QubitHub

Legal · Last updated 2026-05-13 · v1.0.0-draft

Privacy Policy

This policy describes how QubitHub collects, uses, stores, and shares your personal data when you use qubithub.co and our related services. It applies to everyone who visits the site or holds a QubitHub account, including visitors from the European Economic Area (EEA), the United Kingdom, and Switzerland.

1. Summary

QubitHub is a public platform for hosting and collaborating on quantum circuits, datasets, and related research artifacts. To run the service we process personal data — primarily your account information, the content you upload, and a small amount of technical data about how you use the site.

The short version: we collect what we need to run the service. We do not sell your data. We use a short list of third-party processors (listed in Section 6). We rely on consent for optional analytics and error tracking — everything non-essential is off by default. You have the rights set out in Section 9, and you can contact us at the addresses in Section 14 to exercise them.

Stage-honest disclosure. QubitHub is operated by Nandan Joshi as an unincorporated solo project. Quantputation GmbH is not yet registered. This policy will be updated upon registration. We are committed to the GDPR-required obligations irrespective of corporate form.

2. Who we are

The controller of your personal data, within the meaning of Article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), is:

  • Nandan Joshi, operating as QubitHub (an unincorporated solo project; commercial register and VAT-ID not applicable until registration of Quantputation GmbH)
  • Postal address: [IMPRESSUM_POSTAL_ADDRESS]
  • Email: privacy@qubithub.co

We have not designated a Data Protection Officer (DPO). Our processing activities do not currently meet the thresholds in GDPR Article 37(1). If that changes we will designate a DPO and update this policy.

For everything else (general questions, support, partnerships), email hi@qubithub.co. For privacy-specific questions and to exercise the rights described in Section 9, please use privacy@qubithub.co.

3. Information we collect

3.1 Account information you provide

When you create a QubitHub account, we collect:

  • Identifiers: your full name, username (chosen by you), and email address
  • Authentication credentials: a salted, hashed password (we never store passwords in plaintext)
  • Optional profile data: bio, location, links — only if you choose to add them

3.2 Content you upload

When you create circuits, datasets, README files, or other artifacts, we store the content you upload. This may include:

  • Source code, configuration files, and manifest files
  • Documentation, README markdown, and inline comments
  • Run inputs, parameters, and results
  • Any personal data you choose to include in the content itself (for example, author attributions in a README)

You retain copyright in this content; QubitHub holds only the minimal license necessary to operate the service. See the Terms of Service for the exact license grant.

3.3 Billing information

If you subscribe to a paid plan, our payment processor Stripe collects and processes your payment-card data directly. QubitHub never sees or stores raw payment-card details; we receive only the subscription status, plan tier, billing-period identifiers, and customer ID needed to apply your plan to your account.

3.4 Technical data we collect automatically

When you visit the site or use the API, our servers automatically log a small set of technical data for security, abuse-prevention, and operational purposes:

  • Your IP address (for the duration of the request and short-term logs)
  • Browser type and version, operating system, device class
  • Pages requested, response status codes, timestamps
  • Referring URL (if your browser sends one)
  • Audit-log entries when you perform account- or content-changing actions (account creation, login, circuit creation, transfer, deletion, etc.)

3.5 Optional analytics and error tracking

With your consent (via the cookie banner that appears on your first visit), we use the following optional services:

  • PostHog — product analytics, to understand how visitors and users navigate the site so we can improve it. Collects page views, click events, and a device identifier stored in your browser's local storage.
  • Sentry — error tracking, to identify and fix bugs. Collects error stack traces, browser context, and (when you have consented) a session-replay recording of the page state immediately before the error. Session replay defaults to masking all text input and media; you can disable it entirely in your account settings.

If you decline consent, neither of these services runs in your browser and neither collects any data from your session. You can withdraw or change consent at any time from the link in the site footer.

3.6 Communications you send us

If you email us (at hi@qubithub.co, privacy@qubithub.co, or another address) we receive the content of your message and any data you include. We store these emails for as long as they remain operationally relevant; you can request earlier deletion at any time.

5. How we use information

We use personal data to:

  • Create and operate your QubitHub account
  • Store, display, index, and serve the content you upload
  • Process the runs you start and return their results to you
  • Process payments and manage subscriptions (via Stripe)
  • Send transactional emails (welcome, password reset, run completion, billing receipts)
  • Detect and prevent abuse, fraud, and security incidents
  • Comply with legal obligations and lawful requests
  • Improve the service through aggregated analytics (only with consent)

We do not sell personal data. We do not engage in automated decision-making with legal or similarly significant effects under GDPR Article 22.

6. Who we share information with

We share personal data with a short, audited list of processors who help us run the service. Each processor is bound by GDPR Article 28 processor obligations, either through their standard data-processing terms (which we have accepted) or a custom DPA:

ProcessorPurposeRegion
HetznerPrimary infrastructure (servers, storage, network)Germany
Cloudflare R2Object storage for circuit files, datasets, run artifactsEU jurisdiction
StripePayment processing and subscription billingEU + global
ResendTransactional email deliveryEU available
PostHogProduct analytics (consent-gated)EU (eu.posthog.com)
SentryError tracking and session replay (replay consent-gated)EU region
BetterStackUptime monitoring and log aggregationEU available

Beyond these processors, we share personal data only:

  • With your consent — for example, when you make a circuit public, the content (and any author attributions you chose to include) is visible to other QubitHub users and to anyone on the public internet.
  • In response to lawful legal process — court orders, subpoenas, regulatory requests, or other legal obligations. We do not voluntarily disclose user data to law enforcement absent a valid legal basis.
  • In connection with a corporate transaction — if QubitHub or its operating entity is involved in a merger, acquisition, asset sale, or financing, personal data may be transferred as part of that transaction. We will notify you and update this policy if such a transfer occurs.

