Privacy & Policy

Updated: 2025-10-30

1. Overview

1.1. This Quantum L7 AI Privacy Policy (hereinafter — the “Policy”) describes what data we collect, the legal bases for processing, where and how we store it, how we protect it, and how we transfer it within the ecosystem: website, Web-MiniApp, Telegram Mini App, Telegram bot(s), API, Forum, analytics services, and trading interfaces (incl. the Exchange under development).

1.2. By using Quantum L7 AI services (“Service”), you confirm that you have read the Policy and accept its terms. The Policy is intended to transparently inform users, is not individual legal advice, and does not replace contracts/offers/policies of specific vendors.

1.3. We act as a data controller with respect to personal data we collect and for which we determine the purposes/means of processing, and as a processor where we process data on behalf of clients/partners.

1.4. The terms “personal data,” “processing,” “controller,” “processor,” “data subject,” and “international transfer” are used as defined by global regulatory frameworks (GDPR/UK GDPR, CCPA/CPRA, etc.).

1.5. Our services interact with on-chain sources and market feeds: public blockchain data is inherently open and is not our “personal data,” but correlations with your account may constitute personal data.

2. What We Collect

2.1. Account and identification data: Telegram ID/username/display name (when logging in via Telegram Mini App or bot), internal Account ID, subscription status labels (VIP/Free), interface language.

2.2. Contact data: email (if provided), Forum nickname, reference identifiers of external accounts (Google, Apple, Twitter/X, Discord, etc.) when linked.

2.3. Authorization and linkages: the fact and route of login through a multi-provider ecosystem (OAuth/OIDC, Telegram WebApp initData, Sign in with Apple/Google/Twitter/X/Discord, wallet signature, magic link), technical tokens/stamps/signatures (without storing private keys or seed phrases).

2.4. Wallets and networks: public addresses, networks used (L1/L2), transaction metadata related to subscription payments via NowPayments and on-chain confirmations.

2.5. Usage data: visited pages/screens, interface actions, timestamps, hashed IP, user agent, client performance parameters, error telemetry.

2.6. Forum and content: posts, topics, upload metadata (images/video/audio), system scoring artifacts (quality/engagement/anti-spam/anti-sybil), activity statistics for QCoin mining.

2.7. Payments and billing: invoice statuses, payment confirmations (via the integrated payment provider), amounts/currencies/timestamps, technical routing logs.

2.8. On-chain and market data: we index and aggregate public chains/exchange feeds/order books/historical candles for analytical purposes and to provide Service functionality.

3. On-chain and Public Data

3.1. Public blockchain records are available to any network participant; their processing for analytics, indicators, and recommendations is carried out within the permitted use of publicly available information.

3.2. Matching on-chain activity with your account is possible when a wallet/payments/subscriptions are voluntarily linked. In this case, a personal usage profile is created.

3.3. Requests to public nodes/RPC/indexing providers and market aggregators may be logged for reliability, security, abuse prevention, and service quality improvement.

4. Cookies, localStorage, and Other Client Artifacts

4.1. We apply minimally necessary mechanisms: language storage, secure session tokens, anti-abuse parameters, UX settings.

4.2. If cookies/localStorage are blocked, some functions may become unavailable or degraded (e.g., sessions, personal limits, language).

4.3. Where required by law, we request consent for non-critical cookies/analytics.

5. How We Use Data

5.1. Providing functionality: authorization/linking of accounts, synchronization of subscription statuses, access to the Forum, MiniApp, bot, analytics dashboards, and recommendations.

5.2. Product improvement: aggregated usage analytics, A/B evaluations, performance telemetry, troubleshooting, improving AI model accuracy.

5.3. Security and integrity: abuse protection (rate limit, anti-spam, anti-sybil), anomaly control, audit of service actions, incident investigation.

5.4. Billing and compliance: processing payment statuses, confirmations, access rights accounting, compliance with financial reporting laws and laws on countering illegal activity.

5.5. Communications and support: responses to requests, status notifications (e.g., successful VIP activation), service messages.

5.6. We do not conduct marketing profiling; mailings are carried out only when a lawful basis exists (e.g., consent).

6. Transfer and Disclosure to Third Parties

6.1. We do not sell personal data.

6.2. Data may be processed by our subprocessors under our instructions and only for the purposes described in the Policy: compute platforms/hosting, CDN, object storage, queues and caches, monitoring/logging/error tracking, payment gateways, messaging providers (email/Telegram), analytics platforms.

6.3. Disclosure is possible in compliance with the law, lawful requests by competent authorities, and to protect the rights/safety of users and the Service.

6.4. In the event of a change in corporate control (merger/sale of assets), data may be transferred to the successor provided equivalent protection is maintained and notice is given where required by law.

