Privacy Policy

1. Data Controller

The data controller responsible for your personal data is SoftQuantus innovative OÜ, a private limited company registered in Estonia (Registry Code: 17048927, VAT: EE102767458), with registered address at Veskiposti tn 2-1002, Kesklinna linnaosa, Tallinn 10138, Harju maakond, Estonia. For data protection matters, contact our Data Protection Officer at dpo@softquantus.com.

2. Legal Basis for Processing

We process personal data under Article 6(1) GDPR based on the following legal grounds:

• Contract (Art. 6(1)(b)): Processing necessary for performance of our services
• Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and regulatory requirements
• Legitimate Interests (Art. 6(1)(f)): Service improvement, fraud prevention, security
• Consent (Art. 6(1)(a)): Marketing communications, optional analytics

3. Categories of Personal Data

Data you provide:

• Identity data: name, username, job title
• Contact data: email address, phone number, company address
• Account data: credentials, preferences, settings
• Financial data: payment information (processed by certified PCI-DSS providers)
• Communication data: support tickets, feedback

Data collected automatically:

• Technical data: IP address, browser type, device information
• Usage data: pages visited, features used, API calls
• Log data: access times, errors, performance metrics

4. Purpose of Processing

• Provide, operate, and maintain our Services
• Process transactions and manage your account
• Communicate service updates, security alerts, and support
• Improve and personalize user experience
• Detect, prevent, and address security incidents
• Comply with legal obligations
• Send marketing communications (with consent)

5. Data Recipients

We may share personal data with:

• Service providers: Cloud hosting (EU-based), payment processors, analytics
• Quantum hardware providers: Only technical data necessary for circuit execution
• Legal authorities: When required by applicable law
• Business successors: In case of merger, acquisition, or reorganization

All processors are bound by Data Processing Agreements under Article 28 GDPR. We do not sell personal data to third parties.

6. International Transfers

We primarily process data within the European Economic Area (EEA). Where transfers outside the EEA are necessary, we ensure appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses (Commission Decision 2021/914) and adequacy decisions.

7. Data Retention

We retain personal data only as long as necessary:

• Account data: Duration of contract + 5 years (legal retention)
• Financial records: 7 years (Estonian Accounting Act)
• Technical logs: 90 days
• Marketing data: Until consent withdrawn
• Circuit execution data: 90 days (configurable for enterprise)

8. Your Rights Under GDPR

You have the right to:

To exercise these rights, email privacy@softquantus.com. We respond within 30 days as required by GDPR.

9. Security Measures

We implement technical and organizational measures under Article 32 GDPR, including: encryption in transit (TLS 1.3) and at rest (AES-256), access controls, regular security audits, SOC 2-aligned security controls (certification in progress), and incident response procedures.

10. Cookies

We use cookies in accordance with the ePrivacy Directive 2002/58/EC. Essential cookies are required for service operation. Analytics and marketing cookies require your consent. Manage preferences through our cookie banner or browser settings.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects concerning you, as defined in Article 22 GDPR.

12. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, in particular in your Member State of residence. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia. Website: www.aki.ee.

13. Contact