Privacy Policy

Last updated: 22 June 2026

Quantos website privacy notice

This Privacy Policy explains how GrowthX Analytics Private Limited, operating the Quantos Systems business and website (collectively, “Quantos”, “we”, “us” or “our”), handles personal data in connection with the Quantos website, briefing requests, business communications, security operations, measurement technologies, and early-stage enterprise engagement.

This notice is intended to provide a clear and auditable account of our practices. It does not replace a signed customer agreement, data processing agreement, confidentiality agreement, security schedule, or deployment-specific privacy notice. Where those documents apply, they govern the relevant enterprise processing.

We collectBusiness contact details, enquiry information, website usage data, consent choices, and security logs.

We use it forBriefings, business communications, site operation, security, analytics, and controlled enterprise evaluation.

We do notSell personal data for monetary consideration or use customer operational data outside agreed enterprise purposes.

1. Who We Are and When This Policy Applies

GrowthX Analytics Private Limited operates Quantos Systems and is responsible for the Quantos website at quantos.systems. For website and direct business-enquiry data, we generally act as the Data Fiduciary under India’s Digital Personal Data Protection Act, 2023 and, where the EU General Data Protection Regulation applies, as the controller.

This policy applies when you:

visit or interact with the Quantos website;
submit a briefing, contact, partnership, media, careers, institutional, or other enquiry;
communicate with us by email, telephone, meeting, event, or professional network;
participate in an evaluation, proof discussion, due-diligence process, or controlled pre-contract engagement; or
exercise a privacy right or submit a grievance.

When Quantos processes enterprise data under a signed agreement, our role may instead be that of a processor, service provider, or data processor acting on documented customer instructions. The applicable contract and deployment documentation will define that role.

2. Key Privacy Definitions

Personal dataInformation relating to an identified or identifiable individual, including business contact details, online identifiers, and device or interaction data where linked to a person.

Enterprise dataOperational, transactional, financial, supply-chain, inventory, planning, risk, or other organisational data provided under a controlled engagement.

ProcessingAny collection, recording, organisation, use, disclosure, storage, analysis, correction, deletion, or other handling of data.

Service providerA third party that processes information to support hosting, analytics, communications, security, scheduling, forms, or other approved operations.

3. Personal Data We Collect

We collect only the categories reasonably required for the purposes described in this policy.

Category	Examples	Typical source
Business identity and contact data	Name, work email, telephone number, job title, organisation, department, professional profile, and business address.	Directly from you, your organisation, referrals, public professional sources, or event organisers.
Enquiry and engagement data	Industry, ERP or source systems, use case, P&L or operational area, deployment interest, meeting notes, correspondence, and requested briefing context.	Forms, email, calls, meetings, and authorised representatives.
Website and device data	Pages viewed, referring page, timestamps, browser and device type, approximate location, session activity, cookie or similar identifiers, and interaction events.	Browser, hosting logs, Google Analytics, LinkedIn Insight Tag, and related technologies.
Consent and preference data	Cookie choice, communication preferences, opt-out requests, and records of consent or withdrawal.	Your browser, consent interface, or direct request.
Security and diagnostic data	IP address, request logs, suspected abuse indicators, error logs, access events, and incident records.	Hosting, security tooling, application logs, and service providers.
Enterprise evaluation data	Sample files, test datasets, technical requirements, user lists, architecture information, and validation results supplied for an authorised evaluation.	Your organisation or its authorised representatives under agreed controls.

We do not intentionally request special-category or highly sensitive personal data through public website forms. Do not submit health, biometric, financial-account credentials, government identifiers, passwords, classified information, export-controlled information, or other sensitive data unless a written agreement and approved secure channel expressly permit it.

4. Sources of Personal Data

We may obtain personal data directly from you; from your employer or authorised representative; from referrals and professional introductions; from publicly available company or professional sources; from events and institutional engagements; and automatically through website, network, and security technologies.

Where another person provides your business contact details, we expect that person to have a lawful basis to do so. You may contact us to ask how we obtained your information.

5. Why We Process Personal Data

Purpose	Data used	Typical legal ground
Responding to enquiries and arranging briefings	Contact, organisation, role, use case, correspondence, and scheduling information.	Consent, requested pre-contract steps, and legitimate business interests where permitted.
Evaluating a potential enterprise engagement	Technical requirements, sample data, stakeholder details, meeting records, and due-diligence materials.	Requested pre-contract steps, contract, legitimate interests, and consent where required.
Operating and improving the website	Device, browser, session, page, and interaction data.	Consent for optional technologies; legitimate interests for essential operation and reliability where permitted.
Security, fraud prevention, and incident response	IP, logs, request patterns, access records, and diagnostic information.	Legitimate interests, legal obligations, and protection of systems and users.
Business administration and legal compliance	Contracts, correspondence, records, invoices, audit evidence, and rights requests.	Contract, legal obligation, establishment or defence of legal claims, and legitimate interests.
Relevant professional communications	Business contact details, relationship history, role, organisation, and communication preferences.	Consent or legitimate interests, subject to applicable direct-marketing rules and opt-out rights.

