
Privacy Policy

Last Updated: April 6, 2026  |  Effective Date: April 6, 2026

Version 2.0

Table of Contents

  1. Introduction & Scope
  2. Definitions
  3. Data Controller & Contact Information
  4. Information We Collect
  5. Information We Do NOT Collect
  6. Legal Basis for Processing (GDPR)
  7. How We Use Your Information
  8. Data Sharing & Disclosure
  9. Data Retention
  10. Data Security
  11. User-Operated Server & Client Data
  12. Parental Monitoring Data
  13. Cookies & Tracking Technologies
  14. International Data Transfers
  15. Your Rights Under GDPR
  16. Your Rights Under CCPA/CPRA
  17. Your Rights Under Other Privacy Laws
  18. Children's Privacy (COPPA)
  19. Third-Party Services & Links
  20. Data Breach Notification
  21. Do Not Track Signals
  22. Automated Decision Making & Profiling
  23. Data Protection Officer
  24. Changes to This Privacy Policy
  25. Governing Law
  26. Contact Information

1. Introduction & Scope

QuimaRAT ("Company," "We," "Us," or "Our") is committed to protecting the privacy and personal data of our users. This Privacy Policy ("Policy") describes how we collect, use, process, store, share, and protect information when you:

  • Visit our website;
  • Purchase or license our Software;
  • Create an account or register a license;
  • Use our Software (server application, builder, client components);
  • Contact our support team;
  • Interact with us through any other channel.

This Policy applies to all users worldwide, including those in the European Economic Area (EEA), the United Kingdom (UK), California (USA), Brazil, Canada, South Africa, Australia, and all other jurisdictions with applicable data protection legislation.

By accessing or using our Software and Service, you acknowledge that you have read, understood, and consent to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of the Software and Service immediately.

⚠ IMPORTANT DISTINCTION: This Privacy Policy covers data that We (the Company) collect from you. It does NOT govern data that you (the User) collect from monitored devices using the Software. You are the independent data controller for any data collected through your deployment of the Software, and you are solely responsible for complying with all applicable privacy laws regarding that data. See Section 11 for details.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR and equivalent legislation.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the CPRA.
  • "COPPA" means the Children's Online Privacy Protection Act.
  • "HWID" means Hardware Identification, a unique identifier derived from hardware components.
  • "Server Data" means all data collected, processed, stored, or transmitted through the User's self-hosted QuimaRAT server installation.

3. Data Controller & Contact Information

For the purposes of applicable data protection laws, the Data Controller for Personal Data we collect directly from you (as described in Section 4) is QuimaRAT.

For data collected through your self-hosted server deployment (Server Data), YOU are the independent Data Controller, and you are solely responsible for all legal obligations associated with that role.

Contact channels for data-related inquiries:

  • Discord: QuimaRAT Official Server
  • Telegram: @QuimaRAT
  • XMPP: quimarat@xmpp.jp

4. Information We Collect

We collect the following categories of information:

4.1 Account & Purchase Information

When you purchase a license or create an account, we may collect:

  • Username or display name;
  • Email address (if provided);
  • Payment transaction IDs (we do NOT store full credit card numbers, CVVs, or banking details);
  • Purchase date and subscription type;
  • Communication platform identifiers (Discord ID, Telegram username, XMPP address).

4.2 License & Authentication Data

To manage and enforce licensing, we collect:

  • License key;
  • Hardware Identification (HWID) — a hashed identifier derived from your hardware components;
  • Authentication timestamps;
  • IP address at the time of license authentication;
  • License status (active, expired, suspended, revoked).

4.3 Technical & Usage Data

When you use the Software, we may automatically collect:

  • Software version number;
  • Operating system type and version;
  • Java runtime version;
  • Basic error/crash reports (anonymized, no user data included);
  • Feature usage statistics (which modules are used, aggregated and anonymous).

4.4 Communication Data

When you contact us for support or inquiries, we may collect:

  • Content of your messages;
  • Communication platform metadata (timestamps, message IDs);
  • Any attachments, screenshots, or files you voluntarily share.

