Privacy Policy

QLA is committed to protecting and respecting your privacy. This Privacy Policy explains how QLA collects, processes, and protects personal data in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)

  • Applicable EU data protection laws

This Policy applies solely to personal data collected through the Website or through direct communications with QLA in connection with its advisory activities.

Data Controller

For purposes of GDPR, QLA acts as the Data Controller in respect of personal data processed under this Policy.

Contact details:

Quantum Leap Acquisition
Email: info@qla.ee

Categories of Personal Data Collected

QLA may collect and process the following categories of personal data:

  • Identification data (name, title, organization)

  • Contact details (email address, phone number)

  • Professional information (role, industry, mandate-related information)

  • Technical data (IP address, browser type, device information)

  • Website usage data

QLA does not intentionally collect sensitive personal data unless voluntarily provided in connection with a formal advisory engagement.

Lawful Basis for Processing

Personal data is processed under one or more of the following legal bases:

  • Legitimate interest (e.g., responding to inquiries, business development, mandate discussions)

  • Performance of a contract (where a formal engagement exists)

  • Legal obligation (regulatory compliance, AML, sanctions screening where applicable)

  • Consent (for marketing communications, where required)

Purpose of Processing

QLA processes personal data for the following purposes:

  • Responding to inquiries and communications

  • Evaluating potential advisory engagements

  • Performing due diligence and transaction advisory services (under mandate)

  • Regulatory compliance obligations

  • Website analytics and improvement

  • Business development communications (where permitted by law)

QLA does not sell personal data. QLA does not use personal data for automated decision-making or profiling.

Data Sharing

QLA may share personal data only where necessary and lawful, including with:

  • Professional advisors (legal, accounting, compliance)

  • IT and infrastructure service providers

  • Secure document management providers

  • Regulatory authorities (where legally required)

All third-party processors are required to process personal data in accordance with applicable data protection laws. QLA does not transfer personal data to third parties for marketing resale.

International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), QLA ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)

  • Transfers to jurisdictions recognized as providing adequate protection

  • Other lawful transfer mechanisms under GDPR

QLA retains personal data only for as long as necessary to fulfil the purposes for which it was collected and in accordance with applicable legal, regulatory, and contractual obligations.

In general:

  • Website inquiries and general communications are retained for up to 36 months, unless a business relationship or advisory engagement is established.

  • Personal data relating to formal advisory engagements is retained for seven (7) years following the conclusion of the engagement, or longer where required by applicable law or regulatory obligations.

  • Personal data processed on the basis of consent (e.g., marketing communications) is retained until consent is withdrawn or the data is no longer necessary for the relevant purpose.

QLA may retain personal data for longer periods where necessary to:

  • comply with legal, tax, or regulatory requirements;

  • establish, exercise, or defend legal claims;

  • resolve disputes;

  • enforce contractual rights and obligations.

Retention periods are determined based on the nature of the relationship, the type of data involved, and applicable statutory limitation periods.

Data Security

QLA implements appropriate technical and organizational measures to protect personal data against:

  • Unauthorized access

  • Loss or destruction

  • Alteration

  • Disclosure

Such measures may include:

  • Encrypted communications (SSL/TLS)

  • Access control systems

  • Secure data storage

  • Limited internal access on a need-to-know basis

However, no method of electronic transmission or storage is completely secure, and QLA cannot guarantee absolute security.

Your Rights Under GDPR

Subject to applicable law, you have the right to:

  • Access your personal data

  • Rectify inaccurate or incomplete data

  • Request erasure (“right to be forgotten”)

  • Restrict processing

  • Object to processing based on legitimate interest

  • Data portability

  • Withdraw consent (where processing is based on consent)

You may exercise these rights by contacting: info@qla.ee

You also have the right to lodge a complaint with the Data Protection Inspectorate or another competent supervisory authority.

Cookies and Website Analytics

The Website may use cookies and similar technologies to:

  • Improve functionality

  • Analyze site usage

  • Maintain security

Cookies do not, by themselves, identify users personally.

Users may manage or disable cookies through browser settings.
Disabling cookies may affect Website functionality.

Detailed information regarding cookies may be provided in a separate Cookie Notice.

Third-Party Websites

The Website may contain links to third-party websites. QLA is not responsible for the privacy practices or content of external websites. Users access such websites at their own risk.

Confidential Submissions

Submission of information through the Website does not create confidentiality obligations unless a separate written agreement (e.g., NDA or mandate) has been executed.

Users are advised not to transmit sensitive or confidential information via unsecured communication channels.

Changes to This Policy

QLA may update this Privacy Policy periodically. Updates become effective upon publication on the Website. Continued use of the Website constitutes acceptance of the updated Policy.

Effective date: 31 January 2026.