Privacy Policy

How k&z collects, processes, protects, and manages your personal data in connection with our quantum AI infrastructure services.

Effective Date: January 1, 2026 — Version: 1.0

1. Introduction

K&z Limited (“k&z,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website (kandz.co), use our quantum AI infrastructure platform, APIs, and related services (collectively, the “Services”), or interact with us in any other capacity.

K&z Limited is the data controller for personal data processed in connection with the Services. We are established in Hong Kong, and process personal data in accordance with the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486), the General Data Protection Regulation (GDPR) where applicable, and other relevant data protection legislation.

2. Data We Collect

2.1 Data You Provide Directly

  • Account Information: When you create an account, we collect your name, email address, organizational affiliation, job title, phone number, and billing address.
  • Payment Information: Credit card numbers, bank account details, billing addresses, and tax identification numbers. Payment card data is processed by our PCI DSS-compliant payment processors and is not stored on k&z servers.
  • Identity Verification Data: For KYC compliance purposes, we may collect government-issued identification documents, proof of address, and institutional accreditation documentation.
  • Communications: Records of correspondence when you contact our support team, sales team, or submit inquiries through our website, including email content and chat transcripts.
  • Feedback and Surveys: Responses to surveys, feedback forms, and user research activities.

2.2 Data Collected Automatically

  • Usage Data: Information about how you interact with the Services, including API calls, QPU job submissions, resource consumption metrics, session duration, feature usage, and error logs.
  • Device and Browser Data: IP address, browser type and version, operating system, device type, screen resolution, language preference, and time zone.
  • Log Data: Server logs recording access times, pages viewed, referring URLs, and actions taken within the platform.
  • Cookie Data: Information collected through cookies and similar tracking technologies, as described in our Cookie Policy.

2.3 Data from Third Parties

  • Identity Verification Services: Verification results from third-party KYC/AML service providers.
  • Sanctions Screening: Results from screening against denied party and sanctions lists.
  • Business Information Providers: Organizational and professional information from publicly available databases and business intelligence services.

3. Purposes of Processing

We process your personal data for the following purposes:

3.1 Service Delivery

To provide, operate, maintain, and improve the Services, including provisioning QPU resources, processing API requests, managing your account, providing technical support, and delivering platform updates and notifications.

3.2 Billing and Payments

To process payments, generate invoices, manage subscriptions and reserved capacity, apply service credits, and resolve billing disputes.

3.3 Security and Fraud Prevention

To protect the security and integrity of the Services, detect and prevent fraud, unauthorized access, and abuse, and to investigate and respond to security incidents.

3.4 Compliance

To comply with applicable legal obligations, including KYC/AML regulations, export controls, sanctions compliance, tax reporting, and responding to lawful requests from public authorities.

3.5 Communications

To send you service-related notices, security alerts, and administrative messages. With your consent, to send marketing communications about new features, products, and events.

3.6 Analytics and Improvement

To analyze usage patterns, measure platform performance, conduct research into quantum computing workload optimization, and improve the quality and functionality of the Services.

4. Legal Basis for Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases for processing personal data:

  • Performance of Contract (Article 6(1)(b)): Processing necessary to perform our obligations under the Terms of Service or Master Service Agreement, including account management, service delivery, billing, and technical support.
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, service improvement, and business analytics, where such interests are not overridden by your fundamental rights and freedoms.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations, including KYC/AML compliance, tax reporting, export controls, and responding to lawful requests from competent authorities.
  • Consent (Article 6(1)(a)): Where we rely on your consent, such as for marketing communications and certain cookies. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Data Retention

5.1 General Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods include:

  • Account Data: Retained for the duration of your account and for thirty (30) days following account deletion, unless a longer retention period is required by law.
  • Billing and Transaction Data: Retained for ten (10) years in accordance with Hong Kong commercial law record-keeping requirements.
  • KYC/Identity Verification Data: Retained for five (5) years following the end of the business relationship, in accordance with AML regulations.
  • Usage and Log Data: Retained for twelve (12) months for operational purposes, after which it is anonymized or deleted.
  • Communications and Support Data: Retained for three (3) years following resolution of the inquiry or support case.
  • Marketing Consent Records: Retained for as long as consent remains active, plus three (3) years for compliance documentation.

5.2 Anonymization

Where possible, k&z anonymizes or aggregates personal data for analytical purposes, in which case such data is no longer considered personal data and may be retained indefinitely.

6. Third-Party Sharing

6.1 Service Providers

We share personal data with trusted third-party service providers who perform services on our behalf, including cloud hosting providers, payment processors, identity verification services, analytics providers, and customer support tools. All service providers are bound by data processing agreements that require them to protect personal data in accordance with applicable law.

6.2 Legal and Regulatory Disclosures

We may disclose personal data to comply with applicable law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of k&z, our users, or others.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, personal data may be transferred as part of the transaction, subject to the acquirer agreeing to protect personal data in a manner consistent with this Privacy Policy.

6.4 No Sale of Personal Data

k&z does not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes without your explicit consent.

7. International Data Transfers

k&z is headquartered in Hong Kong. When we transfer personal data outside of Hong Kong or the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Transfers to countries recognized by the European Commission or the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) as providing adequate protection;
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Binding Corporate Rules where applicable; or
  • Your explicit consent for specific transfers.

You may request a copy of the applicable safeguards by contacting our Data Protection Officer.

8. Data Subject Rights

Under the GDPR, PDPO, and other applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You have the right to request deletion of your personal data, subject to certain exceptions (e.g., legal retention obligations).
  • Right to Restriction: You have the right to request restriction of processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong, or the relevant data protection authority in your jurisdiction).

To exercise any of these rights, please contact our Data Protection Officer at the address provided below. We will respond to your request within thirty (30) days, or as required by applicable law.

9. Cookies

We use cookies and similar tracking technologies on our website. For detailed information about the types of cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.

10. Security

k&z implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls, regular security audits, and employee security training. For more information about our security practices, please see our Security Policy.

11. Children’s Privacy

The Services are not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly.

12. Data Protection Officer

k&z has appointed a Data Protection Officer (DPO) who can be contacted regarding any questions or concerns about this Privacy Policy or our data protection practices:

  • Email: support@kandz.co
  • Mail: K&z Limited, Data Protection Officer, Flat 10198, 10/F, Liven House, No. 61-63 King Yip Street, Kwun Tong, Kowloon, Hong Kong

13. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Privacy Policy on our website with a revised “Effective Date.” For material changes, we will provide additional notice, such as email notification to account holders. We encourage you to review this Privacy Policy periodically.

14. Contact Information

If you have any questions about this Privacy Policy, please contact us at:

  • Data Protection Officer: support@kandz.co
  • General Inquiries: support@kandz.co
  • Mail: K&z Limited, Privacy Team, Flat 10198, 10/F, Liven House, No. 61-63 King Yip Street, Kwun Tong, Kowloon, Hong Kong