Privacy Policy

This Privacy Policy explains how Quenta collects, uses, protects, discloses, and retains personal data in connection with the Service.

1. Scope

1.1 Pre-Checkout and Pre-Purchase Disclosures

Before a customer starts a paid subscription, free trial that may convert to a paid subscription, annual plan, add-on, implementation service, or other paid service, Quenta will make commercially reasonable efforts to disclose the applicable plan, price, billing frequency, included users, included branches, document limits, trial period, renewal terms, cancellation method, material add-on fees, and other material commercial conditions presented at checkout, in the order form, or in the billing page.

Plan comparison tables, pricing cards, and feature lists are summaries only. The customer is responsible for reviewing plan details, included limits, add-on fees, usage thresholds, exclusions, and applicable legal terms before subscribing.

This Privacy Policy explains how Quenta Technologies Inc. (“Quenta,” “we,” “us”) collects, uses, shares, protects, retains, and deletes personal data when users visit the website, use the Service, join Quenta Community, subscribe, request support, communicate with us, or otherwise interact with Quenta.

We process personal data in accordance with the Data Privacy Act of 2012, its Implementing Rules and Regulations, and applicable issuances of the National Privacy Commission.

2. Privacy Contact / Data Protection Officer

Data Protection Officer: Ethel Medrano. Privacy requests, questions, and data subject concerns may be sent to inquire@quenta.ph (Attention: Data Protection Officer). Mailing address: Quenta Technologies Inc., 30F, Tower 2 RCBC Plaza, Ayala Avenue, Bel-Air, Makati City 1209, Philippines.

3. Quenta’s Privacy Roles

Quenta acts as a personal information controller for account registration data, billing data, service administration data, security logs, support communications, website analytics, marketing communications, and Quenta Community administration.

For personal data that a customer, company owner, administrator, invited user, accountant, or advisor uploads into the Service as part of business records, Quenta generally acts as a personal information processor on behalf of the customer, and the customer remains the personal information controller responsible for lawful collection, notices, consent or other lawful basis, accuracy, retention, and instructions.

Where Quenta creates aggregated, de-identified, statistical, or non-customer-identifiable information from service operations, Quenta may process that information as a controller for service security, analytics, improvement, product development, and legal compliance, provided the information does not identify a customer, user, or data subject.

4. Personal Data We Collect

Account data: name, email, mobile number, login credentials, verification status, role, company access, branch access, account settings, and invitation status.

Company and billing data: company profile, subscription plan, usage limits, billing status, payment provider references, invoice/payment references, and non-sensitive payment metadata.

Business data: customer, supplier, employee, contractor, payee, invoice, bill, payment, journal, inventory, payroll-related information when available, reports, approvals, and accounting records.

Uploaded documents and attachments: receipts, invoices, bills, statements, vouchers, proof of payment, images, PDFs, file metadata, thumbnails, OCR text, extracted fields, confidence scores, review corrections, and related metadata.

Community and support data: posts, comments, votes, feature suggestions, support messages, call notes, screenshots, attachments, and feedback.

Technical and usage data: IP address, device/browser information, logs, sessions, cookies, security events, audit logs, access timestamps, authentication records, and usage analytics.

5. Uploaded Documents and OCR Data

When users upload or capture receipts, invoices, bills, statements, vouchers, proof of payment, payroll documents, or other source documents, Quenta may process the original file, file metadata, thumbnails, extracted text, OCR confidence scores, reviewed fields, corrections, document type, vendor/customer/payee matches, tax indicators, and posting status.

Uploaded documents and OCR data may contain personal data or sensitive personal information. Customers are responsible for ensuring they have the authority and lawful basis to upload and process such documents in Quenta. OCR text and extracted fields are treated as Customer Data unless aggregated or de-identified for service improvement according to this Privacy Policy and the Data Processing Addendum.

6. Purposes of Processing

Provide, operate, maintain, secure, support, troubleshoot, and improve the Service.

Authenticate users, verify email/mobile numbers, manage invitations, administer company workspaces, and enforce access controls.

Process subscriptions, billing, payments, receipts, plan limits, collections, support, and customer communications.

