Privacy Policy

Effective Date: January 1, 2025 | Last Updated: January 1, 2025

1. Introduction

This Privacy Policy explains how HackiHub s.r.o., a company incorporated under the laws of the Czech Republic ("KvantumCI", "we", "us", "our"), processes personal and technical data in connection with the provision of the KvantumCI SaaS platform and related services (the "Service").

We are committed to protecting the privacy and security of your information in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the Czech Act No. 110/2019 Coll. on the Processing of Personal Data, and other applicable data protection laws.

By using our Service, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

HackiHub s.r.o.
Registered office: Prague, Czech Republic
Email: privacy@kvantumci.com
Website: https://kvantumci.com

HackiHub s.r.o. acts as the Data Controller with respect to personal data processed through the Service.

3. Scope of Processing

KvantumCI provides a cloud-based platform for DevSecOps analysis, continuous integration pipelines, and project metadata management. We process only technical and non-sensitive data that is required for platform functionality, analytics, and customer account management.

We do not store or process:

  • Source code contents beyond transient analysis
  • End-user personal data from customer systems
  • Special categories of data under Article 9 GDPR (e.g., health, biometric, political opinions)

We only temporarily process data necessary for performing automated analysis, after which only aggregated metadata and statistical results are stored.

4. Types of Data Processed

(a) Account and Contact Data

  • Name, surname, email address, organization name, role, and account credentials.
  • Billing and invoicing details (if applicable).
  • Communication history (support requests, emails).

(b) Operational Metadata

  • Project identifiers, repository names, integration metadata (e.g., GitHub/GitLab project IDs).
  • Scan metrics, timestamps, analysis results, and configuration parameters.
  • Platform usage statistics and audit logs.

(c) Technical Data

  • IP address, browser user agent, device and connection data.
  • System and event logs required for security, debugging, and service continuity.
  • Cookies and session identifiers (see Section 10).

5. Purpose and Legal Basis of Processing

We process data strictly for the following purposes and on the following legal bases:

| Purpose | Legal Basis (GDPR) |
|---|---|
| To register and manage customer accounts | Article 6(1)(b) – Contractual necessity |
| To operate, maintain, and improve the Service | Article 6(1)(b) – Contractual necessity |
| To provide customer and technical support | Article 6(1)(b) – Contractual necessity |
| To perform billing and accounting obligations | Article 6(1)(c) – Legal obligation |
| To ensure security, monitor abuse, and prevent fraud | Article 6(1)(f) – Legitimate interest |
| To generate anonymized analytics and platform performance statistics | Article 6(1)(f) – Legitimate interest |
| To comply with legal obligations and regulatory requirements | Article 6(1)(c) – Legal obligation |

We do not use personal data for automated decision-making or profiling within the meaning of Article 22 GDPR.

6. Data Minimization and Retention

We follow strict data minimization and retention principles:

  • Personal data is stored only as long as necessary to fulfill the contractual or legal purpose.
  • Account-related metadata is retained for the duration of your active subscription and deleted within 30 days after termination.
  • System logs are retained for up to 12 months for audit and security purposes.
  • Backups are encrypted and automatically purged within 90 days.
  • Anonymized or aggregated data (non-personal) may be retained indefinitely for statistical purposes.

7. Data Security

We implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Strict access controls and authentication.
  • Segregation of environments (production vs. testing).
  • Logging and monitoring of system access.
  • Regular vulnerability scans and security assessments.
  • Incident detection and breach notification procedures.

While no system can be guaranteed 100% secure, we continuously enhance our security posture to safeguard all processed information.

8. Data Sharing and Sub-Processors

We may share limited personal or technical data with trusted service providers ("sub-processors") necessary to operate our platform. All sub-processors are contractually bound by GDPR-compliant Data Processing Agreements (DPAs) and act solely under our documented instructions.

Typical categories of recipients include:

  • Cloud infrastructure providers (e.g., AWS, Cloudflare)
  • Payment processors (e.g., Stripe)
  • Logging, analytics, and monitoring services
  • Professional advisors (legal, accounting, compliance)

We do not sell, lease, or otherwise commercialize any personal data.

9. International Data Transfers

Our primary infrastructure is located within the European Union. In the event data must be transferred outside the EEA, such transfer occurs only when:

  • The destination country provides an adequate level of protection (Article 45 GDPR), or
  • Appropriate Standard Contractual Clauses (SCCs) or equivalent safeguards are implemented (Article 46 GDPR).

We continuously monitor our sub-processors to ensure compliance with applicable transfer requirements.

10. Cookies and Tracking Technologies

KvantumCI uses cookies and similar technologies strictly necessary for:

  • Secure authentication and session management.
  • Maintaining user preferences.
  • Measuring basic system performance.

No advertising or tracking cookies are used. You may disable cookies in your browser settings; however, doing so may limit platform functionality.

11. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access – to obtain confirmation and a copy of your personal data.
  • Right to rectification – to correct inaccuracies.
  • Right to erasure – to request deletion when data is no longer needed.
  • Right to restriction of processing – to limit certain data uses.
  • Right to data portability – to receive data in a structured, machine-readable format.
  • Right to object – to object to processing based on legitimate interest.
  • Right to lodge a complaint – with the relevant supervisory authority.

To exercise these rights, contact us at privacy@kvantumci.com. We will respond to verified requests within 30 days in accordance with Article 12 GDPR.

12. Supervisory Authority

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent authority:

Úřad pro ochranu osobních údajů (Office for Personal Data Protection)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Website: https://www.uoou.cz
Email: posta@uoou.cz

13. Changes to This Policy

We may update this Privacy Policy to reflect legal, technical, or operational changes. The latest version will always be available at https://kvantumci.com/privacy. Significant updates will be communicated via email or in-app notifications prior to their effective date.

14. Contact Information

For any questions, concerns, or data protection inquiries, please contact:

HackiHub s.r.o.
Attn: Data Protection Officer
Email: privacy@kvantumci.com
Address: Prague, Czech Republic