Skip to main content
QSearch logomarkQSearch Security ResearchENGINEERED CONTINUOUS ADVERSARIAL INTELLIGENCE
LEGAL NOTICE & POLICIES

Impressum

Who stands behind qsearch.ch, how we test, and how we handle your data — the legal notice required under Swiss law, plus every policy that governs an engagement, on one page.

LAST REVIEWED · 07 JUL 2026ENTITY · QSearch Security ResearchCONTACT · contact@qsearch.ch
01 · LEGAL NOTICE

Impressum

LEGAL ENTITY
QSearch Security Research
TRADING AS
QSearch
REGISTERED OFFICE
Zürich, Switzerland
CONTACT
contact@qsearch.ch — a senior researcher replies, PGP available
WEBSITE
qsearch.ch
PGP KEY
4750 C048 3121 910D FED8 8FB5 CA24 82F6 D3C6 A9D6 · download .asc →

STATUTORY REGISTER DETAILS ARE COMPLETED AT LAUNCH — MOCKUP ONLY.

Data protection oversight: Federal Data Protection and Information Commissioner (FDPIC), Bern. The full detail of how we handle data lives in the privacy policy below →

Liability for content

We prepare the content of this site with care, but assume no liability for its accuracy, completeness, or timeliness. Nothing here is a binding offer, security advice for your specific situation, or a guarantee of any result. Every engagement is governed solely by its signed engagement letter — that document, not this website, defines what we deliver.

Liability for links

This site links to external resources — advisory databases, CVE sources, and research references. Those sites are outside our control, and we take no responsibility for their content. Links were checked for legality when added; if you find one that shouldn't be here, tell us at contact@qsearch.ch and we'll remove it.

Intellectual property

The content, structure, copy, and design of this site are © 2026 QSearch Security Research, unless marked otherwise. Reproduction, distribution, or reuse beyond what Swiss copyright law permits requires our prior written consent. Third-party names, CVE identifiers, and advisory references remain the property of their respective owners.

Law & jurisdiction

This notice and the use of this site are governed by Swiss law. To the extent permitted, the exclusive place of jurisdiction is Zürich, Switzerland.

02 · nFADP / GDPR

Privacy Policy

How we handle your data: transparent, minimal, and compliant with the Swiss Federal Act on Data Protection (nFADP) and, where applicable, the GDPR. Controller: QSearch Security Research, Zürich · contact@qsearch.ch.

What we collect

CONTACT & SCOPING FORMS

Name, email, role, company size, domain, and your message — forwarded to our mailbox to answer you. Draft quotes you build on the Services page stay in your browser until you send them.

CALL BOOKINGS

Date, time, name and email you enter in the scheduling widget, processed by Cal (EU instance) under their data-processing agreement.

SERVER LOGS

Our hosting provider records standard logs — IP address, browser type, pages, timestamps — kept for security monitoring only.

COOKIELESS ANALYTICS · NO AD COOKIES BY DEFAULT

We measure the site with cookieless, aggregate analytics — no personal data, no fingerprinting, no cross-site tracking. Marketing cookies exist only if you allow them in the consent banner. Full detail in Cookies & analytics. Preferences like the theme you pick live in your browser's local storage and never leave it.

How we use it

To respond to your inquiry · to deliver the engagement you hire us for · to send follow-ups you asked for · to keep our own systems secure. We do not sell, rent, or share your data for marketing. Ever.

Third-party processors

Cal
call scheduling — EU instance, booking data only
Vercel Inc.
website hosting and delivery network
Resend
transactional e-mail — delivers your form messages and confirmations
Supabase
application database — stores form and booking requests
Umami
web analytics — cookieless and aggregate; EU cloud today, self-hosted on our own infrastructure as we scale (see Cookies & analytics)
Sentry
error and performance monitoring — technical crash reports only, scrubbed of personal data
Ad platforms
none active by default — loaded only with your consent; the exact list is maintained in Cookies & analytics
Google Fonts
typeface delivery — no cookies set

Retention

Inquiry and engagement data: duration of the business relationship plus 12 months, unless Swiss law requires longer. Server logs: 90 days maximum. You may request deletion at any time.