7. Security

7.1. Principles: security by design, least privilege (PoLP), separation of duties, mandatory logging of critical operations.

7.2. Encryption: TLS in transit; encryption at rest for sensitive artifacts; key management with access control.

7.3. Access: multi-factor authentication for admin consoles, role-based access control, environment segmentation (prod/stage/dev).

7.4. Change control: code reviews, signed builds, gradual rollouts, rollbacks, blocking unsafe configurations.

7.5. Testing and monitoring: intrusion detection, alerts, periodic reviews of configurations and permissions.

7.6. Wallet keys and seed phrases: we do not request or store them. Signatures are performed on the user side or in a trusted wallet.

8. International Transfers

8.1. Processing and storage may be carried out in multi-regional infrastructure with geo-replication and load balancing.

8.2. For cross-border transfers, lawful mechanisms are used (including standard contractual clauses, where applicable) and equivalent protective measures.

8.3. The user consents to international data transfer within the scope of providing the Service.

9. Your Rights

9.1. EEA/UK (GDPR): right of access, rectification, erasure, restriction/objection, portability, and the right to lodge a complaint with a supervisory authority.

9.2. USA (including California/CPRA): right to know, correct, delete, opt out of sale/sharing, and the right to non-discrimination for exercising rights.

9.3. Exercising rights: see the “How to Exercise Rights” section. Identity verification is required.

10. Children

10.1. The Service is not intended for children under 13 (or a higher age as required by your jurisdiction).

10.2. If you believe a child has provided us with data, contact us for deletion.

11. Changes

11.1. We may update the Policy to reflect changes in technology, law, and products.

11.2. In the event of material changes, the “Updated” date is revised and, if necessary, a notice is displayed in the interface.

12. Contacts

12.1. Email for privacy requests: quantuml7ai@gmail.com

12.2. Feedback channel (bot): https://t.me/L7ai_feedback

13. Definitions and Scope

13.1. “Service” — websites, Web-MiniApp, Telegram Mini App, Telegram bots, Forum, API, analytics, payment integrations, and trading interfaces.

13.2. “We” — Quantum L7 AI. The Policy covers data where we act as the controller. Third-party services (authorization providers, blockchains, wallets, payment gateways) operate under their own rules.

13.3. The subject of the Policy — user data and operational data necessary for the functioning of the Service.

14. Legal Bases for Processing (GDPR/UK GDPR)

14.1. Contract/necessity for service provision: authorization, access to functionality, billing, and support.

14.2. Legitimate interest: security, abuse prevention, operational analytics with low privacy risk.

14.3. Consent: optional metrics/marketing communications, where applicable. Consent may be withdrawn.

14.4. Legal obligation: storage and disclosure where required by law (e.g., accounting records).

15. Data Storage (Retention)

15.1. We retain personal data no longer than necessary for the purposes of processing or as required by law.

15.2. Benchmarks: service logs 30–180 days; performance telemetry up to 90 days; support correspondence up to 12 months; billing records — according to legal retention periods.

15.3. Anonymized aggregates may be stored longer for research and statistical purposes.

16. Subprocessors and Infrastructure

16.1. Categories of subprocessors: compute platforms and hosting, CDN, object storage, SQL/NoSQL databases, caches and message queues, monitoring/logging/tracing, email/messaging dispatch, payment operators, providers indexing on-chain/market feeds.

16.2. Data Protection Agreements (DPAs) are in place with each subprocessor, and technical/organizational security measures are applied.

16.3. The up-to-date list of categories is available in the Policy; a detailed current list is provided upon request subject to security requirements.

17. Analytics and Metrics

17.1. We may collect aggregated usage metrics (interface coverage, performance, feature adoption) to the extent necessary to improve the product.

17.2. Analytics settings aim to exclude sensitive data and minimize personal identifiers.

17.3. Where required, a consent mechanism is used for non-essential metrics.

18. Logs and Telemetry

18.1. Operational logs may include timestamps, hashed IP, user agent, error traces, request/correlation IDs, response codes.

18.2. Logs are rotated, access-restricted, and used for debugging, capacity planning, DDoS/bot traffic protection, and auditing.

18.3. Logging points are designed in line with the principle of minimization.

19. Mail, Notifications, and Communications

19.1. Messages sent to our addresses/bots are processed for support, contract performance, and service quality accounting.

19.2. You may opt out of non-service mailings; service notifications (e.g., subscription status) are essential for functionality.

20. Webhooks and API

20.1. When using Webhook/API, payloads may be temporarily buffered for reliable delivery, deduplication, and replay protection.

20.2. Do not transmit secrets, private keys, or other materials not intended for third parties via Webhook/API; use signatures, token rotation, and source restrictions.

