Privacy Policy

Version: 1.0
Effective Date: November 17, 2025
Last Updated: November 17, 2025

1. Introduction

Welcome to QuantixAI ("we," "us," "our," or the "Company"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our time-series analysis and forecasting platform (the "Service").

Data Controller:

QuantixAI s.r.o.
IČO 57306290 Svatoplukova 15m 903 01, Bratislava, Slovak Republic

Email: privacy@quantix-ai.eu
Data Protection Contact: privacy@quantix-ai.eu

This Privacy Policy applies to:

Our website at www.quantix-ai.eu
Our web application and API services
Our business communications and support interactions

2. Our Commitment to Privacy

As a B2B service provider, we:

Process personal data in compliance with GDPR (Regulation (EU) 2016/679) and applicable data protection laws
Implement privacy by design and by default (Article 25 GDPR)
Maintain transparency about our data practices
Provide you with control over your personal data
Use industry-standard security measures to protect your information (Article 32 GDPR)

3. Information We Collect

3.1 Information You Provide Directly

Account Information:

Business name and registration details
Name, job title, and department
Business email address
Phone number (optional)
Billing address and VAT number

Payment Information (via Paddle):

Paddle, our Merchant of Record, collects and processes:
- Payment card details
- Billing information
- Transaction history
We receive only limited payment data from Paddle (transaction IDs, subscription status)

Service Data:

Time-series data you upload for analysis
Custom models and configurations
API keys and integration settings
Support tickets and communications

3.2 Information Collected Automatically

Authentication Data (via Auth0):

Login credentials (managed by Auth0)
Authentication tokens
Multi-factor authentication settings

Technical Data:

IP address and approximate location
Browser type and version
Device type and operating system
Timezone and language preferences
Unique device identifiers

Usage Data:

Features accessed and actions performed
API calls and endpoints used
Error logs and debugging information
Performance metrics and response times
Session duration and frequency

Cookie Data:

Essential cookies for session management
Preference cookies for user settings
Analytics cookies (if consented)
See Section 8 for detailed Cookie Policy

3.3 Information from Third Parties

From Auth0:

Authentication status and user identifiers
SSO provider information (if applicable)
Security event notifications

From Paddle:

Subscription status and tier
Payment success/failure notifications
Tax compliance information
Refund and chargeback notifications

From Business Partners:

Referral source information
Integration partner data (with your consent)

4. How We Use Your Information

4.1 Legal Basis for Processing (Article 6 GDPR)

We process personal data based on:

Contract Performance (Article 6(1)(b) GDPR): To provide the Service you've subscribed to
Legitimate Interests (Article 6(1)(f) GDPR): For business operations, security, and improvement
Legal Obligations (Article 6(1)(c) GDPR): To comply with laws and regulations
Consent (Article 6(1)(a) GDPR): Where required, particularly for marketing communications and non-essential cookies

4.2 Purposes of Processing

Service Delivery:

Create and manage your account
Provide access to the Service features
Process and analyze your time-series data
Generate forecasts and analytical reports
Provide API access and integrations

Business Operations:

Process payments via Paddle
Send service-related communications
Provide customer support
Maintain service quality and performance
Conduct internal audits and compliance checks

Security and Legal:

Detect and prevent fraud
Monitor for security threats
Investigate policy violations
Comply with legal obligations
Establish, exercise, or defend legal claims

Improvement and Development:

Analyze usage patterns (aggregated)
Develop new features
Optimize algorithms and models
Conduct A/B testing
Create aggregated industry insights

Marketing (with consent):

Send newsletters and product updates
Inform about new features
Share industry insights and best practices
Invite to webinars and events

5. How We Share Your Information

5.1 Service Providers (Processors under Article 28 GDPR)

We share data with carefully selected service providers:

Authentication Services:

Provider: Auth0 (Okta, Inc.)
Purpose: Identity management and authentication
Location: United States (with EU data residency options)
Safeguards: Standard Contractual Clauses (Article 46 GDPR), technical measures
Privacy Policy: https://auth0.com/privacy

Payment Processing:

Provider: Paddle.com Market Ltd
Purpose: Payment processing, tax calculation, invoicing
Location: United Kingdom
Safeguards: UK adequacy decision, PCI DSS certification
Note: Paddle acts as independent data controller for payment data
Privacy Policy: https://paddle.com/privacy

Infrastructure:

Provider: Hetzner Online GmbH
Purpose: Cloud hosting, data storage, processing, and backup
Location: Germany (EU)
Safeguards: ISO 27001 certified, GDPR compliant (Article 28 processing agreement)
Privacy Policy: https://www.hetzner.com/legal/privacy-policy

Communication Services:

Provider: SendGrid (Twilio Inc.)
Purpose: Transactional emails, service notifications, password resets
Location: United States
Safeguards: Standard Contractual Clauses (Article 46 GDPR)

Analytics (with consent):

Provider: Plausible Analytics
Purpose: Privacy-focused web analytics and usage statistics
Location: European Union
Safeguards: GDPR compliant, no personal data collection, no cookies
Privacy Policy: https://plausible.io/privacy
Provider: Google Analytics (Google LLC)
Purpose: Website usage statistics, traffic analysis, user behavior insights
Location: United States
Safeguards: Standard Contractual Clauses (Article 46 GDPR), IP anonymization enabled
Privacy Policy: https://policies.google.com/privacy
Note: Only used with your explicit cookie consent on our website

Email Marketing:

Provider: SmartSelling a.s.
Purpose: Marketing emails, newsletters, promotional communications
Location: Czech Republic (EU)
Safeguards: GDPR compliant, EU-based processor
Privacy Policy: https://www.smartemailing.cz/gdpr/
Note: Only used with your explicit consent; you can unsubscribe anytime

Backup Storage:

Provider: Scaleway SAS
Purpose: Database backups, trained model storage (S3-compatible object storage)
Location: Poland (EU)
Safeguards: GDPR compliant, EU-based processor, ISO 27001 certified
Privacy Policy: https://www.scaleway.com/en/privacy-policy/

5.2 Business Transfers

In the event of:

Merger, acquisition, or sale of assets
Bankruptcy or reorganization
Business partnership or joint venture

Your information may be transferred to the successor entity, subject to this Privacy Policy or equivalent protections. We will notify you via email before any such transfer.

5.3 Legal Disclosures (Article 6(1)(c) GDPR)

We may disclose information when required to:

Comply with legal obligations
Respond to lawful requests from authorities
Protect our rights, property, or safety
Prevent fraud or security threats
Enforce our Terms and Conditions

5.4 With Your Consent

We may share information:

With third parties you explicitly authorize
For purposes you specifically request
With integration partners you connect

5.5 What We Don't Do

We do NOT:

Sell your personal data
Share your data for third-party marketing
Transfer data outside the purposes stated
Allow unauthorized access to your business data

6. Data Retention

6.1 Retention Periods

Data Category	Retention Period	Justification
Account Data	Duration of service + 90 days	Service delivery, account recovery
Payment Records	7 years	Legal/tax requirements (Slovak law)
Usage Logs	24 months	Service improvement, security
Support Tickets	Resolution + 12 months	Quality assurance
Security Logs	12 months	Security monitoring
Marketing Preferences	Until withdrawn	Consent management (Article 7(3) GDPR)
Trained Models	Duration of service	Service delivery
Uploaded Data	Selected by User	Service delivery
API Logs	24 months	Debugging, rate limiting

6.2 Deletion Process

Upon account termination or deletion request (Article 17 GDPR):

Active data deleted within 30 days
Backups purged within 90 days
Anonymized aggregates may be retained indefinitely (no longer personal data under GDPR)
Legal obligations may require longer retention (Article 17(3)(b) GDPR)

7. International Data Transfers

7.1 Data Location

Primary data processing occurs within the European Union:

Primary Servers: Hetzner data centers in Nuremberg, Germany
Backups: EU-based locations only
CDN: European edge locations where available

7.2 Transfers Outside the EEA (Chapter V GDPR)

When necessary, we transfer data outside the EEA with appropriate safeguards:

To the United States:

Service: Auth0 (authentication services)
Safeguards: Standard Contractual Clauses (Article 46(2)(c) GDPR), supplementary technical measures (encryption, data minimization)

To the United Kingdom:

Service: Paddle (payment processing)
Safeguards: UK adequacy decision (Commission Implementing Decision (EU) 2021/1772)

7.3 Transfer Safeguards (Article 46 GDPR)

We ensure appropriate safeguards through:

Standard Contractual Clauses (SCCs): EU Commission approved clauses
Technical Measures: Encryption, pseudonymization, data minimization
Contractual Obligations: Data protection clauses in processor agreements (Article 28 GDPR)
Regular Assessments: Monitoring of third-country laws and transfer impact assessments

8. Cookie Policy

8.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website or use our Service.

