Privacy Policy. Your data, your rights.
How QWR Interactive Solutions Pvt. Ltd. collects, uses, stores, and protects your personal data across our websites and services.
1. Who we are
This privacy policy is issued by QWR Interactive Solutions Pvt. Ltd., a company incorporated under the laws of India (hereinafter "QWR", "we", "us", or "our"). We are the data controller (under GDPR) and data fiduciary (under India's Digital Personal Data Protection Act 2023, "DPDP Act") for the personal data described in this policy.
Registered office:
301, 303, 304 The Golden Bell, Koregaon Park Annexe, Industrial Area, Mundhwa, Pune, Maharashtra 411036, India
Corporate Identification Number (CIN): U72100MH2017PTC293580
2. Contact
For all privacy-related questions, requests, or complaints, please contact us at:
If you are an investor using our investor portal at investor.questionwhatsreal.com, please refer to the Investor Portal Privacy Notice for additional terms specific to the portal.
3. What data we collect
3.1 When you visit our website
- IP address (anonymised where analytics consent is not given)
- User-agent string (browser type and version, operating system)
- Session identifier (randomly generated, not linked to your identity)
- Referrer URL (the page that linked you to us)
- Pages viewed, scroll depth, and time on page
- Country of origin (derived from IP via Cloudflare
CF-IPCountryheader; not stored beyond session)
3.2 When you contact us
- Name
- Email address
- Phone number (if provided)
- Message content
- Organisation name (if provided)
3.3 When you use the product configurator, RFP forms, or ROI calculator
- Your selections and answers within the tool
- Generated output (e.g. configuration summary, cost estimate)
- Form submissions linked to your contact details if you choose to submit
3.4 Bot detection
We use Cloudflare Bot Management and Turnstile CAPTCHA to detect automated traffic. Requests identified as bots are blocked without recording personal data. Cloudflare may process the IP address and user-agent for this purpose under its own privacy policy.
4. Lawful basis for processing
We process personal data under the following legal bases:
| Purpose | GDPR Art. 6 basis | DPDP Act equivalent |
|---|---|---|
| Website security, abuse prevention, IP logging | Legitimate interest (Art. 6(1)(f)) | Reasonable purpose (Sec. 7(f) — security) |
| Analytics cookies (GA4, Clarity) | Consent (Art. 6(1)(a)) | Consent (Sec. 6) |
| Advertising cookies (Google Ads — conversion measurement, remarketing) | Consent (Art. 6(1)(a)) | Consent (Sec. 6) |
| Handling contact form submissions and enquiries | Contract / pre-contractual measures (Art. 6(1)(b)) | Legitimate use (Sec. 7(a) — specified purpose) |
| Product configurator / RFP processing | Contract / pre-contractual measures (Art. 6(1)(b)) | Legitimate use (Sec. 7(a) — specified purpose) |
| Error monitoring and performance (Sentry) | Legitimate interest (Art. 6(1)(f)) | Reasonable purpose (Sec. 7(f) — security) |
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interest does not override your fundamental rights. You may object to legitimate-interest processing at any time (see Section 8).
5. Who processes your data (third-party processors)
We share personal data only with processors who act on our instructions and are contractually bound by data processing agreements (DPAs). We never sell personal data. Only hashed user identifiers are shared with third parties; raw email addresses and names are never transmitted to analytics or monitoring services.