No blanket compliance claim. Applicable legal grounds vary by jurisdiction and context. We assess the relevant ground for the particular processing and do not rely on consent where another ground is more appropriate, or on legitimate interests where individual rights override those interests.

6. Cookies, Analytics, Pixels, and Similar Technologies

The website may use local storage, cookies, pixels, tags, and comparable technologies for essential operation, consent records, analytics, security, and professional-network measurement.

Essential storage: used to remember privacy choices and support basic site functionality.
Google Analytics: may collect session statistics, page and event activity, approximate location, browser, and device information to help us understand website performance.
LinkedIn Insight Tag: may process information such as page URL, timestamp, IP address, device and browser characteristics, cookie identifiers, and professional-network conversion or audience information, subject to LinkedIn’s terms and privacy practices.
IP and location enrichment: where enabled for a briefing submission and permitted by your choice, services such as api.ipify.org and ipwho.is may be used to identify an IP address and derive approximate city, region, country, or network information.

Optional analytics or advertising-related technologies should be used only in accordance with applicable consent requirements. Rejecting optional technologies does not prevent essential security logs, server requests, or storage strictly necessary to remember your privacy choice.

You can change browser cookie settings, clear local storage, use available consent controls, or contact us. Blocking some technologies may reduce measurement accuracy but should not prevent access to ordinary public content.

7. Briefing Forms and Direct Communications

When you submit a briefing or contact form, we use the information to understand the requested conversation, identify relevant stakeholders, assess fit, schedule the session, and maintain an accountable record of follow-up. Form submissions may be processed through Google Apps Script and delivered to authorised Quantos personnel.

Do not include confidential enterprise data, production credentials, personal customer records, sensitive employee information, or regulated datasets in a public form. Where such information is necessary, we will establish an approved transfer method and written terms first.

8. Enterprise, Customer, and Evaluation Data

Public website enquiries are separate from enterprise deployment data. Operational or customer datasets are accepted only through a controlled process governed by written terms that may include confidentiality, information-security, access-control, retention, deletion, audit, subprocessor, incident, and deployment provisions.

We use enterprise data only for authorised evaluation, implementation, support, security, or contracted processing.
We do not use a customer’s operational data to market to unrelated third parties.
We do not claim ownership of customer enterprise data merely because it is processed by Quantos.
Production, defence, government, regulated, air-gapped, or sensitive deployments may require separate controls and a deployment-specific privacy and security schedule.
Where de-identified or aggregated information is used for service reliability or evaluation, we apply measures intended to prevent reasonable re-identification and remain subject to contractual restrictions.

10. International Processing and Transfers

Quantos is based in India. Our providers and professional counterparts may process information in India and other jurisdictions. Those jurisdictions may have different data-protection laws.

Where required, we use contractual, organisational, and technical safeguards appropriate to the transfer, which may include data-processing agreements, confidentiality obligations, access restrictions, transfer assessments, and recognised contractual mechanisms. No transfer mechanism removes all risk, and the applicable arrangement depends on the service and jurisdiction.

11. Retention and Deletion

We retain personal data only for as long as reasonably necessary for the stated purpose, legal obligations, dispute management, security, audit, and legitimate business records. Typical periods are:

Unsuccessful or inactive business enquiries: generally up to 24 months after the last meaningful interaction, unless you request earlier deletion or a longer period is justified.
Active prospects, customers, partners, and institutional relationships: for the relationship and a reasonable period afterward consistent with contractual, tax, audit, limitation, and legal obligations.
Website analytics: according to configured provider retention settings and our operational requirements.
Security and diagnostic logs: generally up to 90 days, with longer retention where necessary for investigation, legal preservation, or security improvement.
Consent and rights records: for as long as needed to demonstrate choices, responses, and compliance.
Enterprise data: according to the applicable customer agreement, deployment schedule, lawful instructions, and backup cycle.

Deletion from active systems may not immediately remove information from encrypted backups, legal holds, or immutable audit records. Such residual copies remain restricted and are deleted or rendered inaccessible according to the applicable lifecycle.

12. Security and Access Control

We maintain administrative, technical, and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, loss, misuse, or destruction. Measures are selected according to the nature of the information and the relevant risk and may include:

least-privilege access and role-based restrictions;
transport encryption for supported communications;
environment separation and controlled administrative access;
logging, monitoring, change control, and incident investigation;
vendor and service-provider review appropriate to the engagement;
data minimisation, retention controls, and secure deletion procedures; and
contractual confidentiality and personnel access obligations.

