Privacy Policy

Effective: 29 May 2026

1. Controller

The data controller for personal data processed via the Gardia service is QuantumBox Inc. ("we", "QuantumBox"). Gardia is a product of QuantumBox Inc.

2. Roles

For documents and data your tenant uploads, you (the customer) are the controller and QuantumBox is the processor. For account-level data (admin email, billing) we act as controller.

3. What we collect

Account: name, email, locale, tenant role. Billing: name, billing address, last 4 digits & brand of card (full card data is handled by Stripe, never stored by us). Usage: page views, API calls, document counts, model token usage, IP address, user-agent. Documents: whatever your tenant uploads or receives by email.

4. Purpose & legal basis

We process data to (a) provide and secure the Service (contract), (b) bill customers (contract / legal obligation), (c) communicate about the Service (legitimate interest), (d) comply with legal requests (legal obligation). We do not sell personal data and we do not use customer documents to train third-party AI models.

5. Sub-processors

Hosting: Microsoft Azure (region selectable per tenant, default France Central). Email: Postmark (inbound), Azure Communication Services (outbound). Payments: Stripe. AI inference: Azure OpenAI Service. The list is maintained at gardia.cloud/subprocessors.

6. International transfers

EU/UK customer data stays in the customer-selected region. Where transfers outside the EEA are necessary (e.g. support, sub-processors), Standard Contractual Clauses (SCC) apply.

7. Retention

Documents and extractions: kept until you delete them. Account data: kept until 30 days after account closure. Billing records: kept for the statutory retention period (typically 7–10 years). Audit logs: 12 months.

8. Security

TLS 1.2+ in transit, AES-256 at rest, row-level isolation per tenant, role-based access control, MFA-protected admin access. Vulnerability reports: security@gardia.cloud.

9. Your rights (GDPR / equivalent)

You may request access, rectification, deletion, portability or restriction of your personal data, and you may object to processing. Tenant admins can self-serve most of these from the Admin panel. For everything else, write to privacy@gardia.cloud. You may also lodge a complaint with your supervisory authority (e.g. CNIL in France).

10. Cookies

We use strictly necessary cookies for authentication and session management, and privacy-friendly analytics (no third-party advertising cookies). A cookie banner is shown on first visit.

11. Children

Gardia is intended for business use and is not directed to children under 16. We do not knowingly collect their personal data.

12. Changes

We may update this Policy. The "Effective" date above tracks the latest revision. Material changes are notified by email to tenant administrators.

13. Contact

Privacy: privacy@gardia.cloud · Data Protection Officer: dpo@gardia.cloud · Parent company: QuantumBox Inc. (quantumbox.ai).

---

Gardia is a product, brand and trademark of QuantumBox Inc. Visit quantumbox.ai for company information.