Privacy Policy

How we collect, use, and protect your personal information.

1. Introduction

QESTIT Group ("QESTIT", "we", "our", or "us") is committed to protecting your privacy and handling your personal information with transparency, care, and in full compliance with applicable data protection laws.

This Privacy Policy explains how we collect, use, process, disclose, and safeguard your personal information when you visit our websites, enquire about or use our services, participate in our events or training programs, or interact with our AI-powered solutions - including LinQRAG℠ and our AI Quality Engineering services.

QESTIT Group operates across 7 countries with over 900 quality engineering and software testing specialists. We are headquartered in Paris, France, with legal entities in Germany, Switzerland, Sweden, Austria, Egypt, and Saudi Arabia. Each entity processes personal data in compliance with the laws of its jurisdiction, as detailed in Section 14 of this Policy.

This Policy applies to all QESTIT Group entities and covers website visitors as well as clients, prospects, partners, and candidates whose personal data we process. It does not apply to data processed by QESTIT on behalf of its clients in the course of service delivery - that processing is governed by the relevant Data Processing Agreement between QESTIT and the client.

Last updated: April 2026 (replaces January 2026 version)
Data Controller: QESTIT Group, 20 rue d'Athènes, 75009 Paris, France
DPO contact: privacy@qestit.com | [DPO name to be confirmed]
Supervisory authority (EU): CNIL (Commission Nationale de l'Informatique et des Libertés), France
Supervisory authority (UK): Information Commissioner's Office (ICO)
Swiss entity: QESTIT AG, Thurgauerstrasse 54, 8050 Zurich (regulated under nDSG)

2. Who We Are and How to Contact Us

For the purposes of this Privacy Policy, QESTIT Group acts as the Data Controller for personal data collected through our website, marketing activities, and direct client and candidate relationships. Where QESTIT processes personal data on behalf of clients as part of service delivery, we act as a Data Processor under the relevant Data Processing Agreement.

Data Protection Officer (DPO)

QESTIT has appointed a Data Protection Officer responsible for overseeing compliance with applicable data protection laws. You can contact our DPO at:

Email: privacy@qestit.com
Postal address: Data Protection Officer, QESTIT Group, 20 rue d'Athènes, 75009 Paris, France
Response time: We aim to respond to all privacy enquiries within 30 days.

3. Personal Information We Collect

We collect personal information in the following categories, depending on your relationship with us:

3.1 Information you provide directly

  • Contact details: name, email address, phone number, postal address
  • Professional details: company name, job title, industry, seniority level
  • Account and enquiry information: content of contact forms, service enquiries, or consultation requests
  • Training and event registrations: participation data, certifications, preferences
  • Recruitment data: CV, cover letter, employment history, references, interview notes (see our Recruitment Privacy Policy for full details)
  • Payment information: invoicing details, company registration numbers (no payment card data is stored by QESTIT)

3.2 Information we collect automatically

  • Website usage data: IP address, browser type, operating system, pages visited, time on page, referral source
  • Cookie and tracking data: see Section 10 (Cookies) for full details
  • Device identifiers: where you interact with QESTIT applications or tools

3.3 Information from third parties

  • Business contact data from professional networks (e.g. LinkedIn) where you have made your profile publicly available
  • Information from our technology partners and referral partners, where applicable
  • Publicly available company information for the purposes of sales and marketing outreach

3.4 Information processed as part of our AI services

AI data processing disclosure - important

When you or your organization use QESTIT's AI-powered services - including LinQRAG℠ (AI-driven test case generation), our AI Workflow Framework, AI Consulting, or AI Training programs - we may process requirements documents, business specifications, user stories, and other artefacts you provide. These documents may contain personal data. This processing is governed by the Data Processing Agreement between QESTIT and your organization and is described in detail in Section 7 (AI-Powered Services and Automated Processing) of this Policy.

4. How We Use Your Personal Information

We use personal information only for the purposes described below, and only where we have identified a lawful basis under Article 6 of the GDPR (or equivalent applicable law). We do not use personal data for purposes incompatible with those stated here.

