Privacy Policy

1. Information We Collect

We collect the following categories of information:

• Account information — name, email address, company name, and country when you register or contact us.
• API usage data — request timestamps, endpoint accessed, response times, error codes, and IP address for rate-limiting and security monitoring.
• Images submitted for processing — images you upload to our demo or production API endpoints are used to generate the requested output (similarity score, detection result, liveness verdict, or blurred image). For operational logging and service quality purposes, submitted images and API outputs may be retained on our servers for a limited period. See Section 4 (Data Retention) for details.
• Communication data — messages, emails, and support requests you send to us.
• Usage analytics — anonymised page views and interaction data collected via cookie-based analytics (Google Analytics). See our Cookie Policy for details.

2. How We Use Your Information

• To provide, operate, and improve the Services
• To enforce rate limits and prevent abuse of the API
• To respond to enquiries and support requests
• To send transactional emails (e.g., onboarding, billing receipts)
• To analyse aggregate usage patterns and improve model performance
• To comply with legal obligations

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under GDPR Article 6:

• Contract (Art. 6(1)(b)) — account management, billing, and transactional communications necessary to provide the Services.
• Legitimate interests (Art. 6(1)(f)) — security monitoring, rate-limiting, API request logging, and anonymised analytics. Our legitimate interests are assessed to not override your rights and freedoms.
• Consent (Art. 6(1)(a)) — marketing emails and non-essential analytics cookies, where you have opted in.
• Legal obligation (Art. 6(1)(c)) — billing records and compliance-required disclosures.

For biometric data (special category under Art. 9), we process as a data processor acting on your instructions and lawful basis. See Section 4 and our GDPR page for full details.

4. Biometric Data

Our face AI APIs process facial images to generate biometric-derived outputs (e.g., similarity scores, bounding boxes, liveness verdicts). We treat this data with heightened care under GDPR Article 9:

• Images submitted via the API may be retained on our servers for up to 30 days for operational debugging and service quality purposes, in isolated, access-controlled storage. They are then automatically deleted.
• Demo images submitted through the public demo interface are retained for no more than 7 days.
• We do not build biometric databases, train models on, or share submitted images with third parties.
• Face embeddings computed during processing are transient and are not persisted beyond the API response.
• Customers are responsible for obtaining appropriate consent from individuals whose biometric data is submitted to the API, and for conducting a DPIA where required.

5. Data Retention

We retain personal data only as long as necessary for the stated purpose:

• API-processed images — up to 30 days (production); up to 7 days (demo), then automatically deleted.
• API request logs (metadata only) — 90 days for security and debugging, then automatically deleted.
• Account and contact information — for the duration of your account plus 90 days after closure.
• Contact form submissions — 12 months.
• Billing records — 7 years (statutory accounting obligation).

You may request earlier deletion by contacting us at privacy@quantilence.com.

6. Sharing Your Information

We do not sell your personal data. We share data only:

• With service providers who help operate our infrastructure (cloud hosting, email delivery) under data processing agreements
• When required by law, court order, or to protect the safety of our users or the public
• In connection with a merger, acquisition, or sale of assets, with prior notice to you

7. Your Rights

Depending on your location, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Request deletion of your data
• Object to or restrict our processing
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent at any time (where processing is consent-based)

To exercise any of these rights, contact us at privacy@quantilence.com. We will respond within one month. For complex or numerous requests, this period may be extended by a further two months, with notice provided within the initial one-month period.

If you are unsatisfied with how we handle your request, you have the right to lodge a complaint with your local supervisory authority — in the UK, the Information Commissioner's Office (ICO); in the EU, your national data protection authority.

8. Data Protection Officer

Given the nature of our processing of special category biometric data, we have assessed our obligations under GDPR Article 37. Privacy and data protection oversight responsibilities are held by our Privacy Team. For DPO-related enquiries, contact privacy@quantilence.com.

9. Cookies

We use cookies and similar technologies for authentication, session management, and anonymised analytics. Non-essential cookies (analytics) are only placed following your consent. See our Cookie Policy for full details and opt-out instructions.

10. Security

We implement industry-standard security controls including TLS 1.2+ encryption in transit, AES-256 encryption at rest, access controls, and regular security reviews. No method of transmission over the internet is 100% secure. See our Security page for details.

11. International Transfers

Our primary infrastructure is hosted in the European Union. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs). For more information, see our GDPR page.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by posting a notice on our website and, where appropriate, by email at least 30 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact Us

For privacy-related questions or to exercise your rights: