Privacy Policy

Last updated: 2026-04-22 · Operated by Quant Vortex Inc. · [email protected]

1. Introduction

Welcome to AImusphere, an AI entertainment service operated by Quant Vortex Inc., a New York corporation ("we", "us", "our"). This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and your rights regarding it. By using AImusphere you agree to this Privacy Policy and to our Terms of Service. If you do not agree, please do not use the Services. Privacy contact: [email protected]. We respond to data subject requests within 30 days (45 days for CCPA per §1798.130(a)(2)).

2. Information we collect

Information you provide:
- Account information (email address, username, password or third-party SSO identifier)
- Date of birth (for age verification per ToS §2 — see §2.6 below for the strict purpose limitation)
- Communications you send to us (support inquiries, feedback)
- Content you create within the Services (chat messages, persona configurations, generated media)
- Payment-related information that you provide directly to our third-party payment processor — see §2.4

Information collected automatically:
- Device information (browser type, operating system, screen size)
- Usage data (pages visited, time spent, click patterns, error logs)
- Approximate location (country / region level, derived from IP)
- Cookies and similar technologies (see §7)

Information from third parties:
- Authentication providers (Clerk, Google, Apple) if you sign in via SSO — typically email + verified-email-address indicator
- Our third-party payment processor for billing-related identifiers (last 4 of card, billing country, charge status)

2.4 Payment information

Paid checkout is temporarily unavailable while we enable our PCI-DSS compliant hosted payment processor. When checkout is enabled, card numbers, CVCs, and full payment details will be entered on the processor's hosted pages and will never touch our servers (PCI-DSS SAQ A scope).

We retain only:
- Subscription and customer identifiers from our processor (to manage your subscription)
- Last 4 digits of your card (for receipt display)
- Billing country (for tax and jurisdiction routing)
- Charge amount, currency, and timestamp (for receipts and accounting)

2.5 AI processing and third-party LLM subprocessors

AI prompt processors — these subprocessors receive the actual content of your conversations for inference:
- OpenAI — LLM inference (chat fallback). Default retention up to 30 days; 0 days with Zero Data Retention. DPA: https://cdn.openai.com/pdf/openai-data-processing-addendum.pdf · Data usage: https://platform.openai.com/docs/models/how-we-use-your-data
- DeepSeek — LLM inference (chat, voice transcription). Per their published privacy terms (DPA review in progress; EU-resident user data is not routed to DeepSeek until that DPA is executed).
- Replicate — Image generation inference. Per their privacy + processor terms. https://replicate.com/privacy
- RunPod — GPU compute for inference (image / voice). Per their DPA. https://www.runpod.io/legal/data-processing-agreement

Other service providers (process other personal data — auth identifiers, payment, network metadata — but do NOT receive your prompt content):
- Payment processor (PCI-DSS compliant third party) — payment processing; card data never touches our servers. DPA on file; vendor identity available upon GDPR Art. 15 data subject request.
- Clerk — Authentication / identity / session management (email, OAuth identifiers, session tokens). https://clerk.com/legal/dpa
- Cloudflare — CDN, edge cache, DDoS protection, geo-IP routing. Network metadata (IP, headers); no prompt content visible. https://www.cloudflare.com/cloudflare-customer-dpa/

Our commitments:
- Quant Vortex Inc. does not use your conversations to train, fine-tune, or improve any AI model. We have no model-training infrastructure.
- We do not sell or share your conversation data with third parties for advertising or model training purposes.
- We have signed Data Processing Agreements with each subprocessor named above (DeepSeek DPA review in progress as noted).
- International data transfers (US-based subprocessors processing EU/UK personal data) rely on Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). Where a subprocessor is in a jurisdiction with an EU adequacy decision, that adequacy basis is used instead.

Your rights: You may object to specific subprocessor processing by requesting account deletion (see §6). For data subject requests (access, erasure, portability, rectification, opt-out), contact [email protected].

