**Version:** 1.0  
**Effective Date:** November 17, 2025  
**Last Updated:** November 17, 2025

---

## 1. Introduction

Welcome to QuantixAI ("we," "us," "our," or the "Company"). We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our time-series analysis and forecasting platform (the "Service").

**Data Controller:**

QuantixAI s.r.o.  
IČO 57306290 
Svatoplukova 15m 903 01, 
Bratislava, Slovak Republic

**Email:** privacy@quantix-ai.eu  
**Data Protection Contact:** privacy@quantix-ai.eu

**This Privacy Policy applies to:**

- Our website at www.quantix-ai.eu
- Our web application and API services
- Our business communications and support interactions

---

## 2. Our Commitment to Privacy

As a B2B service provider, we:

- Process personal data in compliance with GDPR (Regulation (EU) 2016/679) and applicable data protection laws
- Implement privacy by design and by default (Article 25 GDPR)
- Maintain transparency about our data practices
- Provide you with control over your personal data
- Use industry-standard security measures to protect your information (Article 32 GDPR)

---

## 3. Information We Collect

### 3.1 Information You Provide Directly

**Account Information:**

- Business name and registration details
- Name, job title, and department
- Business email address
- Phone number (optional)
- Billing address and VAT number

**Payment Information (via Paddle):**

- Paddle, our Merchant of Record, collects and processes:
  - Payment card details
  - Billing information
  - Transaction history
- We receive only limited payment data from Paddle (transaction IDs, subscription status)

**Service Data:**

- Time-series data you upload for analysis
- Custom models and configurations
- API keys and integration settings
- Support tickets and communications

### 3.2 Information Collected Automatically

**Authentication Data (via Auth0):**

- Login credentials (managed by Auth0)
- Authentication tokens
- Multi-factor authentication settings

**Technical Data:**

- IP address and approximate location
- Browser type and version
- Device type and operating system
- Timezone and language preferences
- Unique device identifiers

**Usage Data:**

- Features accessed and actions performed
- API calls and endpoints used
- Error logs and debugging information
- Performance metrics and response times
- Session duration and frequency

**Cookie Data:**

- Essential cookies for session management
- Preference cookies for user settings
- Analytics cookies (if consented)
- See Section 8 for detailed Cookie Policy

### 3.3 Information from Third Parties

**From Auth0:**

- Authentication status and user identifiers
- SSO provider information (if applicable)
- Security event notifications

**From Paddle:**

- Subscription status and tier
- Payment success/failure notifications
- Tax compliance information
- Refund and chargeback notifications

**From Business Partners:**

- Referral source information
- Integration partner data (with your consent)

---

## 4. How We Use Your Information

### 4.1 Legal Basis for Processing (Article 6 GDPR)

We process personal data based on:

- **Contract Performance (Article 6(1)(b) GDPR):** To provide the Service you've subscribed to
- **Legitimate Interests (Article 6(1)(f) GDPR):** For business operations, security, and improvement
- **Legal Obligations (Article 6(1)(c) GDPR):** To comply with laws and regulations
- **Consent (Article 6(1)(a) GDPR):** Where required, particularly for marketing communications and non-essential cookies

### 4.2 Purposes of Processing

**Service Delivery:**

- Create and manage your account
- Provide access to the Service features
- Process and analyze your time-series data
- Generate forecasts and analytical reports
- Provide API access and integrations

**Business Operations:**

- Process payments via Paddle
- Send service-related communications
- Provide customer support
- Maintain service quality and performance
- Conduct internal audits and compliance checks

**Security and Legal:**

- Detect and prevent fraud
- Monitor for security threats
- Investigate policy violations
- Comply with legal obligations
- Establish, exercise, or defend legal claims

**Improvement and Development:**

- Analyze usage patterns (aggregated)
- Develop new features
- Optimize algorithms and models
- Conduct A/B testing
- Create aggregated industry insights

**Marketing (with consent):**

- Send newsletters and product updates
- Inform about new features
- Share industry insights and best practices
- Invite to webinars and events

---

## 5. How We Share Your Information

### 5.1 Service Providers (Processors under Article 28 GDPR)

We share data with carefully selected service providers:

