KEYBINO
Quantara Solutions Ltd
Privacy Policy
UK GDPR • Data Protection Act 2018 • PECR Compliant
Effective Date: 1 April 2026
This Privacy Policy explains how Quantara Solutions Ltd, trading as Keybino (“Company”, “we”, “us”), collects, uses, stores, and protects the personal data of individuals (“Users”) who access or use https://keybino.com. The Company is incorporated in England and Wales (No. 17073809) with registered address at 20 Wenlock Road, London, N1 7GU, England, United Kingdom.
The Company acts as Data Controller in respect of personal data collected through the Website, and processes such data in compliance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).
ICO Registration: The Company is in the process of registering with the Information Commissioner’s Office (ICO) as a data controller. Once registered, the ICO registration number will be published here.
1. Definitions
“Personal Data”
Any information relating to an identified or identifiable natural person (Article 4(1) UK GDPR).
“Processing”
Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
“Data Controller”
The entity that determines the purposes and means of processing Personal Data. The Company is the Data Controller for data collected through the Website.
2. Data Protection Contact
The Company is not legally required to appoint a Data Protection Officer (DPO) at this stage of operations. All data protection enquiries should be directed to the designated privacy contact at [email protected]. The Company keeps its DPO requirement under ongoing review as operations develop.
3. Categories of Personal Data Collected
3.1. Data Provided Directly by Users
- Registration data: full name and email address;
- Payment information: billing details processed by authorised third-party payment providers. The Company does not store full card numbers or authentication data;
- Support communications: any data submitted via contact forms, support tickets, or email;
- Identity verification documents: where KYC or Enhanced Due Diligence is triggered under AML/CTF obligations.
3.2. Data Collected Automatically
- Technical and log data: IP address, browser type, operating system, and pages visited;
- Transaction data: Order records, Codes purchased, and delivery logs;
- Cookie and tracking data: as described in the Cookie Policy.
3.3. Data from Third-Party Sources
- Payment service providers: transaction status and fraud signals;
- KYC/AML compliance providers: identity verification outcomes and risk scores.
4. Legal Bases for Processing
The Company processes Personal Data only where a lawful basis under Article 6 UK GDPR exists:
| Purpose | Data Categories | Legal Basis (Art. 6 UK GDPR) |
| Account creation and management | Name, email | Art. 6(1)(b) — Contract performance |
| Order processing and Code delivery | Name, email, payment data | Art. 6(1)(b) — Contract performance |
| Refund processing | Transaction data, identity data | Art. 6(1)(b) — Contract performance |
| AML/CTF compliance and SAR filing | ID docs, transaction data | Art. 6(1)(c) — Legal obligation |
| Tax record-keeping | Billing, transaction data | Art. 6(1)(c) — Legal obligation |
| Response to regulatory/law enforcement | All relevant data | Art. 6(1)(c) — Legal obligation |
| Fraud prevention and chargeback defence | IP, device, transaction patterns | Art. 6(1)(f) — Legitimate interests |
| Website security monitoring | Usage data, log data | Art. 6(1)(f) — Legitimate interests |
| Marketing to existing customers (soft opt-in) | Art. 6(1)(f) — Legitimate interests* | |
| Marketing to new subscribers | Art. 6(1)(a) — Consent | |
| Non-essential cookies | Cookie identifiers | Art. 6(1)(a) — Consent |
* Marketing to existing customers is conducted on the basis of legitimate interests under PECR Regulation 22 (soft opt-in), provided that: (a) the products or services promoted are similar to those previously purchased; and (b) the User was offered an opt-out at the time of data collection. Users may object at any time. Where these conditions are not met, explicit consent will be sought.
Where legitimate interests are relied upon, the Company has conducted a balancing test and is satisfied that its interests do not override Users’ fundamental rights and freedoms.
5. Automated Decision-Making
The Company uses automated systems for fraud detection and transaction risk scoring. These may result in a transaction being flagged, delayed, or declined without human review in the first instance. Where a solely automated decision produces a significant effect on a User, the User has the right to request human review, to express their point of view, and to contest the outcome. Such requests should be directed to [email protected].
