Privacy policy

1. Data controller

QUASART S.à r.l. RCS Luxembourg: B253631 8 Zone Industrielle Am Bruch – Hall 6 L-3327 Crauthem, Grand Duchy of Luxembourg DPO Email: rgpd@quasart.lu Phone: +352 661 848 464

2. Personal data collected

We collect the following data only when you provide it voluntarily:

• Contact / quote form: surname, first name, email address, phone number (optional), company name (optional), request type, message, project location, urgency level.
• Job application: surname, first name, email address, desired position, message, CV and attached documents (PDF, DOCX).
• Attachments: plans, photos, quotes and technical documents submitted via the form (PDF, JPG, PNG, DWG, DOCX, XLSX, ZIP — max. 20 MB per file, 10 files maximum).
• Browsing data: IP address (truncated), browser type, pages viewed, visit duration — only with your prior consent via the cookie banner.

We do not collect any sensitive data (ethnic origin, political opinions, health, sexual orientation, biometric data).

3. Purposes and legal bases for processing

In accordance with Article 6 of the GDPR, each processing activity is based on a legitimate legal basis:

4. Recipients and processors

Your personal data is processed exclusively by QUASART S.à r.l. and the following processors, strictly within the scope of the purposes described above:

• Vercel Inc. (USA) — Website hosting and CDN
• Cloudflare Inc. (USA) — CDN, DDoS protection and DNS
• Resend Inc. (USA) — Transactional email delivery
• Sanity AS (Norway) — Content management (CMS)
• Upstash Inc. (USA) — Rate limiting (anti-spam protection)
• Functional Software Inc. / Sentry (USA) — Technical error monitoring
• PostHog Inc. (USA) — Analytics and heatmaps (with consent)
• Google LLC (USA) — Google Analytics 4 and Google Tag Manager (with consent)

No data is sold, rented or transferred to third parties for commercial purposes.

5. Transfers outside the European Union

Some of our processors are based in the United States. These transfers are governed by:

• the EU-U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023) for certified companies;
• standard contractual clauses (SCCs) adopted by the European Commission, in accordance with Article 46.2.c of the GDPR, for other processors.

You can obtain a copy of the safeguards in place by contacting us at rgpd@quasart.lu.

6. Cookies and trackers

On your first visit, a banner allows you to choose which categories of cookies you accept. No non-essential cookies are set before your explicit consent.

You can change your choices at any time via the "Cookie settings" link in the website footer.

7. Your rights

In accordance with the GDPR (Articles 15 to 22), you have the following rights:

• Right of access (Art. 15) : obtain confirmation that your data is being processed and receive a copy.
• Right to rectification (Art. 16) : correct inaccurate or incomplete data.
• Right to erasure (Art. 17) : request the deletion of your data under the conditions provided by the GDPR.
• Right to restriction of processing (Art. 18) : request the suspension of processing in certain cases.
• Right to data portability (Art. 20) : receive your data in a structured, machine-readable format.
• Right to object (Art. 21) : object to processing based on legitimate interest.
• Right to withdraw consent (Art. 7.3) : at any time, without affecting the lawfulness of prior processing.

8. Exercising your rights

You can exercise your rights by:

• Email: rgpd@quasart.lu
• Mail: QUASART S.à r.l. — DPO — 8 Zone Industrielle Am Bruch – Hall 6, L-3327 Crauthem, Luxembourg

We will respond to your request within a maximum of 30 days from receipt. Proof of identity may be requested in case of reasonable doubt about your identity.

9. Right to lodge a complaint

If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the Luxembourg supervisory authority:

Commission Nationale pour la Protection des Données (CNPD) Complaints department 15, Boulevard du Jazz L-4370 Belvaux, Grand Duchy of Luxembourg Phone: (+352) 26 10 60 1 Website: https://cnpd.public.lu

10. Minors’ data

The quasart.lu website is not intended for persons under 16 years of age. QUASART S.à r.l. does not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has submitted personal data to us, contact us at rgpd@quasart.lu so we can arrange for its deletion.

11. Security measures

QUASART S.à r.l. implements appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or disclosure, including:

• Encryption of communications via HTTPS/TLS
• HTTP security headers (CSP, HSTS, X-Frame-Options)
• Anti-DDoS protection and web application firewall (Cloudflare WAF)
• Rate limiting on forms (anti-spam protection)
• Validation and sanitisation of all user inputs
• Restricted data access based on the principle of least privilege
• Error monitoring and real-time alerts

12. Profiling and automated decision-making

QUASART S.à r.l. does not carry out any profiling or automated decision-making within the meaning of Article 22 of the GDPR.

13. Policy amendments

This privacy policy may be amended at any time to adapt to regulatory or technical developments. The date of the last update is indicated at the top of this page. We invite you to consult it regularly.

14. Contact

For any questions regarding the protection of your personal data:

DPO Email: rgpd@quasart.lu Phone: +352 661 848 464 Mail: QUASART S.à r.l. — DPO — 8 Zone Industrielle Am Bruch – Hall 6, L-3327 Crauthem, Luxembourg