Privacy Policy

1. Scope

This Privacy Policy describes how Quantum Pipes Technologies LLC, a Wyoming limited liability company ("Quantum Pipes," "we," "our," "us"), handles information about you when you visit www.askqp.com, create an AskQP account, download or run the AskQP desktop application, or use the AskQP cloud-action service (together, the Service).

The AskQP desktop application runs on your device. Your files, your Vault, your conversations, and your audit chain live on your hardware. This Policy explains the limited circumstances in which information leaves your device, what we receive, what we do with it, and what we never do with it.

Separate written agreements (for example, an enterprise subscription contract, a Business Associate Agreement, or a Data Processing Addendum) govern any commercial relationship you sign with us. Where a written agreement conflicts with this Policy, the written agreement controls for that relationship.

2. The data path

AskQP is a local-first product with optional cloud actions. Two paths exist, and they handle data differently.

What stays on your device, always

• Your Vault. Documents, code, spreadsheets, images, and other files you index into AskQP are stored in an encrypted local database on your hardware.
• Your conversations and outputs. The full history of prompts and generated work lives locally.
• Your Capsule audit chain. Every AI decision is sealed into a tamper-evident, cryptographically signed record on your device.
• Your local-AI inference. When you run a command against a local model, no data leaves your device for that request.

What transits when you run a cloud action

When you choose to run a cloud action (any operation that uses our cloud GPU, for example a frontier-model research report or a cascade phase), the following is sent to a Quantum Pipes inference endpoint over TLS 1.3:

• The prompt for that specific action.
• The context you selected for that action (for example, specific Vault excerpts you attached). Files you did not attach to the request are not transmitted.
• Authentication metadata (your account identifier and a short-lived token) so we can attribute the action to your subscription.

What happens on the cloud GPU

Cloud actions execute on dedicated GPU instances. Each instance is configured so that:

• GPU memory is wiped after every request.
• Your prompts and your context are not written to persistent disk.
• Your inputs and outputs are not used to train any model.
• Operational logs record the bare minimum required for billing and reliability: action type, action count, error type, and duration. Logs do not contain your prompts, your context, or your generated outputs.

Cloud actions are an opt-in capability. Every request that would use the cloud GPU is initiated by you (by issuing a command in AskQP). You can run AskQP with local-only models and never invoke a cloud action.

3. Information we collect

Account information

• Email address. You provide it to receive a magic-link sign-in, to receive your license, and so we can contact you about your subscription.
• License identifier and signature. When your subscription begins, we issue an Ed25519-signed license keyed to your email and your tier. The license is stored on your device.
• Subscription state. Your plan, billing cycle, included cloud-action allowance, and overage usage for the current period.
• Device records. The number of devices a given license is bound to (one, three, or ten depending on tier). We record device counts, not device contents.
• Magic-link tokens. Single-use, short-lived tokens issued for sign-in and for the optional onboarding email-migration flow. Tokens expire quickly and are deleted on use.

Information you give us directly

• Email correspondence. When you write to wecare@quantumpipes.com or hello@quantumpipes.com, we receive whatever you send so we can respond.
• Onboarding inputs. If you complete the in-app onboarding checklist, the values you enter (for example, your domain or your role) are stored to personalize your starter Spaces.

Information collected automatically

• Edge request logs. Our hosting provider, Cloudflare, Inc., processes routine network metadata for every request: IP address, user-agent string, requested URL, response status, and approximate timing. This is standard CDN telemetry used to deliver pages, mitigate abuse, and keep the Service online.
• Cloud-action telemetry. For each cloud action, we record: action type, action count, error type if any, duration, and the tier the action was billed against. We do not record your prompts, your context, or your generated outputs.
• Privacy-respecting analytics (when enabled). On the marketing site we may use Cloudflare Web Analytics, which records aggregate page metrics without setting cookies, fingerprinting browsers, or identifying individual visitors.

Cookies

The Service uses one application cookie: __Host-session, set on the askqp.com domain after you complete a magic-link sign-in. It is HttpOnly, Secure, SameSite=Lax, scoped to the askqp.com host, and contains an opaque session identifier with no personal data. It expires when your session ends.

