Privacy Policy
Last updated: February 18, 2026 — Version 3.0.0
1. Introduction and Data Controller
This Privacy Policy explains how SIBAL, operating under the trade name quiBAL ("we," "us," or "our"), collects, uses, stores, shares, and protects personal data when you use the quiBAL application and related services (collectively, the "Service").
quiBAL is a cloud-based Computerized Maintenance Management System (CMMS) designed exclusively for businesses and professionals. We are committed to protecting your privacy and processing your data lawfully, fairly, and transparently.
Data Controller
- Company: SIBAL
- Location: Ecuador
- Contact: soporte@quibal.com
- Data Protection Contact: soporte@quibal.com
This policy applies to all users of the quiBAL mobile application, web application, and any associated services, regardless of how you access or use them. By using our Service, you acknowledge that you have read and understood this Privacy Policy.
2. Definitions
For the purposes of this Privacy Policy:
- Personal Data: any information relating to an identified or identifiable natural person ("Data Subject"), such as a name, email address, or device identifier.
- Processing: any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- Data Controller: the entity that determines the purposes and means of the Processing of Personal Data. For this Service, SIBAL is the Data Controller.
- Data Processor: an entity that processes Personal Data on behalf of the Data Controller.
- Sub-processor: a third-party service provider engaged by the Data Controller or Data Processor to process Personal Data on its behalf.
- Consent: any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the Processing of their Personal Data.
- Customer Content: all data, files, documents, photographs, and other materials uploaded or created by users within the Service, including but not limited to maintenance records, equipment data, client data, project data, PDF reports, digital signatures, and technical manuals.
- Data Subject: an identified or identifiable natural person whose Personal Data is processed.
- Supervisory Authority: an independent public authority responsible for monitoring the application of data protection law (e.g., a GDPR supervisory authority in the EEA, the ANPD in Brazil, or the Superintendencia de Protección de Datos Personales in Ecuador).
3. Information We Collect
3.1 Account Information
When you create an account and use our Service, we collect:
- Email address
- Full name
- Company name
- User role within the organization (administrator, advisor, or technician)
- Authentication credentials (securely hashed; we never store passwords in plain text)
3.2 Business Data (Customer Content)
In the course of using the Service, you and your organization may create or upload:
- Maintenance records (work orders, corrective and preventive maintenance logs)
- Equipment data (equipment catalog, client-specific equipment instances with brand, model, serial number, location)
- Client data (client names, contact information, addresses)
- Project data (project descriptions, timelines, assigned equipment and personnel)
- Photographs of equipment, maintenance work, and facilities
- PDF technical reports with digital signatures
- Technical manuals in PDF format
- Equipment meter readings and usage data
- CSV-imported data
- QR label data for equipment identification
Your Customer Content belongs to your organization. We process it solely to provide and maintain the Service.
3.3 Technical Data
We automatically collect certain technical information when you use the Service:
- Device identifiers (device type, model)
- Operating system type and version
- Application version
- IP address
- Browser type and version (for web access)
- Crash reports and error logs
3.4 Usage Data
With your consent, we may collect anonymized usage data including:
- Feature usage patterns (which features are used and how frequently)
- Session duration and frequency
- Navigation patterns within the application
This data is collected through Firebase Analytics and is used solely to improve the Service. You can disable analytics collection at any time from the app Settings.
3.5 Geolocation Data
- Collected only with your explicit permission
- Used exclusively for equipment location tagging
- You can revoke location access at any time through your device settings
- Geolocation data is automatically deleted after 30 days
3.6 Payment Data
- Subscription and payment processing is handled entirely by Paddle (our Merchant of Record, based in the European Union)
- We do not store, process, or have access to your credit card numbers, bank account details, or other payment instrument information
- We receive only subscription status, plan type, and billing cycle information from Paddle to manage your service access
- Paddle issues all invoices directly and handles tax compliance
3.7 Communication Data
When you contact us, we collect:
- Support emails and their content
- Feedback and feature requests
- Any information you voluntarily provide in communications with us
4. Legal Basis for Processing
We process your Personal Data under the following legal bases, in accordance with applicable data protection laws:
4.1 Contract Performance
Processing necessary for the performance of our contract with you or to take steps at your request prior to entering into a contract:
- Providing and maintaining the Service (maintenance management, data storage, synchronization)
- Account creation and management
- Subscription management and service access
- Customer support
- Data export and portability features
4.2 Legitimate Interest
Processing necessary for our legitimate interests, provided these do not override your fundamental rights and freedoms:
- Security measures and fraud prevention
- Automated content moderation to ensure platform safety
- Service improvement based on aggregated and anonymized usage patterns
- Bug detection and resolution (crash reporting)
- Enforcing our Terms of Service
4.3 Consent
Processing based on your freely given, specific, informed, and unambiguous consent:
- Analytics data collection (Firebase Analytics, can be disabled in app Settings)
- Geolocation data collection (requires explicit device permission)
- Push notifications (requires explicit device permission)
- Marketing communications (opt-in only)
You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4.4 Legal Obligation
Processing necessary for compliance with a legal obligation to which we are subject:
- Maintaining tax and financial records as required by law
- Responding to lawful requests from law enforcement or judicial authorities
- Complying with data protection regulations and supervisory authority orders
5. How We Use Your Information
5.1 Service Delivery
- Equipment and maintenance management (work orders, preventive and corrective maintenance)
- Project management and tracking
- Client and equipment registry management
- Generation and delivery of PDF technical reports with digital signatures
- Data synchronization across devices
- Offline data access and encrypted manual storage
- QR code generation and scanning for equipment identification
- Equipment meter tracking and locally-calculated predictions
- Scheduled maintenance notifications
5.2 Service Improvement
- Analyzing anonymized usage patterns to improve the application
- Identifying and resolving errors and performance issues
- Developing new features based on aggregated usage data
5.3 Security and Safety
- Protecting against unauthorized access, fraud, and abuse
- Automated content moderation of uploaded photographs
- Session management and single-session enforcement
- Monitoring and logging critical operations for audit purposes
5.4 Support and Communication
- Responding to support requests and inquiries
- Sending service-related notifications (e.g., maintenance reminders, subscription status)
- Communicating important updates about the Service or this Privacy Policy
5.5 Legal Compliance
- Fulfilling our legal and regulatory obligations
- Responding to lawful government and law enforcement requests
- Establishing, exercising, or defending legal claims
6. Automated Content Moderation
To maintain a safe and professional environment, photographs uploaded to the platform are automatically analyzed for inappropriate content. This section explains how this works:
- Technology used: Google Cloud Vision API SafeSearch Detection only
- Processing location: Exclusively on our backend servers; no user interaction is required or involved
- What it does: Classifies uploaded images into predefined safety categories (e.g., adult content, violence) as either appropriate or inappropriate
- What it does NOT do: It does not use generative artificial intelligence, large language models, machine learning training on your data, or any form of AI content generation
- Flagged content: Images classified as potentially inappropriate are flagged for review by system administrators
- Data sharing: Image content is not shared with any third parties beyond the automated safety analysis performed by Google Cloud Vision API
- No profiling: Content moderation results are not used to build user profiles, make automated decisions about users, or restrict access based on content patterns
This automated analysis is conducted under the legitimate interest legal basis to ensure the safety and integrity of the platform for all users. You have the right to object to processing based on legitimate interests. However, we may continue content moderation where compelling legitimate grounds exist that override your interests — specifically, the safety and integrity of the platform for all users.
7. Information Sharing and Sub-processors
7.1 We Do Not Sell Personal Data
We do not sell, rent, trade, or otherwise share your Personal Data with third parties for their own commercial purposes. This commitment applies to all users worldwide.
7.2 No Advertising Partners
We do not share any data with advertising companies, ad networks, or data brokers. quiBAL does not display advertisements of any kind.
