Legal operations for frontier AI

Terms, GDPR & Privacy Policy.

Legal framework for responsible agentic AI, quantum-inspired optimisation, consulting, research, prototyping, and digital services.

Read legal terms Review privacy policy

Legal entityQubitropy Ltd.

Version1.0 • Effective 9 June 2026

Websitehttps://www.qubitropy.com

Privacy contacthello@qubitropy.com

Overview

One legal hub for a high-trust AI website.

This page combines website terms and conditions, a GDPR compliance statement, a privacy policy, and a cookies notice. It is intentionally written for an agentic AI and quantum-inspired R&D organisation where client work may involve sensitive data, advanced prototypes, model providers, cloud platforms, and research collaboration.

Terms

Commercial rules

Use of the website, proposals, statements of work, acceptable use, intellectual property, liability, payment, confidentiality, AI outputs, and R&D limitations.

GDPR

Compliance framework

Controller/processor roles, lawful bases, data subject rights, DPIAs, security, breach response, processors, international transfers, and privacy-by-design controls.

Privacy

Transparent processing

What data is collected, why it is used, how long it is retained, who it is shared with, and how individuals can exercise their rights.

Low-tracking default

This template assumes no non-essential cookies by default. Add a consent banner only if analytics, advertising, or similar tracking is enabled.

Home Overview Terms GDPR Privacy Cookies Rights Security Contact

Terms and Conditions

Website and service terms.

§1. About these terms

These Terms and Conditions govern access to and use of this website, our online materials, downloadable documents, demo interfaces, enquiry forms, and related digital resources. Separate written agreements, proposals, order forms, data processing agreements, research collaboration agreements, consortium agreements, non-disclosure agreements, or statements of work may apply to paid consulting, research, development, prototyping, implementation, training, support, or managed services.

Where a signed written agreement conflicts with these website terms, the signed agreement will prevail for the specific services covered by that agreement. These terms do not create an obligation for us to provide any services unless we have accepted an order, proposal, or statement of work in writing.

§2. Services and professional scope

We provide agentic AI consulting, quantum-inspired optimisation, research and development, AI governance, evaluation, prototyping, system design, implementation support, and related advisory services. Our services may involve experimental research, emerging technologies, probabilistic systems, third-party platforms, open-source components, model providers, cloud infrastructure, datasets, simulations, and human review workflows.

Unless expressly agreed in writing, our materials are for general business, technical, research, and strategic information only. They are not legal, financial, medical, accounting, investment, tax, safety-critical engineering, or regulated professional advice.

§3. Website access and acceptable use

You may use the website for lawful business and informational purposes. You must not misuse the website, interfere with its operation, attempt unauthorised access, upload malicious code, scrape content at scale without permission, bypass security controls, or use the website in a way that infringes the rights of any person or violates applicable law.

You must not use our website, demos, code samples, or resources to develop, procure, or deploy systems that are unlawful, deceptive, discriminatory, exploitative, abusive, unsafe, or designed to harm individuals, groups, critical infrastructure, democratic processes, or security-sensitive environments.

§4. Proposals, statements of work, and deliverables

Any consultancy or R&D engagement should be governed by a written proposal or statement of work defining scope, assumptions, dependencies, client responsibilities, milestones, acceptance criteria, fees, payment terms, intellectual property treatment, confidentiality terms, data protection responsibilities, security requirements, and termination rights.

Unless agreed otherwise, timelines, estimates, research hypotheses, technical roadmaps, model-performance projections, commercial benefits, and innovation outcomes are indicative only and depend on data quality, access permissions, infrastructure, third-party systems, personnel availability, regulatory constraints, and validation results.

§5. AI, quantum, and R&D limitations

Agentic AI systems, language models, optimisation methods, simulations, and quantum-inspired techniques may produce incomplete, biased, unexpected, non-deterministic, or incorrect outputs. You are responsible for human review, domain validation, safety testing, compliance assessment, monitoring, and approval before relying on outputs in operational, commercial, legal, regulated, or high-impact settings.

Research and development activities may not produce a commercially deployable result. Proofs of concept, prototypes, benchmarks, evaluation reports, technical notes, and demos should be treated as exploratory unless we expressly classify them as production-ready in a signed deliverable.

§6. Intellectual property

The website, visual identity, text, diagrams, software examples, documentation, methodologies, templates, designs, research notes, and other materials are owned by us or our licensors unless stated otherwise. You may not copy, resell, sublicense, reverse engineer, reproduce, adapt, publish, or exploit them beyond normal website viewing or rights expressly granted in writing.

