Privacy Policy - Quantrocle Private Limited

1. Introduction

QUANTROCLE PRIVATE LIMITED ("Quantrocle," "Company," "we," "our," or "us") is committed to protecting and respecting your privacy. This Privacy Policy provides a comprehensive explanation of how we collect, use, store, process, share, and protect your personal information when you:

Visit our websites (quantrocle.com, xorqi.com)
Use our Software-as-a-Service (SaaS) platforms
Access our APIs (api.xorqi.com)
Subscribe to our services
Make payments through our payment partners
Communicate with us
Apply for employment

This policy applies to all users worldwide and is designed to comply with applicable data protection laws including the Information Technology Act, 2000 (India), GDPR (European Union), and other relevant regulations.

By accessing or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our services.

2. Company Information

2.1 Data Controller

The data controller responsible for your personal data is:

QUANTROCLE PRIVATE LIMITED

CIN: U62011UP2025PTC224178

GSTIN: 09AABCQ1186D1ZK

Registered Address: Noida, Uttar Pradesh 201306, India

Business Type: Private Limited Company

Industry: Software Development, Technology Consulting, SaaS

2.2 Business Operations

Quantrocle Private Limited operates as a technology company providing:

Software Development and Consulting Services
Cloud-based SaaS Products
AI-powered Project Management Solutions (Xorqi)
API Services for Third-party Integrations
Enterprise Technology Solutions

3. Our Platforms & Properties

Quantrocle Private Limited owns and operates the following digital properties:

3.1 Quantrocle.com (Primary Business Website)

Domain: quantrocle.com
Purpose: Corporate website, service information, consulting inquiries
Owner: Quantrocle Private Limited
Type: Business Information Portal

3.2 Xorqi.com (SaaS Platform)

Domain: xorqi.com
Purpose: AI-powered Project Management SaaS Platform
Owner: Quantrocle Private Limited (wholly owned)
Type: Software-as-a-Service (SaaS) Application
Subscription Model: Freemium, Monthly, Annual Plans

Xorqi is an AI-powered project management platform that helps teams plan, track, and collaborate on projects efficiently. It offers intelligent automation, real-time collaboration, and data-driven insights.

3.3 API.Xorqi.com (API Services)

Domain: api.xorqi.com
Purpose: RESTful API endpoints for Xorqi platform integration
Owner: Quantrocle Private Limited (wholly owned)
Type: API Gateway and Services
Authentication: OAuth 2.0, API Keys, JWT Tokens

The API service enables third-party applications, developers, and enterprise systems to integrate with Xorqi programmatically.

3.4 Ownership Declaration

All the above-mentioned domains, platforms, and services are wholly owned, operated, and controlled by Quantrocle Private Limited. Any data collected through these properties is governed by this Privacy Policy and is processed by Quantrocle Private Limited as the sole data controller.

4. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email, phone number, IP address, device identifiers, and any other data that can directly or indirectly identify an individual.

"Sensitive Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, financial information, passwords, and sexual orientation, as defined under applicable laws.

"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Data Subject" means the individual to whom the personal data relates (you, the user).

"Customer Data" means all data, content, files, and information that users upload, create, or store on our platforms in the course of using our services.

"SaaS" means Software-as-a-Service, a software distribution model where applications are hosted by a service provider and made available to customers over the internet on a subscription basis.

"API" means Application Programming Interface, a set of protocols and tools that allow different software applications to communicate with each other.

"Payment Processor" means third-party payment service providers (such as Razorpay) that process payment transactions on our behalf.

5. Data We Collect

5.1 Information You Provide Directly

Account Registration:

Full legal name
Email address (primary and secondary)
Phone number (with country code)
Username and password (encrypted)
Company/Organization name
Job title and department
Profile picture (optional)
Time zone and language preferences

Business Information:

Company registration details
GST Identification Number (GSTIN)
PAN (Permanent Account Number)
Business address (billing and shipping)
Industry and company size

5.2 Information Collected Automatically

Technical Data:

IP address (IPv4 and IPv6)
Browser type, version, and language
Operating system and version
Device type, model, and unique identifiers
Screen resolution and color depth
Time zone and locale settings

Usage Data:

Pages visited and features used
Time spent on each page/feature
Click patterns and navigation paths
Search queries within the platform
Error logs and crash reports
Session duration and frequency
Referral sources and exit pages

5.3 Information from Third Parties

SSO identity providers (Google, Microsoft, Okta, etc.)
Payment processors (transaction confirmations)
Third-party integrations you authorize
Publicly available business information
Marketing and analytics partners

