Quantum Dynamics
Privacy Policy

How Quantum Dynamics handles your information.

Effective date: [TO BE FILLED ON PUBLICATION]
Last updated: [TO BE FILLED ON PUBLICATION]
Version: 1.0

Draft for legal review. This Privacy Policy is a working draft prepared for review by California-licensed privacy counsel. It has not been published. Specific clauses requiring counsel attention are listed in legal_review_checklist.md. Do not rely on this draft until it has been reviewed and the effective date filled in.

This Privacy Policy explains how Quantum Dynamics LLC ("Quantum Dynamics", "we", "us", or "our") collects, uses, shares, and protects information when you visit quantum-dynamics.org, request a quote through our Smart IT order wizard, or otherwise interact with us. We've written it to be readable, but it's also a binding statement of our practices.

Two things this Policy does not cover, and where to find their separate documents:

  • Customer tenant data. When you become a Smart IT paying customer, we operate Microsoft 365 services on your behalf. The data inside your tenant — your employees' emails, files, identities — is governed by your Master Services Agreement and our Data Processing Addendum, not by this Privacy Policy.
  • Microsoft's, Stripe's, and other providers' practices. We use a small number of carefully chosen service providers (listed in §6 below). Their handling of your information is also governed by their own policies, which we link to.

1. Who we are

Quantum Dynamics LLC is a California limited liability company. Our registered office is:

Quantum Dynamics LLC
2121 Avenue of the Stars, Suite 800
Los Angeles, CA 90067
United States

For privacy-related questions, including to exercise the rights described in §10, contact us at michael@quantum-dynamics.org or by phone at +1 (310) 504-4075. See §16 for full contact options.

2. What this Policy covers

This Policy covers personal information we collect about visitors to our website, prospects who request a quote through our Smart IT order wizard, prospective customers we communicate with by email or phone, and individuals who interact with us in other commercial or pre-commercial contexts.

We are a small business-to-business company. Most of the personal information we collect is "business contact information" — your name, work email, work phone, company name, and similar — provided by you for the purpose of evaluating or purchasing our services. We do not run consumer advertising. We do not target individual consumers. We do not maintain accounts for natural persons in their personal capacity.

3. Information we collect

3.1 Information you provide directly

When you use our order wizard, fill out a contact form, or correspond with us, you may provide the following:

  • Your name (typically used as the contact name on a corporate quote)
  • Your work email address
  • Your work phone number (optional)
  • Your role or title (optional)
  • The name of your company
  • Your company's primary domain (optional)
  • Your company's country
  • The number of users at your company (a sizing input for our pricing)
  • Your current IT environment (e.g., Google Workspace, on-premises Exchange) if you're considering migration
  • Your target go-live date
  • Free-text notes you choose to include with your inquiry
  • If you proceed to payment via Stripe (for our Starter tier): your billing details, which are collected and processed by Stripe directly, not by us

3.2 Information collected automatically

When you visit our website, certain information is collected automatically by our infrastructure:

  • Your IP address (collected by Cloudflare for routing, security, and basic analytics)
  • Your browser type and version
  • The pages you visit and the time of your visits
  • Whether your visit was successful (HTTP response codes)
  • The referring URL, if any (which site you came from)

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioral analytics tracker on our website. We do not set marketing cookies. We do not build profiles of individual visitors for advertising purposes.

3.3 Information from third parties

We may receive information about you from publicly available sources (such as your company's public website or a LinkedIn profile you've made public) when researching prospective customers or responding to inbound inquiries. We do not purchase contact lists.

3.4 Sensitive personal information

We do not knowingly collect or process any "sensitive personal information" as defined under the California Privacy Rights Act (CPRA), including: government identifiers (SSN, driver's license, passport, state ID), account log-in credentials, debit/credit card numbers in combination with security codes (Stripe handles these directly without disclosing them to us), precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of mail or email or text messages, genetic data, biometric information for unique identification, health information, or information concerning sex life or sexual orientation.