**Authentication Services:**

- **Provider:** Auth0 (Okta, Inc.)
- **Purpose:** Identity management and authentication
- **Location:** United States (with EU data residency options)
- **Safeguards:** Standard Contractual Clauses (Article 46 GDPR), technical measures
- **Privacy Policy:** https://auth0.com/privacy

**Payment Processing:**

- **Provider:** Paddle.com Market Ltd
- **Purpose:** Payment processing, tax calculation, invoicing
- **Location:** United Kingdom
- **Safeguards:** UK adequacy decision, PCI DSS certification
- **Note:** Paddle acts as independent data controller for payment data
- **Privacy Policy:** https://paddle.com/privacy

**Infrastructure:**

- **Provider:** Hetzner Online GmbH
- **Purpose:** Cloud hosting, data storage, processing, and backup
- **Location:** Germany (EU)
- **Safeguards:** ISO 27001 certified, GDPR compliant (Article 28 processing agreement)
- **Privacy Policy:** https://www.hetzner.com/legal/privacy-policy

**Communication Services:**

- **Provider:** SendGrid (Twilio Inc.)
- **Purpose:** Transactional emails, service notifications, password resets
- **Location:** United States
- **Safeguards:** Standard Contractual Clauses (Article 46 GDPR)

**Analytics (with consent):**

- **Provider:** Plausible Analytics
- **Purpose:** Privacy-focused web analytics and usage statistics
- **Location:** European Union
- **Safeguards:** GDPR compliant, no personal data collection, no cookies
- **Privacy Policy:** https://plausible.io/privacy

- **Provider:** Google Analytics (Google LLC)
- **Purpose:** Website usage statistics, traffic analysis, user behavior insights
- **Location:** United States
- **Safeguards:** Standard Contractual Clauses (Article 46 GDPR), IP anonymization enabled
- **Privacy Policy:** https://policies.google.com/privacy
- **Note:** Only used with your explicit cookie consent on our website

**Email Marketing:**

- **Provider:** SmartSelling a.s.
- **Purpose:** Marketing emails, newsletters, promotional communications
- **Location:** Czech Republic (EU)
- **Safeguards:** GDPR compliant, EU-based processor
- **Privacy Policy:** https://www.smartemailing.cz/gdpr/
- **Note:** Only used with your explicit consent; you can unsubscribe anytime

**Backup Storage:**

- **Provider:** Scaleway SAS
- **Purpose:** Database backups, trained model storage (S3-compatible object storage)
- **Location:** Poland (EU)
- **Safeguards:** GDPR compliant, EU-based processor, ISO 27001 certified
- **Privacy Policy:** https://www.scaleway.com/en/privacy-policy/

### 5.2 Business Transfers

In the event of:

- Merger, acquisition, or sale of assets
- Bankruptcy or reorganization
- Business partnership or joint venture

Your information may be transferred to the successor entity, subject to this Privacy Policy or equivalent protections. We will notify you via email before any such transfer.

### 5.3 Legal Disclosures (Article 6(1)(c) GDPR)

We may disclose information when required to:

- Comply with legal obligations
- Respond to lawful requests from authorities
- Protect our rights, property, or safety
- Prevent fraud or security threats
- Enforce our Terms and Conditions

### 5.4 With Your Consent

We may share information:

- With third parties you explicitly authorize
- For purposes you specifically request
- With integration partners you connect

### 5.5 What We Don't Do

We do **NOT**:

- Sell your personal data
- Share your data for third-party marketing
- Transfer data outside the purposes stated
- Allow unauthorized access to your business data

---

## 6. Data Retention

### 6.1 Retention Periods

| Data Category | Retention Period | Justification |
|---------------|------------------|---------------|
| Account Data | Duration of service + 90 days | Service delivery, account recovery |
| Payment Records | 7 years | Legal/tax requirements (Slovak law) |
| Usage Logs | 24 months | Service improvement, security |
| Support Tickets | Resolution + 12 months | Quality assurance |
| Security Logs | 12 months | Security monitoring |
| Marketing Preferences | Until withdrawn | Consent management (Article 7(3) GDPR) |
| Trained Models | Duration of service | Service delivery |
| Uploaded Data | Selected by User | Service delivery |
| API Logs | 24 months | Debugging, rate limiting |

