Privacy Policy

1. Overview

QuantaSeal Pty Ltd ("QuantaSeal", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at quantaseal.io or use our post-quantum cryptography platform and related services (collectively, the "Services").

By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Services.

2. Who We Are

QuantaSeal is an enterprise security software company headquartered in 24 Pirie Street, Adelaide SA 5000, Australia. We provide post-quantum cryptography (PQC) services including field-level encryption, credential vault management, quantum-safe API proxying, and Salesforce security integrations.

3. Information We Collect

3.1 Information You Provide Directly

• Account registration: name, email address, password (hashed), company name, job title, phone number.
• Contact & inquiry forms: name, email, company, phone, message content, and selected plan interest.
• Billing information: payment card details (processed directly by Stripe; we do not store raw card numbers), billing address, and transaction history.
• Support communications: messages, attachments, and issue descriptions you send us.
• Waitlist sign-ups: email address and optional company name.

3.2 Information Collected Automatically

• Usage data: pages visited, features used, API call counts, error logs, and interaction timestamps.
• Device & browser data: IP address, browser type and version, operating system, screen resolution, and referring URL.
• Cookies & similar technologies: session tokens, authentication cookies, analytics cookies, and preference cookies (see Section 11).
• API & service logs: request metadata, response codes, latency metrics, and authentication events for security and operational purposes.

3.3 Customer Data (Data Processed on Your Behalf)

When you use QuantaSeal's encryption and vault services, you may submit data belonging to your end-users or customers ("Customer Data"). This data is encrypted using NIST-approved post-quantum algorithms (ML-KEM-768, ML-DSA-65) and processed solely to provide the Services. We act as a data processor for Customer Data; you remain the data controller and are responsible for ensuring you have appropriate legal bases for sharing that data with us.

We do not access, use, sell, or disclose Customer Data for any purpose other than providing, maintaining, and improving the Services as described in our Data Processing Agreement (DPA), available on request.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain our Services and platform features.
• Create and manage your account and process subscription payments.
• Respond to your contacts, support requests, and sales inquiries.
• Send transactional emails (account confirmations, invoices, security alerts).
• Send marketing emails with product updates, security advisories, or promotional content - only with your consent or where permitted by law. You may opt out at any time.
• Monitor, detect, and prevent fraud, abuse, and unauthorised access.
• Perform analytics and improve the performance, reliability, and security of our Services.
• Comply with legal obligations and enforce our Terms of Service.
• Fulfil our obligations under applicable compliance frameworks (SOC 2, HIPAA, GDPR, Australian Privacy Act 1988).

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases under the GDPR:

6. Sharing Your Information

We do not sell your personal information. We may share it in limited circumstances:

• Service Providers & Sub-processors: Third-party vendors who help us operate the platform (e.g., AWS for cloud hosting, Stripe for payments, Web3Forms for contact form delivery). These parties are contractually bound to process data only on our instructions and maintain appropriate security standards.
• Salesforce & Integration Partners: When you connect QuantaSeal to a Salesforce org or other third-party platform, data flows between QuantaSeal and that platform as directed by you.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users prior to any such transfer.
• Legal Requirements: Where required by law, regulation, subpoena, court order, or governmental authority, or to protect the rights, property, and safety of QuantaSeal, our users, or the public.
• With Your Consent: Any other sharing will only occur with your explicit prior consent.

7. International Data Transfers

QuantaSeal is based in Australia. Our primary infrastructure is hosted on AWS in the Asia-Pacific region (Sydney, ap-southeast-2) - all Australian customer data is stored in Australia by default. Some sub-processors operate outside Australia, as set out below.

Under APP 8 of the Australian Privacy Act 1988, before we disclose personal information to an overseas recipient, we must take reasonable steps to ensure the recipient does not breach the APPs in relation to that information. We satisfy this obligation through contractual commitments and, where applicable, Standard Contractual Clauses (SCCs).

For a full list of sub-processors, see Sub-Processor List.

8. Data Retention

We retain personal information for as long as necessary to fulfil the purposes described in this policy, maintain your account, resolve disputes, and comply with our legal obligations.

9. Security

Security is central to our product. We employ the following measures to protect your information:

• Post-quantum encryption using NIST FIPS 203 (ML-KEM-768) and NIST FIPS 204 (ML-DSA-65) for all Customer Data at rest and in transit.
• TLS 1.3 for all data in transit between your browser/API client and our servers.
• AWS KMS for encryption key management with HSM-backed key storage.
• Role-based access controls (RBAC) and least-privilege principles for internal staff.
• Continuous security monitoring, intrusion detection, and anomaly alerting.
• Regular third-party penetration testing and vulnerability assessments.
• SOC 2 Type II compliance programme (in progress).

While we apply industry-leading security measures, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you and relevant authorities in accordance with applicable law (including the Australian Notifiable Data Breaches scheme and GDPR Article 33/34).

10. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

To exercise any of these rights, contact us at privacy@quantaseal.io. We will respond within 30 days (or sooner as required by law). We may need to verify your identity before processing your request.

If you are in the EEA/UK and believe we have not handled your complaint adequately, you have the right to lodge a complaint with your local supervisory authority.

Australian residents: If you are not satisfied with how we have handled your privacy complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted at oaic.gov.au/privacy/making-a-privacy-complaint or by calling 1300 363 992. Before contacting the OAIC, we encourage you to contact us first at privacy@quantaseal.io - we will acknowledge your complaint within 5 business days and aim to resolve it within 30 days as required under APP 1.4.

11. Cookies & Tracking

We use cookies and similar tracking technologies on our website. These include:

You can control cookies through your browser settings. Blocking essential cookies may affect the functionality of our Services. For EEA/UK visitors, we obtain consent for non-essential cookies prior to setting them.

12. Children's Privacy

Our Services are intended for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will delete it promptly. If you believe a child has provided us their data, please contact us at privacy@quantaseal.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and update the Effective Date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Services after any changes constitutes acceptance of the updated policy.

14. Contact Us

For any privacy-related questions, requests, or concerns, please contact us:

15. Australian Privacy Principles

QuantaSeal is bound by the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), as amended by the Privacy and Other Legislation Amendment Act 2024 (royal assent October 2024). The 2024 Act introduced a statutory tort for serious invasions of privacy, civil penalties of up to AUD $50 million for serious or repeated interference with privacy by body corporates, and (from 2026) mandatory disclosure of automated decision-making.

16. Automated Decision-Making

The Privacy and Other Legislation Amendment Act 2024 (s16C, from 2026 commencement) requires APP entities to disclose when they use automated systems that make decisions affecting individuals.

Quanta Copilot (available on Professional and higher plans) is a large language model (LLM) AI agent that can execute actions within the QuantaSeal platform - including encrypting and decrypting data, querying audit logs, and executing integration proxy operations - in response to natural language instructions. Quanta Copilot uses AWS Bedrock (Claude), OpenAI (GPT-4o), or Anthropic models depending on configuration.

Quanta Copilot operates entirely within the scope of your explicit instructions and your tenant's configured permissions. It does not autonomously make decisions about individuals without a user directing it to do so. However, because it may process personal information as part of tool calls (e.g., decrypting a credential record, querying audit logs containing user emails), we disclose its use here as required.

You may request human review of any Quanta Copilot action by contacting privacy@quantaseal.io. Full audit logs of all Copilot tool calls are available in the QuantaSeal dashboard.

17. Spam Act 2003 (Cth)

QuantaSeal complies with the Spam Act 2003 (Cth) for all commercial electronic messages (CEMs) sent to Australian recipients.

• Consent: We only send marketing emails to individuals who have given express consent (e.g., opted in during registration or via a marketing sign-up) or where inferred consent applies (e.g., existing business relationship within the past 2 years and the message relates to that relationship).
• Identification: Every marketing email clearly identifies QuantaSeal Pty Ltd as the sender, including our registered business address.
• Unsubscribe: Every marketing email contains a functional unsubscribe mechanism that processes opt-out requests within 5 business days. You may also opt out at any time by emailing privacy@quantaseal.io with "Unsubscribe" in the subject line.
• Transactional messages: Account confirmations, invoices, security alerts, and service-critical notifications are not marketing messages and may be sent without consent, as they relate directly to your use of the platform.