4. How we use information

We use the personal information described in §3 for the following purposes:

| Purpose | Type of information used |
|---|---|
| Responding to inquiries — Sending you a quote, scheduling a call, or otherwise responding to your message | Name, email, phone, company, and the substance of your inquiry |
| Performing a contract — Setting up your Smart IT engagement once you become a customer | Identifiers + commercial information related to the engagement |
| Processing payment — For Starter customers paying via Stripe Checkout | Stripe handles this; we receive only the fact of payment, transaction ID, and amount |
| Customer service and support — Operational follow-up, troubleshooting, account management | Contact info, communications history |
| Sending transactional emails — Order confirmations, receipts, service notifications, MCA acceptance links | Email address, name, order data |
| Security and fraud prevention — Detecting suspicious requests, maintaining infrastructure integrity | IP address, request patterns, security telemetry |
| Compliance with legal obligations — Tax records, audit response, lawful requests from authorities | Whatever is required by the obligation |
| Internal business analytics — Understanding how the website is used, where visitors come from, what plans interest people | Aggregated request data — no individual profiling |
| Improving our services — Refining our pricing, messaging, and product | Aggregated information from inquiries; we do not use the contents of individual customer messages for analytics without consent |

We do not use personal information for: targeted advertising, profile-building for resale, training of artificial intelligence models, or any purpose materially different from the original collection purpose without further notice.

5. Sources of information

We collect information from three sources:

  1. Directly from you — when you use our order wizard, send us an email, or interact with our website
  2. Automatically from your device or browser — when you visit our website (see §3.2)
  3. From publicly available sources — your company's public website, LinkedIn profiles you've made public, business directories

6. How we share information

We share personal information only as necessary to operate our business and only with the following categories of recipients:

6.1 Service providers (subprocessors)

We use the following service providers to operate our infrastructure. Each is bound by a written contract that limits their use of your information to providing the service to us. These are not "sales" or "shares" of personal information under the CCPA/CPRA:

| Provider | What they do for us | Where they're based |
|---|---|---|
| Cloudflare, Inc. | Website hosting, DNS, content delivery network, edge compute (the order wizard's backend) | USA (global edge) |
| Stripe, Inc. | Payment processing for Starter tier purchases | USA (with EU and UK subsidiaries for those regions) |
| Resend (Resend, Inc.) | Transactional email delivery (order confirmations, quotes, receipts) | USA |
| GitHub, Inc. (a Microsoft subsidiary) | Audit log and source-of-truth storage for orders. We store order JSON in a private repository for record-keeping and operational orchestration. | USA |
| Microsoft Corporation | Quantum Dynamics' own internal Microsoft 365 (email, productivity); not the customer-tenant services we manage on your behalf, which are governed by separate agreements | USA (with regional data centers) |
| Google LLC | Google Fonts (typography on our website). When your browser loads our website, it requests fonts from Google's font CDN; this exposes your IP address to Google. We are evaluating self-hosting fonts to eliminate this exposure. | USA |

6.2 Business transfers

If Quantum Dynamics is involved in a merger, acquisition, financing, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will provide notice of any such change in ownership or control of your personal information.

6.3 Legal requirements and rights protection

We may disclose information when we believe in good faith it's necessary to: (a) comply with a legal obligation, lawful subpoena, court order, or other legal process; (b) protect our rights, property, or safety, or that of our customers or others; (c) investigate and prevent fraud or security issues; or (d) comply with a request from a law enforcement or government agency that we conclude is valid.

6.4 With your consent

We may share information for purposes other than those described above if you specifically consent.

6.5 No sale or sharing for cross-context behavioral advertising

We do not sell personal information for money or other valuable consideration, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the California Privacy Rights Act. We have not done so in the preceding 12 months.

7. International transfers

Quantum Dynamics is based in California, United States. Our service providers (listed in §6.1) are predominantly US-based, with some maintaining global infrastructure. If you're located outside the United States — particularly in the European Economic Area (EEA), the United Kingdom, or Switzerland — your personal information will be transferred to and processed in the United States.

For transfers from the EEA, UK, and Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as appropriate, to provide adequate protection for your personal information. Our service providers Cloudflare, Stripe, Resend, GitHub, and Microsoft are participants in the EU-U.S. Data Privacy Framework or have certified to it; we will update this Policy if their participation changes.

