Privacy Policy

1. Introduction and Scope

This Privacy Policy explains how QuantenRam.Net powered by Itlerhilfe OÜ ("we", "us", "our") collects, processes, and uses your personal data when you use our API Gateway service, website, and related services (collectively, the "Service").

We take the protection of your personal data seriously and process it in accordance with the General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and other applicable data protection laws.

Important: This Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.

2. Data We Collect

2.1 Account Information

When you register for an account, we collect:

Email address (required for account creation and communication)
Name (optional, for personalization)
Password (stored hashed, never in plain text)
OAuth provider data (when using Google, GitHub, or Discord login)
Company name and VAT ID (for B2B accounts, optional)

2.2 Usage Data

When you use our Service, we automatically collect:

API request metadata (timestamp, endpoint, model used, token count)
IP address (for security and rate limiting)
Browser type and version
Device information
Operating system
Referrer URL
Access timestamps

2.3 API Content

When using our API, the following may be processed:

Prompts/messages sent to AI models
Generated responses (temporarily for delivery)
Uploaded files (for applicable endpoints, temporary processing)

Data Retention for API Content: We do not permanently store the content of API requests and responses unless explicitly required for debugging (with your consent) or legal obligations. Processing is temporary for the purpose of delivering the service.

2.4 Payment Information

For paid subscriptions, payment processing is handled by Stripe. We do not store complete credit card numbers. We receive and store:

Payment confirmation from Stripe
Subscription status and history
Last 4 digits of credit card (for identification)
Billing address (if provided)

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you requested
Legal obligation (Art. 6(1)(c) GDPR): Compliance with tax, accounting, and other legal requirements
Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, security, service improvement, and direct marketing (where permitted)
Consent (Art. 6(1)(a) GDPR): For optional features and non-essential cookies

4. Purposes of Processing

We use your personal data for the following purposes:

Service Provision: To provide, maintain, and improve our API Gateway service
Authentication: To verify your identity and secure your account
Billing: To process payments and manage subscriptions
Communication: To send service-related notifications, updates, and security alerts
Security: To detect and prevent fraud, abuse, and unauthorized access
Analytics: To understand usage patterns and improve our service
Legal Compliance: To comply with applicable laws and regulations
Support: To respond to your inquiries and provide customer support

5. Data Sharing and Third-Party Processors

We may share your data with the following categories of recipients:

5.1 AI Model Providers

When you use third-party AI models through our gateway (OpenAI, Anthropic, Google, etc.), your API requests are forwarded to these providers. Their privacy policies apply to this data transmission:

OpenAI: Privacy Policy
Anthropic: Privacy Policy
Google: Privacy Policy

5.2 Service Providers (Data Processors)

We engage trusted third-party service providers to perform functions on our behalf:

Stripe, Inc. - Payment processing (USA - Standard Contractual Clauses apply)
Hetzner Online GmbH - Hosting infrastructure (Germany/EU)
Cloudflare, Inc. - CDN and DDoS protection (USA - Standard Contractual Clauses apply)
Postmark (ActiveCampaign) - Transactional email delivery (USA - Standard Contractual Clauses apply)

5.3 Legal Requirements

We may disclose your data if required by law, court order, or governmental authority, or to protect our rights, property, or safety, or that of our users or the public.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy commitments.

6. International Data Transfers

We are based in Estonia (EU) and primarily process data within the European Economic Area (EEA). However, some of our service providers (e.g., Stripe, Cloudflare, OpenAI) are located in the United States.

When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the European Commission
EU-US Data Privacy Framework certifications (where applicable)
Adequacy decisions for countries recognized by the EU Commission

You have the right to request a copy of the safeguards we use for international transfers by contacting us.

7. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:

Account data: Retained for the duration of your account plus 2 years after deletion (for legal compliance)
Usage logs: Retained for 12 months (for security, fraud prevention, and analytics)
API content: Not retained unless required for debugging (with consent) or legal obligations
Payment records: Retained for 7 years (tax and accounting requirements)
Marketing data: Until you withdraw consent or object

After the retention period expires, personal data is securely deleted or anonymized.

8. Cookies and Similar Technologies

Our website uses cookies and similar technologies to enhance your experience. Cookies are small text files stored on your device.

8.1 Types of Cookies We Use

Category	Purpose	Duration	Legal Basis
Essential	Session management, authentication, security, CSRF protection	Session - 1 year	Legitimate interest / Contract
Preferences	Theme selection (dark/light mode), language preference	1 year	Consent
Analytics	Understanding website usage (anonymized)	2 years	Consent
Marketing	Not currently used	-	-

8.2 Cookie Consent

Upon your first visit, we request your consent for non-essential cookies. You can change your preferences at any time by clearing cookies or contacting us.

8.3 Managing Cookies

Most web browsers allow you to control cookies through their settings. Please note that disabling essential cookies may affect the functionality of our Service.

9. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

9.1 Right to Access (Art. 15 GDPR)

You have the right to obtain confirmation whether we process your personal data and, if so, access to that data and information about the processing.

9.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate personal data and completion of incomplete data.

9.3 Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR)

You have the right to request deletion of your personal data when:

The data is no longer necessary for the purposes it was collected
You withdraw your consent and there is no other legal basis for processing
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing when:

You contest the accuracy of the data (for a period allowing verification)
The processing is unlawful but you oppose erasure
We no longer need the data but you require it for legal claims

9.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

9.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

9.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.

How to Exercise Your Rights

To exercise any of your rights, please contact us at support@quantenram.net. We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.

For complaints, you may also contact the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
Access controls: Role-based access, two-factor authentication for staff
API key hashing: API keys are stored using secure hashing (SHA-256 with pepper)
Regular security audits: Penetration testing and vulnerability assessments
Incident response: Documented procedures for breach notification
Staff training: Regular data protection training for employees

Despite our efforts, no security measure is completely impenetrable. We encourage you to use strong passwords and enable two-factor authentication where available.

11. AI Model Data Processing

When you use our Service to access AI models, your data is processed as follows:

11.1 Content You Submit

We temporarily process prompts and messages to route them to the selected AI model
Self-hosted vLLM instances keep data under your control
Third-party model providers may have their own data retention and training policies

11.2 Model Provider Terms

Please review the privacy policies of AI model providers you use through our gateway. Different providers have different approaches to data retention, training, and privacy.

11.3 Enterprise and B2B Options

For enterprise customers requiring enhanced data protection, we offer:

Self-hosted vLLM options (data never leaves your infrastructure)
Data Processing Agreements (DPAs) upon request
Custom security configurations

12. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@quantenram.net. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will delete that information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For significant changes, we will notify you via email or through the Service.

Your continued use of the Service after changes constitutes acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

14. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Data Protection Contact

QuantenRam.Net powered by Itlerhilfe OÜ

Lootsa Tn 2a
11415 Tallinn
Estonia

Email: support@quantenram.net

Instagram: @itlerhilfe

We aim to respond to all privacy-related inquiries within 48 hours.

Data Controller