Quantara AI ("we", "us", "our") operates Quantara Flow AI (the "Service"). This policy explains what personal data we process, why, on which legal basis, how long we keep it, and the rights available to you under the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Controller and contact
Controller: Quantara AI. Data Protection contact: privacy@quantaraai.ae.
2. Personal data we process
- Account data: name, work email, hashed password or OAuth identifier, tenant/role assignments.
- Support content: case messages, attachments, KB articles and any personal data your customers include when contacting you through the Service.
- Product usage: logs, timestamps, feature interactions, error diagnostics, device identifiers, IP address.
- Billing data: plan, invoices, payment status. Payment card data is handled by our Merchant of Record (Paddle); we do not store card numbers.
- AI interaction data: prompts, generated drafts, accept/edit/reject feedback used to improve per-tenant models.
3. Purposes and legal bases
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing and securing the Service | Contract (6(1)(b)) |
| Billing, fraud prevention, tax records | Legal obligation (6(1)(c)) |
| Product analytics and improvement | Legitimate interest (6(1)(f)) |
| Marketing communications | Consent (6(1)(a)) — withdrawable at any time |
4. Retention
Account and support data are retained while your subscription is active plus 30 days after termination for recovery. Billing records are kept for 7 years to satisfy tax law. AI interaction logs used for adaptive learning are pseudonymised after 90 days.
5. Data sharing and subprocessors
We share personal data with the following categories of recipients:
- Lovable Cloud — application hosting, database, authentication, storage.
- Lovable AI Gateway — AI inference for drafts, classification, RCA. Providers include Google Gemini and OpenAI.
- Paddle.com Market Limited — Merchant of Record for the sale of the Service, subscription management, payment processing, tax compliance and invoicing.
- Transactional email providers — delivery of account, billing and support emails.
- Professional advisers (legal, accounting) and authorities where required by law.
An up-to-date subprocessor list is available on request from privacy@quantaraai.ae.
6. International transfers
Where personal data is transferred outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK IDTA, together with supplementary technical measures (encryption in transit and at rest, tenant isolation).
7. Your rights
- Access, rectification, erasure, restriction, portability, objection.
- Withdraw consent for marketing at any time.
- Lodge a complaint with your supervisory authority.
To exercise a right, email privacy@quantaraai.ae. We respond within one month.
8. Security
We apply appropriate technical and organisational measures including encryption in transit and at rest, role-based access controls, tenant isolation, and audit logging. See the Security page for the enabled controls.
9. Cookies
See the Cookie Policy for details and preferences.
10. Changes
Material changes will be notified in-product at least 30 days before they take effect.