8. Retention

We retain personal information only as long as needed for the purpose for which we collected it, or as required by applicable law. The general approach:

  • Quote inquiries that don't become customers: retained for 24 months from last contact, then deleted, unless required for tax/audit purposes
  • Active customer engagement records: retained for the duration of the engagement plus 7 years (to satisfy U.S. tax recordkeeping requirements)
  • Email communications: retained per the retention policy of our internal Microsoft 365 tenant (currently 7 years for transactional records, in line with tax records requirements)
  • Stripe payment records: retained by Stripe per their own retention policy; we receive transaction summary records and retain them for 7 years
  • Website server logs (IP addresses, request data): retained by Cloudflare per their retention policy (currently 30-90 days for raw logs)
  • Order JSON in our GitHub orders repository: retained indefinitely as part of our audit log; we will delete specific personal information on verifiable consumer request as described in §10

We are evaluating shorter retention windows for inactive prospect data. If you'd like your information deleted earlier than the periods above, you can submit a deletion request as described in §10.

9. Security

We use commercially reasonable technical and organizational measures to protect personal information from unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (HTTPS/TLS) for all interactions with our website and order wizard
  • Encryption at rest in our infrastructure providers (Cloudflare, GitHub, Stripe, Resend) by default
  • Multi-factor authentication on all administrative accounts
  • Principle of least privilege — staff access limited to what's needed for their role
  • Audit logging of access to customer information
  • Vendor due diligence before adopting new service providers

No security measure is perfect. We cannot guarantee that personal information will never be subject to unauthorized access. If we become aware of a security incident affecting your personal information, we will notify you and applicable authorities as required by law.

10. Your rights

Depending on where you live, you may have the following rights with respect to your personal information:

10.1 Right to know / access

You can ask us to confirm whether we hold personal information about you and to provide you with a copy.

10.2 Right to correct

If the personal information we hold about you is inaccurate, you can ask us to correct it.

10.3 Right to delete

You can ask us to delete personal information we hold about you. We may decline if a legal obligation requires us to retain it (such as tax records).

10.4 Right to opt out of sale or sharing for behavioral advertising

As stated in §6.5, we don't sell or share personal information for cross-context behavioral advertising. If this changes, we'll provide a "Do Not Sell or Share My Personal Information" mechanism on our website.

10.5 Right to limit use of sensitive personal information

As stated in §3.4, we don't collect sensitive personal information. If this changes, we'll provide a "Limit the Use of My Sensitive Personal Information" mechanism on our website.

10.6 Right to non-discrimination

We will not discriminate against you for exercising any of these rights. We will not deny services, charge different prices, or provide a different level of service because you exercised a privacy right.

10.7 How to exercise your rights

Submit a request by emailing michael@quantum-dynamics.org with the subject line "Privacy request — [your request type]". We will:

  1. Acknowledge your request within 10 business days
  2. Verify your identity by confirming you control the email address you used to interact with us, and where appropriate by asking corroborating questions about your interaction history
  3. Substantively respond within 45 calendar days, with a single 45-day extension if reasonably necessary, with notice to you

You can submit a request through an authorized agent, but we may require written proof of authorization and additional identity verification.

11. California disclosures

This section provides specific disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), for California residents.

11.1 Categories of personal information collected

In the preceding 12 months, we have collected the following categories of personal information, as defined by the CCPA/CPRA:

| Category | Examples we collect | Sources |
|---|---|---|
| A. Identifiers | Name, email, phone, IP address | You; your browser |
| B. Personal information per Cal. Civ. Code §1798.80(e) | Name, contact info, employer name, employer address | You |
| C. Protected classifications | None | |
| D. Commercial information | Inquiries about our services; if you become a customer, records of services purchased | You |
| E. Biometric information | None | |
| F. Internet/network activity | IP address, browser type, pages visited, referring URL | Your browser; Cloudflare logs |
| G. Geolocation data | Approximate location inferred from IP address; we do not collect precise geolocation | Cloudflare |
| H. Sensory data (audio, visual) | None | |
| I. Professional or employment information | Company name, your role, business contact info | You |
| J. Education information | None | |
| K. Inferences drawn from above | We do not draw inferences for profiling | |
| L. Sensitive personal information (CPRA) | None — see §3.4 | |

11.2 Business and commercial purposes

We collect personal information for the purposes described in §4 above. These constitute "business purposes" under the CCPA/CPRA: providing requested services, performing a contract, processing payments, customer service, security, fraud prevention, legal compliance, internal analytics on aggregated data, and improving our services.