4.5 Website Data

When you visit our website, we may collect:

  • IP address;
  • Browser type and version;
  • Device type;
  • Pages visited and time spent;
  • Referring URL;
  • General geographic location (country/region level, derived from IP).

5. Information We Do NOT Collect

To be clear and transparent, we explicitly do NOT collect:

  • Server Data: We have no access to your self-hosted QuimaRAT server. We cannot see, access, intercept, or retrieve any data flowing between your server and connected clients;
  • Client/Agent Data: We do not collect any data from devices on which you have deployed client agents — including screenshots, keystrokes, files, webcam footage, microphone recordings, or GPS locations;
  • Monitored Person Data: We do not collect, process, or store any data about individuals whose devices are being monitored through your deployment;
  • Full Payment Details: We do not store credit card numbers, bank account numbers, CVV codes, or complete financial account details;
  • Government IDs: We do not collect social security numbers, national ID numbers, passport numbers, or driver's license numbers;
  • Biometric Data: We do not collect fingerprints, facial recognition data, voiceprints, or other biometric identifiers;
  • Health Data: We do not collect any health or medical information;
  • Genetic Data: We do not collect any genetic information.

6. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and the United Kingdom (UK), we process Personal Data based on the following legal grounds under Article 6(1) of the GDPR:

Processing Activity | Legal Basis
License management and authentication | Performance of contract (Art. 6(1)(b))
Payment processing | Performance of contract (Art. 6(1)(b))
Customer support | Performance of contract (Art. 6(1)(b))
Anti-piracy enforcement | Legitimate interest (Art. 6(1)(f))
Security and fraud prevention | Legitimate interest (Art. 6(1)(f))
Product improvement (anonymous analytics) | Legitimate interest (Art. 6(1)(f))
Legal compliance | Legal obligation (Art. 6(1)(c))
Website cookies (non-essential) | Consent (Art. 6(1)(a))

7. How We Use Your Information

We use the collected information for the following purposes:

7.1 License Management

  • Verifying license authenticity and validity;
  • Binding licenses to HWID for anti-piracy enforcement;
  • Managing subscription renewals and expirations;
  • Processing HWID reset requests;
  • Detecting and preventing license abuse, sharing, or piracy.

7.2 Service Delivery

  • Providing access to the Software and updates;
  • Delivering customer support and technical assistance;
  • Processing transactions and delivering license keys;
  • Sending important service notifications (updates, security alerts, license expiration reminders).

7.3 Product Improvement

  • Analyzing anonymous usage patterns to improve features and performance;
  • Identifying and fixing bugs, errors, and compatibility issues;
  • Developing new features and modules based on aggregated usage data.

7.4 Security & Fraud Prevention

  • Detecting and preventing unauthorized access, fraud, and abuse;
  • Enforcing our Terms of Service;
  • Protecting the rights, property, and safety of the Company and its users;
  • Investigating suspicious or potentially illegal activities.

7.5 Legal Compliance

  • Complying with applicable laws, regulations, and legal processes;
  • Responding to lawful requests from government and law enforcement authorities;
  • Establishing, exercising, or defending legal claims.

8. Data Sharing & Disclosure

We do NOT sell, rent, trade, or otherwise commercially share your Personal Data with third parties for their marketing purposes. We may disclose your information in the following limited circumstances:

8.1 Service Providers

We may share data with trusted third-party service providers who assist us in operating our business, including payment processors, hosting providers, and analytics services. These providers are contractually obligated to protect your data and may only use it for the purposes we specify.

8.2 Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable laws, regulations, or legal processes;
  • Respond to a valid subpoena, court order, or government request;
  • Protect the rights, property, or safety of the Company, its users, or the public;
  • Investigate, prevent, or take action regarding suspected illegal activities;
  • Enforce our Terms of Service.

