Privacy Policy
1. Introduction & Scope
Quint Security, Inc. (“Quint,” “we,” “us,” or “our”) operates the website at quintai.dev and the Quint Security platform (collectively, the “Services”). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you visit our website, create an account, or interact with us through marketing channels.
Important: This Privacy Policy applies to data we collect as a data controller — including website visitors, marketing contacts, prospective customers, and account holders. It does not apply to data processed through the Quint platform on behalf of our customers (e.g., AI agent telemetry, tool call metadata, compliance scoring data). That data is governed by our Data Processing Agreement (DPA), available upon request, and the applicable customer agreement.
Quint acts as a conduit for AI agent traffic controlled by our customers. Customer data transits through the Quint infrastructure solely for security evaluation, compliance enforcement, and audit logging as configured by the customer. We do not own, sell, or use customer platform data for advertising.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, company name, job title | Account creation, service delivery, communications |
| Contact Information | Email, phone (if provided), mailing address | Responding to inquiries, sales outreach |
| Payment Information | Billing address, payment method details | Processing payments (handled by Stripe; we do not store full card numbers) |
| Communications | Emails, support tickets, feedback | Customer support, product improvement |
| Job Applications | Resume, cover letter, professional history | Recruitment and hiring |
2.2 Information Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Device & Browser Data | IP address, browser type, operating system, device identifiers | Security, analytics, service optimization |
| Usage Data | Pages visited, time spent, referral URLs, click patterns | Website analytics, product improvement |
| Cookies & Similar Technologies | Session cookies, analytics cookies | Authentication, preferences, analytics (see Section 9) |
| Log Data | Access timestamps, API request metadata, error logs | Security monitoring, debugging |
2.3 Information from Third Parties
We may receive information from:
- Analytics providers (e.g., Google Analytics) — aggregated website usage data
- Business partners — referral information when introduced by a partner
- Public sources — professional information from company websites or professional networks for sales outreach
3. How We Use Your Information
We use personal information for the following purposes:
- Service Delivery — Creating and managing your account, providing access to the Quint platform, processing transactions
- Communications — Responding to inquiries, sending service-related notices (security alerts, maintenance windows, policy changes)
- Marketing — Sending product updates, newsletters, and promotional content (with opt-out available)
- Analytics & Improvement — Understanding how our website and services are used to improve functionality and user experience
- Security — Detecting, preventing, and responding to fraud, abuse, and security incidents
- Legal Compliance — Complying with applicable laws, regulations, and legal processes
- Business Operations — Internal administration, financial reporting, and business planning
We do not:
- Sell your personal information to third parties
- Use your personal information for automated decision-making or profiling that produces legal effects
- Use customer platform data (AI agent telemetry) for marketing or advertising purposes
4. How We Share Your Information
We share personal information only in the following circumstances:
4.1 Service Providers
We engage third-party service providers who process data on our behalf under contractual obligations:
| Provider | Purpose | Data Processed |
|---|---|---|
| Stripe | Payment processing | Billing and payment information |
| Google Workspace | Email and collaboration | Business communications |
| AWS | Cloud infrastructure (ECS, RDS, VPC) | Service hosting and delivery |
| Supabase | Authentication and database | Account credentials (hashed) |
| Vercel | Website hosting | Website analytics |
| Google Analytics | Website analytics | Anonymized usage data |
A current list of sub-processors is maintained at quintai.dev/subprocessors and updated as changes occur.
4.2 Legal Requirements
We may disclose personal information if required by law, regulation, legal process, or governmental request. Where permitted, we will attempt to notify you before disclosing your information in response to legal process.
4.3 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, personal information may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your information.
4.4 With Your Consent
We may share your information with third parties when you have given explicit consent.
5. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA), United Kingdom (UK), and Switzerland, we process personal data under the following legal bases:
| Legal Basis | Activities |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Account creation, service delivery, payment processing |
| Legitimate Interest (Art. 6(1)(f)) | Analytics, security, marketing to existing customers, product improvement |
| Consent (Art. 6(1)(a)) | Marketing communications to prospects, optional cookies |
| Legal Obligation (Art. 6(1)(c)) | Tax reporting, responding to lawful government requests |
You may withdraw consent at any time without affecting the lawfulness of prior processing.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account plus 30 days after deletion request |
| Payment records | 7 years (tax and financial compliance) |
| Marketing contacts | Until unsubscribe or deletion request |
| Website analytics | 26 months (Google Analytics default) |
| Support communications | 3 years from last interaction |
| Job applications | 1 year from submission (unless consent given for longer) |
| Server logs | 90 days |
We may retain anonymized, aggregated data indefinitely for statistical purposes.
7. International Data Transfers
Quint is based in the United States. If you are located outside the United States, your personal information will be transferred to and processed in the United States.
For transfers from the EEA, UK, and Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
- Adequacy decisions where applicable
We are committed to applying for self-certification under the EU-U.S. Data Privacy Framework (DPF) and UK Extension to the DPF as the company scales.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of the personal information we hold about you |
| Rectification | Request correction of inaccurate or incomplete information |
| Erasure | Request deletion of your personal information (subject to legal retention requirements) |
| Portability | Receive your data in a structured, machine-readable format |
| Restriction | Request that we limit processing of your information |
| Objection | Object to processing based on legitimate interest, including direct marketing |
| Withdraw Consent | Withdraw consent where processing is based on consent |
| Lodge a Complaint | File a complaint with your local data protection authority |
To exercise your rights: Email privacy@quintai.com with your request. We will respond within 30 days (or sooner as required by applicable law).
9. Cookies & Tracking Technologies
We use cookies and similar technologies for:
| Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Authentication, security, session management | Session |
| Functional | Remembering preferences, language settings | 1 year |
| Analytics | Understanding website usage (Google Analytics) | 26 months |
We do not use advertising cookies or third-party tracking pixels for behavioral advertising.
You can manage cookie preferences through your browser settings. Note that disabling strictly necessary cookies may affect website functionality.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know — Categories and specific pieces of personal information collected
- Right to Delete — Request deletion of personal information
- Right to Correct — Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing — We do not sell or share personal information for cross-context behavioral advertising
- Right to Non-Discrimination — We will not discriminate against you for exercising your rights
To exercise your California rights: Email privacy@quintai.com or submit a request through our website.
In the preceding 12 months, we have collected the following categories of personal information: Identifiers, commercial information, internet or electronic network activity, and professional or employment-related information. We have not sold personal information to third parties.
11. Children's Privacy
Quint's services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will promptly delete that information.
12. Security
We implement appropriate technical and organizational measures to protect personal information, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- API key hashing (SHA-256; plaintext keys are never stored)
- Role-based access controls following the principle of least privilege
- Row-level security (RLS) for multi-tenant data isolation
- Regular security assessments and code reviews
- Tamper-evident audit logging with Ed25519 cryptographic signatures
No method of transmission or storage is 100% secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately at security@quintai.com.
13. What Quint Does NOT Collect
For clarity, the following data is never collected through our website or marketing operations:
- Content of conversations between users and AI agents
- User prompts or AI model responses
- Source code or file contents
- Personally identifiable information from AI agent tool calls (e.g., SSNs, credit card numbers)
- Keystroke data or screen recordings
For information about how the Quint platform handles AI agent telemetry data, please refer to our Data Processing Agreement.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a revised “Last Updated” date
- Sending an email notification to registered account holders for material changes
Your continued use of our services after any changes constitutes acceptance of the updated policy.
15. Data Protection Officer
While Quint is not currently required to appoint a Data Protection Officer under GDPR, we have designated a privacy contact responsible for data protection matters:
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Email: privacy@quintai.com
- Security issues: security@quintai.com
- Website: quintai.dev
If you are an EEA/UK resident, you have the right to lodge a complaint with your local supervisory authority.