Quantro handles sensitive financial data — cap tables, investment records, investor communications — on behalf of founders and investors. We take that responsibility seriously. This policy explains what we collect, why, the legal basis for each use, where the data lives, who else processes it, how long we keep it, and how you can exercise the rights given to you under the EU/UK General Data Protection Regulation ("GDPR"), the Indian Digital Personal Data Protection Act 2023 ("DPDP Act"), and other applicable privacy laws.
1. Who We Are (Data Controller)
Quantro is a product of SEEDSPROUTER PRIVATE LIMITED, a company incorporated in India, operating the SaaS platform at quantro.finance. For all personal data processed through the platform, SEEDSPROUTER PRIVATE LIMITED is the data controller (GDPR Art. 4(7)) — i.e. we determine the purposes and means of processing.
SEEDSPROUTER PRIVATE LIMITED
CIN: U72900KA2021PTC144472
GSTIN: 29ABFCS5230H1Z9
Incorporated in India
Privacy contact: team@quantro.finance
2. EU Representative and Data Protection Officer
EU Representative (GDPR Art. 27)
As a non-EU controller offering services to data subjects in the European Union, Quantro is required to designate a representative in the Union. We are in the process of appointing an Article 27 representative. Until that appointment is finalised and published here, EU and EEA data subjects may contact us directly at team@quantro.finance for any privacy enquiry, and we will respond within the timeframes set by Article 12(3) of the GDPR.
Data Protection Officer (GDPR Art. 37)
Quantro is not required to appoint a Data Protection Officer under Article 37(1): we are not a public authority, our core activities do not consist of large-scale regular and systematic monitoring of data subjects, and our core activities do not involve large-scale processing of special-category data. We have nonetheless designated a privacy contact who handles all data-subject requests and supervisory-authority correspondence. Reach them at team@quantro.finance.
3. Data We Collect
We collect the following categories of personal data:
- Account data: name, email address, phone number (optional), company name, role (founder or angel investor), profile photo (optional).
- Authentication data: if you sign in via a single-sign-on provider, we receive your name, email, and profile photo from that provider. We never see or store your password. Email-link sign-in stores only your email address.
- Financial data: investment amounts, equity percentages, valuations, funding rounds, cap-table entries, investor portfolio entries, and any documents you upload (term sheets, SAFEs, agreements, financial sheets). Files you upload are stored in our private encrypted storage, visible only to you, and remain until you delete them.
- Communications: investor updates, broadcasts, in-app messages, support requests, and the metadata of emails we send on your behalf (recipient, send time, delivery status, opens, link clicks).
- Usage data: pages visited, features used, click events, dashboard configuration, error reports — only with your cookie consent.
- Technical data: IP address (stored for security and fraud prevention), browser user-agent, device type, approximate location derived from IP, session timestamps.
- Payment data: subscription plan, billing cycle, billing email, invoice history. Card details are entered directly on our payment provider's hosted checkout and never reach Quantro servers.
4. Data We Receive From Other People (GDPR Art. 14)
In a few situations we obtain personal data about you from someone other than you. This typically happens when:
- A founder adds you to their cap table or investor list: a founder using Quantro may add an investor (you) to their workspace by name and email so they can send you investor updates. The source is the founder; the categories obtained are name, email, and the equity/investment terms they enter.
- An investor refers a portfolio company: an angel investor using Quantro may add a founder or another portfolio contact by name and email so we can extend an invitation. The source is the referring investor; the categories are name, email, and the role they assigned.
- Authentication and email-deliverability events: when you sign in via a single-sign-on provider, that provider transmits your basic profile to us. Our email-delivery sub-processor transmits bounce, complaint, and delivery events for messages we send to you.
When data about you is added to Quantro by someone else, we provide the disclosures required by Article 14 either at the first contact (e.g. in the invitation email) or, at the latest, within one month of receiving the data. You may object to that processing or request erasure at any time using the contact details in section 1.
5. Why We Process Your Data and the Legal Basis (GDPR Art. 6)
Under Article 6 of the GDPR every processing activity must have a lawful basis. The table below maps each purpose to its basis.
