Website Privacy Policy

1. Data Controller

The data controller for the processing described in this Privacy Policy is:

Quanta Labs GbR
Schellingstr. 101, 80798 München, Germany
Represented by: Ahmed Tageldin, Florian Schmidt
Email: privacy@quanta-labs.ai
Website: www.quanta-labs.ai

[Note: Quanta Labs GmbH incorporation is in progress. Upon registration, the GmbH will succeed the GbR as the contracting party. All rights and obligations transfer automatically.]

If we appoint a Data Protection Officer under § 38 BDSG, their contact details will be published at www.quanta-labs.ai/privacy.

Supervisory authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany | Email: poststelle@lda.bayern.de | Website: www.lda.bayern.de

2. Personal Data We Collect

2.1 Server Log Files (Automatic)

When you visit our website, our hosting provider (Hetzner Online GmbH) automatically collects: IP address (anonymized after processing), browser type and version, operating system, referring URL, pages visited, date and time of access, and amount of data transferred. This data is processed for security purposes and website optimization.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website security and stability). Retention: 30 days, then deleted or anonymized.

2.2 Contact Form and Email Inquiries

When you contact us via our contact form or email, we collect: your name, email address, company name (if provided), phone number (if provided), and the content of your message. This data is processed to respond to your inquiry and, where applicable, to initiate a business relationship.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). Retention: Duration of business relationship + 3 years (§ 195 BGB limitation period); for commercial correspondence, 6 years (§ 257 HGB).

2.3 Client Account and Contract Data

When you become a client, we collect: company name, billing address, contact person details, VAT ID, payment information, and contractual correspondence. This data is processed for contract performance, invoicing, and compliance with legal obligations.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations under AO, HGB). Retention: Financial data 10 years (§ 147 AO); commercial correspondence 6 years (§ 257 HGB).

2.4 Cookies and Analytics

Our use of cookies is described in our separate Cookie Policy. In summary: strictly necessary cookies are set without consent; analytics cookies (Google Analytics) and functional cookies are only set after you give explicit consent via our cookie consent banner.

Legal basis: § 25 TDDDG (consent for non-essential cookies); Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest for strictly necessary cookies).

2.5 Newsletter and Marketing

If you subscribe to our newsletter, we collect your email address and, optionally, your name and company. We use the double opt-in procedure required under German law: after signing up, you receive a confirmation email and must click the confirmation link before receiving any marketing communications.

Legal basis: Art. 6(1)(a) GDPR (consent). You may unsubscribe at any time via the link in each email or by contacting privacy@quanta-labs.ai. Retention: Until you unsubscribe; withdrawal records retained for 3 years for accountability.

3. Recipients of Your Personal Data

We may share your personal data with:

• Hosting provider: Hetzner Online GmbH (Germany) — website hosting and content delivery
• Analytics provider: Google Ireland Limited — website analytics (only with your consent)

We do not sell your personal data. We do not share your data with advertisers.

4. International Data Transfers

Your personal data is primarily processed within the EEA. Where we use service providers in countries outside the EEA (currently: USA for Google services), we ensure appropriate safeguards:

• EU-US Data Privacy Framework for transfers to certified US organizations;
• Standard Contractual Clauses (SCCs) as fallback mechanism;
• Transfer Impact Assessments where required.

You may request a copy of the transfer safeguards by contacting privacy@quanta-labs.ai.

5. Your Data Protection Rights

Under the GDPR, you have the following rights: right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to restriction of processing (Art. 18), right to data portability (Art. 20), right to object (Art. 21), and the right to withdraw consent at any time (Art. 7(3)).

Right to Object (Art. 21 GDPR): Where we process your personal data on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object at any time on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds. Where your data is processed for direct marketing, you may object at any time without giving reasons, and we will cease such processing immediately.

To exercise any right, contact privacy@quanta-labs.ai. We respond within one (1) month; complex requests may require an additional two (2) months with notification. You may also lodge a complaint with Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

6. Security

We implement appropriate technical and organizational measures to protect your personal data, including TLS encryption for all website traffic, access controls, regular security assessments, and data minimization practices. While no system is completely secure, we are committed to protecting your data and will notify you and the relevant authority in the event of a breach as required by GDPR Articles 33 and 34.

7. Children's Data

Our website and services are not directed at individuals under 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a person under 18, we will delete it promptly.

8. Self-Hosted Fonts

We use self-hosted web fonts. No connection to external font servers (such as Google Fonts) is established when you visit our website. Font files are served from our own infrastructure.

[Note: Ensure fonts are actually self-hosted. Per LG München I (Az. 3 O 17493/20, January 2022), loading Google Fonts from Google servers without consent constitutes a GDPR violation. Self-hosting eliminates this risk entirely.]

9. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated prominently on our website. The current version is always available at www.quanta-labs.ai/privacy.