Privacy Policy
Effective Date: April 2026 — QUICKSYNC, UNIPESSOAL LDA

This Privacy Policy explains what personal data AppScan Studio collects, how it is used, and what rights you have over your data. We have written it in plain language because we believe transparency is the foundation of trust. If something is unclear, please contact us.

AppScan Studio is operated by QUICKSYNC, UNIPESSOAL LDA, registered in Portugal with tax identification number 518210596 ("we", "us", or "AppScan"). For privacy-related enquiries, contact us at [email protected].

1. What We Collect

We collect only what is strictly necessary to provide the service. When you register and use AppScan Studio, we collect the following:

1.1 Account Information

  • Your name — collected at registration.
  • Your email address — collected at registration and used as your login identifier. We do not send marketing emails.
  • Your password — stored as a one-way bcrypt hash. We never store or have access to your password in plain text.
  • Your company or organisation name — collected at registration to identify your account.
  • Your trial / contract dates — when you register, your account is provisioned with a 14-day free trial. The trial start date and end date are stored against your account and are visible to you inside the application at all times. Once you convert to a paid annual subscription, these become your contract start and end dates.

1.2 Session Data

We maintain a session to keep you logged in. This consists solely of a session identifier stored server-side. No personal information is embedded in the session token itself.

1.3 Scan Results

When you run a scan, AppScan Studio processes structural data about your OutSystems application — module names, dependencies, and architectural patterns. This data belongs to you and is stored in your isolated account. It does not contain personal data from your application's end users.

1.4 Demo Scan Submissions

When you submit a demo scan from our landing page (without registering an account), we collect:

  • The URL you submitted — used to run the scan and to verify the app is a non-production OutSystems Reactive environment.
  • Your email address — used to verify your identity (one-time code) and to send you the link to your scan report.
  • Your phone number (optional) — only requested AFTER you opt in to follow-up contact, and you may leave it blank. Used solely to reach you about your scan report; never shared, never used for marketing.
  • Your IP address — used for rate-limiting and to prevent abuse of the demo scanner. Not used for identification or tracking.
  • Your country preference — used to route the scan through the appropriate regional proxy when your app is geographically restricted.
  • The scan results themselves — same structural data as a paid scan, with no personal data from your application's end users.

Authorization. You may only submit URLs for applications you own or are authorised to test. Submitting a URL you do not have permission to test is a violation of these terms.

Retention. Demo scan data is automatically deleted 7 days after submission. Your email address is also deleted after 7 days unless you explicitly opted in to follow-up (in which case we retain only your email, optional phone, and the domain, to contact you about your report). Your IP address is purged together with the scan data.

Abuse prevention. We reserve the right to limit, throttle, or refuse demo scan requests that appear automated, abusive, or unauthorised. Demo scans are always routed through a proxy on our side, so no traffic from our infrastructure ever directly reaches the target you submit.

Marketing. If you opt in to follow-up, we will contact you once to set up a short call about your scan report. We do not subscribe you to any list, do not send marketing newsletters, and do not share your email with any third party. If you opt out (the default), we do not contact you at all beyond delivering the scan link.

1.5 In-app Feedback (optional)

If you click the Feedback button inside the app and submit a message, we receive:

  • The text of your message, the category you picked, and the page you were on when you opened the form.
  • A short "recent activity" trace — the last ~50 in-app interactions on your current tab (button labels you clicked, pages you navigated to, AJAX response status codes, and any JavaScript errors). This trace contains no input contents: we never capture keystrokes, form field values, passwords, search terms, scroll position, mouse movement, or the bodies of any network requests.

The trace is held only in your browser's tab-local storage and is never sent automatically — it is attached only at the moment you click Send. We use it solely to reproduce and triage what you reported. If you delete your account, your feedback message is retained (anonymised — all links back to your account are wiped) so we keep the product signal, but the activity trace and any browser identifiers are deleted with the rest of your data.

2. What We Do Not Collect

We want to be explicit about what we do not do:

  • No marketing emails, newsletters, or promotional communications of any kind.
  • No continuous analytics, usage tracking, or behavioural data collection — the in-app activity trace described in §1.5 is collected only at the moment you click Send on the feedback form, never in the background.
  • No third-party advertising or ad-targeting data.
  • No personal data from the applications you scan — our analysis is structural and architectural only.
  • No cookies beyond the strictly necessary cookie described in Section 6.

3. How We Use Your Data

The data we collect is used exclusively to:

  • Create and authenticate your account.
  • Deliver scan results and maintain your access to them during your subscription.
  • Generate AI-assisted changelogs (see Section 5 for details on how this works).
  • Respond to support requests you initiate.

The legal basis for processing your personal data is the performance of a contract: your account registration is necessary to provide the service you have subscribed to (Article 6(1)(b) GDPR; Article 7(V) LGPD).

