Privacy Policy
Executive summary
This Privacy Policy is written for a Spain-based provider of real-time voice, messaging and AI-agent infrastructure. It explains how Quantrova Tech SL processes personal data when operating the website, handling sales and support enquiries, managing customer accounts, and providing platform services. It also distinguishes between data for which Quantrova acts as a controller and service-content data that Quantrova will generally process on behalf of customers as a processor under the applicable customer contract and data-processing terms. The structure below is designed to match GDPR, Spain’s data-protection framework, and the practical realities of an AI communications platform.
Company information
Quantrova Tech SL, NIF B88671284, with registered office at Calle Balandro, 39, 28042 Madrid, Spain, and Mercantile Registry reference Registro Mercantil de Madrid, Hoja M-882839, Inscripción 1, is the data controller for the website, marketing, commercial, account, billing, compliance and support processing described in this page. Contact email: contact@quantrova.io.
Scope of this policy
This Privacy Policy applies to website visitors, prospective customers, customer representatives, suppliers, business contacts and other individuals whose personal data is processed through the website or in connection with the commercial relationship with Quantrova. When a customer deploys voice, messaging, transcription, observability or AI-agent workflows through the platform, that customer will usually determine the purposes and essential means of that service processing and will therefore usually act as the controller. In those cases, Quantrova will generally act as a processor, except where Quantrova must process certain data as an independent controller for security, fraud prevention, billing, compliance or internal recordkeeping.
If an individual interacts with an agent, voice flow, number, chat endpoint or messaging workflow deployed by a Quantrova customer, the primary privacy notice for that interaction should normally be the customer’s own notice. Quantrova may nonetheless provide reasonable assistance to customers so that data-subject rights, security requests and deletion requests can be handled properly under the relevant customer agreement and, where applicable, a data-processing agreement.
Personal data processed
Quantrova may process identification and contact data such as name, work email, job title, employer, telephone number and correspondence details. Quantrova may also process commercial and account data such as quote requests, onboarding information, contract contacts, invoices, billing identifiers and support history. For platform services, depending on configuration, Quantrova may process communications content and metadata, such as call detail records, message-routing data, session identifiers, timestamps, device and browser data, IP addresses, call recordings, transcripts, prompts, responses, workflow events, model and runtime selections, audit logs, security events and diagnostics.
Where the website uses forms, analytics or cookies, Quantrova may also process online identifiers and usage data such as cookie IDs, browser settings, visited pages, referral URLs and interaction events. Quantrova does not ask for special-category personal data through ordinary website forms, and customers should avoid sending such information unless its processing is necessary, lawful and covered by appropriate contractual and technical safeguards.
Purposes of processing and legal bases
Quantrova processes personal data to operate and secure the website, answer enquiries, send quotes, manage demos and onboarding, negotiate and perform contracts, provide support, manage accounts, issue invoices, prevent fraud, investigate incidents, maintain auditability, improve platform reliability and meet legal obligations. The main legal bases used for controller-side processing are consent, pre-contractual steps and contractual necessity, compliance with legal obligations, and legitimate interests such as network security, fraud prevention, service continuity, documentation and measured improvement of the platform. Where consent is the legal basis, it can be withdrawn at any time without affecting earlier processing.
When Quantrova processes service content on behalf of a customer, the customer is normally responsible for identifying the correct legal basis for the underlying processing, for delivering any required privacy notices, and for documenting its instructions to Quantrova. Where legally significant or similarly significant automated decisions are involved, additional safeguards may be required, including meaningful human review where appropriate.
AI processing, model routing and agent runtime
Quantrova provides infrastructure and runtime capabilities for real-time voice, messaging and AI-agent execution. Depending on customer configuration, service data may be routed to speech, telephony, messaging, storage, observability, security and model providers so that the platform can generate responses, route conversations, perform transcription, maintain short-term agent context, apply safeguards, log actions, and execute workflows. This policy is deliberately drafted to cover selected models, voice providers and runtime choices without hard-coding specific model names, because the Quantrova homepage describes a configurable model layer and such catalogues can change over time.