8.3 Law Enforcement Cooperation

In cases where we have reasonable grounds to believe that a user is engaging in illegal activities using our Software (including unauthorized computer access, stalking, harassment, or other criminal conduct), we reserve the right to cooperate with law enforcement authorities and may proactively share relevant information to assist in investigations.

8.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will notify affected users of any material changes in ownership or control of their Personal Data.

8.5 With Your Consent

We may share your information with third parties when we have your explicit consent to do so.

9. Data Retention

9.1 Retention Periods

Data Category | Retention Period
Account information | Duration of account + 3 years after deletion
License and HWID data | Duration of subscription + 2 years
Payment transaction records | 7 years (legal/tax requirements)
Authentication logs (IP addresses) | 12 months
Support communications | 3 years after last interaction
Anonymous usage analytics | Indefinitely (fully anonymized)
Website logs | 90 days

9.2 Retention Justification

We retain data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, it is securely deleted or anonymized.

9.3 Account Deletion

You may request deletion of your account and associated Personal Data at any time by contacting us. Account deletion will result in the termination of your license. Certain data may be retained as required by law or for legitimate business purposes (e.g., fraud prevention, financial records).

10. Data Security

10.1 Security Measures

We implement appropriate technical and organizational security measures to protect your Personal Data against unauthorized access, alteration, disclosure, destruction, or loss, including but not limited to:

  • Encryption of data in transit (SSL/TLS);
  • Encryption of sensitive data at rest;
  • Access controls and authentication mechanisms;
  • Regular security assessments and updates;
  • Secure development practices;
  • Minimization of data collection;
  • Employee/team access on a need-to-know basis.

10.2 No Absolute Guarantee

While we take reasonable measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not liable for any unauthorized access resulting from factors beyond our reasonable control (e.g., zero-day exploits, state-sponsored attacks, user negligence).

10.3 Your Security Responsibilities

You are responsible for maintaining the security of your account credentials, license keys, and access to your own server installation. If you suspect any unauthorized access to your account, you must notify us immediately.

11. User-Operated Server & Client Data

⚠ CRITICAL DISTINCTION — PLEASE READ CAREFULLY

11.1 Self-Hosted Architecture

QuimaRAT operates on a self-hosted architecture. The server application runs entirely on YOUR infrastructure (your personal computer, your VPS, your dedicated server, etc.). All client-to-server communications are direct between the end-user's server and the deployed client agents.

11.2 No Company Access

The Company has absolutely NO access to:

  • Your server installation or configuration;
  • The IP addresses, locations, or identities of connected client agents;
  • Any data transmitted between your server and client agents;
  • Screenshots, keystrokes, files, webcam footage, microphone recordings, clipboard data, or any other content captured by client modules;
  • Any data stored on your server's database or file system;
  • Network traffic between your server and clients;
  • The identity of individuals whose devices are being monitored.

11.3 You Are the Data Controller

For all data collected through your deployment of the QuimaRAT Software (Server Data), YOU are the independent Data Controller as defined under the GDPR and equivalent legislation. This means YOU are solely responsible for:

  • Determining the purposes and means of data processing;
  • Obtaining all necessary consents from data subjects;
  • Providing required privacy notices to monitored individuals;
  • Implementing appropriate data security measures;
  • Responding to data subject access requests (DSARs);
  • Reporting data breaches to relevant authorities where required;
  • Complying with all applicable data protection laws, including GDPR, CCPA, COPPA, and others;
  • Maintaining Data Processing Impact Assessments (DPIAs) where required;
  • Appointing a Data Protection Officer if required by applicable law;
  • Ensuring lawful cross-border data transfers.

11.4 Company's Non-Liability

The Company is NOT a Data Controller, Data Processor, or Sub-Processor for any Server Data. The Company bears absolutely no responsibility or liability for:

  • The nature, content, or legality of data you collect;
  • Your compliance or non-compliance with privacy laws;
  • Any data breaches occurring on your server or infrastructure;
  • Any privacy violations resulting from your use of the Software;
  • Any claims by third parties whose data you have collected;
  • Any regulatory fines or penalties imposed on you.