4. Data Retention and Deletion

We retain your data for as long as your subscription is active. When your account ends, deletion happens on one of two timelines depending on what triggered the end:

  • Self-cancellation (immediate). If you self-cancel a trial from inside the application, OR if we process a paid-subscription cancellation request from you, all data associated with your account is permanently deleted on confirmation. There is no recovery.
  • Lapsed contract (60 days). If a contract end date passes without renewal or active cancellation, your account is immediately suspended (login blocked) and your scan data is retained for 60 days so you can still renew without losing it. After 60 days the data is permanently deleted on a routine sweep.

In every case, "permanently deleted" means we do not anonymise data for continued use, archive it, or retain any portion of it — with the single exception below (§4.1, trial-abuse hash). The deletion cascade wipes your scan results, user accounts, API keys, verified environments, and all associated records.

Important: once your data is deleted, it cannot be recovered. If you wish to keep a record of your scan results, please download any reports you need before cancelling your subscription, OR within the 60-day suspension window after a lapsed contract.

4.1 Trial-Abuse Prevention Hash

One small exception to the "permanently deleted" rule above: when a trial account is self-cancelled, we keep a one-way SHA-256 hash of the deleted email address — and only that hash — together with the deletion date, for up to 90 days. We use it solely to block immediate re-registration with the same email (prevents trial abuse where the same person repeatedly deletes and re-creates an account to extend their free trial).

The hash cannot be reversed to the original email address by us or by anyone else. After 90 days the hash is no longer enforced and is automatically cleaned up. This processing is based on our legitimate interest in fraud prevention (GDPR Article 6(1)(f), Recital 47; LGPD Article 7(IX)). Outside this hash, no personal data from a deleted account survives in our systems.

5. Third-Party Services

We use exactly three external service providers (sub-processors) to deliver AppScan Studio. We name them explicitly so you can review their own policies if your compliance posture requires it.

5.1 OpenAI — AI changelog generation

When you request an AI-assisted changelog, we send anonymised structural data about your OutSystems application modules to OpenAI. This data describes module architecture only and contains no account data, no user credentials, and no personal information of any kind.

OpenAI processes this data under its Data Processing Agreement (DPA), and data transfers outside the EU/EEA are covered by standard contractual clauses in accordance with Article 46 GDPR.

5.2 Cloudflare — edge security & CDN

All HTTP traffic to AppScan Studio passes through Cloudflare's edge network for DDoS protection, TLS termination, bot mitigation, and content delivery. As part of that function Cloudflare processes request metadata: your IP address, requested URL path, and user-agent string.

Cloudflare does not receive your scan data, report contents, or any application payload — those flow to our origin servers (see §5.3) over the encrypted Cloudflare tunnel. Cloudflare acts as a sub-processor under its own DPA, and EU-to-US transfers (where they occur) are governed by EU SCCs.

5.3 Amazon Web Services (AWS) — hosting

Our application servers and databases run on AWS infrastructure located in the EU/EEA region. Your account data and scan reports are stored on AWS-managed instances, with data at rest encrypted using AWS-managed keys.

AWS acts as a sub-processor under the AWS GDPR Data Processing Addendum. Where personal data is transferred outside the EU/EEA (e.g. for log aggregation or backup), transfers are governed by EU SCCs in accordance with Article 46 GDPR.

5.4 No other sharing

No other third parties receive any of your data. We do not use analytics providers, advertising networks, marketing platforms, error-tracking SaaS, or session-replay services. If we add a new sub-processor, we will update this Privacy Policy and notify active subscribers by email before the new processing begins.

6. Cookies

AppScan Studio uses exactly one cookie: a session cookie, which is strictly necessary for login and to keep you authenticated while you use the application. This cookie is not used for tracking, analytics, or advertising.

Because this cookie is strictly necessary, no cookie consent banner is required under the ePrivacy Directive. No other cookies are set by AppScan Studio.

7. Your Rights (GDPR and LGPD)

Depending on your location, you have the following rights regarding your personal data:

7.1 Rights under GDPR (EU/EEA users, including Portugal)

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate data.
  • Right to erasure — you can request deletion of your personal data (note: cancelling your subscription triggers immediate deletion automatically).
  • Right to data portability — you can request your data in a structured, machine-readable format.
  • Right to object — you can object to processing in certain circumstances.

7.2 Rights under LGPD (Brazilian users)

  • Right to confirmation and access to your data.
  • Right to correction of incomplete, inaccurate, or outdated data.
  • Right to anonymisation, blocking, or deletion of unnecessary or excessive data.
  • Right to portability of your data.
  • Right to information about the entities with which your data has been shared.

7.3 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within the timeframes required by applicable law (30 days under GDPR; 15 days under LGPD).

8. International Data Transfers

Your personal account data (name, email, company) is stored within the EU/EEA. The only transfer of data outside the EU/EEA is to OpenAI for AI changelog generation, as described in Section 5, and is covered by appropriate safeguards under Article 46 GDPR. No other international transfers of personal data take place.

9. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

  • Company: QUICKSYNC, UNIPESSOAL LDA
  • Tax ID (NIF): 518210596
  • Email: [email protected]

This Privacy Policy may be updated from time to time. We will notify active subscribers of any material changes. The current version will always be available within the AppScan Studio platform.

© 2026 AppScan Studio — QUICKSYNC, UNIPESSOAL LDA