11.3 Categories disclosed for business purposes

We disclose categories A, B, D, F, G, and I to the service providers listed in §6.1, each of whom is contractually limited to using the information solely for the purpose of providing services to us.

11.4 No sale or sharing

In the preceding 12 months we have not sold personal information and we have not shared personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age.

11.5 California "Shine the Light"

California residents may request information about disclosures of personal information to third parties for direct marketing purposes by emailing michael@quantum-dynamics.org. We do not currently make such disclosures.

12. European / UK disclosures

If you're located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the EU/UK General Data Protection Regulation (GDPR):

  • Right of access (Article 15) — to obtain confirmation of whether we process your data and a copy
  • Right to rectification (Article 16) — to correct inaccurate data
  • Right to erasure (Article 17) — to have data deleted, subject to limitations
  • Right to restrict processing (Article 18) — to limit how we use it in certain circumstances
  • Right to data portability (Article 20) — to receive your data in a portable format
  • Right to object (Article 21) — to object to certain processing
  • Right to withdraw consent — where consent is the legal basis for processing
  • Right to lodge a complaint with your supervisory authority (e.g., a Data Protection Authority in your EU member state, the ICO in the UK, the FDPIC in Switzerland)

Legal bases for processing: we rely on Article 6(1)(b) (performance of a contract) for processing necessary to respond to your inquiry or perform a contract with you, Article 6(1)(c) (legal obligation) for compliance-driven processing, and Article 6(1)(f) (legitimate interests) for security, fraud prevention, and limited internal analytics. We balance our legitimate interests against your rights and freedoms, and you may object as described above.

International transfers: see §7. Where your data is transferred to the United States, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

Quantum Dynamics has not appointed an EU representative under Article 27 GDPR because we do not regularly target European data subjects and our processing in the EU is occasional. If our activities change, we will appoint a representative and update this Policy.

13. Cookies and tracking

We use a minimal set of cookies and similar technologies on our website. As of the effective date of this Policy:

| Cookie / technology | Purpose | Duration |
|---|---|---|
| Cloudflare security cookies (e.g., __cf_bm) | Bot detection and protection against automated abuse. Strictly necessary. | Session, up to 30 minutes |
| Stripe cookies (only on Stripe-hosted Checkout pages) | Fraud prevention. Set by Stripe; governed by Stripe's privacy policy. | Per Stripe's policy |

We do not set marketing cookies, advertising cookies, or third-party tracking pixels. We do not use Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Hotjar, Intercom, or similar.

You can configure your browser to refuse cookies or alert you when cookies are being sent. Refusing strictly necessary cookies may break functionality (such as the order wizard's anti-bot protection).

14. Children's privacy

Our services are intended for businesses, not for individuals under 18 years of age. We do not knowingly collect personal information from children under 13, and we do not knowingly process personal information of California residents under 16 for purposes of selling or sharing. If you believe a child under 13 has provided us with personal information, please contact us at michael@quantum-dynamics.org and we will delete it promptly.

15. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our service providers, or applicable law. The "Last updated" date at the top of this Policy indicates when it was most recently changed. For material changes, we will provide additional notice — for instance, by posting a prominent notice on our website or, where we have your email address, by sending you a notification.

Continued use of our website or services after a change to this Policy constitutes acceptance of the updated Policy.

16. How to contact us

For privacy questions, requests, or complaints:

  • Email: michael@quantum-dynamics.org with subject "Privacy request"
  • Phone: +1 (310) 504-4075
  • Mail: Quantum Dynamics LLC, Attn: Privacy, 2121 Avenue of the Stars, Suite 800, Los Angeles, CA 90067, USA

If you're a California resident and you'd prefer not to email, you can leave a voicemail with your name and phone number and we'll call you back within five business days.

If you're an EEA, UK, or Swiss resident, you also have the right to lodge a complaint with your local supervisory authority. We'd appreciate the chance to address your concerns first; please contact us before escalating.