INITIALIZING SYSTEMS

0%
EN
GET CONSULTATION
LEGAL

Privacy Policy

Last updated: February 9, 2026

1. Introduction

Seraphim, a QNTM Venture ("Seraphim," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or otherwise interact with us.

This policy is designed to comply with the EU General Data Protection Regulation (GDPR), the People's Republic of China Personal Information Protection Law (PIPL), the Singapore Personal Data Protection Act (PDPA), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and other applicable international privacy laws. Where the laws of your jurisdiction grant you additional rights or impose additional obligations on us, those rights and obligations apply.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide, including:

  • Contact information (name, email address, phone number, company name)
  • Business information (job title, industry, company size)
  • Communication content (messages, inquiries, feedback)
  • Payment information (processed through secure third-party providers)
  • Job application materials (resume, cover letter, portfolio)

2.2 Automatically Collected Information

When you visit our website, we may automatically collect:

  • Device information (browser type, operating system, device type)
  • Usage data (pages visited, time spent, referral source)
  • IP address and approximate geographic location
  • Cookies and similar tracking technologies

3. How We Use Your Information

We use collected information for the following purposes:

  • Providing, maintaining, and improving our services
  • Responding to inquiries and providing customer support
  • Processing transactions and sending related information
  • Sending promotional communications (with your consent)
  • Analyzing website usage to improve user experience
  • Complying with legal obligations
  • Protecting our rights and preventing fraud

4. Legal Basis for Processing (GDPR)

For individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data on one or more of the following lawful bases under Articles 6 and 9 of the GDPR:

  • Consent (Art. 6(1)(a)): Where you have given explicit, informed consent to the processing of your personal data for one or more specific purposes. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Performance of a Contract (Art. 6(1)(b)): Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
  • Legal Obligation (Art. 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject.
  • Legitimate Interests (Art. 6(1)(f)): Where processing is necessary for our legitimate business interests (such as fraud prevention, network security, and direct marketing) and those interests are not overridden by your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests.

5. Data Sharing and Disclosure

We may share your information with:

  • Service Providers: Third parties who assist in our operations (hosting, analytics, payment processing), acting as data processors under appropriate contractual safeguards.
  • Business Partners: With your consent, for joint marketing or service delivery.
  • Legal Requirements: When required by law, regulation, or legal process in any applicable jurisdiction.
  • Business Transfers: In connection with merger, acquisition, or asset sale.

We do not sell your personal information to third parties.

6. International Data Transfers

6.1 Transfer Destinations

Your personal data may be transferred to, stored in, and processed in countries outside your jurisdiction, including the following:

Country/Region Purpose Service Providers
United States Cloud hosting, analytics, communication tools AWS, Google Cloud, Microsoft Azure, Cloudflare
Singapore Regional data processing, business operations AWS Singapore, regional partners
European Union GDPR-compliant data processing, EU market services EU-based infrastructure providers
People's Republic of China Chinese market services, localization Alibaba Cloud, regional partners

6.2 Safeguards for Cross-Border Transfers

When transferring your personal data internationally, we implement the following safeguards as appropriate under applicable law:

  • EU Standard Contractual Clauses (SCCs): For transfers from the EEA, we use EU Commission-approved Standard Contractual Clauses with all international data recipients.
  • Adequacy Decisions: Where available, we rely on adequacy decisions by the European Commission or equivalent regulatory determinations.
  • PIPL Transfer Mechanisms: For transfers of personal information from China, we comply with PIPL cross-border transfer requirements, including security assessments, standard contracts filed with the Cyberspace Administration of China (CAC), and personal information protection certifications where applicable.
  • Technical Safeguards: Encryption in transit (TLS 1.3) and at rest (AES-256) for all international transfers.
  • Access Controls: Strict access controls limiting who can access transferred data.
  • Transfer Impact Assessments: We conduct transfer impact assessments for cross-border data flows as required by applicable law.

