Privacy Policy

1. Introduction

Quaking Aspen Pvt Ltd / Quaking Aspen Inc ("we," "our," or "us") provides a Supply Chain Management SaaS platform that enables businesses to manage logistics, inventory, and compliance with global trade regulations.

We are committed to protecting personal data in compliance with:

  • General Data Protection Regulation (GDPR) (EU 2016/679)
  • California Consumer Privacy Act (CCPA) (as amended by CPRA)
  • ISO/IEC 27001 (Information Security Management System)
  • ISO 28000 (Supply Chain Security Management System)
  • Customs and trade compliance regulations (e.g., CTPAT, AEO, ITAR, EAR, BIS, OFAC)
  • Local data protection laws applicable to users' jurisdictions

This Privacy Policy explains how we collect, process, share, and protect your data when using our platform and services.

2. Data Controller and Contact Information

For data processing activities covered by this policy, we act as the Data Controller. If you have any questions, you can contact us:

3. Personal Data We Collect

We collect different types of data necessary for supply chain operations, compliance, and security.

a. Customer & Business Data (User-Provided)

  • Name, email, and job title
  • Company details (e.g., name, address, tax ID)
  • Billing and payment details
  • User account credentials
  • Communication and support inquiries

b. Supply Chain-Specific Data

  • Supplier, vendor, and logistics partner details
  • Order tracking, inventory, and shipment records
  • Freight forwarding and customs documentation
  • Risk assessments for supply chain security (ISO 28000 compliance)
  • Compliance data (export control checks, regulatory certificates)

c. Technical & Usage Data (Collected Automatically)

  • IP address and device details
  • Browser type and OS information
  • System logs, usage metrics, and API call data
  • Cookies and tracking technologies

We do not process special category data (e.g., health, biometric data) unless explicitly required and with user consent.

4. Purpose and Legal Basis for Processing

We process personal data based on lawful grounds under GDPR (Article 6) and CCPA’s "business purposes" definition:

Purpose                                              | Legal Basis (GDPR)         | Legal Basis (CCPA)
To provide and manage our SaaS platform              | Contractual necessity      | Business purpose
To ensure system security and fraud prevention       | Legitimate interest        | Business purpose
To optimize supply chain performance and analytics   | Legitimate interest        | Business purpose
To ensure regulatory and customs compliance          | Legal compliance           | Legal obligation
To provide customer support and respond to inquiries | Contractual necessity      | Business purpose
To send product updates and marketing communications | Consent (can be withdrawn) | Consumer consent

5. Data Sharing and Third-Party Integrations

We do not sell personal data but may share it in the following cases:

  • With service providers: Cloud hosting, analytics, and customer support providers.
  • With supply chain partners: Logistics providers, freight forwarders, customs agencies, and regulatory authorities.
  • With third-party integrations: We connect with ERP systems (SAP, Oracle), logistics platforms (DHL, FedEx), and compliance tools (SAP GTS, Amber Road).
  • For legal compliance: To comply with customs regulations (e.g., CTPAT, AEO) and trade laws (e.g., ITAR, EAR, BIS, OFAC).
  • During business transfers: If we undergo a merger, acquisition, or restructuring.

All third-party processors are bound by GDPR, CCPA, ISO 27001, and contractual security measures.

6. International Data Transfers

If we transfer data outside the European Economic Area (EEA) or California, we ensure compliance through:

  • Standard Contractual Clauses (SCCs) (GDPR)
  • CCPA opt-out mechanisms for data sharing
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules (BCRs) for global data processing

7. Data Retention

We retain data only as long as necessary for its intended purpose:

  • User account data: Until account deletion.
  • Supply chain records: Retained for legal and audit purposes (typically 7 years).
  • Customs and trade compliance records: Retained per regulatory requirements (e.g., 5 years for ITAR compliance).
  • Security logs: Retained for 12 months unless required for an investigation.

When retention is no longer necessary, data is securely deleted or anonymized.

8. Security Measures

We implement ISO 27001- and ISO 28000-compliant security controls, including:

  • Encryption: Data in transit and at rest is encrypted.
  • Access Controls: Role-based access, multi-factor authentication (MFA).
  • Regular Security Audits: Continuous monitoring, penetration testing, and vulnerability assessments.
  • Supply Chain Risk Management: Risk assessments, vendor security audits, and compliance verifications.
  • Incident Response: Procedures in place for breach detection and notification.

9. Your Rights Under GDPR and CCPA

As a data subject, you have the following rights:

Under GDPR:

  • Right to Access, Rectification, and Erasure
  • Right to Restrict Processing and Data Portability
  • Right to Object to Processing and Withdraw Consent

Under CCPA:

  • Right to Know what personal data we collect and share
  • Right to Delete personal data (with exceptions)
  • Right to Opt-Out of data sales (we do not sell data)
  • Right to Non-Discrimination for exercising privacy rights

To exercise these rights, contact us at [your contact email]. We respond within one month (GDPR) or 45 days (CCPA).

10. Collection of Data from Children

Our services are not intended for children under the age of 16 (or 13, where applicable by law), and we do not knowingly collect personal data from children.

  • Under GDPR (EU & UK): We do not process the personal data of children under 16 years old without verifiable parental consent.
  • Under CCPA (California): We do not sell or share data of minors under 16 years old without explicit opt-in consent.
  • Under COPPA (U.S.): If we become aware that we have collected data from a child under 13 years old without parental consent, we will delete it immediately.

11. Cookies and Tracking Technologies

We use cookies to improve functionality, analytics, and marketing. California residents can opt out of targeted advertising via the "Do Not Sell or Share My Personal Information" link on our website.

For more details, see our [Cookie Policy].

12. Third-Party Links

Our service may include links to external websites. We are not responsible for their privacy practices.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. The latest version will always be available on our website.

If significant changes occur, we will notify you via email or in-app notifications.

14. Complaints & Regulatory Contact

If you believe we have violated your data protection rights, you may lodge a complaint with:

For GDPR:

  • Supervisory Authority: Sridhar Ranganathan
  • Contact: sridhar.ranganathan@pando.ai
  • Address: Quaking Aspen, Inc., 220 N Green Street, Chicago IL 60607, USA

For CCPA:

California Attorney General’s Office
https://oag.ca.gov/privacy/ccpa

Alternatively, you may contact our DPO at sridhar.ranganathan@pando.ai.