Privacy Policy

Effective: April 13, 2026 · Compliant with the Digital Personal Data Protection Act, 2023

This Privacy Policy explains how Victor Chasex Pvt Ltd, operating as QUICK ZTNA (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use our Zero Trust Network Access platform at quickztna.com and login.quickztna.com (the “Service”).

1. Data Fiduciary Information

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), the Data Fiduciary is:

Victor Chasex Pvt Ltd

(operating as QUICK ZTNA)

L-149, Sector 6, HSR Layout, Bengaluru 560102, Karnataka, India

Phone: +91-9611027980

Email: support@quickztna.com

Hours: Mon–Sat, 10:00 AM – 6:00 PM IST

2. Data We Collect

| Category | Data Points | Collection Method |
|---|---|---|
| Account | Full name, email address, password (PBKDF2 hash only) | Registration form |
| Device | Hostname, operating system, IP address, WireGuard public key | Client agent |
| Network | Connection timestamps, peer relationships, bandwidth usage, NAT type | Service operation |
| Billing | Plan type, subscription status, payment timestamps. Card details are processed by Razorpay — we never store card numbers. | Razorpay integration |
| Security | Audit logs, threat intelligence results (IP reputation), risk scores, login attempts | Automated monitoring |

3. Purpose of Processing

  • Service delivery — provisioning WireGuard tunnels, DNS resolution, key exchange, device management
  • Security — threat intelligence lookups, risk scoring, anomaly detection, DLP scanning, auto-quarantine
  • Billing — subscription management, invoicing, payment processing via Razorpay
  • Support — responding to support requests, troubleshooting connectivity issues
  • Compliance — maintaining an immutable audit trail, generating compliance reports (SOC 2, ISO 27001, HIPAA)
  • AI features (opt-in) — natural language ACL builder, AI security digest, AI chat assistant. When enabled, prompts are sent to our AI inference provider. No personally identifiable information is included in AI prompts.

4. Workforce Monitoring

If your Organisation administrator enables workforce management features, the QUICK ZTNA client and dashboard may collect additional data about device activity. This section discloses exactly what is collected, how often, who can see it, and how long it is retained.

| Capability | Data Collected | Frequency | Visible To | Default Retention |
|---|---|---|---|---|
| Activity Level Tracking | Activity level (active / low / idle), estimated keyboard & mouse activity counts, window switch count. Not raw keystrokes. | Every 5 seconds | Org Admin | 90 days |
| DNS Query Analytics | Domain names queried, query timestamps, category classification | Per DNS query | Org Admin, Member (own data) | 90 days |
| Session Recording | Full terminal output for SSH and RDP sessions (command text, not video) | Continuous during session | Org Admin | 90 days |
| Remote Desktop | Screen capture stream (only while session is active). Peer sessions require a consent dialog on the user’s machine. | On-demand | Org Admin, requesting peer | Not stored |
| Software Inventory | Installed application names, versions, publishers | Periodic scan | Org Admin, Member (overview) | 90 days |
| Productivity Scoring | Aggregated active vs. idle time ratio, domain category breakdown | Computed from activity data | Org Admin | 90 days |
| User Risk Scoring | Behavioural risk score based on 6 factors (login anomalies, device posture, network behaviour, access patterns, compliance, threat intel) | Computed periodically | Org Admin, Member (own score only) | 90 days |
| Schedule Compliance | Machine online/offline times compared to configured work schedule | Derived from session data | Org Admin only | 90 days |
| DLP Monitoring | File access events flagged by data loss prevention rules | Per file event | Org Admin | 90 days |

Privacy Safeguards

  • No keystroke logging — keyboard activity counts are estimated from idle-time analysis, not intercepted from a keystroke hook
  • Window titles OFF by default — application window title tracking is disabled by default and can only be enabled by an Org Admin
  • Remote desktop consent — peer-to-peer remote desktop sessions display a consent dialog on the target user’s machine before screen sharing begins
  • Monitoring indicator — when workforce monitoring is active, the VPN client displays a visible indicator and the dashboard shows a monitoring notice
  • Admin-controlled — all monitoring capabilities are disabled by default and must be explicitly enabled by an Organisation administrator