Purpose | Lawful basis (GDPR Art. 6) | Examples
Responding to enquiries and providing services | Art. 6(1)(b) - Contract performance | Contacting you after a consultation request; delivering LinQRAG℠ outputs; providing training.
Marketing and business development communications | Art. 6(1)(f) - Legitimate interests | Sending relevant service updates, insights, and event invitations to existing contacts and prospects.
Newsletter and content subscriptions | Art. 6(1)(a) - Consent | Sending the QESTIT newsletter where you have opted in. You may withdraw consent at any time.
Website analytics and improvement | Art. 6(1)(f) - Legitimate interests | Analyzing site traffic and usage to improve performance and user experience.
Recruitment and talent management | Art. 6(1)(b) - Contract performance; Art. 6(1)(c) - Legal obligation | Processing candidate applications and conducting assessments.
Compliance with legal obligations | Art. 6(1)(c) - Legal obligation | Responding to regulatory requests; tax and accounting requirements; data breach notification.
AI service delivery (on behalf of clients) | Art. 6(1)(b) - Contract performance (under DPA) | Processing client-provided documents through LinQRAG℠ or AI Workflow Framework.
Improving our AI solutions (anonymized only) | Art. 6(1)(f) - Legitimate interests | Using aggregated, anonymized performance data to improve LinQRAG℠ accuracy. No personal data used for model training without explicit consent.

Legitimate interests: Where we rely on legitimate interests as our lawful basis, we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to this processing at any time (see Section 9).

5. How Long We Keep Your Information

We retain personal information only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. The following schedules apply:

Contact and enquiry data: 3 years from last interaction, or until you request deletion
Client and contract data: 7 years from end of contract (legal / accounting obligations)
Marketing and newsletter data: Until you unsubscribe or object; suppression list maintained thereafter
Recruitment data (unsuccessful): 6 months from rejection (12 months with consent for talent pool)
Website analytics data: 13 months (Google Analytics standard retention)
AI service delivery data: As defined in the client Data Processing Agreement; typically project duration + 90 days
AI-related anonymized performance data: Up to 36 months for model improvement purposes (no personal data)
Security and audit logs: 12 months minimum; up to 7 years for regulated environments (NIS2/DORA)

At the end of the applicable retention period, personal data is securely deleted or anonymized. We do not retain personal data beyond the periods above unless required to do so by law or court order.

6. How We Share Your Information

We do not sell your personal data. We do not share it with third parties for their own marketing purposes. We may share your information in the following limited circumstances:

6.1 Within the QESTIT Group

Your data may be shared between QESTIT Group entities where necessary to deliver services, manage our business, or comply with legal obligations. All intra-group transfers are governed by our internal data sharing policies and, where applicable, Standard Contractual Clauses.

6.2 With service providers and sub-processors

We engage third-party service providers ("processors") to support our operations. These include:

  • CRM and marketing platforms (e.g. HubSpot)
  • Website hosting and analytics providers
  • Cloud infrastructure providers (e.g. Microsoft Azure, AWS)
  • AI model and LLM providers used in our AI solutions (e.g. OpenAI, Mistral AI, Microsoft Azure OpenAI Service)
  • Video conferencing and collaboration tools
  • Accounting and legal service providers

All processors are subject to written Data Processing Agreements requiring them to process data only on our instructions and to implement appropriate security measures. A current list of our sub-processors is available on request.

6.3 With clients (in the context of service delivery)

Where we process data on behalf of a client organization, that processing is governed by the relevant Data Processing Agreement between QESTIT and the client. QESTIT acts as processor and the client acts as controller.

6.4 Legal and regulatory disclosures

We may disclose personal data to law enforcement, regulatory authorities, or courts where required by applicable law, a valid legal process, or to protect the rights, property, or safety of QESTIT, our clients, or others. We assess the legality and legitimacy of any such request before complying.

7. AI-Powered Services and Automated Processing

EU AI Act compliance - August 2026

The EU AI Act's transparency obligations under Article 50 apply from 2 August 2026. This section is designed to ensure QESTIT meets those obligations in advance of the compliance deadline. QESTIT does not deploy AI systems classified as 'high-risk' under Annex III of the EU AI Act in its client-facing services. LinQRAG℠ and our AI Workflow Framework are classified as limited-risk systems subject to transparency obligations only.

7.1 Our AI solutions and how they process data

QESTIT offers the following AI-powered solutions, each involving data processing as described:

LinQRAG℠ (AI test case generation): Processes requirements documents, user stories, and functional specifications provided by clients to generate structured test cases. Data is processed under the client's Data Processing Agreement. We do not use client-provided documents to train our AI models without explicit written consent.
AI Workflow Framework: Processes domain knowledge, test artefacts, and workflow data within a client's environment. Connects to tools such as Jira, Confluence, GitHub, and CI/CD pipelines. Processing is governed by the client's DPA.
AI Consulting: May involve reviewing a client's existing QA data, systems documentation, and infrastructure as part of an assessment. Data is treated as confidential and processed under NDA and DPA.
AI Training programmes: May involve processing participant names, professional roles, and training performance data for QESTIT Academy certification records. Governed by training agreements and GDPR.
QESTIT website chatbot / AI assistant: If QESTIT deploys an AI assistant on its website, users will be clearly informed they are interacting with an AI system before engagement begins, in compliance with EU AI Act Article 50.

