- Part I: Global Privacy Policy
1. Introduction
Quantum Heaps Pte. Ltd. (“Quantum Heaps”, “we”, “our”, “us”) provides Software as a Service (SaaS) sales CRM solutions globally. We are committed to protecting privacy and handling personal data responsibly. This policy explains how we collect, use, disclose, store, and protect personal data when you use our services and websites.
2. Scope
This policy applies to all Quantum Heaps websites, applications, and services that link to it, including mobile apps and APIs. By using our services, you agree to this policy.
3. Definitions
“Personal Data” means information relating to an identified or identifiable natural person. “Processing” means any operation performed on Personal Data. “Controller” and “Processor” have the meanings given in applicable data protection laws (e.g., GDPR, PDPA, CCPA/CPRA).
4. Categories of Personal Data We Collect
– Account & Profile (e.g., name, business email, job title, company)
– Authentication & Security (e.g., passwords, MFA tokens, logs)
– Usage & Device (e.g., IP address, browser type, pages viewed, product interactions)
– CRM Service Data you upload (e.g., leads, contacts, notes, deals)
– Billing & Payment (processed via secure gateways)
– Communications & Support (e.g., tickets, chat transcripts)
– Marketing Preferences
5. How We Collect Personal Data
– Directly from you (account creation, forms, support)
– Automatically via cookies, SDKs, and logs
– From authorized third parties and integrations you enable
– From public sources where lawful and relevant to B2B CRM use
6. Purposes of Processing & Legal Bases
We process Personal Data to: (a) provide, maintain, and secure the services; (b) deliver support; (c) manage billing and accounts; (d) perform analytics and improve services; (e) prevent fraud and enhance security; (f) comply with legal obligations; (g) conduct marketing with consent where required. Legal bases include contractual necessity, consent, legitimate interests (e.g., service improvement and security), and compliance with legal obligations.
7. Data Minimization & Retention
We collect only what is necessary and retain it no longer than required: (a) for active accounts retained while services are provided; (b) following termination deleted from active systems within six (6) months and from backups within ninety (90) days, unless retention is required by law or for the establishment, exercise, or defense of legal claims.
8. Security Measures
We implement appropriate technical and organizational measures, including encryption in transit (TLS) and at rest (AES-256), access controls, multi-factor authentication, vulnerability management, logging and monitoring, employee training, and periodic audits aligned to ISO 27001/SOC 2 practices.
9. Cross Border Transfers
Personal Data may be transferred and processed outside the country of origin. Where applicable, we implement appropriate safeguards such as EU Standard Contractual Clauses (SCCs) and comparable protection under Singapore’s PDPA. We maintain transfer mechanisms and list of sub processors in our Data Processing Addendum (DPA).
10. Sub processors & Third Parties
We engage vetted sub processors for hosting, support, analytics, and related functions under written agreements imposing data protection obligations. A current list is available at [link], and we provide notice of material changes with an opportunity to object where required. We do not sell Personal Data. We may disclose Personal Data to: (a) sub processors; (b) affiliates for support/operations subject to safeguards; (c) competent authorities when legally required; (d) third parties at your direction via integrations. We may disclose aggregated or de-identified data that does not identify individuals.
11. Automated Decision Making & Profiling
We do not use automated decision-making producing legal or similarly significant effects without human involvement. Any profiling used for product analytics or marketing is subject to consent and opt-out rights where applicable.
12. Your Rights
Depending on jurisdiction, you may have rights to access, rectify, erase, restrict processing, object, port data, opt out of certain processing (e.g., targeted advertising or sale/share under CCPA/CPRA), and withdraw consent. Exercise rights via privacy@quantumheaps.com; we respond within thirty (30) days or as required by law.
13. Children’s Data
Our services target business users and are not directed to children. We do not knowingly collect Personal Data from individuals under 18. If discovered, we will delete it.
14. Marketing & Communications
We may send service and transactional communications. We obtain consent for marketing where required and include opt-out mechanisms in every marketing message.
15. Data Breach Notification
We will notify affected controllers/customers without undue delay upon becoming aware of a Personal Data breach, and where required, notify regulators and individuals (e.g., within 72 hours under GDPR; per PDPA thresholds for significant harm or scale).
