Privacy Policy

Overview

Quandry Labs LLC ("Quandry Labs," "we," "us," or "our") respects your privacy and is committed to protecting the personal data we process. This Privacy Policy explains how we collect, use, store, share, and protect information when you interact with our services, website (quandrylabs.com), and consulting engagements.

This policy applies to all individuals whose data we process, including website visitors, clients, prospective clients, and any data subjects whose personal data is processed as part of our service delivery.

Data We Collect

Information you provide directly

• Contact information — name, email address, phone number, company name, job title
• Engagement data — project requirements, technical specifications, communications related to our consulting services
• Account credentials — authentication information for systems we deploy on your behalf
• Payment information — billing address, payment method details (processed by our payment processor; we do not store full card numbers)

Information collected automatically

• Device and browser data — IP address, browser type, operating system, device identifiers
• Usage data — pages visited, time spent, referring URLs, click patterns
• Log data — server logs, error reports, access timestamps
• Cookies and similar technologies — see Cookies section below

Information from third parties

• Business contact databases for sales outreach
• Identity verification services
• Publicly available professional information (LinkedIn, company websites)

How We Use Data

We process personal data for the following purposes:

• Service delivery — executing consulting engagements, building integrations, deploying solutions
• Communication — responding to inquiries, sending project updates, sharing relevant content
• Security — protecting our systems, detecting fraud, maintaining audit trails
• Improvement — analyzing usage patterns to improve our website and services
• Legal compliance — meeting regulatory obligations, responding to legal requests
• Marketing — sending newsletters and industry insights (with consent where required)

Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation, we rely on the following legal bases:

Data Sharing

We do not sell personal data. We share data only in the following circumstances:

• Service providers — cloud infrastructure, payment processors, analytics platforms, and communication tools that support our operations (under data processing agreements)
• Professional advisors — legal counsel, accountants, auditors under confidentiality obligations
• Legal requirements — when required by law, subpoena, court order, or to protect our legal rights
• Business transfers — in connection with a merger, acquisition, or sale of assets (with prior notice)
• With your consent — any other sharing will require your explicit authorization

International Data Transfers

Quandry Labs is based in the United States. If you are located outside the US, your data will be transferred to and processed in the United States.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) — EU Commission-approved contractual protections for international transfers
• Supplementary measures — encryption in transit and at rest, access controls, and contractual obligations on sub-processors
• Adequacy decisions — where applicable, reliance on adequacy determinations by competent authorities

You may request a copy of the applicable transfer mechanisms by contacting us at [email protected].

Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

• Client engagement data — duration of the engagement plus 5 years (contractual and legal obligations)
• Financial records — 7 years (tax and accounting requirements)
• Marketing contacts — until consent is withdrawn or 3 years of inactivity
• Website analytics — 26 months (anonymized/aggregated data may be retained longer)
• Security logs — 12 months
• Prospective client inquiries — 2 years from last contact

When retention periods expire, data is securely deleted or irreversibly anonymized.

Your Rights (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights under applicable data protection law:

• Right of access — obtain confirmation of whether we process your data and request a copy
• Right to rectification — correct inaccurate or incomplete personal data
• Right to erasure — request deletion of your personal data (subject to legal retention obligations)
• Right to data portability — receive your data in a structured, machine-readable format
• Right to restriction — limit processing while a dispute or objection is resolved
• Right to object — object to processing based on legitimate interests, including profiling
• Right to withdraw consent — withdraw consent at any time without affecting prior processing
• Right to lodge a complaint — file a complaint with your local supervisory authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Your Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with additional rights:

• Right to know — what personal information we collect, use, disclose, and sell
• Right to delete — request deletion of personal information we hold about you
• Right to correct — correct inaccurate personal information
• Right to opt-out — opt out of the "sale" or "sharing" of personal information (we do not sell personal data)
• Right to limit use of sensitive data — restrict processing of sensitive personal information
• Right to non-discrimination — we will not discriminate against you for exercising your rights

To submit a verifiable consumer request, contact us at [email protected].

Cookies & Tracking Technologies

We use cookies and similar technologies to operate our website, analyze traffic, and personalize your experience.

Essential cookies

Required for core website functionality (authentication, security, preferences). These cannot be disabled.

Analytics cookies

Help us understand how visitors interact with our website. We use privacy-respecting analytics that do not build advertising profiles.

Marketing cookies

Used only with your consent to measure campaign effectiveness. We do not participate in third-party advertising networks.

Managing cookies

You can manage cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling essential cookies may impact website functionality.

Third-Party Services

Our website and services integrate with the following categories of third-party providers:

• Cloud infrastructure — hosting, compute, storage (data processing agreements in place)
• Communication tools — email delivery, scheduling, video conferencing
• Analytics — privacy-respecting website analytics
• Payment processing — PCI-DSS compliant payment processors
• Security tools — DDoS protection, bot management, SSL/TLS

Each third party operates under their own privacy policy and our contractual data protection requirements.

Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take immediate steps to delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to active clients or prominently posted on our website at least 30 days before taking effect.

The "Last updated" date at the top of this page indicates when the most recent revisions were made.

Data Protection Contact

For privacy-related questions, data subject requests, or concerns about our data practices:

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.