If Quantrova acts as controller for limited AI-related processing, that processing will be tied to legitimate operational purposes such as service delivery, abuse detection, quality assurance, auditability and platform security. If Quantrova acts as processor for customer-run agents, the relevant customer remains responsible for the lawfulness of the prompts, data sources, guardrails, escalation rules and downstream actions configured in that customer’s deployment. Solely automated decisions with legal or similarly significant effects should not be deployed without an appropriate lawful basis and safeguards.
Call recording, transcription and communications handling
Quantrova services may support call recording, transcription, conversation analytics, note generation, message retention and workflow automation. These features may be enabled or disabled depending on the product configuration chosen by the customer. Where recording or transcription is enabled, personal data may include audio, message content, transcript text, speaker metadata, routing information, summaries, tags and logs of actions taken by an agent or by a human operator.
Customers using these features are responsible for ensuring that all required notices, lawful bases and sector-specific compliance steps are in place before recording, transcribing or analysing communications. Quantrova may process the resulting content and metadata to deliver the service, maintain observability and audit trails, respond to support requests, protect the platform and comply with legal obligations.
Cookies and similar technologies
If the website stores or reads cookies or similar technologies on a visitor’s device, Quantrova will provide clear information about their purposes and, where required, collect consent before placing non-essential cookies. Essential cookies may be used where strictly necessary for the technical operation, security and basic functionality of the site. Visitors must also be able to withdraw consent as easily as it was given, and a cookie-settings tool should be available if non-essential cookies are used.
If analytics or audience-measurement tools are used, their configuration should be reviewed against the latest AEPD guidance before deployment. That is especially relevant when the site uses third-party analytics, advertising tags or conversion tools.
Recipients, subprocessors and international transfers
Quantrova may share personal data with hosting providers, network and telecom providers, messaging providers, model and speech providers, cloud infrastructure providers, payment service providers, professional advisers and other vendors that help operate the business and the platform. These recipients may act either as processors on Quantrova’s behalf or, in some cases, as independent controllers for their own regulated functions. Quantrova will use written contractual controls where required and will select processors that provide sufficient guarantees of security and compliance.
Where personal data is transferred outside the European Economic Area, Quantrova will rely on a lawful transfer mechanism such as an adequacy decision or the Standard Contractual Clauses adopted by the European Commission, together with supplementary measures where necessary.
Retention and security
Quantrova keeps personal data only for as long as necessary for the purposes for which it was collected, for the duration of the customer relationship, for the retention period configured by the relevant service settings or contract, or for the time required by tax, accounting, limitation, security and regulatory obligations. Website enquiries are retained only while needed to handle the request and any related business follow-up. Contract and billing records are retained for the applicable statutory periods. Service recordings, transcripts, logs and runtime data are retained according to customer configuration, support needs, security requirements and contractual commitments, after which they are deleted or anonymised where feasible.
Quantrova applies appropriate technical and organisational measures proportionate to the risks presented by the processing. Depending on context, those measures may include access controls, least-privilege permissions, encryption in transit and at rest where appropriate, logging, monitoring, backup controls, environment segregation, vendor due diligence and incident response procedures. No digital environment can offer absolute security, but GDPR requires risk-based measures and active accountability, and this policy is drafted on that basis.
Data-subject rights and complaints
For processing where Quantrova acts as controller, an individual may request access, rectification, erasure, restriction, objection, portability, and—where applicable—the right not to be subject to certain automated decisions. An individual may also withdraw consent at any time where consent is the legal basis. Requests can be sent to contact@quantrova.io. If the request concerns service data processed by Quantrova on behalf of a customer, Quantrova may redirect the request to that customer or coordinate the response under the applicable processing agreement.
If an individual believes that personal data has been handled in breach of applicable law, that individual may also lodge a complaint with the Agencia Española de Protección de Datos or another competent supervisory authority.
Children
Quantrova’s website and platform are intended for business and professional use and are not directed to children. In Spain, consent-based processing of a child’s personal data generally requires that the child be at least 14 years old. If Quantrova becomes aware that personal data has been collected from a child in circumstances that do not satisfy the applicable legal requirements, the data will be deleted or otherwise handled in accordance with applicable law.
Changes and contact
Quantrova may update this Privacy Policy from time to time to reflect legal, technical, commercial or operational changes. The current version should remain available from the website footer. Questions about this Privacy Policy can be sent to contact@quantrova.io.