Privacy Policy

Effective: This policy is effective from October 2nd, 2025.

0. Introduction

At ipQuants AG, we believe in data privacy and security as core principles of our services.

This Privacy Policy describes how ipQuants AG (“we,” “us,” or “our”) collects, uses, and protects your personal data when you use the ipQuants Qthena platform and the different services thereof (the “Services”). This Privacy Policy complements our Terms and Conditions and applies to all users of our Services.

The Privacy Policy states (i) what data we collect through your access to and use of the Services; (ii) the use we make of such data; and (iii) the safeguards put in place to protect your data. The Privacy Policy is to be read and understood as being a complement to our Terms and Conditions.

At ipQuants AG, safeguarding your data is fundamental to our operations. We affirm that the Qthena Solution does not use any user data – whether document content, prompts, instructions, or other user-provided information – for training, fine-tuning, or improving any artificial intelligence (AI), machine learning models, large language models (LLMs), or any other components of our tools. All user activity within Qthena remains completely confidential. The only user-related data we monitor is aggregate activity data strictly necessary to maintain platform security, ensure system integrity, and fulfill our contractual obligations (such as login monitoring and usage statistics). This approach reinforces our commitment to privacy, transparency, and data security.

1. Legal Framework

The Services are operated by ipQuants AG (the “Company”), headquartered at Bahnhofstrasse 28, 8200 Schaffhausen, Switzerland. The Services are therefore governed by Swiss data protection laws and regulations.

ipQuants is also General Data Protection Regulation (GDPR) compliant. The designated representative in the European Union (notably for the purpose of Art. 27 GDPR) is our Data Protection Officer (DPO) at: Eagle lsp GmbH, Neustädter Neuer Weg 22, 20459 Hamburg (e-mail: datenschutz (at) eagle-lsp.de).

2. What Information do we collect, and how do we use it

Our guiding principle is to collect the minimum amount of personal data necessary to fulfill our contractual obligations and deliver secure services.

The data collection is therefore limited to the following:

2.1 Account creation: Creating a Qthena account will give you access to the Services. When you create an account, or your organization creates one on your behalf, we use your email to manage your account, send important service-related notifications, verify your identity, and facilitate password recovery. You can provide an anonymized email, and it is not necessary for our services that the email contains your personal information. It is required that your email is used only by a single individual according to our Terms and Conditions.

2.2 Account Activity: The processing activities carried out by ipQuants for the operation of our Services may vary depending on the Service functionality used. Data mentioned in this policy may be used to detect abusive and fraudulent use of our Services and to enable us to take appropriate measures. This includes monitoring login attempts, user behavior patterns, and system interactions to identify unusual or suspicious activities. The legal basis for this processing is our legitimate interest in protecting our services against non-compliant or fraudulent activities.

2.3 Technical Information: We collect technical data such as IP addresses, browser types, operating systems, and usage patterns. This information is gathered through standard logging mechanisms and is used to ensure the security, stability, and performance of our Services. It also helps us verify compliance with our Terms and Conditions and detect potential security threats.

2.4 Cookies: We use cookies strictly for security-related purposes. These include detecting and preventing fraudulent activities, enhancing security features, and identifying potential threats through location information and session validation. Our cookies do not track personal information for advertising or marketing purposes. They are essential to maintaining the integrity and security of our Services.

2.5 Communication with the Qthena Customer Success Team: When you communicate with our customer success team regarding support, feature requests, or consulting inquiries, your communications may be recorded and stored by our staff. We may use third-party platforms, such as Zoho or Microsoft 365, to manage these communications securely. The legal basis for processing this information is our legitimate interest in fulfilling our contractual obligations to you and improving the quality of our services.

Additionally, the information you provide may be analyzed for reporting purposes, such as informing your organization about the number of support requests we have received and resolved. This analysis helps us meet our contractual obligations. We do not use this data for profiling or targeted advertising.

All staff members are instructed to keep your information confidential and to share it only on a need-to-know basis with other staff members of our organization. This ensures that access to your data is limited to personnel who require it to perform their job responsibilities.

2.6 Communication with the Qthena Sales Team: When you communicate with our sales team regarding inquiries, product demonstrations, or service requests, your communications may be recorded and stored. We may use third-party platforms, such as Zoho or Microsoft 365, to manage these interactions securely. Additionally, we may share your information with our authorized distribution partner to better address your request. By submitting a sales inquiry, you consent to us passing on your request to our distribution partner, who is subject to the same stringent data protection obligations outlined in this Privacy Policy.