7.3 Sub-processors
We use the following third-party Sub-processors, which are strictly limited to processing data as necessary to provide their respective services:
- Google Firebase / Google Cloud Platform: Cloud Firestore (data storage), Firebase Authentication (user authentication), Cloud Storage (file storage), Firebase Realtime Database (real-time synchronization), Cloud Functions (server-side logic), Firebase Cloud Messaging (push notifications), Firebase Analytics (optional, consent-based analytics), and Firebase Crashlytics (crash reporting). Google processes data under its Firebase Data Processing Terms.
- Google Gemini AI: AI-assisted generation of equipment types with inspection checklists. Only the textual business description and equipment names are sent; no personal data, photos, or client data is transmitted. Prompts are not used to train models. See Gemini API Terms of Use.
- Google Cloud Vision API: Automated content safety analysis (SafeSearch Detection) exclusively for uploaded photographs. Image data is processed solely for classification purposes and is not retained by Google beyond the duration of the API call. See Google Cloud Vision Data Usage.
- Paddle: Payment processing, subscription billing, and tax-compliant invoicing as Merchant of Record. Paddle processes payment data under its own privacy policy and acts as an independent data controller for payment information. See Paddle's Privacy Policy.
- Hostinger: Transactional email delivery (account verification, service notifications) via SMTP protocol.
We do not use any other Sub-processors. If we add new Sub-processors in the future, we will update this Privacy Policy and notify you in advance.
7.4 Law Enforcement and Legal Requirements
We may disclose your Personal Data only when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation, court order, or lawful government request
- Protect the rights, property, or safety of SIBAL, our users, or the public
- Prevent fraud or address security issues
In such cases, we will make reasonable efforts to notify affected users unless prohibited by law or court order.
8. International Data Transfers
Your data may be processed on servers located outside your country of residence. Our infrastructure providers (Google Cloud/Firebase) and payment processor (Paddle) operate in different jurisdictions.
We ensure that all international data transfers are subject to adequate safeguards in accordance with applicable data protection legislation. Our providers implement appropriate technical and organizational measures to protect transferred data, including standard contractual clauses and other internationally recognized transfer mechanisms.
9. Data Security
We implement comprehensive technical and organizational measures to protect your data:
9.1 Encryption
- In transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
- At rest: Data stored in Firebase is encrypted at rest using Google's default encryption
- Offline manuals: Technical manuals downloaded for offline use are encrypted with AES-256 encryption using unique cryptographic keys per manual, with HMAC-SHA256 integrity verification. Decrypted content exists only in memory and is never written to disk in unencrypted form
9.2 Access Control and Isolation
- Multi-tenant data isolation: Each company's data is stored in a completely separate, isolated database. There is no data commingling between organizations
- Firebase Authentication: Secure authentication with industry-standard protocols
- Firestore security rules: Granular, per-organization security rules enforce that users can only access data belonging to their own organization
- Role-based access control: Permissions are enforced based on user roles (administrator, advisor, technician)
- Single session control: Only one active session per user account is permitted at any time, preventing unauthorized concurrent access
9.3 Monitoring and Auditing
- Automated content moderation for uploaded images
- Audit logs for critical operations and data access events
- Regular security reviews and assessments
- Automated monitoring for suspicious activity
9.4 Incident Response
We maintain an incident response plan to address potential security breaches promptly. See Section 17 (Data Breach Notification) for details on our notification procedures.
10. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
10.1 Active Account Data
- Retained for as long as your account remains active and you continue to use the Service
- Includes all Customer Content, account information, and configuration data
10.2 Account Deletion (User Request)
To request the deletion of your account and all its data, the account owner must:
- Cancel the subscription (if active) from the Paddle management portal.
- Wait for the already-paid billing period to end. While the subscription is still active, it is not possible to request deletion.
- Request deletion once the subscription has expired, from the app (Settings → Privacy & Data → My Data → "Request account deletion") or by contacting soporte@quibal.com.
Accounts on a free trial or managed directly by the administrator may request deletion at any time.