Your rights

ACCESScopy of your dataRECTIFICATIONfix what's wrongERASUREdelete itPORTABILITYtake it with youOBJECTIONto legitimate-interest processing

Write to contact@qsearch.ch — we respond within 30 days.

Law & jurisdiction

This policy is governed by Swiss law; the competent supervisory authority is the FDPIC. EU residents may also lodge a complaint with their local data protection authority. We may update this policy as our practices or the law change — the current version always lives at this URL.

03 · FOR SECURITY RESEARCHERS

Responsible Disclosure

We're researchers too. If you've found a vulnerability in our own systems, we want to hear from you — and good-faith reports earn recognition and credit, researcher to researcher.

01
Report promptly

Contact us as soon as you find a potential issue. Don't access, modify, or delete data beyond what's needed to demonstrate it.

02
Use secure channels

Email contact@qsearch.ch first — PGP key above — and we'll share Signal, Telegram, or Threema details for anything sensitive.

03
Include details

Clear description, steps to reproduce, affected systems, potential impact. Proof-of-concept code is appreciated.

04
Allow time to remediate

Give us a reasonable window — typically 90 days— before any public disclosure. We'll keep you informed throughout.

CREDITED

Named in our advisories, with your permission.

RESPECTED

Senior eyes on every report — and a straight answer, researcher to researcher.

PROTECTED

No legal action against good-faith research.

04 · HOW WE TEST
V1.0 DRAFT · FOR COUNSEL REVIEW

Reconnaissance Policy

The rules our own researchers operate under. Short version: nothing active happens without your written authorization.

01 · WRITTEN SCOPE FIRST

Every engagement starts from a signed engagement letter that lists every in-scope target. Anything not listed is out.

02 · PASSIVE BY DEFAULT

The free surface check uses public sources only — DNS records, certificate transparency, exposed-service indexes. No exploitation, no credentials, no load on your systems.

03 · ACTIVE UNDER CONTRACT

Exploitation, authentication testing, and social engineering run only inside a signed engagement window, with named emergency contacts on both sides.

04 · THIRD PARTIES

Assets on shared infrastructure are tested within the hosting provider's published testing rules; third-party systems are never targeted without their own consent.

05 · STOP CONDITIONS

If a system shows instability, we halt, notify your contact, and wait. Availability beats findings.

06 · EVIDENCE HANDLING

Findings are encrypted at rest, redacted in reports, and retained per the privacy policy above. Reports are signed — verify any deliverable before you trust it.

05 · CONSENT & MEASUREMENT

Cookies & Analytics

The honest version, in plain words: we measure the site without cookies, and anything that does use cookies is off until you switch it on.

ALWAYS ON — COOKIELESS ANALYTICS

We run Umami, an open-source, cookieless analytics platform (EU cloud today, self-hosted on our own infrastructure as we scale). It sets no cookies and stores no personal data— visitors are counted via an anonymous hash whose salt rotates every 24 hours. No consent is required for this, which is why the banner doesn't ask for it.

OFF BY DEFAULT — MARKETING COOKIES

If we run ad campaigns, their measurement pixels (e.g. LinkedIn, Google) load only after you allow them in the consent banner. Decline and the site works identically. The exact vendor list is published here before any pixel ships.

What the analytics see

Usage — aggregate
pages viewed, clicks on key actions, visit duration, referrer and campaign (UTM) parameters
Environment
country/region, language, browser, operating system, device type — as reported by your browser
Identity
none — a daily-rotating anonymous hash; no IP stored, no fingerprinting, no cross-site profile
Session replay
anonymized recordings of page interactions to fix UX problems — form inputs are masked, keystrokes and personal data are never captured
E-mail
delivery, open and click events on the digest and our confirmations (Resend) — every digest has a one-click unsubscribe

Your choice

Your consent decision is stored in your browser only and you can change it whenever you like. Legal basis: legitimate interest (Art. 31 nFADP / Art. 6(1)(f) GDPR) for cookieless aggregate measurement; consent (Art. 6(1)(a) GDPR) for marketing cookies.