The legal basis for processing this information is our legitimate interest in managing sales inquiries and fulfilling our contractual obligations effectively.

2.7 Communication from ipQuants Staff: ipQuants staff primarily communicates with you via email and web conferencing technologies. We may use third-party platforms, such as Microsoft 365 and Zoho, to conduct and manage these communications securely. Your email address will be used to initiate communication related to your account, including creation, support, recovery, inquiries, feedback, and similar matters.

By subscribing to our Services, you are providing consent to this Privacy Policy, including the communication practices outlined herein. It is important to note that we may receive your contact information, such as your email address, from your organization to fulfill our contractual obligations. In such cases, your email will be added to our communication channels as necessary to provide our Services.

We may use your contact information, such as your email address, to send you or your organization information about new feature releases, new product offerings, services, upcoming events, surveys, or other promotions. If you receive an email that you deem unwanted

Kindly note that if you opt out of marketing communications, we may still contact you regarding issues related to our Services, including essential notifications about system maintenance, security updates, feature changes, service disruptions, and other matters necessary to fulfill our contractual obligations and ensure the proper functioning of our Services. We will also continue to respond to your requests as needed.

Where required by applicable law (for example, if you are an EU data subject), we will only send you marketing information by email or contact you by phone if you consent to us doing so when providing your personal data.

When you provide consent to be contacted for marketing purposes, you have the right to withdraw your consent at any time by following the unsubscribe instructions in our emails. Additionally, if you no longer wish to receive future marketing communications or would like your information removed from our mailing list, please contact our customer support team at: cs (at) ipquants.com.

2.8 Third-party Links Embedded in Our Communication with You and/or Services: Our Services may contain links to other websites, and we may use third-party platforms, such as Helpscout and Wistia, to provide embedded knowledge base articles and videos in our Services, or direct links to national and regional patent offices. We are, however, not responsible for the content of any website we link to, and such external websites are regulated by their own terms and conditions and privacy policies.

The legal basis for this processing is our legitimate interest in fulfilling our contractual obligations to provide training and ongoing support to our users effectively and economically.

3. Data Processors

In order to deliver the Services and fulfill our contractual obligations towards you, we rely on different data processors that process different categories of data. Processors never store that data outside of the scope of their specific purpose.

3.1 Third-party processors

3.1.1 CookieYes

  • Purpose: Obtain and manage the consent of website users
  • Processed data: IP address, geolocation, metadata, consent status, device and browser data
  • Legal basis: legitimate interest
  • Retention period: 1 year
  • Guarantees for transfers: Data Processing Agreement, Adequacy Decision, and Standard Contractual Clauses

3.1.2 Greengeeks

  • Purpose: Provision of the website
  • Processed data: IP address, date and time of access, host name of the accessing computer, referrer, visited pages, browser type and version, operating system, access status, use of website functions, access frequency of an individual page, other websites that you visit from this website, either by clicking on a link on this website or by entering the domain directly in the input bar in the same window of your browser
  • Legal basis: legitimate interest
  • Retention period: 24 hours for log data and four weeks for backups
  • Guarantees for international transfer: Data Processing Agreement, and Standard Contractual Clauses

3.1.3 hCaptcha

  • Purpose: Ensuring user actions on our online service (such as submitting a login or contact form) meet our security requirements, bot detection
  • Processed data: IP address, duration of website visit, mouse movements
  • Legal basis: our legitimate interest, performance of contract under ipQuants Terms and Conditions, and provision of Services
  • Retention period: 1 year
  • Guarantees for transfers: Data Processing Agreement, Adequacy Decision, and Standard Contractual Clauses

3.1.4 Zoho

  • Purpose: Store data in relation to customer support and sales activity
  • Processed data: Customer data in order to fulfill the purposes, including but not limited to email address, name, surname, company info, professional position
  • Legal basis: Legitimate interest, performance of contract under ipQuants Terms and Conditions, and provision of Services
  • Retention period: Limited to fulfillment of purposes
  • Guarantees for transfers: Standard Contractual Clauses and Data Processing Agreement
  • More information at: https://www.zoho.com/privacy.html?zredirect=f&zsrc=langdropdown&lb=de