6. Xorqi Platform Data Collection

When you use the Xorqi SaaS platform, we collect specific data related to project management activities:

6.1 Project and Task Data

Project names, descriptions, and objectives
Tasks, subtasks, and checklists
Due dates, milestones, and deadlines
Priority levels and status updates
Time entries and effort tracking
Dependencies and relationships
Custom fields and metadata

6.2 Collaboration Data

Comments and discussions
Mentions and notifications
File attachments and documents
Activity feeds and audit logs
Team member assignments
Approval workflows

6.3 Organization Data

Workspace and team structure
User roles and permissions
Department and group configurations
Invitation and access history
Subscription and license allocation

6.4 Integration Data

Connected third-party applications
OAuth tokens (encrypted)
Webhook configurations
Calendar synchronization data
Email integration settings

7. API Data Collection (api.xorqi.com)

When you access our API services, we collect:

7.1 API Authentication Data

API keys and secret tokens
OAuth 2.0 access and refresh tokens
JWT (JSON Web Tokens) for session management
Client application identifiers
Developer account information

7.2 API Usage Data

API endpoints accessed
Request timestamps and frequency
Request/response payloads (logged for debugging)
Rate limiting and quota usage
Error responses and status codes
IP addresses of API calls
User-agent strings

7.3 API Security Logs

Authentication attempts (successful and failed)
Token generation and revocation events
Suspicious activity patterns
Rate limit violations

8. Payment & Billing Data

IMPORTANT: WE DO NOT STORE YOUR CREDIT/DEBIT CARD DETAILS. All payment processing is handled securely by our authorized payment partner, Razorpay. We never have access to your full card numbers, CVV, or card PINs.

8.1 Payment Processing Partner

We use Razorpay Software Private Limited ("Razorpay") as our exclusive payment gateway partner for processing all subscription payments and transactions.

Partner: Razorpay Software Private Limited
Website: razorpay.com
PCI DSS Compliance: Level 1 (Highest Level)
RBI Authorization: Licensed Payment Aggregator

8.2 Data We Collect for Billing

We collect and store the following billing-related information:

Billing name and address
GST Identification Number (GSTIN) for invoicing
Email address for receipts and invoices
Subscription plan and billing cycle
Transaction IDs and payment references
Invoice history and payment status
Last four digits of card (for identification only)
Card type (Visa, Mastercard, etc.)
Payment method type (card, UPI, netbanking)

8.3 Data Handled by Razorpay

The following sensitive payment data is collected and processed exclusively by Razorpay under their privacy policy:

Full credit/debit card numbers
Card expiry dates
CVV/CVC security codes
UPI IDs and VPAs
Net banking credentials
Wallet information
Bank account details (for refunds)

Please review Razorpay's Privacy Policy at https://razorpay.com/privacy/ for information on how they handle your payment data.

8.4 Subscription Management

For recurring SaaS subscriptions, we store:

Subscription plan details (type, price, features)
Billing cycle (monthly/annual)
Next billing date
Razorpay subscription ID (for managing recurring payments)
Payment method token (secure reference, not actual card data)
Auto-renewal preferences
Cancellation and refund history

8.5 Payment Security

All payment pages use HTTPS/TLS 1.3 encryption
Payment forms are served directly by Razorpay
We are PCI DSS compliant for our scope of operations
3D Secure (3DS) authentication is enabled for card payments
Fraud detection and prevention systems are active

9. Single Sign-On (SSO) & Authentication Data

9.1 Supported Authentication Methods

Email and password (native authentication)
Google OAuth 2.0 / Google Workspace
Microsoft Azure Active Directory
SAML 2.0 (enterprise identity providers)
OpenID Connect (OIDC)
Okta, OneLogin, Auth0, and other IdPs

9.2 SSO Data We Receive

When you authenticate via SSO, we receive from your identity provider:

Unique user identifier (sub/NameID)
Email address
Display name / Full name
Profile picture URL (if shared)
Group/role memberships (for RBAC)
Organization/tenant identifier

9.3 Data We Do NOT Receive

Your identity provider password
MFA/2FA codes or secrets
Other application access tokens
Personal data beyond configured scopes

9.4 Session Management

Session tokens expire after configurable periods
Sessions can be revoked remotely
Concurrent session limits may apply
Session activity is logged for security

10. Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds:

10.1 Contractual Necessity

Processing necessary to perform our contract with you, including:

Providing access to our SaaS platforms
Processing subscription payments
Delivering customer support
Managing your account