12. Parental Monitoring Data

12.1 Special Considerations

If you use the Software for parental monitoring purposes (as described in the Terms of Service, Section 10), you are collecting data about your minor child. This data may include sensitive information such as browsing history, messages, locations, and screen content.

12.2 Parent as Data Controller

As the parent or legal guardian, you are the Data Controller for any data collected from your child's device. You must:

  • Handle your child's data with the utmost care and sensitivity;
  • Use collected data solely for the purpose of ensuring your child's safety and well-being;
  • Implement appropriate security measures to protect your child's data;
  • Not share or disclose your child's monitoring data with unauthorized third parties;
  • Comply with all applicable children's privacy laws, including COPPA (if applicable);
  • Consider the child's age, maturity, and privacy expectations when configuring monitoring;
  • Retain monitoring data only for as long as reasonably necessary;
  • Securely delete monitoring data when it is no longer needed.

12.3 COPPA Compliance

The Company does not knowingly collect personal information from children under 13. The parental monitoring functionality is designed for parents to use on their children's devices — the parent (an adult) is the user of the Software, and any data collection is under the parent's control and responsibility.

13. Cookies & Tracking Technologies

13.1 Website Cookies

Our website may use the following types of cookies:

Cookie Type | Purpose | Duration
Essential Cookies | Required for basic website functionality, security, and navigation | Session / up to 1 year
Preference Cookies | Remember user preferences (language, theme) | Up to 1 year
Analytics Cookies | Anonymous website usage statistics to improve user experience | Up to 2 years

13.2 Managing Cookies

You can manage, disable, or delete cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of our website. For more information on cookie management, refer to your browser's help documentation.

13.3 Software Telemetry

The Software may transmit anonymous usage telemetry to help us improve the product. This telemetry does NOT include any personal data, monitoring data, or information about connected clients. You may be able to disable telemetry in the Software settings.

14. International Data Transfers

14.1 Cross-Border Transfers

Your Personal Data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

14.2 Safeguards

Where we transfer Personal Data outside the EEA or UK, we implement appropriate safeguards to ensure an adequate level of protection, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Transfers to countries with adequacy decisions;
  • Other legally recognized transfer mechanisms.

14.3 Your Server Data Transfers

If your server deployment involves cross-border data transfers (e.g., your server is in one country and monitored devices are in another), YOU are responsible for ensuring such transfers comply with applicable data protection laws, including implementing appropriate transfer mechanisms under the GDPR.

15. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the following rights under the GDPR and UK GDPR:

15.1 Right of Access (Art. 15)

You have the right to request a copy of the Personal Data we hold about you, along with information about how we process it.

15.2 Right to Rectification (Art. 16)

You have the right to request correction of inaccurate or incomplete Personal Data.

15.3 Right to Erasure (Art. 17)

You have the right to request deletion of your Personal Data in certain circumstances, including when the data is no longer necessary for its original purpose, you withdraw consent, or you object to processing.

15.4 Right to Restrict Processing (Art. 18)

You have the right to request restriction of processing of your Personal Data in certain circumstances.

15.5 Right to Data Portability (Art. 20)

You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller.

15.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

15.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.

15.8 Right to Lodge a Complaint (Art. 77)

You have the right to lodge a complaint with your local data protection supervisory authority.

15.9 Exercising Your Rights

To exercise any of these rights, please contact us using the information in Section 26. We will respond to your request within 30 days. We may require verification of your identity before processing your request.

16. Your Rights Under CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

16.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of Personal Information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.

16.2 Right to Delete

You have the right to request that we delete Personal Information we have collected from you, subject to certain exceptions.

16.3 Right to Correct

You have the right to request correction of inaccurate Personal Information.

16.4 Right to Opt-Out of Sale/Sharing

We do NOT sell or share your Personal Information for cross-context behavioral advertising. If this practice changes, we will provide a clear opt-out mechanism.

16.5 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA/CPRA rights.