6.3 Your Rights Regarding Cross-Border Transfers

You have the right to:

  • Be informed about which countries your data is transferred to (as disclosed above)
  • Object to cross-border transfers in certain circumstances
  • Request information about the safeguards in place for specific transfers
  • Withdraw consent for transfers (which may affect our ability to provide certain services)

7. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by law. Retention periods vary based on:

  • Client data: Duration of engagement plus 7 years for legal compliance
  • Marketing contacts: Until you withdraw consent or 3 years of inactivity
  • Job applications: 2 years from application date
  • Website analytics: 26 months

8. Your Rights Under Applicable Privacy Laws

8.1 Rights Under GDPR (European Union)

If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of Access (Art. 15): The right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
  • Right to Rectification (Art. 16): The right to have inaccurate personal data corrected and incomplete data completed.
  • Right to Erasure (Art. 17): The right to request deletion of your personal data when it is no longer necessary, when you withdraw consent, or when processing is unlawful ("right to be forgotten").
  • Right to Restriction of Processing (Art. 18): The right to request restriction of processing where you contest accuracy, processing is unlawful, we no longer need the data, or you have objected to processing.
  • Right to Data Portability (Art. 20): The right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to Object (Art. 21): The right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing without exception.
  • Right Regarding Automated Decision-Making (Art. 22): The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. You have the right to obtain human intervention, express your point of view, and contest such decisions.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right to Lodge a Complaint with a DPA: The right to lodge a complaint with a supervisory authority (Data Protection Authority) in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. For Germany, this is the relevant state data protection authority (Landesdatenschutzbehoerde) or the Federal Commissioner for Data Protection (BfDI).

We will respond to GDPR rights requests within 30 days of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

8.2 Rights Under PIPL (People's Republic of China)

If you are located in the People's Republic of China or your personal information is processed under PIPL, you have the following rights:

  • Right to Know and Decide: The right to know about and make decisions regarding the processing of your personal information, and the right to restrict or refuse the processing of your personal information by others (unless otherwise provided by law).
  • Right to Access and Copy: The right to consult and copy your personal information from us, except where laws or regulations provide otherwise.
  • Right to Portability: The right to request that we transfer your personal information to another personal information handler you designate, where conditions prescribed by the CAC are met.
  • Right to Rectification and Supplementation: The right to request correction or supplementation of your personal information if it is inaccurate or incomplete.
  • Right to Deletion: The right to request deletion of your personal information where the processing purpose has been achieved or is impossible to achieve, we cease providing services, the retention period has expired, you withdraw consent, processing violates laws, or other circumstances prescribed by law apply.
  • Right to Explanation: The right to request an explanation of our personal information processing rules.
  • Right Regarding Automated Decision-Making: Where automated decision-making significantly affects your rights and interests, you have the right to demand an explanation and to refuse decisions made solely through automated decision-making.
  • Rights of Deceased Persons: Close relatives of a deceased individual may exercise the rights of the deceased for their own lawful and legitimate interests, unless the deceased made other arrangements during their lifetime.

We will respond to PIPL rights requests within 15 business days unless otherwise provided by law.

8.3 Rights Under PDPA (Singapore)

If you are located in Singapore, you have the following rights under the PDPA:

  • Right of Access: The right to request access to your personal data held by us and information about how it has been used or disclosed in the past year.
  • Right to Correction: The right to request correction of errors or omissions in your personal data.
  • Right to Withdraw Consent: The right to withdraw consent for the collection, use, or disclosure of your personal data, subject to legal and contractual restrictions. Upon withdrawal, we will inform you of the likely consequences.
  • Data Portability Right: The right to request that we transmit your data to another organisation in a commonly used machine-readable format, where applicable under the Data Portability Obligation.

We will respond to PDPA access requests within 30 days of receipt.

8.4 Rights Under CCPA/CPRA (California, USA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

  • Right to Know: The right to request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information.
  • Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: The right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. If we were to do so, you would have the right to opt out.
  • Right to Limit Use of Sensitive Personal Information: The right to limit the use and disclosure of sensitive personal information to purposes necessary for performing the services.
  • Right to Non-Discrimination: The right not to be discriminated against for exercising your CCPA/CPRA rights.

We will respond to verifiable consumer requests within 45 days of receipt.

8.5 Rights Under Other Jurisdictions

Depending on your location, you may also have rights under other applicable data protection laws, including but not limited to PIPA (South Korea), APPI (Japan), LGPD (Brazil), and other national or regional privacy frameworks. We are committed to honoring your rights under the applicable law of your jurisdiction. If you are unsure which rights apply to you, please contact our Data Protection Officer.