After requesting deletion:
- A 30-day grace period begins, during which you can cancel the request and export your data from the app
- You will receive email confirmation and a reminder 3 days before deletion
- After 30 days, all Customer Content and Personal Data are permanently deleted, including: users, projects, maintenance records, clients, equipment, photos, PDFs, manuals, and signatures
10.3 Automatic Deletion Due to Expiration
- If the subscription expires and is not renewed, at 90 days you will receive a reminder to export your data
- At 180 days after expiration, data is permanently deleted automatically
10.4 Data Retained After Deletion
After complete deletion, a minimal fiscal record is retained as required by applicable law:
- Company name, administrator email, and Tax ID
- Billing dates and subscription amounts
- Retention period: as required by applicable tax law (up to 10 years)
10.5 Specific Retention Periods
- Error and crash logs: 90 days
- Analytics data: up to 2 years (anonymized and aggregated)
- Geolocation data: automatically deleted after 30 days
- Content moderation records: 1 year
- Backup data: 30 days after data deletion
- Payment and invoice records: as required by applicable tax law (typically 5 to 7 years), held and managed by Paddle as Merchant of Record
- Communication data (support emails): retained for the duration of the business relationship plus 1 year, unless you request earlier deletion
11. Your Rights
Regardless of your location, we are committed to providing all users with meaningful control over their personal data. Subject to applicable law, you have the following rights:
- Right of Access: Request a copy of the Personal Data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete Personal Data
- Right to Erasure (Right to Be Forgotten): Request the deletion of your Personal Data, subject to legal retention obligations
- Right to Data Portability: Receive your Personal Data in a structured, commonly used, and machine-readable format, or request that it be transferred to another controller
- Right to Object: Object to the processing of your Personal Data based on legitimate interests
- Right to Restriction: Request that we limit the processing of your Personal Data in certain circumstances
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing
In addition to the general rights above, you may have additional rights under the data protection laws of your jurisdiction, including the right not to be subject to decisions based solely on automated processing, the right to lodge a complaint with the competent data protection authority, and the right to be informed about the sharing of your data with third parties. Note: our content moderation system does not make decisions that produce legal or similarly significant effects on users.
Non-discrimination: We will not discriminate against you for exercising any of your privacy rights. We will not deny you services or charge different prices for exercising your rights.
We do not sell your data: We do not sell, share for advertising, or use your personal information for commercial profiling. There is no need to request an opt-out of data sales because we do not engage in these practices.
12. How to Exercise Your Rights
You can exercise any of the rights described above through the following methods:
- Email: Send a request to soporte@quibal.com with the subject line "Privacy Rights Request"
- In-app privacy settings: Manage analytics consent, notification preferences, and location permissions directly within the quiBAL app under Settings
- Data export: Use the in-app data export feature to download your Personal Data in a machine-readable format
When submitting a request, please provide sufficient information to verify your identity and specify the right(s) you wish to exercise. We may ask for additional information to verify your identity before processing your request.
Response time: We will respond to your request within 30 days. If the request is complex, we may extend this period and will inform you within the initial period.
All requests are processed free of charge unless the request is manifestly unfounded, repetitive, or excessive.
12.1 Data Processing Agreement (DPA)
For Clients who require a Data Processing Agreement (DPA) under applicable data protection legislation, a DPA is available upon request. Please contact soporte@quibal.com to request a DPA.
13. Children's Privacy
quiBAL is a B2B application designed exclusively for businesses and professionals. Our Service is not directed at children under the age of 18.
- We do not knowingly collect Personal Data from children under the age of 18
- If we discover that we have inadvertently collected Personal Data from a child under the age of 18, we will take immediate steps to delete that information from our systems
- If you believe that a child under 18 has provided us with Personal Data, please contact us immediately at soporte@quibal.com
14. Application Permissions
The quiBAL application may request the following device permissions. Required permissions are necessary for core functionality, while optional permissions enhance the experience but are not mandatory:
14.1 Required Permissions
- Camera: To take photographs of equipment, maintenance work, and facilities for documentation purposes
- Storage: To save and access PDF reports, technical manuals, and other documents on your device
- Internet: For data synchronization, cloud storage, and real-time communication with our servers
- Bluetooth: For connecting to compatible thermal printers to print QR labels for equipment identification
14.2 Optional Permissions
- Location: For equipment geolocation tagging. This permission is requested only when needed and can be denied or revoked at any time through your device settings
- Notifications: For maintenance reminders, schedule alerts, and important service updates. You can manage notification preferences in both your device settings and the quiBAL app settings
You can review and modify these permissions at any time through your device's operating system settings. Denying optional permissions will not prevent you from using core Service features.