Run OCR, document capture, draft workflows, review screens, reports, dashboards, analytics, audit logs, and Financial Command Center features.

Send transactional notices, security alerts, billing reminders, trial reminders, service updates, legal notices, and support messages.

Comply with legal obligations, prevent fraud, enforce agreements, protect users, protect Quenta, and maintain the security and integrity of the Service.

7. Service Improvement, OCR Learning, and De-identified Data

Quenta may use aggregated, de-identified, pseudonymized, or statistical data derived from use of the Service to operate, secure, troubleshoot, improve, and develop the Service, including OCR quality, field extraction, vendor/payee matching, error detection, product analytics, and workflow improvements.

Quenta will not use identifiable Customer Data, uploaded source documents, payroll records, tax records, or sensitive personal information to train externally available AI models or third-party models unless permitted by the customer’s configuration, written agreement, consent, the Data Processing Addendum, or applicable law.

8. Legal Bases

We process personal data based on contract performance, legitimate interests in operating and securing the Service, consent where required, compliance with legal obligations, and other lawful bases recognized under applicable law.

9. Customer Responsibilities for Personal Data

Customers are responsible for providing all required notices and obtaining all required consents, authorizations, employment notices, contractual permissions, or other lawful bases before uploading, importing, sharing, or processing personal data through Quenta. This includes personal data of customers, suppliers, employees, contractors, payees, accountants, advisors, and other persons whose data may appear in invoices, receipts, vouchers, bills, payroll records, payment records, tax records, uploaded documents, OCR text, comments, approvals, or audit trails.

Customers are responsible for configuring user roles, permissions, branch access, accountant/advisor access, and invited-user access according to the minimum access needed for each user’s role.

10. Service Providers and Subprocessors

10.1 Payment Providers and Payment Metadata

To process payments, verify billing methods, prevent fraud, comply with provider requirements, manage subscriptions, and reconcile billing records, Quenta may share necessary account, billing, transaction, company, user, and payment metadata with payment providers, banks, wallets, card networks, fraud-prevention providers, and related service providers.

Customers and users must not enter or upload full card numbers, CVV codes, wallet passwords, bank login credentials, one-time passwords, recovery codes, private keys, or other sensitive payment credentials into Quenta fields, comments, attachments, OCR uploads, support tickets, Community posts, or implementation materials. Where payment method details are used, they should be entered only through the secure checkout, hosted payment page, vaulting flow, or tokenized process provided by the payment provider.

Quenta may store limited payment metadata where permitted, such as provider name, customer reference, subscription reference, transaction reference, payment status, method type, brand, last four digits, expiration month/year, billing contact, invoice reference, or payment-provider response codes.

Quenta may use trusted service providers and subprocessors for hosting, database, storage, application delivery, payment processing, email, SMS, OCR, monitoring, logging, analytics, customer support, security, and communication. Xendit is the current intended primary payment provider. PayMongo may be used as an additional or future payment provider. Quenta does not store raw card numbers or CVV codes.

Quenta may update subprocessors from time to time. Where required by law or contract, Quenta will provide notice of material subprocessor changes. Continued use of the Service after notice means the customer acknowledges the updated subprocessors.

11. Cross-Border Transfers

Quenta and its service providers may process or store personal data in the Philippines or other jurisdictions where Quenta or its subprocessors operate. Where personal data is transferred across borders, Quenta will use reasonable contractual, technical, and organizational safeguards designed to protect the data to a standard consistent with applicable Philippine data privacy requirements.

12. Retention Schedule Summary

12.1 Legal Retention, Disputes, and Litigation Holds

Quenta may retain billing records, invoices, receipts, order forms, payment-provider references, tax documentation, acceptance logs, customer communications, dispute records, account activity records, audit logs, and related records for legal, accounting, tax, audit, security, fraud-prevention, and dispute-resolution purposes, to the extent permitted by law.

Account data is generally retained while the account is active and for a reasonable legal, security, and dispute-resolution period thereafter.

Billing, invoice, payment, and tax records are retained for applicable accounting, tax, audit, legal, and dispute-resolution periods.