8.6 How to Exercise Your Rights

To exercise any of your data protection rights, please contact our Data Protection Officer:

  • Email: [email protected]
  • Response Times: 30 days (GDPR), 15 business days (PIPL), 30 days (PDPA), 45 days (CCPA/CPRA), or as otherwise required by applicable law

We may need to verify your identity before fulfilling your request. If we cannot verify your identity, we may ask for additional information. We will not charge a fee for responding to your request unless the request is manifestly unfounded or excessive.

9. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and multi-factor authentication requirements
  • Regular security assessments and penetration testing
  • Employee training on data protection and security awareness
  • Incident response procedures with notification within timescales required by applicable law (72 hours under GDPR, promptly under PIPL, as soon as practicable under PDPA)
  • Regular audits of sub-processors and service providers

10. Cookies

We use cookies and similar technologies for functionality, analytics, and marketing. You can control cookies through your browser settings. For visitors in the EEA, we obtain consent before placing non-essential cookies in compliance with the ePrivacy Directive. For details, see our Cookie Policy section on this page.

11. Children's Privacy

Our services are not directed to individuals under 18 (or under the age of digital consent in your jurisdiction -- 16 under GDPR, 14 under PIPL). We do not knowingly collect personal data from children. If you believe we have collected information from a child, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this privacy policy periodically. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Where required by applicable law (such as GDPR or PIPL), we will provide additional notice or obtain your renewed consent for material changes. Continued use of our services after changes constitutes acceptance of the updated policy where permitted by law.

13. Governing Law and Dispute Resolution

This privacy policy and any disputes arising from or related to it shall be governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region of the People's Republic of China, without regard to its conflict of law principles, except where:

  • US-based individuals: The laws of the State of California, USA shall apply.
  • GCC/Middle East-based individuals: The laws of the Kingdom of Saudi Arabia shall apply.

Any dispute, controversy, or claim arising out of or relating to this privacy policy, including its validity, invalidity, breach, or termination, shall be resolved by arbitration administered as follows:

  • Default: Hong Kong International Arbitration Centre (HKIAC) under its Administered Arbitration Rules, seated in Hong Kong, conducted in English.
  • US-based individuals: JAMS under its Comprehensive Arbitration Rules, seated in Los Angeles, California, conducted in English.
  • GCC/Middle East-based individuals: Saudi Center for Commercial Arbitration (SCCA) under its Arbitration Rules, seated in Riyadh, conducted in English or Arabic.

Nothing in this section shall prevent you from exercising your rights to lodge a complaint with a supervisory authority under applicable data protection law (e.g., a DPA under GDPR, PDPC under PDPA, or the CAC under PIPL).

14. Data Protection Officer & Contact Information

14.1 Data Protection Officer (DPO)

We have designated a Data Protection Officer responsible for overseeing our data protection practices and handling data subject requests across all jurisdictions:

Data Protection Officer Privacy & Compliance Team
DPO Email [email protected]
Response Time Within 30 days (GDPR/PDPA) / 15 business days (PIPL) / 45 days (CCPA/CPRA)
Entity Seraphim, a QNTM Venture

14.2 General Inquiries

For general privacy-related inquiries or business matters:

Email: [email protected]

Website: https://srphm.ai

14.3 Regulatory Authorities

If you are not satisfied with our response or believe we have violated data protection laws, you have the right to lodge a complaint with the relevant supervisory authority:

  • European Union: Your local Data Protection Authority (DPA). For Germany: the relevant Landesdatenschutzbehoerde or the Bundesbeauftragte fuer den Datenschutz und die Informationsfreiheit (BfDI).
  • United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk
  • Singapore: Personal Data Protection Commission (PDPC) - pdpc.gov.sg
  • People's Republic of China: Cyberspace Administration of China (CAC) or the relevant provincial cyberspace administration department.
  • California, USA: California Attorney General's Office - oag.ca.gov
// SUMMARY

Your privacy matters to us

We collect only what's necessary, protect it rigorously, and never sell your information.

// Enterprise Technology Partner