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Account creation, authentication, and providing the platform you signed up for | Art. 6(1)(b) — performance of a contract |
| Sending investor updates, broadcasts, and transactional notifications you have asked us to deliver | Art. 6(1)(b) — performance of a contract |
| Processing subscription payments and issuing invoices | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (tax) |
| Marketing emails (product updates, referral nudges, promotional content) | Art. 6(1)(a) — consent. Withdraw at any time via the unsubscribe link in every marketing email or your account settings. |
| Product analytics and error tracking | Art. 6(1)(a) — consent, captured via the cookie-consent banner. You may change your choice at any time. |
| Security audit logs, fraud and abuse prevention, rate-limiting | Art. 6(1)(f) — legitimate interests (operating a secure service); Art. 6(1)(c) — legal obligation |
| Retaining tax and financial records | Art. 6(1)(c) — legal obligation under Indian tax law |
| Responding to support requests, legal claims, regulator enquiries | Art. 6(1)(b) — contract; Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests |
Where we rely on legitimate interests, you may object under Article 21 — see section 9. Where we rely on consent, you may withdraw at any time without affecting the lawfulness of processing carried out before withdrawal.
6. Who We Share Your Data With (GDPR Art. 13(1)(e))
We engage third-party service providers ("sub-processors") to operate parts of the platform. Each provider is contractually bound to process data on our instructions, with confidentiality, security, and audit obligations equivalent to those required by Article 28 of the GDPR. By category, we use sub-processors for:
- Infrastructure, hosting, and content delivery
- Outbound transactional and broadcast email delivery
- Subscription billing and hosted payment checkout
- Product analytics and uptime monitoring
- Single-sign-on identity providers
- AI processing services that help extract structured information from documents you upload (operated under data-processing agreements that prohibit training on your data; alternatives available where applicable)
The current sub-processor list — including each provider's name, purpose, hosting region, and privacy policy — is published at /sub-processors in accordance with GDPR Article 28(2). We will notify customers with active subscriptions before adding a new sub-processor and you may object to the change.
Beyond sub-processors, we may disclose personal data to professional advisers, auditors, legal counsel, tax authorities, courts, or regulators where we are required by law to do so. Customers who need a Data Processing Agreement under GDPR Article 28(3) can review and execute our standard Data Processing Agreement.
7. Where We Store Your Data and International Transfers (GDPR Art. 13(1)(f), 44–49)
Quantro is operated from India. Personal data is stored primarily in the European Union (Ireland), within the European Economic Area. Some sub-processors operate from other jurisdictions, including Singapore and the United States, in which case the data is transferred to those countries to provide the relevant service.
Where personal data is transferred outside the European Economic Area, we rely on either (a) the recipient's certification under the EU-US Data Privacy Framework — an adequacy decision under GDPR Article 45 — or (b) the European Commission's Standard Contractual Clauses 2021/914 entered into with the relevant sub-processor under Article 46. The specific safeguard in force for each sub-processor is recorded on the sub-processor list.
You can request a copy of the Standard Contractual Clauses or the Data Processing Agreement applicable to any transfer by writing to team@quantro.finance.
8. How Long We Keep Your Data (GDPR Art. 13(2)(a))
We keep personal data only as long as necessary for the purpose it was collected for, then delete or anonymise it.
| Data category | Retention period |
|---|---|
| Active account data (profile, cap table, updates) | For as long as your account is active |
| Account data after deletion request | Anonymised within 30 days, save where retention is required by law |
| Security and audit records | Up to 12 months from event |
| Outbound email queue and short-lived processing events | Up to 90 days |
| In-app notifications | Up to 6 months |
| Time-limited share and unsubscribe tokens | Until expiry or use, plus a short grace period |
| Tax, billing, and statutory financial records | Up to 8 years (Indian tax law) |
| Encrypted off-site backups | Up to 90 days from creation |
When a retention period ends, the data is permanently deleted by an automated job, or — for free-text fields referenced by other records (e.g. an investor name on a historical update) — overwritten with a non-identifying placeholder.
9. Your Rights (GDPR Art. 15–22)
If the GDPR or DPDP Act applies to your data, you have the rights below. To exercise any of them, email team@quantro.finance from the email address registered with your Quantro account, or — if you do not have an account — from the address at which you received our communications. We respond within one month of receiving a verifiable request, extendable by two further months for complex requests as permitted by Article 12(3). Exercising these rights is free; we may charge a reasonable fee or refuse only if a request is manifestly unfounded or excessive.