7.2 AI model providers and data residency

Where our AI services rely on third-party large language model (LLM) providers, we have implemented the following safeguards:

  • We use enterprise-grade API configurations that do not permit training on client data
  • Data processing agreements are in place with all LLM providers
  • We assess and document data residency for each deployment (EU-region hosting preferred for regulated sector clients)
  • Where required by client sector regulations (DORA, NIS2, Saudi SAMA), we implement on-premises or private cloud configurations

7.3 Automated decision-making

QESTIT does not make solely automated decisions that produce legal or similarly significant effects about individuals (GDPR Article 22). Our AI solutions generate recommendations and test case outputs that are always subject to review and validation by QESTIT's human QA experts before delivery to clients.

Where AI-generated insights or recommendations form part of a client's decision-making process, we disclose this in the relevant service documentation and ensure that meaningful human oversight is maintained throughout.

7.4 AI system transparency

In accordance with EU AI Act Article 50 (effective August 2026):

  • Where QESTIT deploys AI-generated content or AI-assisted interfaces in its client-facing communications, this will be clearly disclosed.
  • QESTIT does not use AI to generate content intended to deceive or manipulate users.
  • AI-generated content produced by QESTIT tools is labelled as such in service deliverables.

7.5 No use of personal data for AI model training

QESTIT confirms that personal data provided by clients or website users is not used to train, fine-tune, or improve any AI model unless explicit, informed, and documented consent has been obtained. Aggregated and fully anonymized performance metrics may be used to improve the quality of LinQRAG℠ outputs.

8. International Data Transfers

QESTIT operates across multiple countries and uses service providers based in the EU, EEA, and third countries. Where we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to countries not covered by an adequacy decision, including the 2025 updated SCC versions.
  • Adequacy decisions: Where the European Commission has recognized a country as providing adequate protection (e.g. Switzerland, UK), we rely on those decisions for transfers to those countries.
  • Binding Corporate Rules (BCR): QESTIT is developing a BCR framework to govern intra-group transfers. Until BCR is in place, SCCs apply to all intra-group cross-border transfers.
  • Data transfer impact assessments (TIAs): We conduct transfer impact assessments for transfers to countries where legal access by public authorities could affect the protection of your data.

Switzerland: QESTIT AG (Zurich) processes data under the Swiss nDSG (new Federal Act on Data Protection, in force September 2023), which requires equivalent safeguards to GDPR for international transfers.

Saudi Arabia: Our Saudi Arabia office complies with the Saudi Personal Data Protection Law (PDPL) and the SAMA Cybersecurity Framework. Data held by our Saudi entity is subject to Saudi data localization requirements where applicable.

Egypt: Our Egypt operations comply with Egypt's Cybercrime Law (No. 175/2018) and the Central Bank of Egypt cybersecurity framework for financial sector data.

9. Your Data Protection Rights

Depending on your location and the applicable law, you have the following rights regarding your personal information:

9.1 Rights under GDPR and UK GDPR (EU/EEA and UK residents)

Right of access (Art. 15): Request a copy of the personal data we hold about you and information about how it is processed.
Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17): Request deletion of your personal data where there is no legitimate reason for us to continue processing it.
Right to restrict processing (Art. 18): Request that we limit the processing of your data in certain circumstances.
Right to data portability (Art. 20): Receive your data in a machine-readable format or request transfer to another controller.
Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
Right not to be subject to automated decisions (Art. 22): Not be subject to decisions based solely on automated processing with significant effects. QESTIT maintains human oversight on all AI-generated outputs.
Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

9.2 Rights under Saudi Arabia PDPL

Saudi residents have the right to access, correct, and request deletion of their personal data, and to object to processing for direct marketing. Requests should be sent to privacy@qestit.com.

9.3 Rights under Egypt data protection frameworks

Egyptian residents may submit data access and correction requests to our Egypt data protection contact at privacy@qestit.com. We respond to all requests within 30 days.

9.4 How to exercise your rights

To exercise any of the above rights, please contact our DPO at privacy@qestit.com or by post at QESTIT Group, 20 rue d'Athènes, 75009 Paris, France. We will respond within 30 days and will not charge a fee for reasonable requests. We may ask for proof of identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with your relevant supervisory authority:

  • EU/France: CNIL - www.cnil.fr
  • UK: ICO - www.ico.org.uk
  • Germany: Federal Commissioner for Data Protection (BfDI)
  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
  • Sweden: Integritetsskyddsmyndigheten (IMY)

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to operate and improve our site, personalize your experience, and analyze traffic. A separate Cookie Policy is available at [link to cookie policy page].