### 6.2 Deletion Process

Upon account termination or deletion request (Article 17 GDPR):

- Active data deleted within 30 days
- Backups purged within 90 days
- Anonymized aggregates may be retained indefinitely (no longer personal data under GDPR)
- Legal obligations may require longer retention (Article 17(3)(b) GDPR)

---

## 7. International Data Transfers

### 7.1 Data Location

Primary data processing occurs within the European Union:

- **Primary Servers:** Hetzner data centers in Nuremberg, Germany
- **Backups:** EU-based locations only
- **CDN:** European edge locations where available

### 7.2 Transfers Outside the EEA (Chapter V GDPR)

When necessary, we transfer data outside the EEA with appropriate safeguards:

**To the United States:**

- **Service:** Auth0 (authentication services)
- **Safeguards:** Standard Contractual Clauses (Article 46(2)(c) GDPR), supplementary technical measures (encryption, data minimization)

**To the United Kingdom:**

- **Service:** Paddle (payment processing)
- **Safeguards:** UK adequacy decision (Commission Implementing Decision (EU) 2021/1772)

### 7.3 Transfer Safeguards (Article 46 GDPR)

We ensure appropriate safeguards through:

- **Standard Contractual Clauses (SCCs):** EU Commission approved clauses
- **Technical Measures:** Encryption, pseudonymization, data minimization
- **Contractual Obligations:** Data protection clauses in processor agreements (Article 28 GDPR)
- **Regular Assessments:** Monitoring of third-country laws and transfer impact assessments

---

## 8. Cookie Policy

### 8.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website or use our Service.

### 8.2 Cookies We Use

**Essential Cookies (Always Active - Article 6(1)(b) GDPR):**

- Session management
- Authentication state
- Security tokens (CSRF protection)
- Load balancing

These cookies are strictly necessary for the Service to function and cannot be disabled.

**Functional Cookies (Article 6(1)(f) GDPR):**

- Language preferences
- Timezone settings
- UI preferences
- Feature flags

**Analytics Cookies (Article 6(1)(a) GDPR - Consent Required):**

- Usage patterns (via Plausible Analytics)
- Feature adoption metrics
- Performance monitoring

We only set analytics cookies with your explicit consent.

### 8.3 Managing Cookies

You can manage cookies through:

- **Our cookie consent banner** (first visit)
- **Browser settings** (see your browser's Help menu)

**Note:** Disabling essential cookies will prevent Service access.

### 8.4 Cookie Duration

- **Session Cookies:** Deleted when you close your browser
- **Persistent Cookies:** Remain for a set period (typically 30-365 days)
- **Analytics Cookies:** 24 months maximum (with consent)

---

## 9. Your Data Protection Rights

Under GDPR (Regulation (EU) 2016/679), you have the following rights:

### 9.1 Right of Access (Article 15 GDPR)

You have the right to request:

- Confirmation of whether we process your personal data
- A copy of your personal data
- Information about how we process it (purposes, categories, recipients, retention periods)

### 9.2 Right to Rectification (Article 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data without undue delay.

### 9.3 Right to Erasure - "Right to be Forgotten" (Article 17 GDPR)

You have the right to request deletion of your personal data when:

- Data is no longer necessary for the purposes collected
- You withdraw consent (where processing is based on consent)
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
- Deletion is required to comply with legal obligations

**Exceptions:** We may refuse erasure when processing is necessary for:

- Compliance with legal obligations (Article 17(3)(b))
- Establishment, exercise, or defense of legal claims (Article 17(3)(e))

### 9.4 Right to Restriction of Processing (Article 18 GDPR)

You have the right to request limitation of processing when:

- You contest the accuracy of personal data
- Processing is unlawful but you oppose erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification

### 9.5 Right to Data Portability (Article 20 GDPR)

You have the right to:

- Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV)
- Transmit your data to another controller without hindrance

This right applies when processing is based on consent or contract and carried out by automated means.

