Legal

Privacy Policy. Your data, your rights.

How QWR Interactive Solutions Pvt. Ltd. collects, uses, stores, and protects your personal data across our websites and services.

Version 1.1 · Last updated: 28 April 2026

1. Who we are

This privacy policy is issued by QWR Interactive Solutions Pvt. Ltd., a company incorporated under the laws of India (hereinafter "QWR", "we", "us", or "our"). We are the data controller (under GDPR) and data fiduciary (under India's Digital Personal Data Protection Act 2023, "DPDP Act") for the personal data described in this policy.

Registered office:

301, 303, 304 The Golden Bell, Koregaon Park Annexe, Industrial Area, Mundhwa, Pune, Maharashtra 411036, India

Corporate Identification Number (CIN): U72100MH2017PTC293580

2. Contact

For all privacy-related questions, requests, or complaints, please contact us at:

Privacy contact
[email protected]
General enquiries
[email protected]

If you are an investor using our investor portal at investor.questionwhatsreal.com, please refer to the Investor Portal Privacy Notice for additional terms specific to the portal.

3. What data we collect

3.1 When you visit our website

  • IP address (anonymised where analytics consent is not given)
  • User-agent string (browser type and version, operating system)
  • Session identifier (randomly generated, not linked to your identity)
  • Referrer URL (the page that linked you to us)
  • Pages viewed, scroll depth, and time on page
  • Country of origin (derived from IP via Cloudflare CF-IPCountry header; not stored beyond session)

3.2 When you contact us

  • Name
  • Email address
  • Phone number (if provided)
  • Message content
  • Organisation name (if provided)

3.3 When you use the product configurator, RFP forms, or ROI calculator

  • Your selections and answers within the tool
  • Generated output (e.g. configuration summary, cost estimate)
  • Form submissions linked to your contact details if you choose to submit

3.4 Bot detection

We use Cloudflare Bot Management and Turnstile CAPTCHA to detect automated traffic. Requests identified as bots are blocked without recording personal data. Cloudflare may process the IP address and user-agent for this purpose under its own privacy policy.

4. Lawful basis for processing

We process personal data under the following legal bases:

PurposeGDPR Art. 6 basisDPDP Act equivalent
Website security, abuse prevention, IP loggingLegitimate interest (Art. 6(1)(f))Reasonable purpose (Sec. 7(f) — security)
Analytics cookies (GA4, Clarity)Consent (Art. 6(1)(a))Consent (Sec. 6)
Advertising cookies (Google Ads — conversion measurement, remarketing)Consent (Art. 6(1)(a))Consent (Sec. 6)
Handling contact form submissions and enquiriesContract / pre-contractual measures (Art. 6(1)(b))Legitimate use (Sec. 7(a) — specified purpose)
Product configurator / RFP processingContract / pre-contractual measures (Art. 6(1)(b))Legitimate use (Sec. 7(a) — specified purpose)
Error monitoring and performance (Sentry)Legitimate interest (Art. 6(1)(f))Reasonable purpose (Sec. 7(f) — security)

Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interest does not override your fundamental rights. You may object to legitimate-interest processing at any time (see Section 8).

5. Who processes your data (third-party processors)

We share personal data only with processors who act on our instructions and are contractually bound by data processing agreements (DPAs). We never sell personal data. Only hashed user identifiers are shared with third parties; raw email addresses and names are never transmitted to analytics or monitoring services.