8.2 Cookies We Use

Essential Cookies (Always Active - Article 6(1)(b) GDPR):

Session management
Authentication state
Security tokens (CSRF protection)
Load balancing

These cookies are strictly necessary for the Service to function and cannot be disabled.

Functional Cookies (Article 6(1)(f) GDPR):

Language preferences
Timezone settings
UI preferences
Feature flags

Analytics Cookies (Article 6(1)(a) GDPR - Consent Required):

Usage patterns (via Plausible Analytics)
Feature adoption metrics
Performance monitoring

We only set analytics cookies with your explicit consent.

8.3 Managing Cookies

You can manage cookies through:

Our cookie consent banner (first visit)
Browser settings (see your browser's Help menu)

Note: Disabling essential cookies will prevent Service access.

8.4 Cookie Duration

Session Cookies: Deleted when you close your browser
Persistent Cookies: Remain for a set period (typically 30-365 days)
Analytics Cookies: 24 months maximum (with consent)

9. Your Data Protection Rights

Under GDPR (Regulation (EU) 2016/679), you have the following rights:

9.1 Right of Access (Article 15 GDPR)

You have the right to request:

Confirmation of whether we process your personal data
A copy of your personal data
Information about how we process it (purposes, categories, recipients, retention periods)

9.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data without undue delay.

9.3 Right to Erasure - "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your personal data when:

Data is no longer necessary for the purposes collected
You withdraw consent (where processing is based on consent)
You object to processing and there are no overriding legitimate grounds
Data has been unlawfully processed
Deletion is required to comply with legal obligations

Exceptions: We may refuse erasure when processing is necessary for:

Compliance with legal obligations (Article 17(3)(b))
Establishment, exercise, or defense of legal claims (Article 17(3)(e))

9.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request limitation of processing when:

You contest the accuracy of personal data
Processing is unlawful but you oppose erasure
We no longer need the data but you need it for legal claims
You have objected to processing pending verification

9.5 Right to Data Portability (Article 20 GDPR)

You have the right to:

Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV)
Transmit your data to another controller without hindrance

This right applies when processing is based on consent or contract and carried out by automated means.

9.6 Right to Object (Article 21 GDPR)

You have the right to object to processing based on:

Legitimate interests (Article 6(1)(f)): We will stop processing unless we demonstrate compelling legitimate grounds
Direct marketing: We will stop processing immediately upon objection

9.7 Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.

Note: We do not engage in automated decision-making with legal or significant effects.

9.8 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent (Article 6(1)(a)), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

9.9 How to Exercise Your Rights

Contact us at: privacy@quantix-ai.eu

Response Time: Within 30 days (Article 12(3) GDPR). We may extend by 2 months for complex requests with notification.

Fees: No fee unless requests are manifestly unfounded or excessive (Article 12(5) GDPR).

Verification: We may request additional information to verify your identity before fulfilling requests.

9.10 Right to Lodge a Complaint (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority:

Primary Supervisory Authority (Slovak Republic):

Office for Personal Data Protection of the Slovak Republic
Námestie 1.mája 18 811 06 Bratislava Slovak Republic
Email: statny.dozor@pdp.gov.sk
Website: https://dataprotection.gov.sk/

You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or place of alleged infringement.

10. Data Security (Article 32 GDPR)

10.1 Technical Measures

We implement industry-standard security measures including:

Encryption:

At Rest: AES-256 encryption for all stored forecast models
In Transit: TLS 1.3 (minimum TLS 1.2) for all data transmissions

Access Control:

Role-based access control (RBAC)
Multi-factor authentication (MFA) for administrative access
Principle of least privilege
Regular access reviews

Network Security:

Firewalls and intrusion detection systems (IDS)
DDoS protection
VPN access for remote administration
Network segmentation

Monitoring:

24/7 security monitoring
Automated threat detection
Audit logging of all access and modifications
Regular security audits and penetration testing

10.2 Organizational Measures

Staff Security:

Regular security awareness training
Confidentiality agreements (NDAs)
Background checks for employees with data access
Clear data handling procedures

Incident Response:

Documented incident response plan
Regular incident response drills
Designated incident response team

Vendor Management:

Due diligence on all processors
Data processing agreements (Article 28 GDPR)
Regular vendor security assessments

10.3 Infrastructure Security (Hetzner)

Our infrastructure provider maintains:

ISO 27001 certification
Physical security controls (24/7 surveillance, access controls)
Redundant systems and power supplies
Regular security updates and patch management
Fire suppression and climate control

10.4 Authentication Security (Auth0)

Auth0 provides:

Enterprise-grade authentication infrastructure
Breached password detection
Anomaly detection and bot prevention
Brute force protection
Passwordless and MFA options (if applicable)

10.5 Payment Security (Paddle)

Paddle maintains:

PCI DSS Level 1 compliance
Secure payment processing infrastructure
Fraud detection and prevention systems
Tokenization of payment data

Important: We never access, store, or process raw payment card data.