2.6 Date of birth — purpose limitation

Per GDPR Art. 5(1)(c) data minimization, we limit our use of your date of birth to the following purposes only:

(1) Age verification at signup — confirm you are at least 18 (or the higher legal minimum in your jurisdiction).
(2) Child-protection compliance — meet our obligations under COPPA (16 CFR Part 312), GDPR Art. 8, and the UK ICO Children's Code.
(3) Re-verification at age boundaries — if future law requires re-attestation as you cross specific age thresholds (e.g. 13, 16, 18).

We do not use your date of birth for marketing, advertising, content personalization, profiling, or any secondary purpose. Your date of birth is deleted on account deletion (see §6) along with other personal information.

3. How we use your information

We use collected information to:
- Operate the Services — provide AI chat, image generation, voice features, subscriptions, and credit purchases
- Process payments — pass billing information to our third-party payment processor; receive payment status webhooks
- Communicate with you — service announcements, billing receipts, security alerts, support replies, and (with your consent) product news
- Improve reliability — analyze aggregated usage and error logs to find bugs and improve performance
- Prevent abuse — detect and stop fraud, spam, and AUP violations
- Comply with law — respond to subpoenas, court orders, and lawful regulatory inquiries; honor data-subject requests; meet incident-notification obligations

Legal bases under GDPR (for EU/UK users):
- Contract performance (Art. 6(1)(b)) — for processing necessary to deliver the Services you signed up for
- Legitimate interest (Art. 6(1)(f)) — for fraud prevention, security, and product improvement
- Legal obligation (Art. 6(1)(c)) — for compliance with applicable law
- Consent (Art. 6(1)(a)) — for marketing emails and non-essential cookies (you can withdraw consent at any time)

4. How we share your information

We share personal information with:
- Subprocessors listed in §2.5, only for the purposes stated there
- Legal authorities and parties when required by law (subpoena, court order, regulatory inquiry, breach-notification statute) or to protect the rights, safety, or property of users or third parties
- Successor entity in the event of a merger, acquisition, or sale of substantially all assets — your data may be transferred subject to this Privacy Policy or a successor with equivalent protection
- Aggregated, de-identified analytics that do not identify any individual

We do NOT:
- Sell your personal information (as defined under CCPA / CPRA)
- Share your conversation content with advertisers
- Allow subprocessors to use your data for their own training or marketing purposes

5. Data security

We use commercially reasonable technical and organizational measures to protect your personal information, including:
- Encryption in transit (TLS 1.2+ for all customer-facing traffic)
- Encryption at rest for sensitive databases (Neon Postgres + Cloudflare R2)
- Authentication via Clerk with industry-standard credential hashing
- Access controls limiting subprocessor access to the minimum necessary
- Regular security review of dependencies and infrastructure

However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a personal data breach, we will notify you and applicable supervisory authorities as required by law (see §10).

6. Your privacy rights

All users may:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your account and associated personal information (see §6.1)
- Export a copy of your data (within 30 days of request)
- Object to processing based on legitimate interests
- Withdraw consent (where processing is based on consent)

EU/UK/EEA residents (GDPR / UK GDPR rights): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your local supervisory authority.

California residents (CCPA / CPRA rights): know what we collect, delete, correct, opt-out of sale (we do not sell), opt-out of sharing for cross-context behavioral advertising (we do not share), limit use of sensitive personal information, and non-discrimination for exercising your rights.

Brazilian residents (LGPD): confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, withdrawal of consent.

Other jurisdictions: we honor equivalent data-subject rights where required by your local law.

To exercise your rights: email [email protected]. We respond within 30 days (45 days for CCPA per §1798.130(a)(2)).

Section 6.1 — Account deletion.