For client projects, ownership and licensing of deliverables, background IP, pre-existing tools, open-source components, client materials, improvements, inventions, models, prompts, datasets, configurations, and reusable methodologies should be defined in the relevant written agreement. Unless agreed otherwise, each party retains ownership of its pre-existing materials.

§7. Confidentiality

Information marked confidential, disclosed in circumstances reasonably indicating confidentiality, or covered by a non-disclosure agreement must be protected and used only for the permitted purpose. Confidential information may include research ideas, source code, architecture diagrams, model evaluations, security findings, client data, financial information, proposals, product plans, and trade secrets.

Confidentiality obligations do not apply to information that is public through no breach, already lawfully known, independently developed without use of confidential information, or lawfully received from a third party without restriction.

§8. Fees, taxes, and payment

Fees, expenses, taxes, payment schedules, invoicing details, late payment consequences, and cancellation terms will be set out in the relevant proposal, order, or agreement. Unless agreed otherwise, quoted prices exclude VAT, sales tax, withholding tax, transfer fees, travel expenses, cloud usage, model API usage, licences, data acquisition costs, specialist tooling, and third-party charges.

We may suspend or delay services where invoices are overdue, required client inputs are unavailable, security requirements are not met, or continuing the engagement would create legal, compliance, safety, ethical, or operational risk.

§9. Third-party services and open-source components

The website and our services may refer to or integrate third-party services such as cloud platforms, model APIs, data providers, code repositories, communication tools, payment providers, analytics services, security tools, or open-source libraries. Third-party services are governed by their own terms, licences, policies, availability commitments, and security practices.

We are not responsible for third-party services beyond the commitments expressly stated in a signed agreement. You must ensure that your use of third-party tools and open-source components is compatible with your legal, security, procurement, export control, and data protection obligations.

§10. Warranties and disclaimers

The website is provided on an “as is” and “as available” basis. We do not guarantee that the website, downloadable materials, code examples, graphics, or public resources will be uninterrupted, error-free, secure, complete, current, or suitable for your specific purpose.

To the maximum extent permitted by law, we disclaim implied warranties including merchantability, fitness for a particular purpose, non-infringement, accuracy, and availability. Nothing in these terms limits liability that cannot legally be limited, including liability for fraud or fraudulent misrepresentation.

§11. Liability

Subject to mandatory law and any signed agreement, we are not liable for indirect, consequential, special, incidental, punitive, exemplary, or economic losses, including loss of profits, revenue, goodwill, data, business opportunity, anticipated savings, or business interruption arising from website use or reliance on public materials.

For paid services, any liability cap, exclusions, professional obligations, indemnities, and insurance requirements should be stated in the relevant signed agreement. You are responsible for maintaining backups, security controls, governance, human review, compliance checks, and internal approvals for your systems and decisions.

§12. Suspension, termination, and changes

We may update, suspend, withdraw, or restrict access to the website or any content at any time. We may update these terms by publishing a revised version with a new effective date. Continued use of the website after changes are published means you accept the updated terms.

We may terminate or refuse access where we reasonably believe there has been misuse, legal risk, security risk, breach of these terms, non-payment, infringement, abusive conduct, or activity inconsistent with responsible AI and research practices.

§13. Governing law and disputes

These terms are governed by the laws of England and Wales, unless mandatory local consumer or data protection laws provide otherwise. Subject to mandatory law, disputes relating to these website terms will be subject to the jurisdiction of the courts of England and Wales.

For client engagements, the governing law, jurisdiction, escalation process, mediation, arbitration, service-level remedies, and dispute handling should be defined in the relevant signed agreement.

GDPR Compliance

Operational privacy controls.

Controller and processor role mapping

For website visitors, enquiries, marketing, recruitment, and our own business operations, we normally act as controller. For client projects where we process personal data only on documented client instructions, we may act as processor. Roles must be confirmed in each engagement.

Lawful, fair, transparent processing

Personal data is processed for specified purposes using an appropriate lawful basis. Privacy notices, project notices, research participant information sheets, and contract schedules should explain processing in clear language.

Data minimisation and purpose limitation

Projects should collect the minimum personal data needed for the stated purpose. Production data should not be used for testing, benchmarking, or model evaluation unless a lawful basis, safeguards, and client approval are in place.

Privacy by design and by default

Architectures should prefer anonymisation, pseudonymisation, least privilege, encryption, access segregation, retention limits, audit logging, and human review, especially for agentic workflows and AI-assisted decision support.

Records, DPIAs, and risk reviews

Maintain records of processing activities where required. Use data protection impact assessments for high-risk processing, large-scale monitoring, sensitive data, vulnerable individuals, AI profiling, or novel technical deployments.