3.1.5 Helpscout

  • Purpose: Deliver knowledge base
  • Processed data: IP address, location data, usage data
  • Legal basis: Performance of contract under ipQuants Terms and Conditions, and provision of Services
  • Retention period: 2 years in general based on type of personal data
  • Guarantees for transfers: Standard Contractual Clauses and Data Processing Agreement
  • More information at: https://www.helpscout.com/company/legal/privacy/

3.1.6 Microsoft Advertising

  • Purpose: Marketing and ads analysis
  • Processed data: IP addresses, device information, browser type and version, operating system, search terms and search queries, click behavior, websites visited, time and duration of website visit, demographic data (e.g., age, gender), location data, interests and preferences, conversion data, cookie IDs, advertising IDs for mobile devices
  • Legal basis: Consent
  • Retention period: 36 months
  • Guarantees for transfers: Data Processing Agreement, EU-US Data Privacy Framework, and Standard Contractual Clauses
  • More information at: https://privacy.microsoft.com/de-de/privacystatement

3.1.7 Google Tag Manager

  • Purpose: Control the use of code snippets (“tags”), such as tracking code on our website
  • Processed data: IP address, device data, such as operating system, browser version, screen resolution
  • Legal basis: Consent
  • Retention period: 14 days for HTTP request logs and 14 months for other data
  • Guarantees for transfers: Data Processing Agreement, EU-US Data Privacy Framework, and Standard Contractual Clauses
  • More information at: https://policies.google.com/technologies/ads?hl=de

3.1.8 Cloudflare

  • Purpose: Data security, content delivery
  • Processed data: Log files containing IP addresses, security fingerprints and performance data
  • Legal basis: Legitimate interest, performance of contract under ipQuants Terms and Conditions, and provision of Services
  • Retention period: 2 months
  • Guarantees for transfers: Data Processing Agreement, EU-US Data Privacy Framework, and Standard Contractual Clauses
  • More information at: https://www.cloudflare.com/trust-hub/gdpr/

3.1.9 Microsoft Azure and/or Microsoft 365

  • Purpose: Cloud storage and delivery of the Services
  • Processed data: IP address, date and time of access, host name of the accessing computer, referrer, visited pages, browser type and version, operating system, access status, use of website functions, access frequency of an individual page, other websites that you visit from this website, either by clicking on a link on this website or by entering the domain directly in the input bar in the same window of your browser, email address, name, surname, company info and content of customer data
  • Legal basis: Legitimate interest, performance of contract under ipQuants Terms and Conditions, and provision of Services
  • Retention period: Limited to fulfillment of purposes
  • Guarantees for transfers: Data Processing Agreement, EU-US Data Privacy Framework, and Standard Contractual Clauses

3.1.10 Hetzner

  • Purpose: Cloud storage and delivery of the Services
  • Processed data: IP address, date and time of access, host name of the accessing computer, referrer, visited pages, browser type and version, operating system, access status, use of website functions, access frequency of an individual page, other websites that you visit from this website, either by clicking on a link on this website or by entering the domain directly in the input bar in the same window of your browser
  • Legal basis: Legitimate interest, performance of contract under ipQuants Terms and Conditions, and provision of Services
  • Retention period: 24 hours for log data and four weeks for backups
  • Guarantees for transfers: Data Processing Agreement, Adequacy Decision and Standard Contractual Clauses

3.1.11 Large Language Models (LLMs) API Providers

  • Purpose: Delivery of generative AI-powered functionalities
  • Processed data: Unique UserID, chat inputs, uploaded content (images, documents etc.). User prompts or generated responses are not used to train or improve LLM models.
  • Legal basis: Performance of contract under ipQuants Terms and Conditions, and provision of Services
  • Retention period: Zero Data Retention Policy for OpenAI LLM API and Azure OpenAI LLM API with the exception of 30 days retention period for API inputs and outputs for abuse protection; up to 72 hours for chat inputs and conversations in Google LLM API
  • Guarantees for transfers: Data Processing Agreement, EU-US Data Privacy Framework, and Standard Contractual Clauses
  • LLM API Providers: The currently available LLM API providers in the Services are:
    • OpenAI LLM API
    • Microsoft Azure OpenAI LLM API
    • Google LLM API
  • More information at:

3.1.12 Wistia

  • Purpose: Delivering knowledge base, video material and product information
  • Processed data: Anonymized IP address, cookies for A/B testing, Anonymous Viewer Analytics, viewer preferences, such as watch progress, captions settings, and interaction history
  • Retention period: 30 days
  • Legal basis: Legitimate interest
  • Guarantees for transfers: Data Processing Agreement, EU-US Data Privacy Framework, and Standard Contractual Clauses
  • More information at: https://wistia.securitypal.com/?utm_source=help-center

 

4. Our Implementation of Large Language Model (LLM) API

In providing generative AI-powered functionalities through the Qthena platform, we integrate with third-party Large Language Models (LLMs) API providers. This section outlines how user data is handled in connection with these integrations.