| Processor | Purpose | Data shared | Location | DPA status |
|---|---|---|---|---|
| Supabase (supabase.com) | Authentication, database, storage, edge functions | Account data, session data, contact form submissions | Seoul (AWS ap-northeast-2) | Supabase Master Service Agreement |
| Sentry (sentry.io / GetSentry Inc.) | Error and performance monitoring | Error events, anonymised IP, hashed user ID | Frankfurt, Germany (EU) | Sentry Data Processing Agreement |
| Google LLC (Google Analytics 4, Google Ads) | Web analytics; advertising — conversion measurement and remarketing | Anonymised IP, session ID, hashed user ID, behavioural events, ad-click identifiers (GCLID) | Global (Google infrastructure) | Google Ads Data Processing Terms |
| Microsoft Corporation (Clarity) | Session replay and heatmaps | Anonymised session recordings with strict input masking | Global (Microsoft infrastructure) | Microsoft Products and Services DPA |
| Cloudflare, Inc. | CDN, DNS, WAF, bot protection, Turnstile CAPTCHA | IP address, request metadata | Global edge network | Cloudflare Data Processing Addendum |
| DigitalOcean, LLC | Static site hosting | IP address, request metadata (passed through from Cloudflare) | App-region specific | DigitalOcean Data Processing Agreement |
| GitHub, Inc. (Microsoft) | Source code hosting | No end-user personal data is stored in source repositories | United States | GitHub Customer Agreement / DPA |
6. Data retention
We retain personal data only as long as necessary for the purposes set out in this policy, or as required by law.
| Data category | Retention period | Rationale |
|---|---|---|
| Analytics data (GA4) | 14 months | Google's default retention; sufficient for year-over-year analysis |
| Advertising conversion data (Google Ads) | 13 months | Google Ads default for conversion attribution windows |
| Session replays (Clarity) | 30 days | Microsoft Clarity default; used for UX improvement only |
| Error telemetry (Sentry) | 90 days | Sufficient for debugging and performance trend analysis |
| Server and CDN logs (Cloudflare) | Approximately 30 days | Per Cloudflare's default log retention |
| Contact form submissions | 2 years | To respond to and follow up on business enquiries |
| Investor portal audit logs | 8 years | SEBI record-keeping requirements (see Investor Privacy Notice) |
After the retention period expires, data is deleted or anonymised. Where anonymisation is technically infeasible (e.g., backups), access is restricted until deletion occurs in the normal backup rotation cycle.
7. International transfers
QWR is based in India. Your data may be processed in the following jurisdictions depending on the service involved:
- Seoul, South Korea — Supabase (database, authentication, storage)
- Frankfurt, Germany — Sentry (error monitoring)
- United States — GitHub (source hosting — no end-user PII)
- Global edge locations — Cloudflare, Google Analytics, Microsoft Clarity
EU/EEA/UK/Switzerland to non-EU transfers
Where personal data is transferred from the EU/EEA/UK/Switzerland to countries without an adequacy decision from the European Commission, we rely on:
- Standard Contractual Clauses (SCCs) — incorporated into our DPAs with each processor
- EU-US Data Privacy Framework — for US-based processors certified under the DPF (where applicable)
- UK adequacy decisions — where the UK ICO has recognised the receiving country
India to outside India
Under the DPDP Act 2023, cross-border transfers of personal data are permitted except to countries specifically restricted by the Central Government. As of the date of this policy, no such restricted-country list has been notified. We treat all current transfer destinations as permitted. Should any destination be restricted in future DPDP Rules, we will obtain explicit consent or cease the transfer.
8. Your rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
| Right | GDPR | DPDP Act | Details |
|---|---|---|---|
| Access | Art. 15 | Sec. 11 | Request a copy of the personal data we hold about you |
| Rectification | Art. 16 | Sec. 12 | Correct inaccurate or incomplete personal data |
| Erasure | Art. 17 | Sec. 12 | Request deletion of your personal data, subject to legal retention obligations (e.g., SEBI audit log retention — in which case PII is pseudonymised while the audit record is preserved) |
| Restriction | Art. 18 | — | Request that we pause processing of your data in certain circumstances |
| Portability | Art. 20 | — | Receive your data in a structured, machine-readable format where technically feasible |
| Objection | Art. 21 | — | Object to processing based on legitimate interest |
| Withdraw consent | Art. 7(3) | Sec. 6(5) | Withdraw consent at any time; this does not affect the lawfulness of processing prior to withdrawal |
How to exercise your rights
Email [email protected] with your request. We will verify your identity and respond within:
- 30 days (GDPR — extendable by a further 60 days for complex requests, with notice)
- As soon as reasonably practicable (DPDP Act)
Right to complain
You have the right to lodge a complaint with a supervisory authority:
- India: Data Protection Board of India (once established under the DPDP Act)
- EU/EEA: Your local data protection supervisory authority
- UK: Information Commissioner's Office (ICO) — ico.org.uk
9. Cookies & tracking technologies
9.1 Essential cookies (no consent required)
These are strictly necessary for the website to function:
| Cookie / storage | Purpose | Duration |
|---|---|---|
Cloudflare bot-protection cookies (__cf_bm, cf_clearance) | Bot detection and WAF protection | Session / 30 minutes |
qwr-country | Stores detected country code for geo-gated consent logic | 300 seconds (5 minutes) |
qwr-theme | Remembers your dark/light theme preference | Persistent (localStorage) |
| Cloudflare Turnstile token | CAPTCHA verification on forms | Session |
9.2 Analytics cookies (consent required in EU/EEA/UK/CH; opt-out elsewhere)
Set by Google Analytics 4 and Microsoft Clarity for measurement only. Not used for advertising.