Processor and sub-processor governance

Use written data processing agreements for processors. Maintain an inventory of core processors and sub-processors, review security measures, and ensure processors support rights requests, breach response, deletion, return, audits, and transfer safeguards.

International transfers

Where personal data is transferred outside the EU/EEA or UK, use appropriate safeguards such as adequacy decisions, standard contractual clauses, transfer risk assessments, supplementary security measures, or another lawful transfer mechanism.

Rights handling and complaints

Individuals can request access, correction, deletion, restriction, portability, objection, and review of automated decisions where applicable. Requests should be acknowledged, verified, assessed, and answered within the legally required timeframe.

Lawful basis matrix

Activity	Examples of personal data	Typical lawful basis	Notes
Website enquiries	Name, email, company, role, message, IP/security logs	Legitimate interests; pre-contractual steps; consent where required	Used to respond to requests, qualify leads, prevent abuse, and maintain records.
Client delivery	Business contact details, project communications, meeting notes, access credentials if agreed, system metadata	Contract; legitimate interests; legal obligation	Detailed processing roles should be defined in the statement of work and data processing agreement.
R&D collaboration	Contributor details, research communications, participation records, dataset metadata	Contract; legitimate interests; consent where appropriate; research/public interest where applicable	Use minimisation, anonymisation or pseudonymisation where feasible.
Marketing updates	Name, email, organisation, preferences, engagement metrics	Consent; legitimate interests for B2B soft opt-in where lawful	Unsubscribe or object mechanisms should be available.
Recruitment	CV, portfolio, contact details, interview notes, right-to-work information where applicable	Pre-contractual steps; legitimate interests; legal obligation	Special category data should only be collected where lawful and necessary.
Security and compliance	Access logs, audit trails, device/browser data, incident records	Legitimate interests; legal obligation	Used to protect systems, investigate incidents, and meet compliance obligations.

How personal data is handled.

This policy applies to website visitors, clients, prospective clients, suppliers, consortium partners, applicants, research participants, and other contacts. It should be published where individuals can easily access it before or at the time their data is collected.

01Who we are

Qubitropy Ltd., trading as Qbitropy, is responsible for this website and, where we determine the purposes and means of processing, acts as the data controller.

Registered address: 167-169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF
Company number: 17269480
Privacy contact: hello@qubitropy.com

02Why we process data

Provide, operate, secure, monitor, and improve the website and services.
Respond to enquiries, manage business relationships, prepare proposals, and perform contracts.
Deliver consulting, R&D, prototyping, evaluation, implementation, training, and support services.
Run responsible AI, privacy, security, quality, and project governance processes.
Manage recruitment, suppliers, consortium participation, professional events, and business administration.
Comply with legal, tax, accounting, audit, sanctions, export control, information security, and regulatory obligations.
Send relevant B2B updates or event invitations where lawful, with opt-out controls.

03Categories of personal data

Identity and contact data

Name, organisation, role, professional profile, address, email, phone number, and contact preferences.

Commercial and project data

Proposal history, requirements, statements of work, meeting notes, support requests, billing details, procurement information, and contractual records.

Technical and usage data

IP address, browser/device data, page interactions, security logs, diagnostic logs, demo usage metadata, and system audit trails.

Research and collaboration data

Contributor records, project communications, participant metadata, consent records, research notes, evaluation feedback, and dataset provenance information.

Recruitment data

CVs, portfolios, employment history, interview notes, right-to-work status where applicable, references, and assessment outcomes.

Special category data

Only where strictly necessary and lawful, for example accessibility accommodations, equality monitoring, explicit consent research participation, or legal obligations.

04Sources of personal data

We may receive personal data directly from you, from your organisation, from consortium partners, suppliers, public professional sources, event registrations, recruitment platforms, client systems where authorised, and third-party services used for secure delivery. We do not intentionally collect more personal data than is needed for the relevant purpose.

05Sharing personal data

We may share personal data with authorised personnel, professional advisers, insurers, auditors, payment providers, hosting providers, cloud platforms, model/API providers, security providers, collaboration tools, research partners, subcontractors, and public authorities where lawful and necessary. We do not sell personal data.

Where processors process personal data on our behalf, we use contractual safeguards and require appropriate confidentiality, security, assistance, deletion/return, audit, and sub-processing commitments.

06AI systems, datasets, and automated decisions

We may use AI-assisted tools to draft, analyse, classify, search, summarise, prototype, evaluate, or support project workflows. We aim to avoid feeding personal data into AI systems unless there is a lawful basis, a defined purpose, appropriate safeguards, and client or individual transparency where required.

