Privacy Policy

Effective: 28 May 2026Version: 1.0Last Updated: 28 May 2026

Vitnis (“we”, “us”, “our”) is operated by Vitnis Ltd, Reg.Office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ Reg. in England No. 17201606 and registered with the UK Information Commissioner's Office ZC141563. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Vitnis cloud service at vitnis.com and our related products.

This policy applies to the cloud service only. Customers using Vitnis under bilateral air-gapped deployment agreements operate within their own infrastructure and are governed by the terms of their specific agreement, not this policy.

We are committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who We Are

Vitnis provides classical numerical verification of quantum circuit specifications. We are a UK-based service operated by Vitnis Ltd, with the trading name “Vitnis”.

Data Controller: Stephen Baker, Vitnis Ltd
ICO Registration: ZC141563
Data Protection Contact: dpo@vitnis.com
General Contact: hello@vitnis.com

For data protection enquiries, our published contact details are verifiable via the UK ICO register.

What Data We Collect

We collect different categories of personal data depending on how you use Vitnis. We deliberately minimise data collection wherever possible.

Data You Provide Directly

When you sign up for a free account or paid subscription, we collect:

  • Email address — for account identification and service communications
  • Name (optional, for paid accounts) — for invoicing and support
  • Institutional affiliation (for academic tier) — to verify eligibility
  • Payment information (for paid tiers only) — handled exclusively by Stripe; we never receive or store your card details
  • Account preferences — display preferences, notification settings

Data Generated by Your Use of the Service

When you submit verification requests, we generate:

  • API request logs — timestamps, qubit counts, circuit complexity metrics, and certification levels
  • SHA-3 hashes of your circuit specifications — computationally irreversible cryptographic hashes used for audit trail purposes
  • Wallet consumption data — credits used per request and current balance
  • IP addresses — captured briefly in request logs for rate limiting and abuse prevention; deleted within 30 days

We do notretain the actual content of your quantum circuit specifications. Circuit data is processed in volatile memory and discarded after each verification request. See the “Zero Data Retention” section below.

Data From Other Sources

When you sign up via integrated providers, we receive:

  • From Clerk (identity provider): authenticated user identifier and verified email
  • From Stripe (payment provider): subscription status, payment confirmation, and a Stripe Customer ID reference

We do not receive payment card details or full billing addresses from Stripe — these remain within Stripe's infrastructure.

How We Use Your Data

We use your personal data for the following purposes, each with a specific legal basis under UK GDPR.

Service Provision Article 6(1)(b)

  • Authenticating you and managing your account
  • Processing your verification requests
  • Generating signed receipts that you can verify offline
  • Tracking your wallet balance and applying tier-appropriate limits
  • Communicating service updates, billing notifications, and security alerts
  • Providing customer support

Legal Compliance Article 6(1)(c)

  • Maintaining records required by UK tax law (HMRC)
  • Maintaining records required by financial regulators (where applicable to billing)
  • Responding to lawful requests from regulators or law enforcement (we will challenge requests we believe to be unlawful or disproportionate)

Legitimate Interests Article 6(1)(f)

  • Detecting and preventing abuse of free tiers
  • Maintaining the security of our infrastructure
  • Improving the service through aggregate usage analysis (no individual user analytics)
  • Communicating about features genuinely relevant to your use of Vitnis (you may opt out at any time)

Academic Verification Article 6(1)(f)

For academic tier applicants, verifying institutional eligibility through email domain checks and, where required, manual review of provided affiliation information.

Zero Data Retention for Circuit Data

This deserves a dedicated section because it differs from how most SaaS services handle customer-submitted data.

When you submit a quantum circuit for verification:

  1. The circuit specification is held in volatile memory (RAM) only during the verification process
  2. No copy is written to disk
  3. No copy is transmitted to any third party
  4. Once the verification completes, the original circuit specification is discarded
  5. Only a SHA-3 hash, runtime metadata, and the signed receipt are retained

The SHA-3 hash is computationally irreversible. From the hash, the original circuit cannot be reconstructed. We cannot produce your circuit content even if compelled by legal process — it does not exist in our infrastructure beyond the duration of your verification request.

This is not a policy commitment that we could later weaken; it is an architectural guarantee built into how the verification engine operates.

How Long We Keep Your Data

We retain personal data only as long as necessary for the purposes described above.

Data CategoryRetention Period
Email address (active account)Until account deletion + 30 days
Account preferencesUntil account deletion
Verification logs (timestamps, hashes, qubit counts)12 months for billing reconciliation
IP addresses in request logs30 days
Wallet consumption history12 months
Stripe subscription referencesWhile subscription active + 7 years for tax records
Academic verification documentationWhile academic account active + 30 days
Support correspondence24 months
Anonymised aggregate analyticsIndefinitely (no individual identification possible)

Some data must be retained longer to comply with legal obligations, principally UK tax law (7-year retention for financial records).

Who We Share Data With

We share your personal data only with the third-party providers we use to deliver the service. We do not sell your data, and we do not share it for marketing purposes.

Service Providers (Data Processors)

Each provider processes data on our behalf under appropriate contractual terms. Each maintains its own appropriate compliance certifications.

