropriate safeguards such as Standard Contractual Clauses and the UK Addendum or UK IDTA, and additional technical and organisational measures where appropriate. You can request information about transfer safeguards using the contact details in this policy.

Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy.

- Website enquiries: until no longer needed for the purposes of the enquiry.
- Marketing contacts: until you opt out, or we remove inactive contacts per our retention rules
- Service Data: retained according to the customer contract and/or customer instructions; backups retained for limited periods for disaster recovery
- Legal and financial records: retained as required by applicable law

We may retain data longer where needed to establish, exercise, or defend legal claims.

Data Security

We implement administrative, technical, and physical measures designed to protect personal data, such as role-based access control and least privilege, multi-factor authentication for administrative access where supported or required, logging and audit trails, encryption in transit and, where appropriate, at rest, vulnerability management, and incident response processes.

No method of transmission or storage is 100% secure. If you believe your interaction with us is no longer secure, please contact us immediately using the security contact details listed above.

Your Rights (UK/EU)

Depending on your location and applicable law, you may have rights regarding your personal data, including the right to access, correct, delete, restrict processing, object to processing, and data portability, and the right to withdraw consent where processing is based on consent.

You may also have the right to lodge a complaint with a supervisory authority. UK supervisory authority: Information Commissioner's Office (ICO).

To exercise your rights, contact us at the address above. We may need to verify your identity and will respond within legally required timeframes.

Service users: if your organisation controls your Service account, we may direct you to your organisation to exercise certain rights relating to Service Data.

US Privacy Disclosures (Summary)

Where applicable under US state privacy laws, you may have rights such as access, correction, deletion, and data portability, and the ability to opt out of certain targeted advertising or profiling where applicable.

We disclose the categories of personal data we collect, the purposes for which we use it, and the categories of recipients in this policy. If we engage in targeted advertising or cross-context behavioural advertising, we will provide an appropriate opt-out mechanism as required. If we do not engage in such activities, we will state that clearly. We do not engage in cross-context behavioural advertising / targeted advertising on our marketing site.

Cookies and Similar Technologies

We use cookies and similar technologies for essential site functionality and, where enabled, analytics and preference management. For details and how to manage preferences, see our Cookie Policy.

Children

Our website and Services are not directed to children and are intended for business users. We do not knowingly collect personal data from children.

Third-Party Links

Our website may link to third-party websites. Their privacy practices are governed by their own policies. We are not responsible for the content or privacy practices of third parties.

Changes to This Policy

We may update this policy periodically. We will post the updated version and revise the "Last updated" date. Material changes will be communicated through appropriate channels.