Loading…
Loading…
Compliance
Last updated: June 2026
Quantilence AI Solutions is a company incorporated in India. We are committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. This page explains our role as a data controller and data processor, how we process personal data, and how you can exercise your rights.
Quantilence AI Solutions acts as the data controller for personal data collected when you:
When you submit images to our API for processing on behalf of your users, Quantilence acts as the data processor and you (the customer) are the data controller. In this role, we process data only on your instructions, as set out in our Data Processing Agreement (DPA).
| Processing Activity | Lawful Basis |
|---|---|
| Account management and billing | Contract (Art. 6(1)(b)) |
| Responding to contact form enquiries | Legitimate interests (Art. 6(1)(f)) |
| API request logging for security and rate-limiting | Legitimate interests (Art. 6(1)(f)) |
| Operational logging of API-processed images | Legitimate interests (Art. 6(1)(f)) + Art. 9(2) basis as processor |
| Sending transactional emails | Contract (Art. 6(1)(b)) |
| Anonymised website analytics | Consent (Art. 6(1)(a)) |
| Marketing emails (where opted in) | Consent (Art. 6(1)(a)) |
| Processing biometric images via API (as processor) | Your lawful basis as the data controller |
Facial images from which biometric data can be derived are special category data under GDPR Art. 9. Our approach:
We have assessed our obligations under GDPR Article 37 with respect to the appointment of a Data Protection Officer. Given that our core activities involve large-scale processing of special category biometric data, privacy and data protection oversight responsibilities are a formal function within our organisation. For DPO-related enquiries, contact privacy@quantilence.com.
As a data subject, you have the following rights. To exercise any of them, email privacy@quantilence.com. We will respond within one month. For complex requests, this may be extended by a further two months with notice.
Right of access (Art. 15)
You can request a copy of the personal data we hold about you and information about how we process it.
Right to rectification (Art. 16)
You can ask us to correct inaccurate or incomplete personal data we hold about you.
Right to erasure (Art. 17)
You can request that we delete your personal data. This right applies in specific circumstances, including where data is no longer necessary for the purpose it was collected.
Right to restrict processing (Art. 18)
You can ask us to pause processing of your data in certain circumstances, such as while we verify the accuracy of your data.
Right to data portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21)
You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right not to be subject to automated decisions (Art. 22)
We do not use your personal data to make solely automated decisions that produce significant legal effects concerning you.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with your local supervisory authority. In the UK this is the Information Commissioner's Office (ICO); in the EU, with your national data protection authority.
| Data Type | Retention Period |
|---|---|
| Demo images (submitted via public demo) | Up to 7 days, then deleted |
| Production API images (operational logging) | Up to 30 days, then deleted |
| API request logs (metadata only) | 90 days |
| Account information | Duration of account + 90 days after closure |
| Contact form submissions | 12 months |
| Billing records | 7 years (legal obligation) |
| Marketing consent records | Until consent withdrawn + 12 months |
Our primary infrastructure is located within the European Union. Where personal data is transferred outside the EU/EEA (for example, to sub-processors in other regions), we ensure appropriate safeguards are in place, including:
A list of our sub-processors and their locations is available to all paying customers on request at legal@quantilence.com. No NDA is required to obtain this list.
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.
All paying customers who process personal data through our API are entitled to a Data Processing Agreement (DPA) that formalises our respective roles and obligations under GDPR. To request a DPA, email legal@quantilence.com with "DPA Request" in the subject line. We aim to return a signed DPA within 5 business days.
For GDPR-related enquiries or to exercise your rights, contact our privacy team:
Privacy Team — Quantilence AI Solutions
Belgaum, Karnataka
India
For our full privacy practices, see the Privacy Policy.