Impressum
Who stands behind qsearch.ch, how we test, and how we handle your data — the legal notice required under Swiss law, plus every policy that governs an engagement, on one page.
Impressum
STATUTORY REGISTER DETAILS ARE COMPLETED AT LAUNCH — MOCKUP ONLY.
Data protection oversight: Federal Data Protection and Information Commissioner (FDPIC), Bern. The full detail of how we handle data lives in the privacy policy below →
Liability for content
We prepare the content of this site with care, but assume no liability for its accuracy, completeness, or timeliness. Nothing here is a binding offer, security advice for your specific situation, or a guarantee of any result. Every engagement is governed solely by its signed engagement letter — that document, not this website, defines what we deliver.
Liability for links
This site links to external resources — advisory databases, CVE sources, and research references. Those sites are outside our control, and we take no responsibility for their content. Links were checked for legality when added; if you find one that shouldn't be here, tell us at contact@qsearch.ch and we'll remove it.
Intellectual property
The content, structure, copy, and design of this site are © 2026 QSearch Security Research, unless marked otherwise. Reproduction, distribution, or reuse beyond what Swiss copyright law permits requires our prior written consent. Third-party names, CVE identifiers, and advisory references remain the property of their respective owners.
Law & jurisdiction
This notice and the use of this site are governed by Swiss law. To the extent permitted, the exclusive place of jurisdiction is Zürich, Switzerland.
Privacy Policy
How we handle your data: transparent, minimal, and compliant with the Swiss Federal Act on Data Protection (nFADP) and, where applicable, the GDPR. Controller: QSearch Security Research, Zürich · contact@qsearch.ch.
What we collect
Name, email, role, company size, domain, and your message — forwarded to our mailbox to answer you. Draft quotes you build on the Services page stay in your browser until you send them.
Date, time, name and email you enter in the scheduling widget, processed by Cal (EU instance) under their data-processing agreement.
Our hosting provider records standard logs — IP address, browser type, pages, timestamps — kept for security monitoring only.
We measure the site with cookieless, aggregate analytics — no personal data, no fingerprinting, no cross-site tracking. Marketing cookies exist only if you allow them in the consent banner. Full detail in Cookies & analytics. Preferences like the theme you pick live in your browser's local storage and never leave it.
How we use it
To respond to your inquiry · to deliver the engagement you hire us for · to send follow-ups you asked for · to keep our own systems secure. We do not sell, rent, or share your data for marketing. Ever.
Third-party processors
Retention
Inquiry and engagement data: duration of the business relationship plus 12 months, unless Swiss law requires longer. Server logs: 90 days maximum. You may request deletion at any time.
Your rights
Write to contact@qsearch.ch — we respond within 30 days.
Law & jurisdiction
This policy is governed by Swiss law; the competent supervisory authority is the FDPIC. EU residents may also lodge a complaint with their local data protection authority. We may update this policy as our practices or the law change — the current version always lives at this URL.
Responsible Disclosure
We're researchers too. If you've found a vulnerability in our own systems, we want to hear from you — and good-faith reports earn recognition and credit, researcher to researcher.
Contact us as soon as you find a potential issue. Don't access, modify, or delete data beyond what's needed to demonstrate it.
Email contact@qsearch.ch first — PGP key above — and we'll share Signal, Telegram, or Threema details for anything sensitive.
Clear description, steps to reproduce, affected systems, potential impact. Proof-of-concept code is appreciated.
Give us a reasonable window — typically 90 days— before any public disclosure. We'll keep you informed throughout.
Named in our advisories, with your permission.
Senior eyes on every report — and a straight answer, researcher to researcher.
No legal action against good-faith research.
Reconnaissance Policy
The rules our own researchers operate under. Short version: nothing active happens without your written authorization.
Every engagement starts from a signed engagement letter that lists every in-scope target. Anything not listed is out.
The free surface check uses public sources only — DNS records, certificate transparency, exposed-service indexes. No exploitation, no credentials, no load on your systems.
Exploitation, authentication testing, and social engineering run only inside a signed engagement window, with named emergency contacts on both sides.
Assets on shared infrastructure are tested within the hosting provider's published testing rules; third-party systems are never targeted without their own consent.
If a system shows instability, we halt, notify your contact, and wait. Availability beats findings.
Findings are encrypted at rest, redacted in reports, and retained per the privacy policy above. Reports are signed — verify any deliverable before you trust it.