Legal

Privacy Policy.

Last updated — May 2026

Quintara Reports (“Quintara,” “we”) processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This policy explains what we collect, why, and what rights you have.

1. Data we collect

When you order a report or request our sample, we collect:

  • Contact data: name (if provided), email address, optional PGP public key.
  • Order data: the report type you selected, the company one-liner, and the question paragraph you submitted.
  • Billing data: company name, address, and VAT number (collected at checkout by our payment processor, Stripe, and shared with us for invoicing — Quintara is the seller of record). We do not store full card numbers — only the Stripe customer ID for refund processing.
  • Identity-dedup data: a canonicalised form of your email (lowercased, gmail dots collapsed, “+alias” stripped), your payment-processor customer ID, and a lowercased form of your billing name. Used to detect repeat-refund abuse and asset-redistribution patterns. See section 3 (legitimate interest) and section 5 (retention).
  • Delivery access logs: when your /d/{token} link is fetched, we log the access timestamp, IP address, and a count. Used for forensic detection of bulk-download / shared-link abuse, and to surface a download history to you on request.
  • Technical data: IP address (hashed at request time), user agent, and referrer, recorded for general anti-fraud logging.

2. Analytics

We use Plausible Analytics by default — a privacy-first analytics tool that does not set cookies and does not collect personal data. No consent is required for Plausible under GDPR. If you accept the cookie banner, we additionally load Google Analytics 4 and Microsoft Clarity for richer product analytics. You can withdraw consent at any time via your browser’s site data controls.

3. Why we process data

  • To deliver your report and communicate about scope (legal basis: contract).
  • To send transactional emails (legal basis: contract).
  • To send our monthly “field notes” (legal basis: explicit opt-in consent — unsubscribe in one click).
  • To prevent fraud and maintain service security (legal basis: legitimate interest).
  • To comply with tax and accounting obligations (legal basis: legal obligation).

4. Sub-processors

We share personal data only with the following sub-processors, all subject to a Data Processing Agreement:

  • Neon (Postgres database, EU region) — order and email storage.
  • Resend (transactional email, EU region) — delivery of confirmations and reports.
  • Cloudflare (CDN + Turnstile anti-spam) — request routing.
  • Vercel (hosting, EU region) — site delivery.
  • Plausible (analytics, EU region) — privacy-first product analytics.
  • Stripe Payments Europe Ltd. (payment processing, EU/Ireland) — checkout, invoicing, refunds.

5. Retention

  • Order records & invoices: 7 years (Dutch tax law).
  • Sample requests & newsletter subscribers: until you unsubscribe.
  • General anti-fraud logs (request IP hash, user agent): 30 days.
  • Delivery access logs (per-link fetch counts + IPs): 12 months.
  • Identity-dedup data (refunded / chargeback / flagged identities): retained under GDPR “legitimate interest” (Article 6(1)(f)) for as long as needed to enforce the Terms of Service. A subject-access deletion request will remove the row from the dedup log only if you confirm in writing that you will not attempt to re-purchase under a new email or card. Otherwise the entry remains as the minimum data necessary to enforce against abuse — see /terms section 7.

6. Your rights (GDPR / CCPA)

You have the right to:

  • Access the personal data we hold about you.
  • Request correction or deletion (right to be forgotten, subject to retention obligations).
  • Restrict or object to processing.
  • Receive your data in a portable format (JSON).
  • Withdraw consent at any time.
  • Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

To exercise any of these rights, email business@quintara-reports.com. We will respond within 30 days.

7. International transfers

All sub-processors store data within the EU/EEA. We do not transfer personal data to the United States or other third countries.

8. Children

Our service is intended for businesses. We do not knowingly collect data from children under 16. If you believe we have, contact us and we will delete it.

9. Changes

We will post material changes to this policy here and notify active clients by email.

Data controller: Quintara Reports

business@quintara-reports.com