Cloudflare may set short-lived strictly-necessary cookies (for example, __cf_bm for bot management or _cfuvid for rate limiting) when its security features are active. These cookies do not contain personal information, are not used for advertising or cross-site tracking, and expire on a short timeline.

We set no advertising cookies, no cross-site tracking cookies, and no marketing-automation pixels.

4. What we do not do

• We do not sell or rent your information to anyone.
• We do not share your information with data brokers or advertisers.
• We do not load third-party advertising or marketing-automation scripts.
• We do not write your prompts, your Vault contents, your attached context, or your generated outputs to long-term storage on our infrastructure.
• We do not retain your prompts or outputs after a cloud action completes.
• We do not perform browser fingerprinting on the marketing site.
• We do not use session-recording, replay, or heatmap tools.
• We do not engage in cross-site tracking of any kind.

5. AI training and model improvement

We do not use your prompts, your context, your Vault contents, or your generated outputs to train any AI model, ours or any third party's.

This is an architectural commitment, not a marketing posture: cloud-action GPU instances are configured to wipe memory after every request, training pipelines have no read access to inference endpoints, and the only telemetry that crosses the boundary is the operational metadata described in Section 3.

If we ever introduce an opt-in evaluation or feedback program (for example, a "rate this output" feature that asks you to submit a specific prompt and response for quality review), participation will be explicit, per-submission, and revocable. We will not enroll you in such a program by default and will never derive blanket training consent from your subscription.

6. Sub-processors

We engage a small set of vendors to operate the Service. Each is contractually bound to handle data on our behalf only.

We update this list when it changes. Material additions are reflected here with an updated effective date and announced to active subscribers by email at least thirty (30) days before they take effect, except where the addition is required for security or fraud prevention.

7. Healthcare and HIPAA

Quantum Pipes is not a Covered Entity under the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The standard AskQP subscription does not establish a Business Associate relationship and is not intended for processing Protected Health Information ("PHI") through cloud actions.

For qualifying enterprise customers who need to use AskQP in workflows that involve PHI, we offer an optional Business Associate Agreement and a dedicated deployment configuration on request. Until you have signed a Business Associate Agreement with us, you must not transmit PHI through cloud actions, and you must take reasonable steps to keep PHI inside your local Vault where it stays on your device.

To request a BAA, contact hello@quantumpipes.com.

8. Legal bases (EU/UK visitors)

If the EU or UK General Data Protection Regulation applies to you, we rely on the following legal bases:

• Performance of a contract. Operating your account, issuing your license, processing your subscription, and delivering cloud actions you request.
• Legitimate interests. Securing the Service, preventing abuse, and operating it reliably. Our interest is keeping the Service available and trustworthy, balanced against your reasonable expectations.
• Consent. Optional features that require explicit opt-in (for example, future feedback programs).
• Legal obligation. Tax, accounting, fraud prevention, and responses to lawful process.

9. Your rights

Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to the processing of personal information about you. We honor these rights for all users, regardless of jurisdiction.

To exercise any right, email wecare@quantumpipes.com with the subject line "Privacy Request." We verify your request and respond within thirty (30) days, or sooner where the law requires.

California (CCPA / CPRA)

In the past twelve months we have collected the categories of information described in Section 3: identifiers (email, IP, license ID), commercial information (subscription state), internet activity (request logs), and the contents of communications you initiate. We do not sell or share personal information as those terms are defined under California law and have not done so in the past twelve months. We do not use sensitive personal information for purposes that trigger a right to limit.

You may submit "Right to Know," "Right to Delete," "Right to Correct," and opt-out requests to wecare@quantumpipes.com. We will not discriminate against you for exercising any right.

Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Florida, and other state frameworks

Residents of states with comprehensive privacy laws (including VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, FDBR, and analogous frameworks in Indiana, Iowa, Tennessee, Montana, Delaware, New Hampshire, New Jersey, Kentucky, and others as enacted) have rights to access, correct, delete, and obtain a portable copy of personal information; to opt out of targeted advertising, sale, and certain profiling; and to appeal a denied request. Use the same email address above to exercise these rights.