ProcessorPurposeData sharedLocationDPA status
Supabase (supabase.com)Authentication, database, storage, edge functionsAccount data, session data, contact form submissionsSeoul (AWS ap-northeast-2)Supabase Master Service Agreement
Sentry (sentry.io / GetSentry Inc.)Error and performance monitoringError events, anonymised IP, hashed user IDFrankfurt, Germany (EU)Sentry Data Processing Agreement
Google LLC (Google Analytics 4, Google Ads)Web analytics; advertising — conversion measurement and remarketingAnonymised IP, session ID, hashed user ID, behavioural events, ad-click identifiers (GCLID)Global (Google infrastructure)Google Ads Data Processing Terms
Microsoft Corporation (Clarity)Session replay and heatmapsAnonymised session recordings with strict input maskingGlobal (Microsoft infrastructure)Microsoft Products and Services DPA
Cloudflare, Inc.CDN, DNS, WAF, bot protection, Turnstile CAPTCHAIP address, request metadataGlobal edge networkCloudflare Data Processing Addendum
DigitalOcean, LLCStatic site hostingIP address, request metadata (passed through from Cloudflare)App-region specificDigitalOcean Data Processing Agreement
GitHub, Inc. (Microsoft)Source code hostingNo end-user personal data is stored in source repositoriesUnited StatesGitHub Customer Agreement / DPA

6. Data retention

We retain personal data only as long as necessary for the purposes set out in this policy, or as required by law.

Data categoryRetention periodRationale
Analytics data (GA4)14 monthsGoogle's default retention; sufficient for year-over-year analysis
Advertising conversion data (Google Ads)13 monthsGoogle Ads default for conversion attribution windows
Session replays (Clarity)30 daysMicrosoft Clarity default; used for UX improvement only
Error telemetry (Sentry)90 daysSufficient for debugging and performance trend analysis
Server and CDN logs (Cloudflare)Approximately 30 daysPer Cloudflare's default log retention
Contact form submissions2 yearsTo respond to and follow up on business enquiries
Investor portal audit logs8 yearsSEBI record-keeping requirements (see Investor Privacy Notice)

After the retention period expires, data is deleted or anonymised. Where anonymisation is technically infeasible (e.g., backups), access is restricted until deletion occurs in the normal backup rotation cycle.

7. International transfers

QWR is based in India. Your data may be processed in the following jurisdictions depending on the service involved:

  • Seoul, South Korea — Supabase (database, authentication, storage)
  • Frankfurt, Germany — Sentry (error monitoring)
  • United States — GitHub (source hosting — no end-user PII)
  • Global edge locations — Cloudflare, Google Analytics, Microsoft Clarity

EU/EEA/UK/Switzerland to non-EU transfers

Where personal data is transferred from the EU/EEA/UK/Switzerland to countries without an adequacy decision from the European Commission, we rely on:

  • Standard Contractual Clauses (SCCs) — incorporated into our DPAs with each processor
  • EU-US Data Privacy Framework — for US-based processors certified under the DPF (where applicable)
  • UK adequacy decisions — where the UK ICO has recognised the receiving country

India to outside India

Under the DPDP Act 2023, cross-border transfers of personal data are permitted except to countries specifically restricted by the Central Government. As of the date of this policy, no such restricted-country list has been notified. We treat all current transfer destinations as permitted. Should any destination be restricted in future DPDP Rules, we will obtain explicit consent or cease the transfer.

8. Your rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

RightGDPRDPDP ActDetails
AccessArt. 15Sec. 11Request a copy of the personal data we hold about you
RectificationArt. 16Sec. 12Correct inaccurate or incomplete personal data
ErasureArt. 17Sec. 12Request deletion of your personal data, subject to legal retention obligations (e.g., SEBI audit log retention — in which case PII is pseudonymised while the audit record is preserved)
RestrictionArt. 18Request that we pause processing of your data in certain circumstances
PortabilityArt. 20Receive your data in a structured, machine-readable format where technically feasible
ObjectionArt. 21Object to processing based on legitimate interest
Withdraw consentArt. 7(3)Sec. 6(5)Withdraw consent at any time; this does not affect the lawfulness of processing prior to withdrawal

How to exercise your rights

Email [email protected] with your request. We will verify your identity and respond within:

  • 30 days (GDPR — extendable by a further 60 days for complex requests, with notice)
  • As soon as reasonably practicable (DPDP Act)

Right to complain

You have the right to lodge a complaint with a supervisory authority:

  • India: Data Protection Board of India (once established under the DPDP Act)
  • EU/EEA: Your local data protection supervisory authority
  • UK: Information Commissioner's Office (ICO) — ico.org.uk