### 9.6 Right to Object (Article 21 GDPR)

You have the right to object to processing based on:

- **Legitimate interests (Article 6(1)(f)):** We will stop processing unless we demonstrate compelling legitimate grounds
- **Direct marketing:** We will stop processing immediately upon objection

### 9.7 Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.

**Note:** We do not engage in automated decision-making with legal or significant effects.

### 9.8 Right to Withdraw Consent (Article 7(3) GDPR)

Where processing is based on consent (Article 6(1)(a)), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

### 9.9 How to Exercise Your Rights

**Contact us at:** privacy@quantix-ai.eu

**Response Time:** Within **30 days** (Article 12(3) GDPR). We may extend by 2 months for complex requests with notification.

**Fees:** No fee unless requests are manifestly unfounded or excessive (Article 12(5) GDPR).

**Verification:** We may request additional information to verify your identity before fulfilling requests.

### 9.10 Right to Lodge a Complaint (Article 77 GDPR)

You have the right to lodge a complaint with a supervisory authority:

**Primary Supervisory Authority (Slovak Republic):**

Office for Personal Data Protection of the Slovak Republic  
Námestie 1.mája 18
811 06 Bratislava
Slovak Republic  
Email: statny.dozor@pdp.gov.sk  
Website: https://dataprotection.gov.sk/

You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or place of alleged infringement.

---

## 10. Data Security (Article 32 GDPR)

### 10.1 Technical Measures

We implement industry-standard security measures including:

**Encryption:**

- **At Rest:** AES-256 encryption for all stored forecast models
- **In Transit:** TLS 1.3 (minimum TLS 1.2) for all data transmissions

**Access Control:**

- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for administrative access
- Principle of least privilege
- Regular access reviews

**Network Security:**

- Firewalls and intrusion detection systems (IDS)
- DDoS protection
- VPN access for remote administration
- Network segmentation

**Monitoring:**

- 24/7 security monitoring
- Automated threat detection
- Audit logging of all access and modifications
- Regular security audits and penetration testing

### 10.2 Organizational Measures

**Staff Security:**

- Regular security awareness training
- Confidentiality agreements (NDAs)
- Background checks for employees with data access
- Clear data handling procedures

**Incident Response:**

- Documented incident response plan
- Regular incident response drills
- Designated incident response team

**Vendor Management:**

- Due diligence on all processors
- Data processing agreements (Article 28 GDPR)
- Regular vendor security assessments

### 10.3 Infrastructure Security (Hetzner)

Our infrastructure provider maintains:

- **ISO 27001 certification**
- Physical security controls (24/7 surveillance, access controls)
- Redundant systems and power supplies
- Regular security updates and patch management
- Fire suppression and climate control

### 10.4 Authentication Security (Auth0)

Auth0 provides:

- Enterprise-grade authentication infrastructure
- Breached password detection
- Anomaly detection and bot prevention
- Brute force protection
- Passwordless and MFA options (if applicable)

### 10.5 Payment Security (Paddle)

Paddle maintains:

- **PCI DSS Level 1 compliance**
- Secure payment processing infrastructure
- Fraud detection and prevention systems
- Tokenization of payment data

**Important:** We never access, store, or process raw payment card data.

### 10.6 Data Breach Notification (Articles 33-34 GDPR)

In the event of a personal data breach:

**To Supervisory Authority (Article 33):**

- We will notify the Slovak Office for Personal Data Protection **within 72 hours** of becoming aware of the breach
- Notification includes nature of breach, categories and approximate number of affected individuals, likely consequences, and measures taken

**To Affected Data Subjects (Article 34):**

- We will notify affected users **without undue delay** (typically within 7 business days) when the breach is likely to result in high risk to rights and freedoms
- Notification via email will include:
  - Nature of the breach in clear and plain language
  - Contact point for more information
  - Likely consequences
  - Measures taken or proposed to mitigate adverse effects

---

## 11. Children's Privacy

Our Service is **not intended for individuals under 18 years of age**. We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a person under 18 without parental consent, we will:

- Delete the data immediately
- Terminate the account
- Notify the individual (if contact information is available)

If you believe we have collected data from a minor, please contact us immediately at privacy@quantix-ai.eu.

---

## 12. California Privacy Rights (CCPA/CPRA)

For California residents, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides additional rights.