| Cookie / storage | Purpose | Duration |
|---|---|---|
Google Analytics 4 (_ga, _ga_*) | Web analytics — page views, events, session tracking | Up to 14 months |
Microsoft Clarity (_clck, _clsk, CLID) | Session replay, heatmaps, click tracking | Up to 30 days |
9.3 Advertising cookies (consent required in EU/EEA/UK/CH; opt-out elsewhere)
Set by Google Ads for measuring the effectiveness of our advertising campaigns and, where consent is given, for remarketing. We do not run advertising on this site directed at users under 18.
| Cookie / storage | Purpose | Duration |
|---|---|---|
Google Ads first-party (_gcl_au, _gcl_aw, _gcl_dc) | Conversion measurement and ad-click attribution | Up to 90 days |
DoubleClick (IDE, set on doubleclick.net) | Interest-based advertising and remarketing audiences | Up to 13 months |
You can opt out of personalised Google ads at any time via Google Ads Settings, or globally via the DAA opt-out (USA) and YourOnlineChoices (EU).
9.4 Consent model
We use a geo-gated consent model:
- EU/EEA/UK/Switzerland visitors: Analytics and advertising cookies are only set after you give explicit opt-in consent.
- All other visitors: Analytics and advertising cookies are set by default. You may opt out at any time.
To change your cookie preferences, click "Privacy settings" in the website footer.
9.5 Do Not Track & Global Privacy Control
We respect the DNT=1 (Do Not Track) header and the Global Privacy Control signal. When either signal is detected, analytics and advertising cookies are not loaded regardless of your geographic location.
10. Children's privacy
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete the data promptly.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit — HTTPS enforced on all connections with HSTS (HTTP Strict Transport Security) and HSTS preload
- Encryption at rest — Supabase provides AES-256 encryption at rest for all stored data
- Row-Level Security (RLS) — enforced on all user-scoped database tables, ensuring data isolation
- Tamper-evident audit logs — audit records include SHA-256 integrity hashes to detect unauthorised modification
- Multi-factor authentication (MFA) — required for all administrative accounts across all platforms
- Quarterly access reviews — we review access permissions to all systems at least quarterly
- Content Security Policy (CSP) — enforced at the CDN edge to prevent cross-site scripting attacks
No system is 100% secure. If you discover a security vulnerability, please report it responsibly to [email protected].
12. Breach notification
In the event of a personal data breach, we will:
- Data Protection Board of India — notify within 72 hours of becoming aware of the breach, as required under the DPDP Act
- EU/UK supervisory authorities — notify the relevant data protection authority within 72 hours where the breach is likely to result in a risk to the rights and freedoms of EU/UK data subjects (GDPR Art. 33)
- Affected individuals — notify without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34) or as required under DPDP Act provisions
13. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes:
- A notice will be displayed at the top of this page for at least 30 days
- The "Last updated" date below will be revised
- Where required by law, we will seek renewed consent
We encourage you to review this policy periodically.
Last updated: 28 April 2026
Version: 1.1
14. Governing law
This privacy policy is governed by the laws of India. Any disputes arising from or in connection with this policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India.
This policy is without prejudice to any rights you may have under the GDPR (if you are in the EU/EEA/UK) or other applicable data protection laws in your jurisdiction.