6. Data Retention
6.1. Retention Schedule
| Data Category | Retention Period | Basis / Purpose |
| Transaction and financial records | 6 years from transaction | Legal obligation — HMRC / Limitation Act 1980 |
| KYC/AML documentation | 5 years from end of relationship | Legal obligation — MLR 2017, Reg. 40 |
| Account data (active account) | Duration of account | Contract performance |
| Account data (closed account, no legal hold) | Up to 12 months post-closure | Legitimate interests — fraud prevention and potential contractual claims (balancing test conducted) |
| Support correspondence | 2 years from resolution | Legitimate interests — dispute resolution |
| Marketing consent records | Until consent withdrawn + 1 year | Legitimate interests — demonstrating compliance with consent obligations |
| Server and access logs | 12 months | Legitimate interests — security monitoring |
6.2. Deletion and Anonymisation
On expiry of the applicable period, Personal Data is securely deleted or irreversibly anonymised. Account deletion requests are actioned within 30 calendar days, subject to applicable legal retention obligations.
7. Data Sharing and Disclosure
7.1. Internal Access
Access is restricted to personnel whose duties require it, on a strict need-to-know basis.
7.2. Third-Party Processors
Personal Data may be shared with the following categories of processor, each engaged under a written data processing agreement:
- Payment service providers — transaction processing and fraud screening;
- IT infrastructure and hosting providers — server and database operations;
- Analytics providers — anonymised Website usage monitoring;
- KYC/AML compliance providers — identity verification and risk assessment;
- Email and communication platforms — transactional and marketing messaging;
- Legal and professional advisors — where required in connection with a legal matter.
7.3. Regulatory Disclosure
Personal Data will be disclosed to regulatory authorities, law enforcement agencies, or courts where required by law or a lawful order, without prior notice where legally required.
7.4. No Sale of Data
The Company does not sell, rent, or otherwise commercially exploit Personal Data to any third party.
7.5. International Transfers
Where Personal Data is transferred outside the United Kingdom, the Company ensures appropriate safeguards are in place. These may include: UK International Data Transfer Agreements (IDTAs); transfers to countries that have received an adequacy decision from the UK Secretary of State; or such other transfer mechanisms as are recognised under UK GDPR. All international transfers are subject to a transfer risk assessment where required.
8. Data Security
8.1. Technical and Organisational Measures
- HTTPS/TLS encryption for data in transit;
- Role-based access controls with least-privilege principle;
- Regular security monitoring and vulnerability assessments;
- Staff confidentiality obligations and data protection awareness;
- Secure backup and disaster recovery procedures.
8.2. Data Breach Notification
In the event of a Personal Data breach likely to result in risk to individuals, the Company will notify the ICO within 72 hours of becoming aware, per Article 33 UK GDPR. Affected Users will be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
9. Your Rights Under UK GDPR
To exercise any right, submit a written request to [email protected]. The Company will respond within one calendar month and may request proof of identity. Where a request is complex or numerous, the response period may be extended by a further two months, with prior notice.
| Right | Description |
| Access (Art. 15) | Request a copy of Personal Data held and information about its processing. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion where no lawful basis for retention exists. |
| Restriction (Art. 18) | Request temporary halt to processing in defined circumstances. |
| Portability (Art. 20) | Receive data in structured, machine-readable format (contract/consent basis only). |
| Object (Art. 21) | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw Consent (Art. 7(3)) | Withdraw consent at any time; does not affect prior lawful processing. |
| Human Review (Art. 22) | Request human review of any solely automated decision with significant effect. |
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.
10. Children’s Data
The Website is directed at individuals aged 18 and above. The Company does not knowingly collect Personal Data from persons under 18. If the Company becomes aware that data of a minor has been collected, it will delete that data without undue delay.
11. Cookies
The Company uses cookies and similar technologies as described in the Cookie Policy available at https://keybino.com. Non-essential cookies are activated only upon prior User consent, in accordance with PECR.
12. Marketing
Where the User is an existing customer, the Company may send relevant promotional communications on the basis of legitimate interests (PECR soft opt-in), provided the products promoted are similar to those previously purchased and the User was offered an opt-out at collection. New subscribers receive marketing only upon explicit opt-in consent. Every marketing communication includes a clear and accessible unsubscribe mechanism. Opting out does not affect transactional communications.
13. Policy Updates
This Policy may be updated periodically. Material changes will be communicated to registered Users. The latest version is always available on the Website.
Contact Information
| Legal Name | Quantara Solutions Ltd |
| Trading Name | Keybino |
| Company Number | 17073809 |
| Registered Address | 20 Wenlock Road, London, N1 7GU, England, United Kingdom |
| Website | https://keybino.com |
| General Support | [email protected] |
| Compliance | [email protected] |
| Privacy | [email protected] |
Last Updated: 1 April 2026