### 12.1 Rights Available

- **Right to Know:** What personal information is collected, used, disclosed, and sold
- **Right to Delete:** Request deletion of personal information (subject to exceptions)
- **Right to Opt-Out:** Opt-out of sale of personal information (we do not sell personal information)
- **Right to Correct:** Request correction of inaccurate personal information
- **Right to Limit Use of Sensitive Personal Information:** We do not use sensitive personal information beyond necessary service provision
- **Right to Non-Discrimination:** We will not discriminate against you for exercising your rights

### 12.2 Categories of Information Collected

See Section 3 for detailed categories. In the preceding 12 months, we have collected:

- **Identifiers:** Name, email, IP address
- **Commercial Information:** Purchase history, subscription details
- **Internet Activity:** Usage data, browsing history on our Service
- **Professional Information:** Job title, company name

### 12.3 Use and Disclosure

We use personal information for purposes described in Section 4.

We **do not sell** personal information as defined by CCPA/CPRA.

We disclose personal information to service providers as described in Section 5.1.

### 12.4 Exercising Your Rights

California residents may exercise rights by:

- **Email:** privacy@quantix-ai.eu
- **Subject Line:** "California Privacy Rights Request"

We will verify your identity before fulfilling requests and respond within 45 days (extendable by 45 days with notice).

You may designate an authorized agent to make requests on your behalf by providing written authorization.

---

## 13. Updates to This Policy

### 13.1 Notification of Changes

We will notify you of material changes via:

- **Email notification** to your registered email address
- **Service dashboard notice** upon login
- **Website announcement** on our homepage

### 13.2 Effective Date of Changes

- **Material changes:** Effective 30 days after notification
- **Non-material changes:** Effective immediately upon posting

### 13.3 Acceptance of Changes

Continued use after changes take effect constitutes acceptance. For material changes affecting legal basis or significantly changing how we process data, we may seek renewed consent where required by law.

### 13.4 Version History

See Change Log at the end of this document for version history.

---

## 14. Third-Party Links

Our Service may contain links to third-party websites (e.g., integration partners, educational resources). 

**We are not responsible for:**

- Privacy practices of third-party websites
- Content or accuracy of third-party sites
- Your interactions with third parties

**Please review** their privacy policies before providing personal information to third parties.

---

## 15. Data Processing Agreement (Article 28 GDPR)

Business customers who process personal data of their own users through our Service (acting as data controllers) should execute our **Data Processing Agreement (DPA)**.

The DPA includes:

- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data and categories of data subjects
- Controller and processor obligations and rights
- Sub-processor authorizations
- Security measures (Article 32 GDPR)
- Data subject rights assistance
- Data breach notification procedures
- Deletion and return of data after termination
- Audit rights

**To request a DPA:** Email legal@quantix-ai.eu or visit https://quantix-ai.eu/dpa/

---

## 16. Privacy by Design and Default (Article 25 GDPR)

We implement privacy by design and default principles:

**Data Minimization:**

- Collect only data necessary for specified purposes
- Limit data retention to necessary periods
- Anonymize or pseudonymize where possible

**Purpose Limitation:**

- Process data only for specified, explicit, legitimate purposes
- No further processing incompatible with original purposes

**Privacy Defaults:**

- Minimal data collection by default
- Strictest privacy settings as default
- Opt-in (not opt-out) for non-essential processing

**Transparent Processing:**

- Clear, plain language privacy information
- Accessible privacy controls
- Visibility into data processing activities

**User Control:**

- Easy-to-use privacy controls
- Granular consent management
- Simple rights exercise procedures

**Security First:**

- Security integrated into system design
- Regular security assessments
- Proactive threat monitoring

---

## 17. Contact Information

### 17.1 Data Protection Inquiries

**Email:** privacy@quantix-ai.eu  
**Response Time:** Within 48 business hours for initial response

For exercising data subject rights, see Section 9.9.

