Effective 12 July 2026 · v1 · QuantumLayer (“we”, “us”). What we collect, why, and what we deliberately do not.
Account data: your name, email, and organization via our sign-in provider (Clerk). Connection credentials: the read-only credentials you supply, envelope-encrypted at rest; keyless references are stored as references. Estate metadata: resource identifiers, kinds, regions, states, cost and utilization figures read from your connected accounts. Product analytics: basic usage events to improve the Service.
No workload contents: we never read your databases, storage objects, source code, prompts, or model inputs/outputs. Token counts are read as aggregate numbers from your provider’s usage APIs — never the text behind them. We do not sell data, full stop.
To run sweeps you request or schedule, produce findings and receipts, alert the webhook you configure, bill paid plans, and secure the Service. Legal bases under UK/EU GDPR: contract performance, legitimate interest (service security and improvement), and consent where required.
Data is stored in our infrastructure on Microsoft Azure (UK South) with per-tenant isolation enforced at the database layer (row-level security). Sub-processors: Microsoft Azure (hosting), Clerk (authentication), and — when you configure them — your webhook destination. We will maintain a current sub-processor list on request.
Credentials are deleted when you disconnect a cloud. Estate snapshots and findings are retained while your account is active (they are your audit history). On account deletion we remove your data within 30 days, except records retention law requires.
Access, correction, export, deletion, and objection — email SubrahmanyaGonella@quantumlayerplatform.com and we will respond within 30 days. You may complain to the ICO (UK) or your local supervisory authority.
v1 draft — pending counsel review; the data-controller legal entity will be confirmed here before paid contracts reference this page.