10.6 Data Breach Notification (Articles 33-34 GDPR)

In the event of a personal data breach:

To Supervisory Authority (Article 33):

We will notify the Slovak Office for Personal Data Protection within 72 hours of becoming aware of the breach
Notification includes nature of breach, categories and approximate number of affected individuals, likely consequences, and measures taken

To Affected Data Subjects (Article 34):

We will notify affected users without undue delay (typically within 7 business days) when the breach is likely to result in high risk to rights and freedoms
Notification via email will include:
- Nature of the breach in clear and plain language
- Contact point for more information
- Likely consequences
- Measures taken or proposed to mitigate adverse effects

11. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a person under 18 without parental consent, we will:

Delete the data immediately
Terminate the account
Notify the individual (if contact information is available)

If you believe we have collected data from a minor, please contact us immediately at privacy@quantix-ai.eu.

12. California Privacy Rights (CCPA/CPRA)

For California residents, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides additional rights.

12.1 Rights Available

Right to Know: What personal information is collected, used, disclosed, and sold
Right to Delete: Request deletion of personal information (subject to exceptions)
Right to Opt-Out: Opt-out of sale of personal information (we do not sell personal information)
Right to Correct: Request correction of inaccurate personal information
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond necessary service provision
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

12.2 Categories of Information Collected

See Section 3 for detailed categories. In the preceding 12 months, we have collected:

Identifiers: Name, email, IP address
Commercial Information: Purchase history, subscription details
Internet Activity: Usage data, browsing history on our Service
Professional Information: Job title, company name

12.3 Use and Disclosure

We use personal information for purposes described in Section 4.

We do not sell personal information as defined by CCPA/CPRA.

We disclose personal information to service providers as described in Section 5.1.

12.4 Exercising Your Rights

California residents may exercise rights by:

Email: privacy@quantix-ai.eu
Subject Line: "California Privacy Rights Request"

We will verify your identity before fulfilling requests and respond within 45 days (extendable by 45 days with notice).

You may designate an authorized agent to make requests on your behalf by providing written authorization.

13. Updates to This Policy

13.1 Notification of Changes

We will notify you of material changes via:

Email notification to your registered email address
Service dashboard notice upon login
Website announcement on our homepage

13.2 Effective Date of Changes

Material changes: Effective 30 days after notification
Non-material changes: Effective immediately upon posting

13.3 Acceptance of Changes

Continued use after changes take effect constitutes acceptance. For material changes affecting legal basis or significantly changing how we process data, we may seek renewed consent where required by law.

13.4 Version History

See Change Log at the end of this document for version history.

14. Third-Party Links

Our Service may contain links to third-party websites (e.g., integration partners, educational resources).

We are not responsible for:

Privacy practices of third-party websites
Content or accuracy of third-party sites
Your interactions with third parties

Please review their privacy policies before providing personal information to third parties.

15. Data Processing Agreement (Article 28 GDPR)

Business customers who process personal data of their own users through our Service (acting as data controllers) should execute our Data Processing Agreement (DPA).

The DPA includes:

Subject matter and duration of processing
Nature and purpose of processing
Types of personal data and categories of data subjects
Controller and processor obligations and rights
Sub-processor authorizations
Security measures (Article 32 GDPR)
Data subject rights assistance
Data breach notification procedures
Deletion and return of data after termination
Audit rights

To request a DPA: Email legal@quantix-ai.eu or visit https://quantix-ai.eu/dpa/

16. Privacy by Design and Default (Article 25 GDPR)

We implement privacy by design and default principles:

Data Minimization:

Collect only data necessary for specified purposes
Limit data retention to necessary periods
Anonymize or pseudonymize where possible

Purpose Limitation:

Process data only for specified, explicit, legitimate purposes
No further processing incompatible with original purposes

Privacy Defaults:

Minimal data collection by default
Strictest privacy settings as default
Opt-in (not opt-out) for non-essential processing

Transparent Processing:

Clear, plain language privacy information
Accessible privacy controls
Visibility into data processing activities

User Control:

Easy-to-use privacy controls
Granular consent management
Simple rights exercise procedures

Security First:

Security integrated into system design
Regular security assessments
Proactive threat monitoring

17. Contact Information

17.1 Data Protection Inquiries

Email: privacy@quantix-ai.eu
Response Time: Within 48 business hours for initial response

For exercising data subject rights, see Section 9.9.