We do not intend to make legally significant decisions about individuals based solely on automated processing through this website. If an engagement includes profiling, automated decision support, biometric processing, special category data, vulnerable individuals, or high-impact uses, the relevant project should include a written risk assessment and, where required, a DPIA.

Cookies Notice

Tracking-minimised by default.

Cookie categories

Type	Purpose	Consent position in this template
Strictly necessary cookies	Security, session continuity, load balancing, accessibility, and essential site functions.	May be used without consent where strictly necessary.
Preference cookies	Remembering display, language, or accessibility preferences.	Use consent or clear controls where required.
Analytics cookies	Understanding site usage and improving content.	Enable only after consent unless configured in a legally exempt privacy-preserving manner.
Marketing cookies	Advertising, retargeting, cross-site profiling, and campaign measurement.	Do not enable without prior consent and a clear opt-out mechanism.

Individual Rights

Rights request process.

Individuals can contact us using the privacy contact below. We may need to verify identity and may refuse or limit requests where the law allows, for example where rights conflict with another person’s rights, legal privilege, security, confidential information, or legal retention obligations.

Access

Request confirmation and a copy of personal data processed about you.

Rectification

Ask us to correct inaccurate or incomplete personal data.

Erasure

Ask us to delete personal data where there is no overriding reason to keep it.

Restriction

Ask us to restrict processing while a concern is assessed.

Portability

Receive certain data in a structured, commonly used, machine-readable format.

Objection

Object to processing based on legitimate interests or direct marketing.

Withdraw consent

Withdraw consent where processing depends on consent, without affecting earlier lawful processing.

Automated decisions

Request human review or contest decisions where legally significant solely automated decisions occur.

Complain

How to make a request: email hello@qubitropy.com with the subject “Data Protection Request”. Include enough information for us to identify you and understand your request. You also have the right to contact UK Information Commissioner.

Security, Retention & Transfers

Controls for trusted delivery.

SECSecurity measures

Role-based access control and least-privilege permissions.
Encryption in transit and, where appropriate, encryption at rest.
Multi-factor authentication for key systems where available.
Supplier security review and contractual confidentiality requirements.
Secure development, code review, dependency review, and environment separation for client work where appropriate.
Human approval gates for high-impact agentic AI workflows.
Logging, monitoring, backup, vulnerability management, and incident escalation procedures.
Data minimisation, pseudonymisation, anonymisation, and deletion workflows where feasible.

TRFInternational transfers

Personal data may be processed in countries where we, our clients, partners, processors, model providers, or cloud providers operate. Where GDPR transfer restrictions apply, we use an appropriate transfer mechanism such as an adequacy decision, standard contractual clauses, supplementary measures, or another lawful mechanism.

BRBreach response

Actual or suspected personal data breaches should be escalated promptly. We assess scope, risk, containment, notification duties, evidence preservation, remediation, and communications. Where legally required, the competent authority and affected individuals will be notified within applicable deadlines.

Retention schedule

Record type	Indicative retention period	Reason
Website enquiries	Up to 24 months after last meaningful contact	Business follow-up, audit trail, abuse prevention.
Client contracts and statements of work	Up to 7 years after contract end, or longer if required by law	Contract enforcement, accounting, audit, tax, and legal claims.
Project working files	Defined in the statement of work or data processing agreement	Delivery, acceptance, support, deletion/return obligations.
Security logs	Typically 6–24 months unless needed for investigation	Security monitoring, incident response, fraud prevention.
Marketing contacts	Until unsubscribe, objection, inactivity threshold, or withdrawal of consent	Marketing preference management and suppression lists.
Recruitment records	Typically 6–12 months for unsuccessful applicants unless consent or law allows longer	Recruitment decisions, future roles, legal claims.

Contact & Governance

Responsible publication details.

Document control

9 June 2026Last updated

9 June 2026Effective date

1.0Version

Data Protection LeadPolicy owner

Controller / legal entityQubitropy Ltd.
167-169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF

Privacy contacthello@qubitropy.com
+44 (0) 33 022 0044 7

Commercial contacthello@qubitropy.com
https://www.qubitropy.com

Regulation (EU) 2016/679 — General Data Protection Regulation
https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

European Commission — Data protection rules for business and organisations
https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations_en

European Commission — Controller and processor obligations
https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/obligations/controllerprocessor/what-data-controller-or-data-processor_en

European Data Protection Board — SME guide: individual rights
https://www.edpb.europa.eu/sme-data-protection-guide/respect-individuals-rights_en

European Commission — Standard contractual clauses for controllers and processors in the EU/EEA
https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors-euea_en

Printed copy of Terms, GDPR Compliance & Privacy Policy — Qubitropy — version 1.0.