Cookie categories

Strictly necessary: Essential for the website to function. Cannot be disabled. No consent required.
Analytics / performance: Measure traffic and usage patterns. Anonymized where possible. Enabled with consent.
Functional: Enable personalized features such as language preference and chat tools. Enabled with consent.
Marketing / targeting: Used to deliver relevant advertising and track campaign performance. Enabled with consent only.

You can manage your cookie preferences at any time via our Cookie Settings tool in the website footer. Our cookie consent mechanism complies with the requirements of the EU privacy Directive and the 2025 Digital Omnibus amendments, which require equal prominence for accept and reject buttons.

11. Data Security

QESTIT implements appropriate technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, destruction, or alteration. These measures include:

  • Encryption of personal data in transit (TLS 1.2+) and at rest
  • Role-based access controls and least-privilege principles
  • Regular security testing including penetration testing and vulnerability assessments
  • Multi-factor authentication for internal systems
  • Employee data protection and information security training
  • Incident detection and response procedures aligned with GDPR Article 33, NIS2, and DORA requirements
  • Third-party processor security assessment as part of vendor onboarding

QESTIT holds ISO 27001 certification for information security management. As a specialist in cybersecurity quality assurance, we apply the same rigorous standards internally as we implement for our clients.

11.1 Breach notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, QESTIT will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). Where the breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay (GDPR Article 34).

Where QESTIT operates as a data processor on behalf of a client, we will notify the client data controller without undue delay upon becoming aware of a breach, to enable the controller to meet its own notification obligations.

12. Children's Data

QESTIT's services and website are not directed at children under the age of 16 (or under 18 in jurisdictions where that threshold applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@qestit.com and we will delete it promptly.

13. Third-Party Links

Our website may contain links to third-party websites, partner platforms, and social media. This Privacy Policy applies only to QESTIT's own websites and services. We encourage you to review the privacy policies of any third-party sites you visit. QESTIT is not responsible for the privacy practices of third-party sites.

14. Jurisdiction-Specific Information

14.1 European Union and EEA

QESTIT's primary data controller is QESTIT Group, incorporated in France and subject to GDPR. Our lead supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés). Residents of EU member states may exercise all rights set out in Section 9.1.

14.2 United Kingdom

QESTIT operates in the UK under UK GDPR, which mirrors GDPR in most material respects. The UK supervisory authority is the Information Commissioner's Office (ICO - www.ico.org.uk). QESTIT uses appropriate safeguards for any UK–EU data transfers.

14.3 Switzerland

QESTIT AG (Zurich) is subject to the Swiss Federal Act on Data Protection (nDSG, in force since 1 September 2023). The nDSG provides rights substantially equivalent to GDPR. The supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC - www.edoeb.admin.ch).

14.4 Germany

In addition to GDPR, QESTIT's German operations comply with the Federal Data Protection Act (BDSG). NIS2 implementation obligations under German NIS2UmsuCG apply, including mandatory registration obligations effective early 2026.

14.5 Saudi Arabia

QESTIT's Saudi Arabia office complies with the Saudi Personal Data Protection Law (PDPL, effective 2023), administered by the National Data Management Office (NDMO). We also align with the SAMA Cybersecurity Framework for financial sector client data. Saudi residents have the right to access, correct, and request deletion of their personal data.

14.6 Egypt

QESTIT's Egypt operations comply with Egypt's Cybercrime Law (No. 175/2018) and the Central Bank of Egypt Cybersecurity Framework for data related to financial sector clients. Individuals in Egypt may submit data rights requests to privacy@qestit.com.

14.7 Sweden

QESTIT's Swedish operations are subject to GDPR as implemented in Sweden and supervised by the Integritetsskyddsmyndigheten (IMY). Swedish residents may contact IMY at www.imy.se.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable laws, or our data processing practices. We will indicate the date of the most recent update at the top of this Policy.

Where changes are material - such as introducing new AI-powered services, new data processing purposes, or new jurisdictions - we will notify you by email (where we hold your contact details) or by a prominent notice on our website at least 30 days before the changes take effect. Continued use of our website or services following notification constitutes acceptance of the updated Policy.

16. How to Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle your personal data, please contact us:

Email: privacy@qestit.com
Post: Data Protection Officer, QESTIT Group, 20 rue d'Athènes, 75009 Paris, France
Website: Contact page: qestit.com/en/contact-us
Response time: We aim to respond within 30 days. For complex requests, we may extend by a further 60 days and will notify you accordingly.