7. International transfers

Our primary infrastructure is located in Germany (Hetzner), and our object storage and analytics processors are configured for EU regions where available. Some of our processors (notably Stripe) operate globally and may transfer personal data outside the EEA — in those cases the transfer relies on:

  • An adequacy decision by the European Commission for the receiving country, where one exists, or
  • The European Commission's Standard Contractual Clauses (SCCs), supplemented by additional technical and contractual measures where required by the Schrems II ruling.

We do not currently rely on derogations under GDPR Article 49 for any routine processing. If that changes we will update this section.

8. Data retention

We keep personal data only for as long as we need it for the purposes described in this policy, plus any period required by applicable law:

  • Account data: for the lifetime of your account, plus up to 90 days after deletion to allow for backup purge and operational rollback.
  • Uploaded content: for the lifetime of the corresponding repository or artifact. When you delete content, we remove it from active systems immediately and from backups within 90 days.
  • Run logs and results: retained alongside the associated circuit unless you delete them.
  • Server access logs: 30 days, then purged.
  • Audit logs (account-changing and content-changing events): retained 365 days, then archived. We may retain audit records longer where necessary to investigate fraud or abuse, or to comply with legal obligations.
  • Billing records: retained as required by German commercial and tax law (currently up to 10 years for invoices and related accounting records under §147 AO).
  • Analytics and error data (PostHog, Sentry): per the retention policies of each processor — typically 7–90 days for raw event data and longer for aggregated metrics.

9. Your rights

If you are in the EEA, the UK, or Switzerland, you have the following rights under the GDPR (and equivalent local laws):

  • Right of access (Art. 15) — to obtain a copy of the personal data we hold about you, along with information about how we process it.
  • Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — to have your personal data deleted, subject to the lawful retention obligations described in Section 8.
  • Right to restriction of processing (Art. 18) — to ask us to stop processing your data in certain circumstances while you contest its accuracy or our lawful basis.
  • Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format (we provide JSON exports for account data and the corresponding Git repository for content).
  • Right to object (Art. 21) — to object to processing based on our legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds that override yours.
  • Right to withdraw consent (Art. 7(3)) — at any time, with future effect, where we rely on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — with a supervisory authority (see Section 15).

10. How to exercise your rights

Today (manual workflow). To exercise any of the rights in Section 9, email privacy@qubithub.co from the email address associated with your QubitHub account. We will respond within 30 days as required by GDPR Article 12(3). For complex requests we may extend by up to 60 additional days and will tell you within the first 30 days if we need that extension.

We may need to verify your identity before fulfilling certain requests, particularly access and erasure. We will not ask for any documents beyond what is necessary to confirm the request comes from you.

Self-service is coming. Account deletion and data export are currently handled by the manual email workflow above. A self-service flow for both is scheduled to ship in our next service update (Sprint 18, Q3 2026). We will update this section when it is live. In the meantime, the manual workflow delivers the same rights on the same statutory timelines.

Your consent record. From May 2026, we record your consent to these Terms and this Privacy Policy at account creation — the timestamp and the version of each policy you agreed to. You can request the exact timestamp and policy versions on file for your account by emailing privacy@qubithub.co.

11. Cookies and similar technologies

We use a small number of strictly-necessary cookies for authentication and security (these do not require consent under ePrivacy Article 5(3)). We use optional cookies and local-storage entries for analytics and error tracking — these only run after you give consent through the cookie banner.

Full details — every cookie or storage entry we use, its purpose, its lifetime, and how to opt out — are in our Cookie Policy. You can withdraw consent at any time from the "Cookie preferences" link in the site footer.

12. Children

QubitHub is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, please do not create an account or send us your personal data. If you are a parent or guardian and believe your child has provided us with personal data, contact us at privacy@qubithub.co and we will delete the data.

13. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, the services we use, or applicable law. The "Last updated" date at the top of this page indicates when the policy was last revised. Material changes will be announced through an in-app notice or by email to your account address before they take effect. Earlier versions are available on request.

14. Contact us

For privacy-related questions, to exercise the rights in Section 9, or to report a concern about our handling of your data:

  • Email: privacy@qubithub.co
  • Postal mail: [IMPRESSUM_POSTAL_ADDRESS]

For general inquiries unrelated to privacy, please use hi@qubithub.co.

15. Supervisory authority

You have the right to lodge a complaint with a data-protection supervisory authority. The lead authority for QubitHub is the data protection authority for the Bundesland where the controller is established ([LAWYER-REVIEW-REQUIRED: confirm correct Land authority based on the postal address in Section 2]).

At the federal level you may also contact:

  • Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
  • Website: bfdi.bund.de

If you are in another EEA Member State, the UK, or Switzerland, you may also contact your local supervisory authority.