Privacy Policy
In plain language: We collect only what we need to run this platform. We do not sell your data. We use industry-standard security. You have full rights over your data and can request deletion at any time by emailing privacy@quanticaether.com.
1. Introduction
Welcome to Quantic Aether ("we", "our", "us"). We are committed to protecting the personal information you share with us when using our platform at https://quanticaether.com ("Platform").
This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data. It is addressed to users of our Therapeutic Assistant platform, designed for licensed healthcare professionals.
By using our Platform, you agree to the practices described in this policy. If you do not agree with any part of this policy, please discontinue use of the Platform.
Data Controller: Quantic Aether, reachable at privacy@quanticaether.com.
2. What Data We Collect and Why
Account Information
When you create an account, we collect:
- Full name and email address — to identify your account and communicate with you
- Encrypted password (never stored in plain text) — for authentication
- Professional role or license type (optional) — to tailor content to your professional context
- Account creation date and login history — for security and fraud prevention

Usage Data
We automatically collect:
- Pages visited and features used — to improve platform functionality
- Time spent on content — to understand which resources are most useful
- Device type, browser, and operating system — for compatibility and support
- IP address — used for geographic analytics and fraud prevention (pseudonymized)
- Referral source and UTM parameters — to measure marketing effectiveness

Payment Data
Payments are processed through Stripe. We do not store full credit card numbers or CVV codes. We retain only the last 4 digits of your card and the Stripe customer ID for subscription management.

Communication Data
If you contact us by email or through our support channel, we retain those communications to resolve your inquiry and improve our support.

AI Chat and Atlas Doctor Data
When you use our AI features (powered by the 369-Atlas Advanced System), conversation content is processed server-side. We store conversation history associated with your account to provide continuity and to improve the service. No individually identifiable patient data should be entered into the AI assistant.

Voluntarily Submitted Data
Content you submit to the platform (feedback, reviews, or custom prompts) is stored and associated with your account.
3. Health and Special Category Data
This platform is designed for licensed healthcare professionals. We do not intentionally collect health data about end patients. However, users may voluntarily share health-related information in the context of using the AI assistant or support channels.
If health data is processed, the legal basis is:
- Explicit consent (Article 9(2)(a) GDPR): where you voluntarily provide health-related information about yourself
- Professional healthcare purposes (Article 9(2)(h) GDPR): where the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health care, carried out by a health professional

Our recommendations:
- Do not enter identifiable patient data (names, ID numbers, contact details) into the AI assistant
- Use anonymized or pseudonymized case descriptions when seeking clinical decision support
- Ensure your own use of this platform complies with your professional obligations regarding patient confidentiality
We treat any health-related content submitted to us with the highest level of confidentiality and security.
4. How We Use Your Information
We use your personal data to:
- Provide the Service: Create and manage your account, process payments, deliver purchased content.
- Personalization: Remember your preferences, language settings, and recently viewed content.
- Communication: Send transactional emails (receipts, password resets, subscription notices). We do not send marketing emails without your explicit consent.
- Analytics: Understand how users interact with the Platform to improve features and content.
- Security: Detect fraud, prevent unauthorized access, and comply with legal obligations.
- Customer Support: Respond to your inquiries and resolve issues.
- Legal Compliance: Meet our obligations under applicable laws and regulations.
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), our legal bases for processing your personal data are:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the services you requested — account management, content delivery, payment processing.
- Legitimate interests (Art. 6(1)(f) GDPR): Analytics, fraud prevention, and platform improvement — balanced against your rights and freedoms.
- Consent (Art. 6(1)(a) GDPR): Marketing communications and optional analytics cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws (e.g., tax and accounting obligations).
For special category data (health data), the applicable bases are Art. 9(2)(a) (explicit consent) and Art. 9(2)(h) (healthcare professional context), as described in Section 3.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide services. Specific retention periods are:
- Account data: Duration of your account plus 90 days after deletion request
- Payment records: 7 years (legal/tax compliance under Spanish and EU law)
- Support communications: 2 years from the date of the last interaction
- Analytics data: 24 months; aggregated and anonymized after 90 days
- AI chat history: Retained while account is active; deleted upon account deletion or explicit request
- Health-related content voluntarily submitted: Deleted within 30 days of account deletion unless a longer retention is required by law
When data is no longer needed, we securely delete or anonymize it using industry-standard procedures.
9. Your Rights
Under GDPR and applicable data protection law, you have the following rights:
Right of Access (Art. 15 GDPR)
Request a copy of all personal data we hold about you, along with information on how it is processed.

Right to Rectification (Art. 16 GDPR)
Request correction of inaccurate or incomplete data. You can update most account information directly in your dashboard.

Right to Erasure — "Right to be Forgotten" (Art. 17 GDPR)
Request deletion of your personal data. Note: some data may be retained to comply with legal obligations (e.g., payment records for 7 years).

Right to Data Portability (Art. 20 GDPR)
Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) and transfer it to another controller.

Right to Object (Art. 21 GDPR)
Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we demonstrate compelling legitimate grounds.

Right to Restrict Processing (Art. 18 GDPR)
Request that we limit how we use your data in certain circumstances (e.g., while you contest its accuracy).

Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to Lodge a Complaint
File a complaint with the competent supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es. In the UK: ICO. In France: CNIL.
To exercise any of these rights, contact us at privacy@quanticaether.com. We will respond within 30 days. In complex cases we may extend this by a further 2 months, notifying you within the initial 30 days.
10. Data Security
We implement industry-standard security measures to protect your data:
- All data transmitted over HTTPS/TLS 1.3 encryption
- Passwords hashed with bcrypt (cost factor 12+)
- Database encrypted at rest
- Access controls limiting employee access to personal data on a need-to-know basis
- Regular security audits and vulnerability assessments
- API tokens stored encrypted, never in plain text
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. We will notify you and the competent supervisory authority of any data breach affecting your personal information within 72 hours of becoming aware of it, as required by GDPR Art. 33–34.
11. International Data Transfers
Your data may be processed in countries outside your home country, including the United States, where some of our infrastructure providers operate.
For transfers from the EEA to third countries, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
- Adequacy decisions where applicable
By using our Platform, you acknowledge that your data may be processed in these jurisdictions under the safeguards described above.
12. Children's Privacy
Our Platform is not directed to individuals under 16 years of age. We do not knowingly collect personal information from minors under 16. If we become aware that we have collected data from a minor under 16, we will delete that information promptly.
If you believe a minor under 16 has provided us with personal information, please contact us at privacy@quanticaether.com.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to your registered address
- Displaying a prominent notice on our Platform
- Updating the "Last Updated" date at the top of this page
Continued use of the Platform after changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.
14. Contact — Data Controller
Data Controller
Quantic Aether
https://quanticaether.com

Privacy inquiries and rights requests
Email: privacy@quanticaether.com
Response time: Within 30 days

Data Protection Officer (DPO)
Email: dpo@quanticaether.com
For GDPR-specific inquiries, escalations, or complaints.
For urgent security concerns, mark your email subject "URGENT — Privacy".
You also have the right to lodge a complaint with the Spanish data protection authority: Agencia Española de Protección de Datos (AEPD) — www.aepd.es