16. Updates & Version Control
We may update this policy to reflect changes in laws or practices. We will provide notice of material changes via email or in-product banners and indicate the effective date at the top. Prior versions can be requested at privacy@quantumheaps.com.
17. Dispute Resolution & Arbitration
This policy is governed by Singapore law. Disputes shall be finally resolved by arbitration administered by the Singapore International Arbitration Centre (SIAC) in accordance with the SIAC Rules then in force. Seat: Singapore. Tribunal: one arbitrator unless otherwise agreed. Language: English. Nothing precludes urgent interim relief from a court of competent jurisdiction. - Part II: Region Specific Addenda
A. EU GDPR Addendum
Roles: Quantum Heaps acts as processor for Customer CRM data and controller for account-level data.
EU Representative: Where Article 27 requires, we will appoint and publish contact details.
Lawful Bases: Contract, consent, legitimate interests, legal obligations.
Rights: Access, rectification, erasure, restriction, objection, portability, and rights concerning automated decision-making; submit requests via privacy@quantumheaps.com.
International Transfers: Use SCCs and supplementary measures following transfer impact assessments.
Breach Notification: We notify controllers without undue delay and, where required, individuals/regulators within statutory timelines.
DPA: Our DPA incorporates SCCs (Module 2), sub processor change notifications, audit options, and technical/organizational measures.
B. US CCPA/CPRA Addendum
Scope: Applies to California residents’ personal information.
No Sale/Share: We do not sell or share personal information for cross-context behavioral advertising.
Consumer Rights: Right to know categories and specific pieces, right to delete, right to correct, right to opt out of sale/share, right to limit use of sensitive personal information, and non-discrimination.
Verified Requests: Submit via privacy@quantumheaps.com or our Privacy Center; we verify identity before fulfilling requests.
Sensitive PI: Used only for permitted purposes.
Recordkeeping: We maintain request logs and metrics to demonstrate compliance.
C. Singapore PDPA Addendum
Consent & Notification: We collect, use, and disclose personal data with consent or under PDPA exceptions, and notify individuals of purposes.
Access & Correction: Individuals may request access to and correction of their personal data subject to statutory exceptions.
Protection, Retention, Accuracy: We protect personal data with reasonable security arrangements, retain only as necessary, and make reasonable efforts to ensure accuracy.
Data Breach Notification: We assess incidents and notify the PDPC and affected individuals where the breach results in, or is likely to result in, significant harm or involves significant scale.
Cross Border Transfers: We ensure recipients provide a comparable level of protection (e.g., contractual clauses).
DNC: We comply with Do Not Call provisions for marketing to Singapore numbers. - Part III: Cookie & Consent Management Policy
1. Purpose
This policy explains how Quantum Heaps uses cookies and similar technologies and how users can manage consent and preferences on our websites and applications.
2. What Are Cookies?
Cookies are small text files placed on your device to remember settings and track usage. We also use SDKs, pixels, local storage, and server-side logs.
3. Types of Cookies We Use
– Strictly Necessary: Enable core functionality and security.
– Functional: Remember preferences and improve experience.
– Performance/Analytics: Measure usage and help improve services.
– Marketing: Subject to consent; used for our own outreach (no third party ad sales).
4. Consent & Preference Center
On first visit, we present a consent banner with granular controls. You can accept, reject, or customize categories at any time in the Privacy/Consent Center. We honor browser based signals (e.g., Global Privacy Control) where applicable by declining non essential tracking.
5. Managing Cookies
You may manage cookies via browser settings or via our platform, designed to give you a secure experience. While you may disable certain cookies, please note that doing so could limit functionality and reduce the performance of personalized features. For optimal security and tailored services, we recommend enabling essential and performance cookies.
6. Cookie Lifetimes
Strictly necessary cookies typically persist for the session; analytics/functional cookies generally expire within 12–24 months unless renewed by consent.
7. Third Party Tools & Integrations
Where you enable third-party integrations (e.g., chat widgets, analytics, forms), those providers may collect data and set cookies under their own privacy policies. Quantum Heaps does not control and is not responsible for the privacy or security practices of such third parties. We provide disclosures and controls to help you manage these integrations, and recommend reviewing the privacy policies of any third party services you enable.
8. Updates
We may update this policy to reflect changes in law or technology. Material changes will be communicated via banner notices.
Back