Qby Wentzel

Privacy Policy

Last updated: March 2026

Wentzel.AI ("we," "us," or "our") operates Q by Wentzel ("the Service"), a post-quantum cryptography assessment platform. This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and (if you choose) a profile image. If you sign in via GitHub or Google OAuth, we receive your public profile information from those providers. We also collect your password (stored as a bcrypt hash) or, if you use magic link authentication, your email address.

1.2 Organization and Billing Information

If you create or join an organization, we collect the organization name and member roles. If you subscribe to a paid plan, payment processing is handled by Stripe. We store your Stripe customer ID and subscription details but never store your credit card number or full payment details on our servers.

1.3 Scan and Assessment Data

When you use our scanning and assessment tools, we collect and store scan configurations, scan targets, scan results, vulnerability findings, PQC assessment results, Cryptographic Bills of Materials (CBOM), and Harvest Now Decrypt Later (HNDL) risk scores. This data is associated with your organization and is used to provide assessment results and track remediation progress.

1.4 Usage and Log Data

We automatically collect information about your interactions with the Service, including: IP address, browser type and version, pages visited, features used, timestamps of actions, and API usage patterns. We maintain audit logs of significant actions (scans created, settings changed, members managed) for security and compliance purposes.

1.5 Contact Information

If you submit a contact form or inquiry, we collect your name, email address, company name (optional), inquiry type, and message content.

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service, including delivering scan results and assessment reports.
  • Authenticate your identity and manage your account and organization access.
  • Process payments and manage your subscription (via Stripe).
  • Send transactional emails including password resets, email verification, magic links, and scan notifications (via AWS SES).
  • Maintain audit trails for security, compliance, and debugging purposes.
  • Respond to your inquiries and provide customer support.
  • Detect, prevent, and address security incidents, fraud, and abuse.
  • Comply with legal obligations and enforce our Terms of Service.

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • Service providers: We use third-party services to operate the platform. These providers process data on our behalf and are contractually bound to protect it. See Section 7 for details.
  • Within your organization: Other members of your organization can view shared scan results, assessment data, and audit logs according to their assigned role (owner, admin, member, or viewer).
  • Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Wentzel.AI, our users, or others.
  • Business transfers: If Wentzel.AI is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is subject to a different privacy policy.

4. Data Retention

We retain your data for the following periods, after which it is automatically deleted:

  • Scan results and findings: 2 years from creation.
  • HNDL and PQC assessments: 2 years from creation.
  • Audit logs: 3 years from the event date.
  • User account data: Account lifetime plus 30 days after deletion request.
  • Session data: 30 days from creation or until expiration.
  • Contact submissions: 1 year from submission.
  • Billing records: 7 years for tax compliance.

5. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: You can request a copy of your personal data at any time by using the data export feature in your account settings or by contacting us at privacy@wentzel.ai.
  • Deletion: You can request deletion of your personal data through your account settings or by contacting us. Your personal identifiers will be anonymized and your account deactivated. Scan data is retained in anonymized form for the standard retention period.
  • Portability: You can export your data in a machine-readable JSON format via the data export feature.
  • Correction: You can update your profile information at any time through your account settings.
  • Objection: You can object to the processing of your personal data for certain purposes by contacting us.
  • Restriction: You can request that we restrict the processing of your personal data under certain circumstances.

To exercise any of these rights, contact us at privacy@wentzel.ai. We will respond to your request within 30 days.

6. Cookies and Tracking

We use essential cookies for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled. We use:

  • Session cookies: Encrypted HTTP-only cookies managed by Better Auth that maintain your authenticated session. These have the Secure and SameSite flags set.
  • Theme preference: A local storage value to remember your light/dark/system theme choice.

We do not use third-party tracking cookies, advertising cookies, or analytics services that track individual users across websites.

7. Third-Party Services

We use the following third-party services to operate the platform. Each has its own privacy policy governing how it handles data:

  • Stripe -- Payment processing. Stripe receives your payment details directly and is PCI DSS Level 1 certified.
  • Amazon Web Services (SES) -- Transactional email delivery. Email addresses and message content are transmitted to AWS SES for delivery.
  • Neon -- PostgreSQL database hosting. All application data is stored in Neon's infrastructure with AES-256 encryption at rest.
  • Vercel -- Application hosting and CDN. Vercel processes HTTP requests including IP addresses and request metadata.
  • Upstash -- Redis cache for rate limiting and caching. Ephemeral data only.

8. Data Security

We implement industry-standard security measures to protect your data:

  • All data in transit is encrypted using TLS 1.3 with HSTS enforced.
  • All data at rest is encrypted using AES-256 (Neon TDE).
  • Passwords are hashed using bcrypt.
  • API keys are stored as SHA-256 hashes.
  • Access is controlled via role-based access control with four permission levels.
  • All significant actions are logged in an immutable audit trail.

While we take reasonable measures to protect your information, no method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to security@wentzel.ai.

9. International Data Transfers

Our Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We ensure that any such transfers comply with applicable data protection laws, including by relying on the Standard Contractual Clauses approved by the European Commission where applicable.

10. Children's Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. Your continued use of the Service after such changes constitutes your acceptance of the updated policy.

12. Contact Information

For questions about this Privacy Policy or to exercise your data rights, please contact us at:

NetflixOracleFigmaCoinbaseDellServiceNowAppleDeloitteNikeAWSJPMorgan ChaseT-MobileAtlassianBoschStripeL'OrealDatadogMicrosoftPalantirHPRobinhoodEYSonyCanvaVisaAutoCADDiscordBellAdobeCharles SchwabE*TRADENVIDIAGoogleJohnson & JohnsonFidelityClaudeMastercardIntuitBoeingAT&TShopifyPwCOpenAIKPMGIBMDatabricksSalesforceGitHubAmerican ExpressWorkday