Privacy Policy
1. Who is responsible
The data controller for personal data processed via qadbak.com, license.omiiba.dev and the Qadbak Premium license server is:
| Trading name | Omiiba (Qadbak product) |
| Country | Netherlands (EU) |
| Contact email | [email protected] |
| Support email | [email protected] |
Omiiba does not have a statutory obligation to appoint a Data Protection Officer (DPO). For any privacy question, write to [email protected] and we'll respond within 30 days.
2. What data we collect, and why
We deliberately collect very little. Below is the complete list.
2.1 When you buy a license
- Email address — to deliver your license key and send service emails (receipt, renewal).
- Stripe payment metadata — Stripe checkout session ID, amount, currency, country, payment method type (card / iDEAL / etc.). We do not see or store card numbers, IBANs, or CVCs; Stripe processes those directly.
- License order record — plan you bought, timestamp, fulfilment status, email delivery status.
- Billing country (from Stripe) — required for EU VAT and tax reporting.
2.2 When your panel uses Premium features
The Qadbak panel running on your VPS sends a small heartbeat to license.omiiba.dev to verify your license is still valid. That request includes:
- Your license key (hashed before storage).
- An instance ID — random per-server identifier so we can enforce the "one VPS per license" limit.
- Your server's public IP address — visible in nginx/Cloudflare access logs (standard for any HTTPS request), and stored alongside each activation so you can recognise which server is which in the panel.
- The panel version and a list of unlocked module names — so we can warn you about incompatible upgrades.
We do not receive any of the data on your VPS: no domains hosted, no email content, no databases, no files, no visitor analytics from your sites. All of that stays on your hardware.
2.3 When you browse qadbak.com
- Standard web server access logs (IP, user-agent, requested URL, timestamp), kept for 14 days for security/debugging.
- No third-party analytics, no advertising cookies, no fingerprinting scripts.
2.4 When you email us
Your email address, the message body, and any attachments. We use these to answer you and to keep a searchable support history. Stored in the inbox provider (currently self-hosted Postfix on EU infrastructure).
3. Legal basis (GDPR Art. 6)
- Contract — for processing a license purchase, delivering the key, and verifying activations.
- Legal obligation — for invoice retention (Dutch tax law: 7 years).
- Legitimate interest — for fraud prevention, abuse prevention (one VPS per license), and server access logs.
- Consent — only if you opt in to a newsletter (we currently have none). No marketing emails are sent without explicit opt-in.
4. Who we share data with
Personal data is shared with a small number of processors strictly to deliver the service:
| Stripe Payments Europe Ltd. | Payment processing, refunds, fraud detection. EU + USA (Standard Contractual Clauses). |
| Contabo GmbH | VPS hosting for license.omiiba.dev and qadbak.com. Germany (EU). |
| Cloudflare, Inc. | CDN and DNS for qadbak.com / omiiba.dev domains. EU edge POPs preferred; SCC for any USA transfer. |
| Let's Encrypt (ISRG) | TLS certificate issuance (only your domain name is shared). |
We do not sell personal data, ever. We do not share it with advertisers or data brokers.
5. How long we keep data
- Active license records: kept for the lifetime of the license + 90 days after expiry/revocation.
- Invoices & payment receipts: 7 years (Dutch tax law requirement).
- Server access logs: rotated and deleted after 14 days.
- Support emails: 2 years from last reply.
- Heartbeat IP addresses: only the most recent IP per activation is stored; previous values are overwritten.
6. Your rights under the GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify incorrect data (Art. 16).
- Erase data ("right to be forgotten") — except where we must legally keep it, e.g. invoices (Art. 17).
- Restrict or object to processing (Art. 18, 21).
- Portability — receive your data in a machine-readable format (Art. 20).
- Withdraw consent at any time, where processing is based on consent.
Send any rights request to [email protected]. We respond within 30 days. There is no fee for the first request in any 12-month period.
7. Cookies and analytics
qadbak.com (this marketing site) sets no cookies at all and runs no analytics scripts.
The Qadbak panel that you self-host uses a strictly-necessary session cookie to keep you logged in. That cookie never leaves your VPS — we have no access to it.
license.omiiba.dev uses one strictly-necessary cookie during checkout (the Stripe checkout session identifier) and no analytics or marketing cookies.
8. Security
- All public endpoints use TLS 1.2+ with modern cipher suites and HSTS.
- License keys are stored as bcrypt hashes; a recovery copy is encrypted with AES-256-GCM and only decryptable by the license-server admin user.
- Stripe webhook events are verified with HMAC signatures.
- VPS hosts are kept patched; SSH is key-only.
- Database backups are stored encrypted, in the same EU region.
No system is 100% secure. If you spot a vulnerability, please email [email protected] instead of disclosing publicly.
9. International data transfers
Our primary infrastructure is in the EU (Germany). Stripe and Cloudflare may transfer limited data to the United States; those transfers are covered by EU Standard Contractual Clauses and, for Stripe, the EU-US Data Privacy Framework.
10. Children
Qadbak is a B2B / professional product and is not directed at people under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
11. Changes to this policy
Material changes are posted on this page with the "last updated" date at the top, and announced to active license holders by email at least 14 days in advance.
12. Contact & complaints
Email [email protected]. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch supervisory authority, Autoriteit Persoonsgegevens.