Legal

Privacy Policy

Last updated: July 9, 2026

Quantara AI ("we", "us", "our") operates Quantara Flow AI (the "Service"). This policy explains what personal data we process, why, on which legal basis, how long we keep it, and the rights available to you under the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. Controller and contact

Controller: Quantara AI. Data Protection contact: privacy@quantaraai.ae.

2. Personal data we process

  • Account data: name, work email, hashed password or OAuth identifier, tenant/role assignments.
  • Support content: case messages, attachments, KB articles and any personal data your customers include when contacting you through the Service.
  • Product usage: logs, timestamps, feature interactions, error diagnostics, device identifiers, IP address.
  • Billing data: plan, invoices, payment status. Payment card data is handled by our Merchant of Record (Paddle); we do not store card numbers.
  • AI interaction data: prompts, generated drafts, accept/edit/reject feedback used to improve per-tenant models.

3. Purposes and legal bases

PurposeLegal basis (Art. 6 GDPR)
Providing and securing the ServiceContract (6(1)(b))
Billing, fraud prevention, tax recordsLegal obligation (6(1)(c))
Product analytics and improvementLegitimate interest (6(1)(f))
Marketing communicationsConsent (6(1)(a)) — withdrawable at any time

4. Retention

Account and support data are retained while your subscription is active plus 30 days after termination for recovery. Billing records are kept for 7 years to satisfy tax law. AI interaction logs used for adaptive learning are pseudonymised after 90 days.

5. Data sharing and subprocessors

We share personal data with the following categories of recipients:

  • Lovable Cloud — application hosting, database, authentication, storage.
  • Lovable AI Gateway — AI inference for drafts, classification, RCA. Providers include Google Gemini and OpenAI.
  • Paddle.com Market Limited — Merchant of Record for the sale of the Service, subscription management, payment processing, tax compliance and invoicing.
  • Transactional email providers — delivery of account, billing and support emails.
  • Professional advisers (legal, accounting) and authorities where required by law.

An up-to-date subprocessor list is available on request from privacy@quantaraai.ae.

6. International transfers

Where personal data is transferred outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (2021/914) and the UK IDTA, together with supplementary technical measures (encryption in transit and at rest, tenant isolation).

7. Your rights

  • Access, rectification, erasure, restriction, portability, objection.
  • Withdraw consent for marketing at any time.
  • Lodge a complaint with your supervisory authority.

To exercise a right, email privacy@quantaraai.ae. We respond within one month.

8. Security

We apply appropriate technical and organisational measures including encryption in transit and at rest, role-based access controls, tenant isolation, and audit logging. See the Security page for the enabled controls.

9. Cookies

See the Cookie Policy for details and preferences.

10. Changes

Material changes will be notified in-product at least 30 days before they take effect.