Legal · US baseline · multi-regime addenda below
Privacy Policy
Last updated: May 15, 2026
Q BRIDGE AI ("Q BRIDGE", "we", "us") operates the QB510K platform at db.atdot.app and api.db.atdot.app (collectively, the "Platform"). This Privacy Policy describes what information we collect when you use the Platform, why we collect it, how we store it, and the choices you have.
Jurisdiction-specific notices: Aviso de Privacidad (México / LFPDPPP) · Sub-processors · AI-use disclosure · Cookies
QB510K is a business-to-business workflow product for U.S. medical device manufacturers and the regulatory affairs teams that support them. It is not a consumer product and it is not directed to individuals under 18.
1. Information we collect
Information you provide
- Organisation profile — legal name, FDA Establishment Registration Number (where provided), Small Business Determination identifiers.
- User account — full name, work email address, role (RA / QA / Engineering / CFO / CEO / Owner / Contributor / Viewer), a hashed login password, and a hashed electronic-signature PIN. Plaintext passwords and PINs are never stored.
- Submission content — device descriptions, predicate references, test plans, eSTAR section drafts, labeling, attachments, and any other regulatory artifacts you create inside the Platform.
- Correspondence — text of inbound or outbound FDA messages ingested through configured email channels.
Information we collect automatically
- Audit events — every login, electronic signature, agent invocation, and document mutation is appended to a hash-chained audit_events table per 21 CFR Part 11. Each row records the actor, timestamp, action, resource, IP address, and a hash that links to the previous event.
- Operational logs — server access logs, error traces, and performance metrics collected by Sentry and our hosting providers.
- Cookies — described in our Cookie Policy. We use exactly one cookie: an httpOnly session cookie. We do not run analytics, advertising, or behavioural-tracking scripts.
Information we do not collect
- Patient data. QB510K is not designed to store electronic protected health information (ePHI). Do not upload patient identifiers; if you believe you have done so by mistake, contact us immediately.
- Payment card data. FDA user-fee payments are routed through userfees.fda.gov and the Federal Reserve Bank of New York; we do not store credit card numbers, ACH credentials, or banking PINs.
- Biometric data. The Phase 3 WebAuthn second factor uses platform-stored credentials and never transmits the underlying biometric.
2. How we use your information
- To deliver the Platform — agent drafting, Gate workflow, eSTAR assembly, audit-trail recording.
- To maintain the integrity of the 21 CFR Part 11 audit chain.
- To investigate security incidents, prevent abuse, and enforce our Terms of Service.
- To support and improve the Platform.
- To meet legal, regulatory, or contractual obligations.
We do not sell your personal information. We do not use your submission content, device data, or correspondence to train machine-learning models. Agent drafting calls to Anthropic and other language-model providers are configured with zero-retention or short-retention options where the provider supports them.
3. Sub-processors and third parties
QB510K runs on a small, audited set of cloud providers. We rely on each of them to provide infrastructure only — none of them are independent controllers of your data.
- Supabase — PostgreSQL database, object storage, and authentication primitives.
- Vercel — front-end hosting (Next.js) and edge functions.
- Fly.io — back-end API hosting (FastAPI) co-located with the database in IAD.
- Anthropic — language-model inference for AI agent drafts. We do not send patient data; agent context is limited to the device and submission you are working on.
- Sentry — error monitoring (URL, stack trace, redacted user identifier).
- Postmark — inbound email ingestion for FDA correspondence (only when you configure it).
FDA-facing automations interact directly with fda.gov domains under your direction. Those interactions are governed by the FDA's own terms.
4. Retention
Audit-chain records (the audit_events table and all signed Gate manifests) are retained for as long as the records they support are required by 21 CFR Part 11, 21 CFR Part 820, and other applicable record-retention rules. You may not request deletion of audit-chain rows, because doing so would break the chain and the regulatory record.
Non-audit data — draft sections, predicates, attachments, correspondence — is retained for the life of your account plus a reasonable archival period.
5. Security
The Platform is served exclusively over HTTPS with TLS certificates issued by Let's Encrypt and managed by our hosts. Session cookies are httpOnly and are never exposed to browser-side JavaScript. Multi-tenant isolation is enforced at the database level via Postgres Row-Level Security on every table that carries an org_id. Production secrets are kept in Fly.io's encrypted secret store and Vercel's environment variable vault.
We are working towards a SOC 2 Type I audit. We are not currently a HIPAA Business Associate; do not use the Platform to store ePHI.
6. Your choices
- Access — request a copy of the information we hold about you.
- Correction — fix anything inaccurate by editing it in the Platform or by emailing us.
- Deletion — request deletion of your non-audit data; audit-chain rows are retained as described above.
- Account closure — close your tenant and we will remove operational data within 90 days, retaining only the records required by Part 11.
To exercise any of these rights, write to vamsy@qbridge.ai from the email address associated with your account.
7. International data transfers
The Platform is hosted in the United States (AWS us-east-1 and Fly.io IAD region). If you access the Platform from outside the United States, your information will be transferred to and processed in the United States.
8. Changes to this policy
We will update the "Last updated" date at the top of this policy when we make material changes. We will email account administrators if those changes are consequential.
9. Contact
Questions about this policy? Write to vamsy@qbridge.ai.