10.2 Consent

Processing based on your explicit consent, including:

Marketing communications
Optional analytics and tracking
Third-party integrations
Participation in surveys or research

10.3 Legitimate Interests

Processing necessary for our legitimate business interests:

Improving our products and services
Fraud prevention and security
Analytics and performance monitoring
Enforcing our terms of service

10.4 Legal Obligations

Processing required to comply with applicable laws:

Tax and financial reporting
Responding to legal requests
Data protection compliance
Regulatory requirements

11. How We Use Your Data

11.1 Service Delivery

Creating and managing your account
Providing access to Xorqi and other platforms
Processing and fulfilling subscriptions
Enabling platform features and functionality
Facilitating team collaboration
Generating reports and analytics

11.2 Communication

Sending transactional emails (receipts, confirmations)
Platform notifications and alerts
Customer support responses
Service updates and announcements
Marketing communications (with consent)

11.3 Platform Improvement

Analyzing usage patterns
Developing new features
Optimizing performance
Conducting A/B testing
Bug fixing and troubleshooting

11.4 Security and Compliance

Detecting and preventing fraud
Monitoring for security threats
Enforcing our terms and policies
Complying with legal requirements
Responding to legal requests

12. AI and Machine Learning Data Processing

Xorqi incorporates artificial intelligence and machine learning features. Here's how we handle data in AI processing:

12.1 AI-Powered Features

Smart task suggestions and prioritization
Automated project timeline estimation
Intelligent resource allocation
Natural language processing for commands
Predictive analytics and forecasting
Automated categorization and tagging

12.2 AI Data Practices

Data Isolation: Your data is processed in isolated environments
No Cross-Customer Training: We do NOT use your proprietary project data to train AI models for other customers
Anonymization: Aggregate data used for model improvement is fully anonymized
Opt-out Available: You can disable AI features in settings
Transparency: AI-generated content is clearly labeled

12.3 AI Model Training

General models are trained on licensed, public datasets
Customer-specific models (if any) use only that customer's data with explicit consent
You can request deletion of data used in training

13. Consent Management

13.1 How We Obtain Consent

Account Creation: By creating an account, you consent to necessary data processing
Checkbox Consent: Explicit opt-in for marketing and optional features
Cookie Consent: Banner-based consent for non-essential cookies
In-App Consent: Feature-specific consent prompts

13.2 Managing Your Consent

Account Settings: Update preferences anytime
Email Preferences: Unsubscribe links in all marketing emails
Cookie Settings: Modify cookie preferences
Contact Us: Email info@quantrocle.com to withdraw consent

13.3 Withdrawal of Consent

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Some services may become unavailable if consent for essential processing is withdrawn.

14. Data Sharing and Disclosure

14.1 Service Providers

We share data with trusted service providers who assist in our operations:

Cloud Infrastructure: AWS, Google Cloud (hosting, storage)
Payment Processing: Razorpay (payment gateway)
Email Services: For transactional and marketing emails
Analytics: Google Analytics, Mixpanel (usage analytics)
Customer Support: Helpdesk and ticketing systems
Security: Fraud detection and DDoS protection

All service providers are bound by data processing agreements and confidentiality obligations.

14.2 Within Your Organization

On Xorqi, your data may be visible to:

Organization administrators
Team members based on permission settings
Project collaborators you invite

14.3 Legal Requirements

We may disclose data when required by law or to:

Comply with legal process or government requests
Enforce our terms of service
Protect our rights, property, or safety
Prevent fraud or security threats

14.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified of any such change.

14.5 No Sale of Personal Data

We do NOT sell, rent, or trade your personal information to third parties for their marketing purposes under any circumstances.

15. International Data Transfers

Your data may be transferred to and processed in countries outside India. When this occurs:

We ensure adequate protection through contractual safeguards
Standard Contractual Clauses (SCCs) are used where required
Data processing agreements are in place with all vendors
We comply with applicable cross-border transfer regulations

Primary Data Storage: India (with backups in geographically distributed locations for redundancy)

16. Data Retention

16.1 Active Accounts

Account data: Retained while account is active
Project data: Retained for subscription duration
Usage logs: 12 months
API logs: 90 days

16.2 After Account Closure

Account data: Deleted within 30 days
Backups: Purged within 90 days
Aggregated analytics: May be retained indefinitely (anonymized)

16.3 Legal Retention Requirements

Financial/tax records: 7 years (as per Indian tax laws)
Invoices and billing records: 7 years
Contract records: Duration + 6 years
Legal claims data: Until resolution + limitation period