To request account deletion, email [email protected] from your registered address. Upon a valid request, we:
1. Acknowledge your request and disable access to your account
2. Delete your personal information and generated content from our active systems within a reasonable period
3. Send you a confirmation email
4. Some records may be retained longer where required by law (tax records, dispute evidence, etc.) per §8

7. Cookies and tracking

We use the following cookie categories:
- Essential cookies (always on) — required for the Services to function: Clerk session, locale preference, CSRF tokens
- Analytics cookies (off by default in EU/UK/EEA) — PostHog and similar tools to understand product usage; loaded only after you grant consent
- Preferences cookies (off by default in EU/UK/EEA) — to remember non-essential UI choices

EU / UK / EEA users: We seek your consent before loading non-essential cookies (per ePrivacy Directive Art. 5(3) + GDPR Art. 7). You may withdraw consent at any time by contacting [email protected].

8. Data retention

We retain personal information only as long as necessary to provide the Services and to comply with our legal obligations:
- Account information: while your account is active; deleted within a reasonable period after a valid deletion request (see §6.1)
- Chat content: retained for the lifetime of your account; deleted upon account deletion (subject to backup retention)
- Payment records: retained for 7 years to comply with US tax and accounting obligations (and corresponding EU/UK tax law)
- Billing-dispute records: retained for the duration of any active dispute + 12 months
- Backups: Neon Postgres point-in-time recovery 7 days; daily snapshots retained 30 days
- Support correspondence: retained for 3 years for service-quality and dispute purposes

After the applicable retention period, data is deleted or anonymized.

9. International data transfers

Quant Vortex Inc. is established in the United States. Our subprocessors (see §2.5) are based primarily in the United States and may have sub-subprocessors elsewhere. When we transfer personal data of EU / UK / EEA users to the United States or to other jurisdictions without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c) (and the UK Addendum to the SCCs for UK transfers per the UK International Data Transfer Agreement). Where a subprocessor is in a jurisdiction with an EU adequacy decision, that adequacy basis is used instead. Copies of the SCCs and additional information are available on request to [email protected].

10. Data breach notification

In the event of a personal data breach affecting your personal information:
- EU / UK users: we notify the relevant supervisory authority within 72 hours where required (GDPR Arts. 33-34, UK GDPR identical), and notify you without undue delay where the breach is likely to result in high risk to your rights and freedoms.
- Brazilian residents: we notify ANPD and affected users in a reasonable time per LGPD Art. 48.
- Canadian residents: we notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible per PIPEDA s.10.1.
- Australian residents: we notify OAIC and affected individuals as soon as practicable per the Notifiable Data Breaches scheme (Privacy Act Part IIIC).
- California residents: we notify affected California residents (and the California AG if 500+ residents are affected) per Civ. Code §§1798.29 / 1798.82.
- Other US states: we comply with the breach-notification statute of every applicable state.

For details of our incident-response procedure, contact [email protected].

11. Children's privacy

AImusphere is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we discover that we have collected personal information from a child under 13 (whether through user report, support ticket, or other actual knowledge), we will:
1. Delete the account immediately
2. Delete all related personal information
3. Report to authorities as required by COPPA (16 CFR Part 312)

If you believe we may have collected information from a child under 13, please notify us at [email protected] immediately.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes we will:
- Post the updated Policy on this page with a new "Last updated" date
- For substantive changes affecting how we use your data, send an email to your registered address at least 5 business days before the effective date
- For changes that require renewed consent (such as adding a new processing purpose for sensitive data), prompt you to re-consent before such processing begins

Your continued use of the Services after the effective date of an updated Privacy Policy constitutes your acceptance of the new Policy. If you do not agree, you may delete your account per §6.

13. Contact us

For privacy questions, data subject requests, or to report a privacy concern:

Quant Vortex Inc.
Privacy contact: [email protected]
Mailing address: 21673 68th Ave, Oakland Gardens, NY 11364

For complaints to a supervisory authority:
- EU residents: your local Data Protection Authority (https://edpb.europa.eu/about-edpb/about-edpb/members_en)
- UK residents: Information Commissioner's Office (https://ico.org.uk)
- California residents: California Privacy Protection Agency (https://cppa.ca.gov) or California Attorney General
- Other US states: your state Attorney General