9. Cookies & tracking technologies

9.1 Essential cookies (no consent required)

These are strictly necessary for the website to function:

Cookie / storagePurposeDuration
Cloudflare bot-protection cookies (__cf_bm, cf_clearance)Bot detection and WAF protectionSession / 30 minutes
qwr-countryStores detected country code for geo-gated consent logic300 seconds (5 minutes)
qwr-themeRemembers your dark/light theme preferencePersistent (localStorage)
Cloudflare Turnstile tokenCAPTCHA verification on formsSession

9.2 Analytics cookies (consent required in EU/EEA/UK/CH; opt-out elsewhere)

Set by Google Analytics 4 and Microsoft Clarity for measurement only. Not used for advertising.

Cookie / storagePurposeDuration
Google Analytics 4 (_ga, _ga_*)Web analytics — page views, events, session trackingUp to 14 months
Microsoft Clarity (_clck, _clsk, CLID)Session replay, heatmaps, click trackingUp to 30 days

9.3 Advertising cookies (consent required in EU/EEA/UK/CH; opt-out elsewhere)

Set by Google Ads for measuring the effectiveness of our advertising campaigns and, where consent is given, for remarketing. We do not run advertising on this site directed at users under 18.

Cookie / storagePurposeDuration
Google Ads first-party (_gcl_au, _gcl_aw, _gcl_dc)Conversion measurement and ad-click attributionUp to 90 days
DoubleClick (IDE, set on doubleclick.net)Interest-based advertising and remarketing audiencesUp to 13 months

You can opt out of personalised Google ads at any time via Google Ads Settings, or globally via the DAA opt-out (USA) and YourOnlineChoices (EU).

9.4 Consent model

We use a geo-gated consent model:

  • EU/EEA/UK/Switzerland visitors: Analytics and advertising cookies are only set after you give explicit opt-in consent.
  • All other visitors: Analytics and advertising cookies are set by default. You may opt out at any time.

To change your cookie preferences, click "Privacy settings" in the website footer.

9.5 Do Not Track & Global Privacy Control

We respect the DNT=1 (Do Not Track) header and the Global Privacy Control signal. When either signal is detected, analytics and advertising cookies are not loaded regardless of your geographic location.

10. Children's privacy

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete the data promptly.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit — HTTPS enforced on all connections with HSTS (HTTP Strict Transport Security) and HSTS preload
  • Encryption at rest — Supabase provides AES-256 encryption at rest for all stored data
  • Row-Level Security (RLS) — enforced on all user-scoped database tables, ensuring data isolation
  • Tamper-evident audit logs — audit records include SHA-256 integrity hashes to detect unauthorised modification
  • Multi-factor authentication (MFA) — required for all administrative accounts across all platforms
  • Quarterly access reviews — we review access permissions to all systems at least quarterly
  • Content Security Policy (CSP) — enforced at the CDN edge to prevent cross-site scripting attacks

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to [email protected].

12. Breach notification

In the event of a personal data breach, we will:

  • Data Protection Board of India — notify within 72 hours of becoming aware of the breach, as required under the DPDP Act
  • EU/UK supervisory authorities — notify the relevant data protection authority within 72 hours where the breach is likely to result in a risk to the rights and freedoms of EU/UK data subjects (GDPR Art. 33)
  • Affected individuals — notify without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34) or as required under DPDP Act provisions

13. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes:

  • A notice will be displayed at the top of this page for at least 30 days
  • The "Last updated" date below will be revised
  • Where required by law, we will seek renewed consent

We encourage you to review this policy periodically.

Last updated: 28 April 2026
Version: 1.1

14. Governing law

This privacy policy is governed by the laws of India. Any disputes arising from or in connection with this policy shall be subject to the exclusive jurisdiction of the courts in Mumbai, Maharashtra, India.

This policy is without prejudice to any rights you may have under the GDPR (if you are in the EU/EEA/UK) or other applicable data protection laws in your jurisdiction.