17. Data Destruction

17.1 Destruction Methods

Logical Deletion: Data marked deleted, inaccessible immediately
Physical Deletion: Removed from primary systems within 30 days
Backup Purge: Removed from backups within 90 days
Secure Erasure: Industry-standard methods (NIST 800-88)

17.2 Requesting Destruction

Use "Delete Account" in account settings
Email: info@quantrocle.com
Written request to our DPO

17.3 Enterprise Data Destruction

Organization admins can request full organization data deletion
Certificate of destruction available upon request
Data export provided before destruction if requested

18. Security Measures

18.1 Technical Security

TLS 1.3 encryption for all data in transit
AES-256 encryption for data at rest
Web Application Firewall (WAF)
DDoS protection and mitigation
Intrusion Detection/Prevention Systems (IDS/IPS)
Regular penetration testing and security audits
Vulnerability scanning and patch management

18.2 Organizational Security

Role-based access control (RBAC)
Principle of least privilege
Employee background checks
Security awareness training
Confidentiality agreements
Incident response procedures

18.3 Infrastructure Security

SOC 2 Type II compliant data centers
Geographic redundancy
24/7 monitoring and alerting
Automated backup systems
Disaster recovery procedures

19. Data Breach Notification

In the event of a personal data breach:

We will investigate and contain the breach immediately
Affected users will be notified within 72 hours of discovery (where required by law)
Relevant supervisory authorities will be notified as required
We will provide details of the breach and remedial measures
Free credit monitoring may be offered where appropriate

20. Your Data Protection Rights

Depending on your jurisdiction, you have the following rights:

20.1 Right to Access

Request a copy of your personal data we hold.

20.2 Right to Rectification

Request correction of inaccurate or incomplete data.

20.3 Right to Erasure

Request deletion of your personal data ("right to be forgotten").

20.4 Right to Restriction

Request limitation of processing in certain circumstances.

20.5 Right to Portability

Receive your data in a machine-readable format.

20.6 Right to Object

Object to processing based on legitimate interests or direct marketing.

20.7 Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent.

20.8 Exercising Your Rights

To exercise any right, email: info@quantrocle.com

We will respond within 30 days (extendable by 60 days for complex requests).

21. Cookies and Tracking Technologies

21.1 Essential Cookies

Required for platform functionality. Cannot be disabled.

Session management
Authentication
Security features
Load balancing

21.2 Analytics Cookies

Help us understand usage patterns. Require consent.

Google Analytics
Performance monitoring
Feature usage tracking

21.3 Marketing Cookies

Used for advertising. Require explicit consent.

21.4 Managing Cookies

Use our cookie settings panel or browser settings to manage preferences.

22. Children's Privacy

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us immediately for deletion.

23. Regulatory Compliance

We comply with applicable data protection laws including:

India: Information Technology Act, 2000; IT Rules, 2011; Digital Personal Data Protection Act, 2023 (as applicable)
European Union: General Data Protection Regulation (GDPR)
United States: California Consumer Privacy Act (CCPA), where applicable
Payment Industry: PCI DSS compliance (via Razorpay)

24. Governing Law and Jurisdiction

EXCLUSIVE JURISDICTION CLAUSE

24.1 This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of India.

24.2 Any dispute, controversy, or claim arising out of or relating to this Privacy Policy, or the breach, termination, or validity thereof, shall be subject to the exclusive jurisdiction of the competent courts located in Noida, Uttar Pradesh, India.

24.3 You irrevocably submit to the exclusive jurisdiction of the courts in Noida, Uttar Pradesh, India, and waive any objection to proceedings in such courts on the grounds of venue or forum non conveniens.

24.4 Notwithstanding the above, we may seek injunctive or other equitable relief in any court of competent jurisdiction to protect our intellectual property rights.

25. Changes to This Policy

We may update this policy periodically
Material changes will be notified via email
A notice will be displayed on our platforms
Continued use after changes constitutes acceptance
Previous versions are available upon request

26. Contact Us

QUANTROCLE PRIVATE LIMITED

Data Controller

Privacy Inquiries: info@quantrocle.com

Data Protection Officer: info@quantrocle.com

General Inquiries: info@quantrocle.com

Phone: +91 9910441822

Registered Address: Quantrocle Private Limited, Noida, Uttar Pradesh 201306, India

Grievance Officer (As per IT Rules, 2011)

Email: connect@quantrocle.com

Response Time: Within 30 days of receipt of complaint