Privacy Policy

Platform privacy policy

Category: Legal
Confidential Level: public
Last Updated: 2025-11-25

Overview

This document outlines Qiwako's Privacy Policy, explaining how we collect, use, protect, and share user data. This policy applies to all users of the Qiwako CMS platform.

Information We Collect

User-Provided Information

  • Account Data: Username, email, password (encrypted), organization name
  • Profile Information: Name, contact details, optional profile data
  • Content: Pages, posts, media files, and user-generated content
  • Donation Data: Donor information, amounts, payment proofs, campaign data
  • Contact Messages: Form submissions with name, email, institution, message

Automatically Collected Information

  • Usage Analytics: Page views, clicks, form submissions, user behavior
  • Device Data: Browser type, OS, device type, screen resolution
  • Log Data: IP addresses, timestamps, visited pages, referrers
  • Cookies: Session, preference, and analytics cookies
  • Security Logs: Login attempts, authentication events, audit trails

Third-Party Information

  • OAuth Providers: Profile data from Google/Facebook sign-in
  • Analytics: Google Analytics 4 data (when enabled by tenant)

How We Use Your Information

  • Service Delivery: Provide, maintain, and improve the platform
  • Account Management: Create and manage user accounts and tenants
  • Authentication: Verify identity, support MFA and biometric login
  • Content Management: Store, display, and manage user content
  • Analytics: Understand usage patterns and improve UX
  • Communication: Send notifications, updates, and support responses
  • Security: Detect and prevent threats, fraud, and abuse
  • Compliance: Meet legal obligations and enforce Terms of Service

Data Security

Multi-Tenant Architecture

  • Logical data isolation per tenant organization
  • Tenant admins control their organization's data
  • Cross-tenant access prevention via middleware

Security Measures

  • Encryption: Bcrypt/Argon2 password hashing, SSL/TLS transmission
  • Access Control: Role-based permissions (RBAC)
  • MFA Support: Multi-factor authentication available
  • Brute Force Protection: Account lockout and IP blocking
  • DDoS Protection: Rate limiting and pattern detection
  • CSP Headers: Content Security Policy for XSS prevention
  • Audit Logging: Complete administrative action trail
  • File Security: Extension and MIME type validation

Data Retention

  • Active Accounts: Data retained while account is active
  • Deleted Accounts: Permanent deletion within 30 days
  • Audit Logs: Retained 90 days to 1 year for compliance
  • Backups: Retained per backup retention policy

Data Sharing

We do not sell, rent, or trade personal information. Sharing occurs only:

  • With Consent: When explicitly authorized
  • Within Tenant: Shared based on role and permissions
  • Service Providers: Cloud hosting, email, analytics, payment processors
  • Legal Requirements: Court orders, government investigations, fraud prevention

Cookies and Tracking

  • Essential: Session cookies, CSRF tokens (required)
  • Functional: Theme preferences, pop-up tracking
  • Analytics: Google Analytics (tenant-enabled), internal tracking

Users can control cookies via browser settings.

User Rights

  • Access: Request copy of personal data
  • Correction: Update profile information
  • Deletion: Request account and data deletion
  • Opt-Out: Disable analytics, communications, push notifications
  • Portability: Export organization data (tenant admins)

Children's Privacy

Qiwako is not intended for children under 13. We do not knowingly collect data from children under 13.

International Transfers

Data may be transferred internationally. We ensure compliance with data protection laws and implement appropriate safeguards.

Policy Changes

We may update this policy. Material changes will be communicated via:
  • Updated policy on this page
  • Updated "Last Updated" date
  • Email notification for significant changes

Contact

For privacy questions or requests:
  • Email: [email protected]
  • Website: your-domain.com


This privacy policy is effective as of the last updated date and applies to all users of the Qiwako platform.