17.2 General Contact

Website: www.quantix-ai.eu
Support: support@quantix-ai.eu
Legal: legal@quantix-ai.eu

17.3 Postal Address

QuantixAI s.r.o.
[Street Address]
[Postal Code] Bratislava
Slovak Republic

17.4 Supervisory Authority

Office for Personal Data Protection of the Slovak Republic
Námestie 1.mája 18 811 06 Bratislava Slovak Republic

Email: statny.dozor@pdp.gov.sk
Phone: +421 2 3231 3214
Website: https://dataprotection.gov.sk/

18. Definitions

Personal Data: Any information relating to an identified or identifiable natural person (Article 4(1) GDPR)

Processing: Any operation performed on personal data, whether automated or not (Article 4(2) GDPR)

Controller: Entity determining purposes and means of processing (Article 4(7) GDPR)

Processor: Entity processing personal data on behalf of controller (Article 4(8) GDPR)

Data Subject: Individual whose personal data is processed (Article 4(1) GDPR)

Consent: Freely given, specific, informed, and unambiguous indication of agreement (Article 4(11) GDPR)

Recipient: Person, authority, or body to whom personal data is disclosed (Article 4(9) GDPR)

Third Party: Person, authority, or body other than data subject, controller, processor, and persons authorized to process (Article 4(10) GDPR)

Merchant of Record (MoR): Entity handling payment processing, invoicing, and tax compliance (Paddle acts as MoR)

Standard Contractual Clauses (SCCs): EU Commission approved contract terms for international data transfers (Article 46(2)(c) GDPR)

Appendix A: Specific Service Provider Privacy Information

Auth0 Privacy

Privacy Policy: https://auth0.com/privacy
GDPR Compliance: https://auth0.com/docs/compliance/gdpr
Data Processing Agreement: Available upon request
EU Data Residency: Available for applicable plans
Certifications: SOC 2 Type II, ISO 27001, Privacy Shield (historic)

Paddle Privacy

Privacy Policy: https://paddle.com/privacy
Role: Independent data controller for payment data
Compliance: PCI DSS Level 1, UK GDPR
Location: United Kingdom (adequacy decision applies)
Data Processed: Payment card data, billing information, tax data

Hetzner Privacy

Privacy Policy: https://www.hetzner.com/legal/privacy-policy
Location: Germany (EU) - Nuremberg data centers
Certifications: ISO 27001
Role: Processor under Article 28 GDPR
Data Processed: All Service data, backups

Plausible Analytics

Privacy Policy: https://plausible.io/privacy
Location: European Union
GDPR Compliance: Fully compliant, no cookies, no personal data
Data Processed: Aggregated, anonymous website usage statistics
Role: Processor (with consent for analytics cookies)

Google Analytics

Privacy Policy: https://policies.google.com/privacy
Location: United States (Standard Contractual Clauses apply)
GDPR Compliance: https://support.google.com/analytics/answer/9019185
Data Processed: Website usage data, IP addresses (anonymized), browser information, pages visited
Role: Processor (with user consent for analytics cookies)
Safeguards: IP anonymization enabled, Standard Contractual Clauses, data retention controls
Opt-out: Via cookie consent banner or browser settings
Note: Only active on public website (www.quantix-ai.eu) with explicit cookie consent

SmartSelling Privacy

Privacy Policy: https://www.smartemailing.cz/gdpr/
Location: Czech Republic (EU)
GDPR Compliance: Fully compliant, EU-based
Role: Processor for email marketing communications
Data Processed: Email addresses, names, marketing preferences, email engagement metrics
Opt-out: Unsubscribe link in every marketing email

Scaleway Privacy

Privacy Policy: https://www.scaleway.com/en/privacy-policy/
Location: Poland (EU) - Warsaw data centers
Certifications: ISO 27001
Role: Processor for backups and object storage
Data Processed: Database backups, trained machine learning models

Change Log

Version	Date	Changes
1.0	November 17, 2025	Initial release

This Privacy Policy was last reviewed and updated on November 17, 2025.

By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal information as described herein.

For questions about this Privacy Policy, contact us at privacy@quantix-ai.eu

EN Last updated: January 6, 2026 Download Markdown