21. Wallet Linking and Payments

21.1. We store public addresses and network parameters necessary for identification and billing functions. Private keys/seed phrases are not collected or stored.

21.2. Payment processing is performed via an integrated provider; we receive invoice/confirmation statuses and identifiers necessary for VIP subscription activation.

21.3. On-chain payment confirmations are public information; we match them with your account solely for access purposes.

22. Execution Limiters and Risk Contour

22.1. Technical limiters (rate limit, sanity checks) and risk rules apply to trading/analytical modes. These are engineering mechanisms, not guarantees of results.

22.2. The user is responsible for trading decisions, legal compliance, and risk management.

23. Research, Models, and AI

23.1. We may train/validate models on aggregated/pseudonymized datasets where appropriate and lawful.

23.2. When using third-party models, we comply with contractual and technical restrictions on transferring personal data and apply minimization.

24. Automated Decisions

24.1. We do not make solely automated decisions with a legally significant effect on the user.

24.2. Recommendations and assessments are auxiliary signals to support decisions. The final choice remains with the user.

25. Pseudonymization, Aggregation, and Minimization

25.1. Where possible, we pseudonymize identifiers and aggregate metrics, separating keys and data payloads.

25.2. Access to the “key—data” linkage is limited by roles and necessity.

26. Portability and Export

26.1. You may request an export of personal data associated with your account/bot identifier.

26.2. We will provide the data in a machine-readable format, if there are no legal restrictions, and after verification.

27. Exercising Data Subject Rights

27.1. Send a request by email to quantuml7ai@gmail.com or via the feedback bot.

27.2. For identity verification, we may ask you to send a message from the linked Telegram/bot account or to confirm ownership of the associated account/wallet.

27.3. A response is provided within the timeframes established by applicable law; some requests may be limited by security/legislative requirements.

28. Incidents and Breach Notifications

28.1. Response procedures are in place: incident classification, impact containment, root cause investigation, service restoration.

28.2. Where required by law, affected users and regulators are notified and provided with relevant information about the nature of the incident and the measures taken.

29. Jurisdictional Notes

29.1. EEA/UK: GDPR/UK GDPR norms apply regarding data subject rights, lawfulness of processing, and international transfers.

29.2. USA: applicable state laws apply (including CPRA). Where supported technical opt-out signals exist, we strive to honor them.

29.3. Other regions: local rules apply regarding mandatory storage, notification, and protection requirements.

30. Do Not Track (DNT) and Global Privacy Control (GPC)

30.1. If your browser sends DNT/GPC, we account for these signals to the extent technically supported and required by law.

31. Opt-Out Options and Privacy Settings

31.1. You may disable non-essential cookies/analytics, unsubscribe from non-service emails, and restrict bot permissions.

31.2. Core security/functional mechanisms may require minimal processing and cannot be disabled.

32. Accessibility, Languages, and Interpretation

32.1. We provide texts in multiple languages. In case of discrepancies, the English version may prevail for legal interpretation.

32.2. Translations aim to maintain legal equivalence.

33. Data Stores and Location

33.1. Operational databases: relational and/or document-oriented DBMS deployed in a multi-zone architecture with redundancy and replication.

33.2. Caches and queues: Redis clusters/streams/queues to accelerate sessions, anti-abuse logic, and temporary artifacts.

33.3. Object storage: storage of user-uploaded media and backups with managed versioning and lifecycle policies.

33.4. Backups: periodic backups, recovery verification, separation of access rights, encryption at rest.

33.5. Authorization integrations: identity providers (Google, Apple, Twitter/X, Discord, Telegram) provide us with tokens/confirmations; we do not store their passwords or manage their internal databases.

33.6. Geography: data may be processed in multi-regional infrastructure for fault tolerance and performance, using lawful international transfer mechanisms.

34. Policy Term and Versions

34.1. The Policy enters into force as of the “Updated” date indicated above.

34.2. We may retain previous editions for archival purposes and transparency of changes.

Appendix A: Glossary

A.1. Controller — a person/organization determining the purposes and means of processing personal data.

A.2. Processor — a person/organization processing data on behalf of the controller.

A.3. Personal data — any information about an identified or identifiable person.

A.4. International transfer — the transfer of personal data outside the country/region of their initial collection.

Appendix B: Categories of Subprocessors

B.1. Hosting/compute and container orchestration.

B.2. CDN and edge content delivery.

B.3. Databases (SQL/NoSQL) and Redis caches.

B.4. Object storage and backup systems.

B.5. Monitoring/logging/tracing/error tracking.

B.6. Payment operators and on-chain confirmation gateways.

B.7. Messaging providers (email/Telegram) and queue services.

B.8. Blockchain data/market feed indexing and analytics platforms.
