What we collect, and what we don't.

Headquartz is operated by Merendon Cloud LLC, a Delaware limited liability company in the United States. References on this page to “we” or “us” mean Merendon Cloud LLC. Merendon Cloud LLC is the controller of the personal data described below.

From you when you sign in. Your email address, a one-time login code we send to that address, and a session cookie that keeps you signed in until you sign out. We don't store passwords — Headquartz uses email-based one-time codes (and an equivalent magic link) for authentication.

When you add a Quartz. The domain or URL you submit, the public content from that website (page text, metadata, favicon), and a small amount of structured information inferred from it (name, tagline, description, location, founded year). All of that is content the website was already publishing publicly. Once you verify ownership of the domain via a DNS record, your authenticated identity is linked to that Quartz for editing rights.

How you use the directory. When a Quartz page loads, we record an anonymous view event. When you click out to a Quartz's website or contact link, we record an anonymous click event. When you appear in a search result set, the same. These events power the small “Your stats” sidebar owners see on their own pages — they're aggregate counts, not user-level histories. Owner self-views are excluded.

Reports and feedback. If you file a report against a Quartz, we keep the report content and any email you provide. If you submit feedback through the footer button, we keep the message, any email you provide, and the path you were on when you sent it (so we can see what surface you were looking at). Both are routed to the team for review.

• Passwords. We use one-time codes, not stored credentials.
• Payment information. There's nothing to pay for in v1.
• Browsing history outside Headquartz. We don't track you across the web.
• Government IDs, tax IDs, or any identity documents.
• Location data beyond what you explicitly type into a Quartz (or what the scraped website itself published).

We don't sell or rent personal data. Three categories of third parties are involved in operating the directory:

• Hosting and database. The site runs on Vercel; the database runs on Supabase (Postgres). Both process the same data we describe above as part of normal operation.
• Aggregate site analytics. We use Vercel Web Analytics and Speed Insights to count anonymous page views and measure load performance. Both are cookieless — they don't set or read browser cookies and don't assign you a persistent identifier. Vercel computes a short-lived session hash from your IP address and browser user-agent that resets every 24 hours and never leaves their infrastructure.
• Scraping and language models. When you submit a domain, we fetch its public content through one or more third-party scraping services (browser-based renderers and content APIs), and may consult the Internet Archive's Wayback Machine for a recent public snapshot if the live fetch fails or returns nothing useful. The result is then summarized by a hosted language model so the resulting Quartz reads cleanly. Only the public website URL and the page content are sent to those services — never your email or session.
• Email. The one-time login codes are sent through an email provider. Only your email address and the code itself are sent.
• Team operations. Reports, feedback messages, and major lifecycle events (a Quartz being added, verified, or removed) are forwarded to a Slack workspace where the team reviews them. If you provide an email when filing a report or sending feedback, that email is included in the forwarded message; report content and feedback text are forwarded verbatim, truncated to a few hundred characters.

We also resolve DNS records (against Cloudflare and Google public resolvers) when an owner verifies a domain. Those lookups carry no personal data beyond the domain itself.

Headquartz uses a single session cookie to keep you signed in. We use no advertising cookies and no third-party analytics cookies — the analytics described above run cookielessly. Your browser's local storage may hold a small preference like the dark/light theme toggle.

A small number of public endpoints — the URL submit on the homepage, the report flow, and the feedback form — run an invisible bot challenge before they accept input. The challenge is provided by Vercel BotID and uses signals from your browser environment (network behavior, runtime characteristics) to distinguish a person from automated abuse. It does not set cookies and does not retain a profile of you across sessions.

• Access. Email hi@headquartz.com and we'll provide a copy of the data we hold about you.
• Correction. Once you verify a Quartz, you can edit every public field on it directly. For other corrections, contact us.
• Deletion. Verified owners can delete their Quartz. Auto-generated, unverified Quartzes can be removed by anyone who files a removal request — they're deleted immediately. Active Quartzes filed for removal go to manual review.
• Opt out of email. The only emails we send are login codes you triggered yourself. There's no marketing list to opt out of in v1.

Quartzes stay in the directory until they're deleted by their owner or removed via a takedown request. Login session cookies expire on a rolling basis (typically a few days without activity). Anonymous event data — page views, clicks, search hits — is kept indefinitely in aggregate; we never tie it to an identified visitor in the first place.

Headquartz isn't directed at children under 16. If you believe a child has provided personal information to us, contact us and we'll remove it.

We'll update this page when our practices change. Material changes get a note on the changelog and a refreshed “Last updated” date at the top.