EU, UK, and Switzerland (GDPR / UK GDPR)

You have rights to access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, and to lodge a complaint with your supervisory authority. We prefer that you contact us first so we can resolve the issue directly.

Authorized agents

You may use an authorized agent to submit a request on your behalf. We will ask for written proof of authorization and, where required, may also verify directly with you.

10. International transfers

Our infrastructure is operated primarily in the United States. Cloudflare's edge network is global, which means a request to the marketing site may be served from a data center outside your country. Where the GDPR applies, we rely on Standard Contractual Clauses and supplementary measures with each sub-processor for international transfers.

The Service is offered from the United States and is not actively targeted to residents of the European Economic Area, the United Kingdom, or Switzerland. We have not appointed an Article 27 representative under the GDPR. If you access the Service from those regions, you do so at your own initiative and are responsible for ensuring that your use complies with local law. EU/UK/Swiss residents retain the rights described in Section 9 and may exercise them by contacting wecare@quantumpipes.com.

11. Retention

• Account information. Retained while your account is active. On account deletion, deleted within thirty (30) days, except where retention is required by law, audit obligations, or fraud prevention.
• Subscription and billing records. Retained for the period required by tax, accounting, and consumer protection law (typically seven years).
• Magic-link tokens. Single-use; expire and are deleted within minutes of issue.
• Cloud-action telemetry. Action counts and billing data are retained for the billing cycle plus a reasonable archival period. Operational metrics are aggregated and retained in summary form only.
• Edge request logs. Retained by Cloudflare under their default retention policy.
• Email correspondence. Retained for as long as needed to address your inquiry plus a reasonable archival period.

12. Security

AskQP authenticates accounts with magic-link sign-in, not passwords. Sign-in tokens are single-use, short-lived, and generated from a cryptographically secure random source. Sessions ride on __Host-prefixed, HttpOnly, Secure first-party cookies containing only an opaque session identifier. Cloud actions are authenticated with short-lived bearer tokens. The desktop sidecar binds to loopback only and fails closed.

The Service uses modern cryptography throughout: AES-256-GCM for symmetric encryption, SHA3-256 for hashing, Ed25519 and ML-DSA-65 for signatures (a dual classical and post-quantum scheme so the audit chain remains verifiable after large-scale quantum computing is practical), and X25519 and ML-KEM-768 for key exchange. The cryptographic posture claims here describe what the supported configuration permits; see the forward-looking-statements note in the Terms of Service.

No Internet service can guarantee perfect security. If you discover a vulnerability, please follow our Vulnerability Disclosure Policy: email hello@quantumpipes.com with the subject line "Security: ASKQP <short description>." Good-faith research within the policy's scope is covered by an explicit safe harbor.

13. Do Not Track and Global Privacy Control

Because the marketing site does not engage in cross-site tracking and the Service sets no advertising cookies, browser signals such as Do Not Track (DNT) and Global Privacy Control (GPC) have no third-party tracking to suppress. We do not change behavior based on those signals because we do not engage in the conduct they are designed to prevent.

14. Children

The Service is intended for adults. We do not knowingly collect personal information from anyone under eighteen (18) years of age, and consistent with the Children's Online Privacy Protection Act ("COPPA"), we do not knowingly collect personal information from children under thirteen (13). If you believe a minor has provided information to us, contact wecare@quantumpipes.com and we will delete it.

We do not subject any user to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Article 22). California residents may also request, under California Civil Code § 1798.83 ("Shine the Light"), a list of any third parties to whom we disclosed personal information for those parties' direct marketing in the past calendar year. We do not engage in such disclosures.

15. Changes to this policy

We may update this Policy as the Service evolves. The "Last updated" date at the top reflects the most recent material change. For substantive changes, we will publish a notice on the marketing site and, for active subscribers, by email at least thirty (30) days before the change takes effect.

16. Contact

Quantum Pipes Technologies LLC
30 N Gould St, Ste N
Sheridan, WY 82801, USA
General: hello@quantumpipes.com
Support and privacy requests: wecare@quantumpipes.com (subject line "Privacy Request")