16.6 Authorized Agents

You may designate an authorized agent to submit requests on your behalf, provided you verify the agent's identity and authorization.

17. Your Rights Under Other Privacy Laws

17.1 Brazil (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and the right to revoke consent.

17.2 Canada (PIPEDA)

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access and challenge the accuracy of your personal information.

17.3 Australia (Privacy Act)

If you are located in Australia, you have rights under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), including the right to access and correct your personal information.

17.4 South Africa (POPIA)

If you are located in South Africa, you have rights under the Protection of Personal Information Act (POPIA), including the right to access, correction, and deletion of your personal information.

17.5 Other Jurisdictions

If you are located in a jurisdiction with applicable data protection legislation not specifically addressed above, we will respect and comply with your rights under such legislation to the extent required by law.

18. Children's Privacy (COPPA)

18.1 Age Restriction

The Software and Service are not directed at and are not intended for children under the age of 18. We do not knowingly collect Personal Data from children under 13 (or the applicable age in your jurisdiction).

18.2 Parental Monitoring Exception

The parental monitoring feature is designed for adult parents/guardians to monitor their minor children. In this context, the adult is the Software user and data controller — the child is not a user of our Software or Service, and we do not collect any data from or about the child.

18.3 Discovery of Minor's Data

If we discover that we have inadvertently collected Personal Data from a child under 13, we will take immediate steps to delete such data from our records.

18.4 Parental Rights

If you believe we have collected Personal Data from your child, please contact us immediately so we can delete the information.

19. Third-Party Services & Links

Our website and Software may contain links to or integrations with third-party websites, services, or platforms (e.g., Discord, Telegram, payment processors). This Privacy Policy does not apply to third-party services. We are not responsible for the privacy practices, content, or security of third-party services. We encourage you to review the privacy policies of any third-party services you access.

20. Data Breach Notification

20.1 Company Breach Notification

In the event of a data breach affecting your Personal Data held by the Company, we will:

  • Investigate the breach promptly and thoroughly;
  • Take immediate steps to contain and mitigate the breach;
  • Notify affected users without undue delay;
  • Report the breach to relevant supervisory authorities within 72 hours where required by GDPR;
  • Provide information about the nature of the breach, the data affected, and steps taken to mitigate it.

20.2 Your Breach Notification Obligations

If you experience a data breach involving data collected through your QuimaRAT server deployment, YOU are responsible for complying with all applicable breach notification laws, including notifying affected individuals and relevant authorities as required.

21. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how to respond to DNT signals. Our website may not respond to DNT signals at this time, but we do not engage in cross-site tracking of our users.

22. Automated Decision Making & Profiling

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. License management decisions (such as fraud detection) may involve automated processes, but significant decisions (such as license termination) are reviewed by a human.

23. Data Protection Officer

For data protection inquiries, you may contact our designated data protection contact through the channels listed in Section 26. We will direct your inquiry to the appropriate person responsible for data protection matters.

24. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. Changes will be posted on this page with an updated "Last Updated" date. Material changes may be communicated through our website, email, in-application notification, or community channels.

Your continued use of the Software and Service after any changes to this Policy constitutes your acceptance of those changes. We recommend reviewing this Policy periodically.

If you disagree with any changes, your sole remedy is to discontinue use of the Software and Service and request deletion of your account.

25. Governing Law

This Privacy Policy is governed by the same governing law provisions as set forth in our Terms of Service. For users in the EEA/UK, nothing in this Policy affects your rights under the GDPR/UK GDPR or your right to lodge a complaint with your local supervisory authority.

26. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the following channels:

  • Discord: QuimaRAT Official Server
  • Telegram: @QuimaRAT
  • XMPP: quimarat@xmpp.jp

For privacy-specific requests (data access, deletion, correction), please include "PRIVACY REQUEST" in the subject/title of your message. We will respond within 30 days of receiving your request.

For EEA/UK residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.

BY USING THE QUIMARAT SOFTWARE AND SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY.

© 2026 QuimaRAT. All rights reserved.