4.1 Data Processing by LLM APIs: User data processed through LLM APIs is strictly limited to what is necessary for the performance of the specific AI-driven functionality requested. This may include document content, prompts, and instructions provided by the user. Importantly, our implementation of LLMs ensures that no user data – whether document content, prompts, instructions, or any other information – is used for training, fine-tuning, or improving any current or future language models. All data processed through our LLM APIs remains isolated from any datasets used for model development, ensuring complete data privacy and security.

4.2 Data Security Measures: We implement robust security measures to ensure that data shared with LLM API providers is transmitted securely. This includes encryption in transit and at rest, strict access controls, and monitoring of data flows.

Additionally, ipQuants AG has designed extra measures to ensure that no personally identifiable information (PII), such as email addresses or IP addresses, is sent to LLMs API providers by ipQuants. This adds an extra layer of confidentiality and security.

LLMs API providers cannot identify users of ipQuants AG, as any request sent to them is processed solely under “ipQuants AG” without user-specific identifiers. The encrypted responses from LLMs API providers are routed back to our infrastructure, where they are securely delivered to the respective user, maintaining strict data privacy throughout the process.

4.3 Data Retention and Deletion: LLMs API providers process data only transiently to perform the requested tasks. No user data is stored permanently by the API providers unless explicitly stated. Data is deleted automatically after processing is complete, in accordance with our data retention policies and contractual agreements with the API providers.

4.4 Legal Basis for Processing: The processing of data through LLM API providers is based on our legitimate interest in enhancing the functionality and efficiency of our Services, as well as fulfilling contractual obligations to users.

4.5 Third-party Compliance: Our LLMs API providers are required to comply with GDPR and other applicable data protection laws. They are bound by data processing agreements that include standard contractual clauses where applicable, ensuring that your data is handled with the highest standards of privacy and security.

4.6 LLM API Abuse Monitoring: Abuse monitoring features may be configured differently by ipQuants AG depending on the LLM provider or CUSTOMER request. By default, ipQuants deactivates abuse monitoring for specific LLM providers (e.g., Google Gemini).

When abuse monitoring is activated, third-party LLM API providers may automatically scan prompts and outputs for potential policy violations, such as hate speech, harassment, sexually explicit content, or dangerous activities. These scans are fully automated and limited to isolated portions of the prompt or output — not the entire document or session.

Even in such cases of abuse monitoring, prompts cannot be traced back to the USER by the LLM provider. ipQuants ensures that no personally identifiable information — such as email addresses or IP addresses — is transmitted. Any review by the LLM provider is restricted to pseudonymized content linked only to an internal chat ID.

Even if third-party LLM abuse monitoring is deactivated, ipQuants may apply its own internal abuse detection measures to ensure platform integrity and compliance with applicable laws.

5. Data Disclosure

ipQuants will only disclose the limited user data that we might possess if we are legally obligated to do so by a binding request coming from the competent Swiss authorities.

ipQuants AG’s general policy is to challenge requests whenever possible, especially where there are doubts as to the validity of the request. In such situations, we will not comply with the request until all legal or other remedies have been exhausted.

Under Swiss law, subjects of judicial procedures have to be notified of such procedures, although such notification must come from the authorities and not from ipQuants AG.

Under no circumstances can ipQuants AG decrypt end-to-end encrypted content or disclose decrypted copies.

6. Your Data Privacy Rights

You can at any time access, edit, delete or export your account data via the Services account interface.

You can at any time contact the Services customer success team to support you with deleting your account data.

If you want the account to be permanently deleted, you can instruct our customer support at any time accordingly.

If you do not renew your Services subscription,

ipQuants retains personal data only as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Account-related data is deleted upon account termination, unless otherwise required by law.

7. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or through our Services. Continued use of the Services after updates constitutes your acceptance of the new terms.