### 17.2 General Contact

**Website:** www.quantix-ai.eu  
**Support:** support@quantix-ai.eu  
**Legal:** legal@quantix-ai.eu

### 17.3 Postal Address

QuantixAI s.r.o.  
[Street Address]  
[Postal Code] Bratislava  
Slovak Republic

### 17.4 Supervisory Authority

**Office for Personal Data Protection of the Slovak Republic**  
Námestie 1.mája 18
811 06 Bratislava
Slovak Republic

**Email:** statny.dozor@pdp.gov.sk  
**Phone:** +421 2 3231 3214  
**Website:** https://dataprotection.gov.sk/

---

## 18. Definitions

**Personal Data:** Any information relating to an identified or identifiable natural person (Article 4(1) GDPR)

**Processing:** Any operation performed on personal data, whether automated or not (Article 4(2) GDPR)

**Controller:** Entity determining purposes and means of processing (Article 4(7) GDPR)

**Processor:** Entity processing personal data on behalf of controller (Article 4(8) GDPR)

**Data Subject:** Individual whose personal data is processed (Article 4(1) GDPR)

**Consent:** Freely given, specific, informed, and unambiguous indication of agreement (Article 4(11) GDPR)

**Recipient:** Person, authority, or body to whom personal data is disclosed (Article 4(9) GDPR)

**Third Party:** Person, authority, or body other than data subject, controller, processor, and persons authorized to process (Article 4(10) GDPR)

**Merchant of Record (MoR):** Entity handling payment processing, invoicing, and tax compliance (Paddle acts as MoR)

**Standard Contractual Clauses (SCCs):** EU Commission approved contract terms for international data transfers (Article 46(2)(c) GDPR)

---

## Appendix A: Specific Service Provider Privacy Information

### Auth0 Privacy

- **Privacy Policy:** https://auth0.com/privacy
- **GDPR Compliance:** https://auth0.com/docs/compliance/gdpr
- **Data Processing Agreement:** Available upon request
- **EU Data Residency:** Available for applicable plans
- **Certifications:** SOC 2 Type II, ISO 27001, Privacy Shield (historic)

### Paddle Privacy

- **Privacy Policy:** https://paddle.com/privacy
- **Role:** Independent data controller for payment data
- **Compliance:** PCI DSS Level 1, UK GDPR
- **Location:** United Kingdom (adequacy decision applies)
- **Data Processed:** Payment card data, billing information, tax data

### Hetzner Privacy

- **Privacy Policy:** https://www.hetzner.com/legal/privacy-policy
- **Location:** Germany (EU) - Nuremberg data centers
- **Certifications:** ISO 27001
- **Role:** Processor under Article 28 GDPR
- **Data Processed:** All Service data, backups

### Plausible Analytics

- **Privacy Policy:** https://plausible.io/privacy
- **Location:** European Union
- **GDPR Compliance:** Fully compliant, no cookies, no personal data
- **Data Processed:** Aggregated, anonymous website usage statistics
- **Role:** Processor (with consent for analytics cookies)

### Google Analytics

- **Privacy Policy:** https://policies.google.com/privacy
- **Location:** United States (Standard Contractual Clauses apply)
- **GDPR Compliance:** https://support.google.com/analytics/answer/9019185
- **Data Processed:** Website usage data, IP addresses (anonymized), browser information, pages visited
- **Role:** Processor (with user consent for analytics cookies)
- **Safeguards:** IP anonymization enabled, Standard Contractual Clauses, data retention controls
- **Opt-out:** Via cookie consent banner or browser settings
- **Note:** Only active on public website (www.quantix-ai.eu) with explicit cookie consent

### SmartSelling Privacy

- **Privacy Policy:** https://www.smartemailing.cz/gdpr/
- **Location:** Czech Republic (EU)
- **GDPR Compliance:** Fully compliant, EU-based
- **Role:** Processor for email marketing communications
- **Data Processed:** Email addresses, names, marketing preferences, email engagement metrics
- **Opt-out:** Unsubscribe link in every marketing email

### Scaleway Privacy

- **Privacy Policy:** https://www.scaleway.com/en/privacy-policy/
- **Location:** Poland (EU) - Warsaw data centers
- **Certifications:** ISO 27001
- **Role:** Processor for backups and object storage
- **Data Processed:** Database backups, trained machine learning models

---

## Change Log

| Version | Date | Changes |
|---------|------|---------|
| 1.0 | November 17, 2025 | Initial release |
---

**This Privacy Policy was last reviewed and updated on November 17, 2025.**

**By using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal information as described herein.**

---

*For questions about this Privacy Policy, contact us at privacy@quantix-ai.eu*