15. Cookies and Similar Technologies
quiBAL uses cookies and similar local storage technologies in a limited and privacy-respecting manner:
15.1 What We Use
- Authentication tokens: Strictly necessary to maintain your logged-in session securely
- User preferences: To remember your selected language, theme (light/dark mode), and display preferences
- Application settings: To store your configuration choices locally on your device
15.2 What We Do NOT Use
- No third-party tracking cookies
- No advertising cookies or pixels
- No cross-site tracking technologies
- No fingerprinting or supercookies
Local storage for theme and language preferences is purely functional and does not involve Personal Data transmission to third parties.
16. Analytics and Tracking
16.1 Firebase Analytics
- We use Firebase Analytics to understand how users interact with the Service on an aggregate level
- Analytics collection is optional and consent-based
- You can enable or disable analytics at any time from within the app under Settings > Privacy
- When disabled, no analytics data is collected or transmitted
16.2 What We Do NOT Do
- No cross-app tracking
- No advertising identifiers (IDFA/GAID) are used for profiling or advertising purposes
- No data sharing with advertising networks or data brokers
- No user-level profiling for marketing purposes
16.3 Crash Reporting
We use Firebase Crashlytics to detect and diagnose application crashes and errors. Crash reports may include technical device information and the state of the application at the time of the crash. This data is used exclusively for bug fixing and does not include Personal Data such as your name or email address.
17. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
17.1 Notification to Authorities
- Notify the relevant authority within 72 hours of becoming aware of the breach
- Provide the nature of the breach, categories and approximate number of affected individuals and records
- Communicate the likely consequences and the measures taken or proposed to address the breach
17.2 Notification to Affected Users
- Notify affected users without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Notification will include a description of the nature of the breach, the types of data affected, measures we have taken or propose to take, and our contact information for further inquiries
- Notification will be sent by email and, where appropriate, through in-app communication
17.3 Remediation
- We will take immediate steps to contain and remediate the breach
- We will conduct a thorough investigation to determine the cause and scope
- We will implement additional safeguards to prevent recurrence
- We will maintain a record of all breaches, their effects, and the remedial actions taken
18. Changes to This Policy
- We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors
- For material changes, we will provide at least 30 days' advance notice by email to the address associated with your account and through a prominent notice within the application
- We will update the "Last updated" date at the top of this page
- Material changes include: changes to the categories of Personal Data collected, new purposes of processing, new Sub-processors, changes to data retention periods, or changes to your rights
- Continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes
- If you do not agree with the changes, you may close your account and request deletion of your data before the changes take effect
19. Contact and Data Protection
For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
- Email: soporte@quibal.com
- Subject line: Please include "Privacy" or "Data Protection" in your subject line for faster routing
- Response time: We will acknowledge your inquiry within 5 business days and provide a substantive response within 30 days
If you are unsatisfied with our response, you have the right to escalate your complaint to the competent data protection authority in your jurisdiction.
20. Jurisdiction and Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Ecuador, without prejudice to mandatory data protection laws applicable in your jurisdiction.
In the event of a conflict between this Privacy Policy and mandatory local data protection law, the mandatory local law shall prevail to the extent of the conflict.
Any disputes arising from this Privacy Policy that cannot be resolved through direct communication shall be submitted to the competent courts of Ecuador, without prejudice to your right to bring proceedings before the courts of your habitual residence or before the competent data protection authority.
Note: This Privacy Policy is specific to the quiBAL application and services provided by SIBAL. For questions about how our Sub-processors handle your data, please refer to their respective privacy policies linked in Section 7.
See also: Terms and Conditions