Your Rights as a Monitored Employee

  • You will be notified when monitoring features are active for your Organisation
  • You may view your own activity summary and risk score via the dashboard
  • You may raise concerns about monitoring practices with your Organisation administrator or our Grievance Officer (Section 13)
  • You may exercise your DPDP Act rights (Section 7) with respect to monitoring data

5. Lawful Basis for Processing

  • Consent — provided when you create an account and agree to these terms
  • Contract performance — necessary to deliver the Service you subscribed to
  • Legitimate interest — security monitoring, threat detection, abuse prevention
  • Legal obligation — audit logs retained for regulatory compliance

6. Data Retention

| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Audit logs | 7 years (regulatory compliance) |
| Billing records | 7 years (tax/accounting requirements) |
| Session recordings | 90 days |
| Security logs | 1 year |
| Database backups | 7 days (local), 30 days (cloud) |

7. Your Rights (DPDP Act, Sections 11–14)

As a Data Principal, you have the right to:

  • Access — request a summary of your personal data and processing activities
  • Correction — update or correct inaccurate personal data
  • Erasure — request deletion of your personal data (subject to legal retention obligations)
  • Grievance redressal — file a complaint with our Grievance Officer (see Section 13)
  • Nomination — nominate another person to exercise your rights in case of death or incapacity
  • Withdraw consent — withdraw consent at any time by deleting your account. Note: withdrawal does not affect processing done prior to withdrawal.

To exercise any of these rights, email support@quickztna.com with the subject line “Data Rights Request”. We will respond within 30 days.

8. Sub-Processors

| Provider | Purpose | Data Shared |
|---|---|---|
| Razorpay | Payment processing | Email, subscription plan (card details handled by Razorpay directly) |
| Cloudflare | CDN, DNS, R2 object storage, Pages hosting | HTTP requests, encrypted backups |
| Groq Cloud | AI inference (opt-in only) | Anonymised prompts — no PII, no network data |
| AbuseIPDB / VirusTotal | Threat intelligence | IP address hashes for reputation lookup |

9. Cross-Border Data Transfer

Your data is primarily stored on servers located in Bengaluru, India. Certain sub-processors (Cloudflare, Groq) may process data outside India. Where this occurs:

  • Cloudflare R2 may replicate encrypted backups globally for redundancy
  • AI inference via Groq (US-based) is opt-in only and receives no personally identifiable information
  • DERP relay servers (India, US, Europe) relay encrypted WireGuard traffic only — no plaintext data

We will comply with any data localisation requirements notified by the Central Government under the DPDP Act.

10. Children’s Data

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Cookies & Local Storage

We use minimal browser storage, limited to what is essential for the Service to function:

| Name | Type | Purpose | Essential? |
|---|---|---|---|
| refresh_token | httpOnly cookie | Silent token refresh | Yes |
| quickztna_session | localStorage | Session metadata (user info, org) | Yes |
| theme | localStorage | Light/dark mode preference | No |

We do not use any third-party tracking cookies, analytics scripts, or advertising pixels.

12. Security Measures

  • AES-256-GCM encryption for all stored secrets and private keys
  • Post-quantum hybrid key exchange (X25519 + ML-KEM-768, FIPS 203) for all WireGuard tunnels
  • TLS 1.3 minimum for all HTTPS and DERP relay connections
  • PBKDF2 password hashing with per-user salt
  • Immutable, append-only audit trail
  • Rate limiting on authentication endpoints (10 attempts per 5 minutes)
  • ES256 (P-256 ECDSA) signed JWT tokens with 24-hour expiry
  • Daily encrypted database backups to Cloudflare R2

13. Grievance Officer

In accordance with the DPDP Act, 2023 and the Information Technology Act, 2000, we have appointed a Grievance Officer:

Grievance Officer

Victor Chasex Pvt Ltd (QUICK ZTNA)

L-149, Sector 6, HSR Layout, Bengaluru 560102

Email: grievance@quickztna.com

Phone: +91-9611027980

Grievances will be acknowledged within 48 hours and resolved within 30 days of receipt. If you are not satisfied with our resolution, you may file a complaint with the Data Protection Board of India.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email to your registered address and a prominent notice on the dashboard. Continued use of the Service after notification constitutes acceptance of the updated policy.

Last updated: April 13, 2026. Questions? Contact us at support@quickztna.com.