Privacy Policy
Last updated: July 11, 2026
1. What We Collect
- Account data: email address, display name, and hashed authentication credentials.
- Job data: the circuits you submit (serialized gate lists), execution parameters, and computed results.
- Job metadata: qubit counts, depths, methods used, runtimes, resource consumption, error estimates, and timestamps.
- Billing data: payments are processed by Stripe, our payment provider. Stripe is PCI DSS certified and manages card-data security; it may collect and store your payment and identity information under its own privacy policy. We never see or store full card numbers, only tokens/references and invoice records.
- Technical data: IP address, user-agent, and API request logs kept for security and abuse prevention.
2. What We Do With It
- Execute your jobs and return results, the core of the Service.
- Use job metadata (never circuit contents) to calibrate cost estimates, improve engine routing, and publish aggregate statistics that cannot identify you or your research.
- Send transactional email (receipts, job failures, security notices). Marketing email only with your consent, always with unsubscribe.
- Detect abuse, fraud, and attempts to disrupt the Service.
3. What We Never Do
- We do not sell your data. To anyone. Ever.
- We do not use your circuit contents or results to train machine-learning models made available to others.
- We do not share your circuits with third parties, with one necessary exception: if you explicitly route a job to third-party quantum hardware, the circuit is transmitted to that provider (e.g., Rigetti) to execute it, under their privacy terms.
- We do not claim ownership or publication rights over your research.
4. Storage, Security & Retention
- Your data is encrypted at rest and in transit, and stored securely.
- API access requires per-account tokens, and internal access follows least-privilege controls.
- Job records and results are retained while your account is active or until you delete them; operational logs are retained for a maximum of 30 days; low-level service logs currently rotate after 3 days.
- On account deletion, personal data and stored circuits/results are removed within 30 days, except minimal records we must keep for tax/accounting law.
5. Cookies & Analytics
- The marketing site uses no advertising trackers and no third-party ad cookies.
- The app uses strictly necessary cookies/local storage for sessions.
- If we adopt privacy-respecting analytics (e.g., aggregate page counts), this policy will be updated first.
6. Your Rights
- Access, export, correct, or delete your data at any time via the app or by emailing us.
- EU/EEA users: rights under GDPR including portability, restriction, and objection; our lawful bases are contract performance (Art. 6(1)(b)) and legitimate interest in service security (Art. 6(1)(f)).
- California users: rights under CCPA/CPRA; we do not “sell” or “share” personal information as defined there.
- Complaints may be directed to your local supervisory authority; we’d appreciate the chance to fix it first.
7. Account Deletion
- To delete your account, email info@zksf.org from the address on file.
- Before you request deletion, download or save any certificates, job history, and results you want to keep. Once the account is deleted, all of this information is permanently wiped and cannot be recovered or reissued.
- You have 7 days from your request to save anything you need. On the 7th day, the account and all associated data are deleted.
8. Children
- The Service is not directed to children under 16 and we do not knowingly collect their data.
9. Changes & Contact
- Material changes to this policy are dated at the top and announced by email before taking effect.
- Privacy questions or requests: info@zksf.org.