Clerk — Identity and authentication

  • Processes: your email address, password (cryptographically hashed), authentication tokens
  • Compliance: SOC 2 Type II, GDPR compliant
  • Location: Primarily United States; EU residency available for Enterprise tier

Stripe — Payment processing

  • Processes: name, billing address, payment method details, transaction records, tax information
  • Compliance: PCI-DSS Level 1, SOC 2 Type II, ISO 27001
  • Location: UK and EEA customers served by Stripe Payments UK Limited and Stripe Payments Europe Limited respectively, with primary processing in UK and EU regions

Amazon Web Services (AWS) — Service infrastructure

  • Processes: verification logs, account state, wallet data
  • Compliance: SOC 1/2/3, ISO 27001/27017/27018, Cyber Essentials Plus
  • Location: London (eu-west-2) at launch; additional regions available on commercial commitment

Vercel — Marketing site hosting

  • Processes: no customer personal data; serves marketing pages only
  • Verification API requests bypass Vercel and connect directly to AWS infrastructure
  • Compliance: SOC 2 Type II, ISO 27001

Legal Disclosure

We may disclose personal data when required by law, including in response to:

  • Valid court orders
  • Lawful requests from regulators (ICO, HMRC, etc.)
  • Lawful requests from law enforcement

Where legally permitted, we will notify affected users of such disclosure. We will challenge requests that we believe are unlawful or disproportionate.

International Data Transfers

Some of our service providers operate internationally. When personal data is transferred outside the UK, we rely on appropriate safeguards under UK GDPR:

  • UK-EU transfers: Adequacy decision (EU is recognised as providing adequate protection)
  • UK-US transfers: UK addendum to EU Standard Contractual Clauses (SCCs)
  • Other transfers: Standard Contractual Clauses or other approved mechanisms

Each of our service providers maintains its own transfer infrastructure. You can request copies of relevant transfer mechanisms by contacting dpo@vitnis.com.

Your Rights

Under UK GDPR, you have the following rights regarding your personal data. We will respond to all valid requests within one month.

Right of Access Article 15

You can request a copy of the personal data we hold about you. We will provide it in a commonly readable format, typically JSON for machine-readable data and PDF for documents.

Right to Rectification Article 16

You can request correction of inaccurate or incomplete personal data. For most account information, you can update directly in your account settings.

Right to Erasure Article 17

You can request deletion of your personal data. Some data may be retained for legal obligations (tax records, etc.) — we will explain what cannot be deleted and why.

Right to Restriction Article 18

You can request that we limit how we use your data while a dispute is resolved.

Right to Data Portability Article 20

You can request your data in a machine-readable format suitable for transfer to another service.

Right to Object Article 21

You can object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.

Right Not to Be Subject to Automated Decisions Article 22

We do not make solely automated decisions with legal or similarly significant effects on you. The verification engine is automated, but it does not make decisions about you — it processes circuits you submit.

How to Exercise Your Rights

Email dpo@vitnis.com with your request. We may need to verify your identity before responding to protect your data from unauthorised disclosure.

You can also lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk/ if you believe we have not handled your data properly. We would always prefer the opportunity to address concerns directly first, but your right to complain to the ICO is independent of any direct discussion with us.

Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit: All connections use TLS 1.2 or higher
  • Encryption at rest: Customer data at rest is encrypted using AES-256
  • Access controls: Production systems are accessed only with multi-factor authentication
  • Audit logging: All access to personal data is logged
  • Provider compliance: We rely on the certified compliance posture of Clerk, Stripe, and AWS for the layers they handle
  • Zero retention of circuit data: Architectural protection against breach exposure of your circuit specifications

For details of our security architecture, see our Security & Sovereignty page.

In the event of a personal data breach affecting your data, we will:

  • Notify the ICO within 72 hours where required
  • Notify you directly if the breach is likely to result in high risk to your rights
  • Provide guidance on protective steps you can take

Cookies and Tracking

The Vitnis website uses minimal cookies. We do not use third-party advertising or tracking cookies.

Strictly Necessary Cookies

These cookies are essential for the service to function. They cannot be disabled without breaking the service.

  • Authentication cookies — set by Clerk to keep you logged in
  • CSRF tokens — protect against cross-site request forgery
  • Session cookies — maintain your active session

No Analytics Cookies

We do not use Google Analytics, Facebook Pixel, or similar tracking tools.

If we add aggregate analytics in the future (for service improvement, never for advertising), we will update this policy and seek consent where required.

Children

Vitnis is not directed at children under 13, and we do not knowingly collect personal data from children. The service is intended for researchers, developers, and commercial users — typically over 18.

If you believe a child has provided us with personal data, please contact dpo@vitnis.com and we will delete the information.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our services
  • Changes in legal requirements
  • Improvements in our practices
  • Customer feedback

When we make material changes, we will:

  • Update the “Last Updated” date
  • Increment the version number
  • Email registered users about the change at least 30 days before it takes effect (where the change is material)
  • Maintain a public changelog of policy versions

For material changes, you will be given the opportunity to review the changes before they apply to you. Continued use of the service after the effective date constitutes acceptance of the updated policy.

Contact Us

For any questions about this Privacy Policy or our data practices:

Email: dpo@vitnis.com (data protection enquiries)
Email: hello@vitnis.com (general contact)
Postal address: Available on request via dpo@vitnis.com

For Complaints

For complaints about how we handle your personal data:

  • First contact us at dpo@vitnis.com — we welcome the opportunity to resolve concerns directly
  • Or contact the UK Information Commissioner's Office:
    • Website: https://ico.org.uk/
    • Phone: 0303 123 1113
    • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Document History

VersionDateNotes
1.02026-05-28Initial policy. Effective from launch of cloud service.

This privacy policy is governed by the laws of England and Wales.