Privacy Policy

Last updated: 6 May 2026

This notice explains how QuantElit collects and processes personal data when you visit quantelit.com, enquire with us, or book a call. It is written to satisfy Articles 12–14 of the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

1. Who we are (data controller)

QuantElit is a boutique digital agency based in Clifden, Connemara, County Galway, Ireland. We are the data controller for information collected through this website.

Contact: hello@quantelit.com · +353 83 080 2995 · 9 The Spires, Clifden, Connemara, County Galway, H71 CR27, Ireland.

We do not collect or process any payment information on this website. New engagements run as a free call, then a meeting, a written contract, and only after that an invoice — which is settled offline by bank transfer (SEPA). No card data, no payment-processor cookies, and no payment IDs ever touch the site.

2. What we collect, why, and our legal basis

Enquiries and bookings

When you email us, submit a contact form, or book a call, we process your name, email address, phone number (if you provide it), and the content of your message.

• Purpose: to reply, arrange a call, and deliver services you request.
• Legal basis: Article 6(1)(b) — performance of a contract or taking steps at your request prior to entering into a contract.
• Retention: up to 24 months after our last interaction, then deleted or anonymised. Accounting records relating to paid engagements are kept for 6 years as required by Irish tax law.

Analytics and product improvement

Subject to your consent, we process pseudonymous analytics data via Google Analytics 4 (pages viewed, device type, referral source, approximate location at city level, interaction events) and may record anonymised session replays via Microsoft Clarity to understand how the site performs. You can withdraw consent at any time using the cookie settings link in the site footer.

• Purpose: measure site performance, diagnose issues, improve content.
• Legal basis: Article 6(1)(a) — consent. Analytics cookies are only set after you accept them in the consent banner. Before consent is given, Google Consent Mode v2 sends cookieless pings that report aggregate, non-identifying signals only.
• Retention: 14 months in Google Analytics 4. Microsoft Clarity retains session-recording playback data for 30 days; aggregated click data and any sessions you label or favourite in the Clarity portal are retained for 13 months.

Security and core site function

We process your IP address, browser user-agent, and technical headers to defend against abuse, serve the site, and satisfy hosting infrastructure logs.

• Legal basis: Article 6(1)(f) — legitimate interests in protecting our infrastructure and users.
• Retention: rolling hosting logs, typically 30 days.

3. Cookies and similar technologies

The site uses a small number of cookies and similar storage. Strictly necessary cookies (including the cookie-consent record itself) are set without consent. Analytics and session-recording cookies are only set after you accept them in the banner. You can change your choice at any time via the cookie-settings link in the footer, or by clearing cookies for this site in your browser.

The full inventory of cookies actually set on this site is below. The Cookiebot consent panel surfaces the same list at runtime (with the latest scan timestamp); the table here is the authoritative reference for Article 13(1) transparency.

Cookies in the analytics category fire only after consent. If you do not accept analytics, none of _ga, _ga_*, _clck,_clsk, or the Clarity auxiliary cookies are set.

4. Third-party processors

We use the following processors. Each is bound by a Data Processing Agreement (DPA) under Article 28 GDPR.

4.1 EU-established processors

These processors are established inside the EU/EEA, so no third-country transfer mechanism is required for the processing itself.

• Cybot A/S (Cookiebot) — Consent Management Platform, loaded as a GTM tag and configured with Google Consent Mode v2 (all categories default to denied). Cybot A/S is established in Denmark; consent records and scan logs are stored in the EU. The CMP banner asset is delivered via a global CDN (consentcdn.cookiebot.com) with edge nodes outside the EEA — only the static banner asset is served from those nodes, and no personal data is processed at those edge nodes.

4.2 Processors with onward transfer to the United States

Transfers outside the EEA rely on the EU Commission's Standard Contractual Clauses (SCCs) and, where the processor is certified, the EU-US Data Privacy Framework (DPF) adequacy decision of 10 July 2023.

• Vercel Inc. — website hosting, edge delivery, and aggregate Web Vitals telemetry via Vercel Speed Insights. Speed Insights is anonymous and aggregated; no personal data is processed (USA, SCCs + DPF).
• Cal.com, Inc. — booking embed and calendar integration (USA, SCCs + DPF). Processes your name, email, meeting time, and any notes you enter on the booking form.
• Google Ireland Limited — Google Tag Manager (the single client-side container loader on this site; GTM itself sets no analytics cookies) and Google Analytics 4. GA4 is loaded as a GTM tag and only fires after you accept analytics in the consent banner. Google receives your IP at the request layer to derive city-level geolocation; the IP is not retained in GA4 reports, and IP-anonymisation is enabled at the property level. Data is processed initially in the EU with onward transfer to the US under SCCs + DPF.
• Microsoft Ireland Operations Ltd. — Microsoft Clarity (pseudonymous session recording and heatmaps, with form-field values and personal identifiers masked at capture), loaded as a GTM tag and gated on the analytics consent category. Data is processed by Microsoft Corporation (USA) under SCCs + DPF.

We do not sell personal data. We do not use it for automated decision-making with legal effect.

5. International transfers

Some processors listed above are established in the United States. Transfers rely on the EU Commission's Standard Contractual Clauses and, for providers certified under the EU-US Data Privacy Framework, an adequacy decision of the European Commission (10 July 2023). A copy of the SCCs used by a specific processor is available on request.

6. Your rights

Under the GDPR you have the right to:

• access the personal data we hold about you (Article 15);
• correct inaccurate data (Article 16);
• request erasure where applicable (Article 17);
• restrict or object to processing (Articles 18 and 21);
• portability of data you have provided (Article 20);
• withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email hello@quantelit.com. We respond within one month of a verified request.

7. Complaints

If you believe your data is being processed unlawfully, you have the right to lodge a complaint with the Irish Data Protection Commission: dataprotection.ie.

8. Changes to this notice

Material changes are dated at the top of this page and, where significant, surfaced in the consent banner for re-review. Previous versions are available on request.

9. Contact

Data-protection queries: hello@quantelit.com.