- Access (Art. 15): receive confirmation of whether we process your data, a copy of it, and the information set out in this policy.
- Rectification (Art. 16): correct inaccurate data and complete incomplete data. Most fields can be edited directly in your Quantro account.
- Erasure / "right to be forgotten" (Art. 17): have your data deleted where one of the Article 17 grounds applies. We may have to retain certain records — e.g. tax invoices, audit logs needed to defend a legal claim — for the period required by law; in that case we will explain which exception applies.
- Restriction (Art. 18): ask us to suspend processing while a dispute about accuracy or lawfulness is resolved.
- Portability (Art. 20): receive a copy of the data you provided in a structured, commonly used, machine-readable format. We provide JSON and CSV exports of your account, cap-table, and update history on request.
- Object (Art. 21): object to processing based on legitimate interests, including for direct marketing. Where you object to direct marketing, we stop immediately.
- Withdraw consent: withdraw consent for any processing based on Article 6(1)(a) at any time, e.g. by clicking "Unsubscribe" in a marketing email or changing your cookie preferences. Withdrawal does not affect the lawfulness of processing before it.
- Automated decisions (Art. 22): Quantro does not make decisions about you that have legal or similarly significant effects based solely on automated processing.
- Right to lodge a complaint (Art. 13(2)(d), 77): lodge a complaint with the supervisory authority in the EU/EEA country where you live, where you work, or where the alleged infringement took place. In India, you may also write to the Data Protection Board of India once it is constituted under the DPDP Act.
10. Security (GDPR Art. 32)
We implement technical and organisational measures appropriate to the risk, including:
- Encryption of personal data at rest and in transit
- Strict access controls so each user can only access the data they are authorised to see
- Separation between privileged server-side operations and client-facing access
- Audit logging of authentication events, administrative actions, and access to personal data
- Server-side input validation, rate-limiting on sensitive endpoints, and edge protections (firewall, DDoS mitigation)
- Regular dependency vulnerability scans and a documented incident-response process
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify the relevant supervisory authority within 72 hours where required by Article 33, and notify you directly without undue delay where Article 34 applies.
11. Cookies and Similar Technologies
We classify cookies into two groups. Strictly-necessary cookies are set on every visit because the platform cannot function without them. All other cookies require your consent, captured via the cookie-consent banner shown on first visit; you may revisit your choice at any time via the cookie controls in the page footer.
- Strictly-necessary cookies: authentication session cookies, security tokens, and load-balancer routing cookies. Lawful basis: Art. 6(1)(b) — contract performance.
- Analytics cookies: set by our analytics sub-processors only with your consent, to understand product usage. Lawful basis: Art. 6(1)(a) — consent.
- Local storage: your browser's local storage holds UI preferences (theme, dashboard layout, dismissed banners) on your device. No data is transmitted to us by local storage alone.
12. Children's Privacy (GDPR Art. 8)
Quantro is not directed at, and we do not knowingly collect personal data from, individuals under 16 (or under 18 where local law sets a higher threshold, including under the Indian DPDP Act). If you become aware that a minor has provided us with personal data, please contact us at team@quantro.finance and we will delete the data and the associated account.
13. Notice to California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of "sale" or "sharing" of personal information. Quantro does not sell or share personal information for cross-context behavioural advertising. To exercise your California rights, email team@quantro.finance with the subject line "California Privacy Request". We will not discriminate against you for exercising any of these rights.
14. Changes to This Policy
We may update this Privacy Policy periodically. The "Effective date" and "Last updated" stamps at the top of this page reflect the latest version. We will notify registered users by email of any material change. Continued use of the platform after a change takes effect constitutes acceptance of the updated policy.
15. Governing Law
This Privacy Policy and the contractual relationship between you and Quantro are governed by the laws of India, with exclusive jurisdiction in the competent courts of India. Nothing in this policy limits the rights you have, or the supervisory authorities you may complain to, under the GDPR, the UK GDPR, the DPDP Act, or any other applicable mandatory privacy law.
16. Contact
For any question about this Privacy Policy, to exercise a data-subject right, or to request a copy of the relevant Standard Contractual Clauses, email team@quantro.finance. For B2B customers requiring a Data Processing Agreement, see our standard Data Processing Agreement. Our full controller identity (company name, CIN, GSTIN, registered address) is in section 1.
See also our sub-processor list and Terms of Service.
