Policies
Privacy Policy
If you contacted a business that uses this platform — by phone, WhatsApp, or
email — this policy explains how your personal data was handled during that
interaction.
If you are a business using our platform, your data handling is governed by
your service agreement.
WHO CONTROLS YOUR DATA
The business you contacted (the "Client") is your data controller — they decide
why your data is used and are responsible for it under GDPR. We are their data
processor — we handle the technical infrastructure to deliver their service.
For data access, correction, or deletion requests, contact the business
directly. Their details appear on their website or booking confirmation.
For platform-level privacy questions, contact: privacy@quadrantsunshine.com
Note: We have not appointed a Data Protection Officer, as we do not meet the
mandatory thresholds under GDPR Article 37. Platform-level privacy queries are
handled by our internal privacy contact at the address above.
WHAT DATA WE PROCESS
We collect only what is necessary to deliver the service. Data is never
repurposed beyond what is described in this policy.
Identity & contact: name, phone number, email address
Conversation content: WhatsApp messages, voice call recordings and
transcripts, email messagesAppointment data: service requested, date, time, cancellation or
rescheduling historyInteraction metadata: timestamps, channel used (voice/WhatsApp/email),
conversation outcome
Note: We do not intentionally collect sensitive categories of data (health,
financial, political views). Where a service name incidentally implies a
treatment type (e.g., at a clinic), the Client is responsible for ensuring a
valid legal basis exists for that data.
WHY WE PROCESS IT — LEGAL BASIS
Purpose Legal Basis (GDPR Art. 6)
Booking, rescheduling, cancelling Contractual necessity — 6(1)(b)
Answering customer enquiries Contractual necessity — 6(1)(b)
Sending appointment reminders Legitimate interest — 6(1)(f)
Post-service follow-up communications Legitimate interest — 6(1)(f)
Cold outreach (B2B only, never individuals) Legitimate interest — 6(1)(f)
Voice call recordings (where enabled) Legitimate interest — 6(1)(f)
Note on reminders: We have assessed that appointment reminders are
proportionate, expected by customers, and do not override individual privacy
rights. You may opt out at any time.
IMPORTANT: We never send cold outreach to private individuals. Cold outreach
is used exclusively in B2B contexts, targeting business contact addresses.
GDPR prohibits unsolicited direct marketing to consumers on the channels this
platform uses.
AUTOMATED PROCESSING & AI DECISION-MAKING
This platform uses AI to classify messages, route enquiries, and generate
responses. These are operational routing decisions — they do not produce legal
effects or significantly affect you as an individual.
No fully automated decision-making within the meaning of GDPR Article 22 is
applied. If you disagree with an automated outcome, you may request human
review by contacting the business directly.
WHO WE SHARE DATA WITH
We share data only with sub-processors required to deliver the service.
We do not sell data. We do not share data for advertising.
Sub-processor Role Location
Google (Calendar) Appointment scheduling EU / US
Meta (WhatsApp) Message delivery US
Retell AI Voice call handling US
Mailgun Email delivery US
Supabase Database & storage EU
Anthropic / OpenAI AI processing US
All transfers to US-based processors are protected by Standard Contractual
Clauses (SCCs) approved by the European Commission under GDPR Article 46.
HOW LONG WE KEEP YOUR DATA
Data type Retention period
Conversation logs & appointment records 12 months from last interaction
Voice call recordings 30 days, then permanently deleted
Email content 90 days
Opt-out records Indefinitely (to honour preference)
Lead & prospect records (B2B only) 24 months or until opt-out
Data is deleted automatically at the end of each retention period. You may
request earlier deletion — see Section 8.
SECURITY
Personal data is stored in encrypted databases with access controls. Voice
recordings are encrypted at rest and in transit. Access is restricted to
authorised platform personnel and the relevant Client.
We follow industry-standard security practices and conduct regular reviews.
In the event of a data breach affecting your rights, we will notify the
relevant supervisory authority within 72 hours, and affected individuals
without undue delay, as required by GDPR Articles 33-34.
YOUR RIGHTS
Under GDPR, you have the following rights:
Access — request a copy of the personal data we hold about you
Correction — request that inaccurate data be corrected
Erasure — request deletion of your data ("right to be forgotten")
Restriction — request that processing be limited in certain circumstances
Objection — object to processing based on legitimate interest
Portability — receive your data in a structured, machine-readable format
To exercise your rights: contact the business (your data controller) directly.
For platform infrastructure requests, email privacy@quadrantsunshine.com.
We will respond within 30 days.
To file a complaint:
Portugal: CNPD — cnpd.pt
EU residents: Contact your local supervisory authority (edpb.europa.eu)
COOKIES & TRACKING
This platform operates primarily via messaging channels (voice, WhatsApp,
email) and does not use browser cookies for end-user interactions.
If the Client's own website uses cookies or tracking technologies, that is
governed by the Client's separate cookie policy, independent of this document.
CHANGES TO THIS POLICY
We will notify Clients of material changes at least 30 days in advance via
email. The updated policy will be published with a revised date at the top
of this document.
For end-users, the version in effect at the time of your interaction always
applies. You may request a copy of any previous version by contacting
privacy@quadrantsunshine.com.
QUESTIONS ABOUT THIS POLICY?
Email privacy@quadrantsunshine.com — we aim to respond within 5 business days.