No website, network, or storage system is completely secure. You are responsible for using authorised channels, protecting credentials, and avoiding the transmission of sensitive information through public forms.

13. Your Privacy Rights

Depending on applicable law, you may have rights to:

obtain information about our processing and request access to personal data;
correct, complete, or update inaccurate or incomplete information;
request erasure where the data is no longer required or processing is unlawful;
withdraw consent for future processing where consent is the legal basis;
object to or request restriction of certain processing;
request portability where provided by law;
opt out of direct marketing and, where applicable, certain sharing or targeted advertising;
nominate another individual to exercise rights in circumstances recognised by Indian law;
raise a grievance and receive a response; and
complain to the Data Protection Board of India or another competent supervisory authority.

We may verify identity and authority before acting on a request. Rights are not absolute and may be limited by legal obligations, privilege, security, the rights of others, or the need to establish, exercise, or defend legal claims. We respond within the period required by applicable law; where GDPR applies, the ordinary period is one month, subject to permitted extensions.

14. Children’s Data

The Quantos website and services are intended for business, institutional, government, defence, and professional audiences. They are not directed to children. We do not knowingly solicit personal data from children through public forms.

If you believe a child has provided personal data without valid authorisation, contact us so we can investigate and take appropriate action. Enterprise customers are responsible for ensuring that any child-related data supplied under contract is lawful, necessary, and covered by the required notices and permissions.

15. Automated Decision-Making and Profiling

We may use website analytics to understand aggregate engagement and may use business information to prioritise or route enquiries. We do not use public website data to make solely automated decisions that produce legal or similarly significant effects on individuals.

Quantos enterprise capabilities may support forecasting, risk assessment, action prioritisation, and decision control for customer operations. The customer agreement, deployment design, human-governance model, and applicable law determine the customer’s responsibilities for any processing that affects individuals.

16. Business Communications and Marketing Preferences

We may send relevant business communications concerning a requested briefing, ongoing conversation, event, service, security matter, or legitimate professional relationship. We do not require consent to send communications that are necessary to respond to your request or administer an existing relationship where another lawful ground applies.

You may opt out of non-essential promotional communications by using an unsubscribe mechanism where provided or by contacting us. An opt-out does not prevent service, security, legal, transactional, or relationship-administration messages.

17. Data Incidents

We maintain procedures to assess suspected personal-data incidents, contain risk, preserve evidence, notify relevant stakeholders, and meet applicable reporting obligations. Whether notification is required depends on the facts, the affected data, contractual duties, and applicable law.

If you become aware of a suspected incident involving information provided to Quantos, contact us promptly and do not include sensitive details in an unsecured message.

18. Grievances and Complaints

You may submit a privacy grievance using the contact details below. Please state the nature of the concern, the relevant interaction or relationship, and the outcome requested. We will acknowledge, investigate, and respond in accordance with applicable law and our verification requirements.

If you are not satisfied with our response, you may have the right to approach the Data Protection Board of India, an EU or UK supervisory authority, or another competent regulator, depending on your location and the applicable law.

19. Privacy Contact

For access, correction, deletion, consent withdrawal, marketing preferences, grievances, security concerns, or questions about this policy, contact:

Organisation: GrowthX Analytics Private Limited, operating Quantos Systems

Email: asheesh@getquantos.com

Postal address: Mahakaal Ki Baithak, Opp. Classic Towers, Near Sai Dreams, Amlidih, Raipur, Chhattisgarh, Bharat — 492001

Telephone: +91-98937-11220

For a request concerning an enterprise customer deployment, contact the customer organisation first where it determines the purpose and means of processing. We will support the customer as required by the applicable agreement and law.

20. Changes to This Policy

We may revise this policy to reflect changes in law, technology, services, providers, or processing practices. The date at the top shows the latest published revision. Material changes may be highlighted on the website or communicated directly where appropriate.

Your continued use of the public website after an update does not by itself create consent where consent is legally required. Where a new purpose requires consent or a fresh notice, we will seek it through an appropriate mechanism.

21. Relationship to Contracts and Applicable Law

This policy is a public transparency notice. It does not create a warranty, service level, contractual security commitment, or broader obligation than required by applicable law or an executed agreement. Customer contracts, data processing agreements, security schedules, confidentiality terms, and deployment documents take precedence for enterprise processing.

If any provision of this policy conflicts with mandatory law, the mandatory law applies to the extent of the conflict. References to legal frameworks describe our intended approach and should not be read as a representation that every framework applies to every visitor or processing activity.