Customer Data, uploaded documents, OCR text, extracted fields, accounting records, and related metadata are retained while the customer account is active unless deleted, exported, or otherwise governed by plan terms, legal requirements, retention settings, or customer instructions.

Security logs, audit trails, authentication records, and activity records may be retained for security, fraud-prevention, legal defense, compliance, and service-integrity purposes.

Community content may be retained while published and may be retained longer where needed for moderation, abuse investigation, legal compliance, dispute resolution, or protection of users and the Service.

Backup copies may persist for a limited period after deletion from active systems and will be overwritten or deleted according to Quenta’s backup cycle, unless retention is required for legal, security, fraud-prevention, dispute-resolution, or compliance reasons.

13. Data Subject Rights and Request Process

Data subjects may have rights to be informed, access, object, erasure or blocking, rectification, damages, data portability, and complaint, subject to requirements and limitations under law. To exercise privacy rights, contact Quenta at inquire@quenta.ph or the privacy contact stated in this Policy.

Quenta may need to verify the requestor’s identity and authority before acting on a request. Where Quenta acts as a processor for Customer Data, Quenta may refer the request to the relevant customer/controller or act on the customer’s documented instructions, unless applicable law requires Quenta to respond directly.

Quenta may deny, limit, defer, or condition a request where permitted by law, including where data must be retained for legal, tax, accounting, security, fraud-prevention, dispute-resolution, contractual, backup, or legitimate business reasons.

14. Security and Internal Access Controls

Quenta uses reasonable administrative, technical, organizational, and physical safeguards designed to protect personal data. These may include access controls, authentication, role-based permissions, encryption in transit where supported, provider-side encryption at rest where supported, backups, monitoring/logging, least-privilege access, incident response procedures, vendor/subprocessor controls, and confidentiality obligations.

Quenta will use reasonable access controls designed to limit internal access to personal data to personnel and service providers who need access for authorized business, security, support, operational, or legal purposes. No system is perfectly secure.

15. Security Incidents and Breach Notices

Quenta will maintain a personal data breach response process. Where Quenta becomes aware of a confirmed or reasonably suspected security incident affecting personal data, Quenta will assess whether the incident constitutes a personal data breach requiring notification under applicable law.

Where Quenta acts as a processor for Customer Data, Quenta will notify the affected customer without undue delay after confirming a relevant breach, so the customer can assess and comply with its own obligations as controller. Where Quenta acts as controller, Quenta will notify the NPC and affected data subjects where legally required and within the period required by applicable law and NPC issuances.

16. Cookies, Analytics, and Marketing Communications

Quenta may use cookies, local storage, analytics, and similar technologies to operate the website and Service, maintain sessions, secure accounts, understand usage, and improve the user experience. A separate Cookie Policy should be published if analytics or marketing cookies are used.

Quenta may send service, billing, security, legal, and transactional communications. These are necessary for the Service and may not be fully opted out of while the account is active. Quenta may send marketing or promotional communications where permitted by law. Users may opt out of marketing communications using the unsubscribe mechanism or by contacting Quenta, but may still receive transactional and service-related messages.

17. Quenta Community Privacy

Quenta Community content may be visible to other users, moderators, partners, or the public depending on the feature configuration. Users must not post personal data, confidential business information, tax records, payroll information, customer/supplier data, or sensitive information unless they are authorized to do so and understand the visibility of the post.

Quenta may moderate, remove, restrict, or retain Community content to enforce guidelines, investigate abuse, comply with law, or protect users and the Service.

18. Children

The Service is intended for business users and is not directed to children. Users must not submit children’s personal data unless they have a lawful basis and authority to do so and the data is necessary for legitimate business, employment, tax, accounting, or legal purposes.

19. Changes and Contact

Quenta may update this Privacy Policy from time to time. For privacy questions or requests, contact inquire@quenta.ph.

Quenta Technologies Inc. · SEC Reg. No. 2026020237348-66 · TIN 010-999-041-000 · 30F Tower 2 RCBC Plaza, Ayala Avenue, Makati City 1209, Philippines · inquire@quenta.ph