Privacy Policy

1. Overview

QuantaSeal Pty Ltd ("QuantaSeal", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website at quantaseal.io or use our post-quantum cryptography platform and related services (collectively, the "Services").

By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Services.

2. Who We Are

QuantaSeal is an enterprise security software company headquartered in Adelaide, South Australia 5000, Australia. We provide post-quantum cryptography (PQC) services including field-level encryption, credential vault management, quantum-safe API proxying, and Salesforce security integrations.

3. Information We Collect

3.1 Information You Provide Directly

• Account registration: name, email address, password (hashed), company name, job title, phone number.
• Contact & inquiry forms: name, email, company, phone, message content, and selected plan interest.
• Billing information: payment card details (processed directly by Stripe; we do not store raw card numbers), billing address, and transaction history.
• Support communications: messages, attachments, and issue descriptions you send us.
• Waitlist sign-ups: email address and optional company name.

3.2 Information Collected Automatically

• Usage data: pages visited, features used, API call counts, error logs, and interaction timestamps.
• Device & browser data: IP address, browser type and version, operating system, screen resolution, and referring URL.
• Cookies & similar technologies: session tokens, authentication cookies, analytics cookies, and preference cookies (see Section 11).
• API & service logs: request metadata, response codes, latency metrics, and authentication events for security and operational purposes.

3.3 Customer Data (Data Processed on Your Behalf)

When you use QuantaSeal's encryption and vault services, you may submit data belonging to your end-users or customers ("Customer Data"). This data is encrypted using NIST-approved post-quantum algorithms (ML-KEM-768, ML-DSA-65) and processed solely to provide the Services. We act as a data processor for Customer Data; you remain the data controller and are responsible for ensuring you have appropriate legal bases for sharing that data with us.

We do not access, use, sell, or disclose Customer Data for any purpose other than providing, maintaining, and improving the Services as described in our Data Processing Agreement (DPA), available on request.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain our Services and platform features.
• Create and manage your account and process subscription payments.
• Respond to your contacts, support requests, and sales inquiries.
• Send transactional emails (account confirmations, invoices, security alerts).
• Send marketing emails with product updates, security advisories, or promotional content — only with your consent or where permitted by law. You may opt out at any time.
• Monitor, detect, and prevent fraud, abuse, and unauthorised access.
• Perform analytics and improve the performance, reliability, and security of our Services.
• Comply with legal obligations and enforce our Terms of Service.
• Fulfil our obligations under applicable compliance frameworks (SOC 2, HIPAA, GDPR, Australian Privacy Act 1988).

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases under the GDPR:

6. Sharing Your Information

We do not sell your personal information. We may share it in limited circumstances:

• Service Providers & Sub-processors: Third-party vendors who help us operate the platform (e.g., AWS for cloud hosting, Stripe for payments, Web3Forms for contact form delivery). These parties are contractually bound to process data only on our instructions and maintain appropriate security standards.
• Salesforce & Integration Partners: When you connect QuantaSeal to a Salesforce org or other third-party platform, data flows between QuantaSeal and that platform as directed by you.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify affected users prior to any such transfer.
• Legal Requirements: Where required by law, regulation, subpoena, court order, or governmental authority, or to protect the rights, property, and safety of QuantaSeal, our users, or the public.
• With Your Consent: Any other sharing will only occur with your explicit prior consent.

7. International Data Transfers

QuantaSeal is based in Australia. Our infrastructure is hosted on AWS in the Asia-Pacific region (Sydney, ap-southeast-2). If we process data outside Australia, or if you access our Services from the EEA/UK, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to non-adequate countries.
• Data Processing Agreements (DPAs) with all sub-processors.
• Compliance with the Australian Privacy Act 1988 Australian Privacy Principles (APPs) for cross-border disclosures.

8. Data Retention

We retain personal information for as long as necessary to fulfil the purposes described in this policy, maintain your account, resolve disputes, and comply with our legal obligations.

9. Security

Security is central to our product. We employ the following measures to protect your information:

• Post-quantum encryption using NIST FIPS 203 (ML-KEM-768) and NIST FIPS 204 (ML-DSA-65) for all Customer Data at rest and in transit.
• TLS 1.3 for all data in transit between your browser/API client and our servers.
• AWS KMS for encryption key management with HSM-backed key storage.
• Role-based access controls (RBAC) and least-privilege principles for internal staff.
• Continuous security monitoring, intrusion detection, and anomaly alerting.
• Regular third-party penetration testing and vulnerability assessments.
• SOC 2 Type II compliance programme (in progress).

While we apply industry-leading security measures, no method of transmission over the internet or electronic storage is 100% secure. In the event of a data breach affecting your personal information, we will notify you and relevant authorities in accordance with applicable law (including the Australian Notifiable Data Breaches scheme and GDPR Article 33/34).

10. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

To exercise any of these rights, contact us at privacy@quantaseal.io. We will respond within 30 days (or sooner as required by law). We may need to verify your identity before processing your request.

If you are in the EEA/UK and believe we have not handled your complaint adequately, you have the right to lodge a complaint with your local supervisory authority. In Australia, you may contact the Office of the Australian Information Commissioner (OAIC).

11. Cookies & Tracking

We use cookies and similar tracking technologies on our website. These include:

You can control cookies through your browser settings. Blocking essential cookies may affect the functionality of our Services. For EEA/UK visitors, we obtain consent for non-essential cookies prior to setting them.

12. Children's Privacy

Our Services are intended for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will delete it promptly. If you believe a child has provided us their data, please contact us at privacy@quantaseal.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and update the Effective Date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Services after any changes constitutes acceptance of the updated policy.

14. Contact Us

For any privacy-related questions, requests, or concerns, please contact us: