Compliance
GDPR Compliance
Last updated: June 2026
Quantilence AI Solutions is a company incorporated in India. We are committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR. This page explains our role as a data controller and data processor, how we process personal data, and how you can exercise your rights.
Data Controller
Quantilence AI Solutions acts as the data controller for personal data collected when you:
- Visit quantilence.com and interact with the site
- Contact us via the contact form or email
- Register for a paid account
When you submit images to our API for processing on behalf of your users, Quantilence acts as the data processor and you (the customer) are the data controller. In this role, we process data only on your instructions, as set out in our Data Processing Agreement (DPA).
Lawful Basis for Processing
| Processing Activity | Lawful Basis |
|---|---|
| Account management and billing | Contract (Art. 6(1)(b)) |
| Responding to contact form enquiries | Legitimate interests (Art. 6(1)(f)) |
| API request logging for security and rate-limiting | Legitimate interests (Art. 6(1)(f)) |
| Operational logging of API-processed images | Legitimate interests (Art. 6(1)(f)) + Art. 9(2) basis as processor |
| Sending transactional emails | Contract (Art. 6(1)(b)) |
| Anonymised website analytics | Consent (Art. 6(1)(a)) |
| Marketing emails (where opted in) | Consent (Art. 6(1)(a)) |
| Processing biometric images via API (as processor) | Your lawful basis as the data controller |
Special Category Data — Biometric Processing
Facial images from which biometric data can be derived are special category data under GDPR Art. 9. Our approach:
- Images submitted to production API endpoints are retained for up to 30 days in isolated, access-controlled storage for operational logging and quality assurance, then automatically and permanently deleted.
- Demo images submitted via the public demo interface are retained for up to 7 days, then automatically deleted.
- Face embeddings computed during processing are transient and are not persisted beyond the API response.
- No biometric database is built from API submissions. Images are never used to train models.
- As a data processor, we rely on the customer's lawful basis under Art. 9(2) for processing special category data submitted via the API.
- Customers must conduct a Data Protection Impact Assessment (DPIA) before processing biometric data through our API in high-risk scenarios (e.g., employee monitoring, public surveillance).
Data Protection Oversight
We have assessed our obligations under GDPR Article 37 with respect to the appointment of a Data Protection Officer. Given that our core activities involve large-scale processing of special category biometric data, privacy and data protection oversight responsibilities are a formal function within our organisation. For DPO-related enquiries, contact privacy@quantilence.com.
Your Rights under GDPR
As a data subject, you have the following rights. To exercise any of them, email privacy@quantilence.com. We will respond within one month. For complex requests, this may be extended by a further two months with notice.
Right of access (Art. 15)
You can request a copy of the personal data we hold about you and information about how we process it.
Right to rectification (Art. 16)
You can ask us to correct inaccurate or incomplete personal data we hold about you.
Right to erasure (Art. 17)
You can request that we delete your personal data. This right applies in specific circumstances, including where data is no longer necessary for the purpose it was collected.
Right to restrict processing (Art. 18)
You can ask us to pause processing of your data in certain circumstances, such as while we verify the accuracy of your data.
Right to data portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format.
Right to object (Art. 21)
You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right not to be subject to automated decisions (Art. 22)
We do not use your personal data to make solely automated decisions that produce significant legal effects concerning you.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with your local supervisory authority. In the UK this is the Information Commissioner's Office (ICO); in the EU, with your national data protection authority.
Data Retention
| Data Type | Retention Period |
|---|---|
| Demo images (submitted via public demo) | Up to 7 days, then deleted |
| Production API images (operational logging) | Up to 30 days, then deleted |
| API request logs (metadata only) | 90 days |
| Account information | Duration of account + 90 days after closure |
| Contact form submissions | 12 months |
| Billing records | 7 years (legal obligation) |
| Marketing consent records | Until consent withdrawn + 12 months |
International Data Transfers
Our primary infrastructure is located within the European Union. Where personal data is transferred outside the EU/EEA (for example, to sub-processors in other regions), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Transfer Impact Assessments for high-risk destination countries
A list of our sub-processors and their locations is available to all paying customers on request at legal@quantilence.com. No NDA is required to obtain this list.
Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.
Data Processing Agreement
All paying customers who process personal data through our API are entitled to a Data Processing Agreement (DPA) that formalises our respective roles and obligations under GDPR. To request a DPA, email legal@quantilence.com with "DPA Request" in the subject line. We aim to return a signed DPA within 5 business days.
Contact
For GDPR-related enquiries or to exercise your rights, contact our privacy team:
Privacy Team — Quantilence AI Solutions
Belgaum, Karnataka
India
For our full privacy practices, see the Privacy Policy.