Privacy Policy

1. Introduction

This Privacy Policy explains how Qantara Distribution Ltd (BRN C25228995), a company incorporated under the laws of the Republic of Mauritius (“we”, “us”, “our”), collects, uses, stores, shares, and protects personal data when you use the Qantara Distribution Platform (“the Platform”).

We are committed to protecting your privacy and processing your personal data in compliance with the Mauritius Data Protection Act 2017 (Act No. 20 of 2017) and, where applicable to data subjects in the European Economic Area (EEA), the General Data Protection Regulation (EU) 2016/679 (GDPR).

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy forms part of and should be read together with our Terms of Service.

2. Data Controller

2.1 Platform Data. Qantara Distribution Ltd is the data controller for personal data collected directly through the Platform for account management, authentication, billing, and platform administration.

2.2 Tenant Data. Each Tenant (business subscriber) acts as an independent data controller for the personal data of its own clients, contacts, buyers, and end customers. Qantara Distribution Ltd acts as a data processor on behalf of the Tenant for such data, processing it solely in accordance with the Tenant’s instructions and applicable law. A Data Processing Agreement (DPA) is available upon request.

2.3 Contact Details. For all data protection enquiries:

3. Data We Collect

We collect the following categories of personal data:

3.1 Account and Identity Data

• Full name (first name, last name)
• Phone number (used for WhatsApp OTP authentication)
• E-mail address (optional, used for back-office access and notifications)
• Role within your organisation (e.g., administrator, manager, salesperson)
• Account credentials (password hashes for e-mail login; OTP codes are ephemeral)

3.2 Business Data

• Company / trading name
• Business registration number (BRN) and business identifier type
• Registered and trading addresses
• Contact e-mail and phone for the business
• VAT registration number (where applicable)
• Country, timezone, and preferred locale

3.3 Transactional Data

• Quotations, orders, and order items
• Invoices, payments, and credit notes
• Delivery records, route information, and proof-of-delivery data
• Stock movements and inventory adjustments
• Product catalogue and pricing information

3.4 Technical and Usage Data

• IP address and approximate geolocation
• Browser type, version, and operating system
• Device type and screen resolution
• Login timestamps and session duration
• Pages visited, features used, and actions performed
• Error logs and performance data

3.5 Communication Data

• WhatsApp messages sent via the Platform (OTP codes, transactional notifications)
• E-mail notifications and their delivery status
• Support enquiries and correspondence

3.6 Location Data

• GPS coordinates for delivery addresses (with consent)
• Delivery tracking data during active deliveries
• District and region information for Mauritian addresses

4. Legal Basis for Processing

Under the Mauritius Data Protection Act 2017 and the GDPR, we process your personal data on the following legal bases:

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. How We Use Your Data

We use your personal data for the following purposes:

• Service Delivery: To provide, operate, and maintain the Platform, including account management, authentication, order processing, invoicing, stock management, and delivery tracking.
• Authentication: To verify your identity via WhatsApp one-time passwords (OTP) or e-mail/password credentials, and to manage session tokens (JWT).
• Notifications: To send transactional messages, including order confirmations, invoice alerts, delivery updates, and security notices via WhatsApp, e-mail, or in-app notifications.
• Tenant Administration: To enable Tenant administrators to manage Members, assign roles, and configure business settings.
• Compliance: To comply with legal obligations, including Mauritian tax law (retention of financial records), the Companies Act, and anti-money laundering regulations.
• Security: To detect, prevent, and investigate unauthorised access, fraud, abuse, and security incidents, including monitoring login attempts and enforcing rate limits.
• Improvement: To analyse usage patterns (in anonymised or aggregated form) to improve Platform features, performance, and user experience.
• Support: To respond to your enquiries, troubleshoot issues, and provide technical assistance.
• Audit: To maintain an audit trail of actions taken within the Platform for accountability and dispute resolution.

6. Data Sharing and Third Parties

We do not sell your personal data. We share personal data only in the following circumstances:

6.1 Within the Tenant

Members of the same Tenant organisation may access shared business data (orders, invoices, client records) as determined by their assigned role and the Tenant administrator’s configuration.

6.2 Service Providers

We engage trusted third-party service providers to assist in operating the Platform:

• WhatsApp (Meta Platforms): For OTP delivery and transactional messaging via the WhatsApp Business API. Your phone number and message content are transmitted to Meta.
• Cloud Infrastructure: Hosting and computing services for Platform operation.
• Monitoring and Observability: Error tracking, performance monitoring, and distributed tracing tools to maintain Platform reliability.

All service providers are bound by data processing agreements and are required to process personal data solely on our instructions and in compliance with applicable data protection law. A current list of our sub-processors is available upon request by contacting privacy@qantara.mu. We will notify Tenant administrators before engaging any new sub-processor that processes Tenant data, providing a reasonable opportunity to object.

6.3 Legal Requirements

We may disclose personal data to law enforcement, regulatory authorities, or courts when required by law, legal process, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.

7. International Data Transfers

The Platform is primarily hosted and operated in Mauritius. However, some data may be transferred to or processed in countries outside Mauritius in the following cases:

• WhatsApp messaging services (Meta’s global infrastructure)
• Cloud infrastructure and content delivery networks
• Monitoring and analytics services

Where personal data is transferred outside Mauritius, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the Mauritius Data Protection Commissioner
• Binding corporate rules or equivalent contractual protections

For data subjects in the EEA, we ensure that transfers comply with GDPR Chapter V requirements. You may request details of the safeguards in place by contacting our Data Protection Officer.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods are:

When the retention period expires, personal data is either securely deleted or irreversibly anonymised. Anonymised data may be retained indefinitely for statistical purposes.

9. Your Rights

Under the Mauritius Data Protection Act 2017 and the GDPR (where applicable), you have the following rights regarding your personal data:

• Right of Access (DPA 2017, Part IV / GDPR Article 15): You may request a copy of all personal data we hold about you. The Platform provides a built-in data export feature for self-service access.
• Right to Rectification (DPA 2017, Part IV / GDPR Article 16): You may request correction of inaccurate or incomplete personal data. You can update most information directly through your account settings.
• Right to Erasure (DPA 2017, Part IV / GDPR Article 17): You may request deletion of your personal data, subject to legal retention obligations (e.g., financial records must be retained for 7 years under Mauritian tax law).
• Right to Data Portability (GDPR Article 20): You may request your data in a structured, commonly used, machine-readable format (JSON). The Platform provides a self-service data export feature.
• Right to Restrict Processing (GDPR Article 18): You may request that we restrict the processing of your data in certain circumstances, such as while we verify the accuracy of contested data.
• Right to Object (DPA 2017, Part IV / GDPR Article 21): You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
• Right Not to Be Subject to Automated Decision-Making (GDPR Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. The Platform does not currently engage in automated decision-making of this nature.

How to Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer at privacy@qantara.mu. We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days with prior notice. We may ask you to verify your identity before processing your request.

There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse the request.

10. Data Security

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

10.1 Technical Measures

• Encryption in Transit: All data transmitted between your device and the Platform is encrypted using TLS 1.2 or higher with HSTS enforcement.
• Encryption at Rest: Sensitive data stored in our database is encrypted at the storage layer.
• Row-Level Security (RLS): Database-level tenant isolation ensures that each Tenant can only access its own data, enforced automatically on every query.
• Authentication Security: OTP codes are hashed before storage and automatically expire. Passwords (where used) are hashed using industry-standard algorithms. Account lockout mechanisms prevent brute-force attacks.
• Security Headers: The Platform enforces Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers.
• Rate Limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attacks.
• Pod Security: All backend services run with minimal privileges, read-only filesystems, non-root users, and dropped Linux capabilities.

10.2 Organisational Measures

• Access to personal data is restricted to authorised personnel on a need-to-know basis
• Role-based access control (RBAC) within the Platform limits Member permissions
• All data access and modifications are recorded in an immutable audit trail
• Regular security reviews and vulnerability assessments
• Incident response procedures for data breaches

11. Cookies and Similar Technologies

11.1 Essential Cookies

We use strictly necessary cookies for session management and authentication. These cookies are required for the Platform to function and cannot be disabled.

• Session cookie: Maintains your authenticated session (expires on browser close or after 24 hours)
• Locale preference: Remembers your language preference (English or French)
• Cookie consent: Records your cookie preferences

11.2 No Tracking Cookies

We do not use advertising cookies, social media tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking or behavioural advertising networks.

11.3 Local Storage

The Platform uses browser session storage to maintain authentication state during your session. This data is automatically cleared when you close your browser or log out.

12. WhatsApp OTP Processing

The Platform uses WhatsApp as the primary authentication channel. When you log in:

1. You provide your registered phone number.
2. We generate a one-time password (OTP) and transmit it to your WhatsApp number via the WhatsApp Business API (operated by Meta Platforms, Inc.).
3. You enter the OTP on the Platform to verify your identity.
4. The OTP expires after 15 minutes and is purged from our systems within 24 hours.

Data shared with Meta: Your phone number and the OTP message content are transmitted to Meta’s servers for delivery. Meta’s processing of this data is subject to WhatsApp’s Privacy Policy. We do not share any other personal data with Meta through this process.

Security measures: OTP codes are hashed before storage. Failed verification attempts are logged and subject to rate limiting (maximum 3 OTP requests per 15 minutes). Repeated failures trigger temporary account lockout.

13. Children’s Privacy

The Platform is a business-to-business service intended for use by individuals aged 18 or over who are acting in a professional capacity. We do not knowingly collect personal data from children under 18. If you believe that a child has provided us with personal data, please contact our Data Protection Officer at privacy@qantara.mu, and we will take steps to delete such data.

14. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Mauritius Data Protection Commissioner within 72 hours of becoming aware of the breach, as required by the Data Protection Act 2017.
• Where the breach is likely to result in a high risk to your rights and freedoms, notify affected individuals without undue delay, describing the nature of the breach, the likely consequences, and the measures taken to address it.
• For EEA data subjects, comply with the notification requirements under GDPR Articles 33 and 34.
• Maintain a record of all data breaches, including those that do not meet the notification threshold.

Tenant administrators will be notified of any breach affecting their Tenant’s data via e-mail and, where possible, via the Platform.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or industry practices. When we make changes:

• The updated policy will be published on the Platform with the new effective date.
• For material changes, we will notify you via the Platform or by e-mail at least 30 days before the changes take effect.
• Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

We encourage you to review this Privacy Policy periodically. Previous versions are available upon request.

16. Complaints

If you are not satisfied with how we handle your personal data or your rights request, you may:

1. Contact us first: Write to our Data Protection Officer at privacy@qantara.mu. We will endeavour to resolve your concern within 30 days.
2. Lodge a complaint with the regulator: You have the right to lodge a complaint with the Mauritius Data Protection Office (under the Data Protection Commissioner):

   Data Protection Office

   5th Floor, SICOM Tower

   Wall Street, Ebene

   Republic of Mauritius

   Tel: +230 460 0251

3. EEA data subjects: If you are located in the European Economic Area, you may also lodge a complaint with your local supervisory authority.

17. Contact

For any questions about this Privacy Policy or our data protection practices, please contact: