Quantiles Privacy Policy

Last updated November 25, 2025

Quantiles (“Quantiles,” “we,” “our,” or “us”) recognizes the importance of protecting your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you interact with our website, platform, applications, and online services that reference this Privacy Policy (collectively, the “Services”).

Our Services are intended for use only in the United States. We do not offer or market the Services to individuals located outside the United States, including in the European Economic Area (EEA) or United Kingdom.

By accessing or using the Services, you acknowledge that you have read and understand this Privacy Policy.

1. Information we collect

We collect information that identifies, relates to, or is reasonably capable of being associated with an individual or organization.

1.1 Information you provide

We may collect personal information directly from you when you interact with the Services, including when you:

• Request information
• Create an account
• Submit forms
• Upload datasets, models, or evaluation artifacts
• Communicate with us

Categories of data you may provide include:

• Identifiers: name, email address, mailing address, phone number.
• Professional Information: organization, role, account details.
• Health Information (if applicable): Protected Health Information (PHI) only if covered by a Business Associate Agreement (BAA).
• Payment Information: if you make purchases or subscribe to paid Services (processed by third-party payment processors).

Users are solely responsible for ensuring they have the lawful right to upload datasets, models, or any content to the Services. Quantiles is not responsible for any data uploaded in violation of applicable laws, agreements, or third-party rights.

Important: You must not upload or transmit PHI unless a valid HIPAA Business Associate Agreement (BAA) is in place. Quantiles is not responsible for PHI submitted outside a BAA.

1.2 Information collected automatically

When you access or use the Services, we automatically collect:

• Device Information: IP address, browser type, operating system, device identifiers.
• Usage Information: pages viewed, features used, time spent, referring URLs, clicks, interactions, and performance data.
• Cookies and Tracking Technologies: used to support site functionality, analytics, and performance.

1.3 Information from third parties

We may receive information from:

• Service providers (e.g., analytics tools)
• Business partners or enterprise customers
• Publicly available sources

2. How we use information

We use information for the following purposes:

2.1 Service delivery

• Provide, operate, secure, and maintain the Services
• Enable AI model evaluation, benchmarking, logging, and reporting
• Create and manage user accounts
• Process transactions and communicate with you

2.2 Research, development, and analytics

• Improve platform performance
• Conduct internal research
• Develop new products and features
• Analyze usage trends and platform metrics
• Generate de-identified or aggregated data

2.3 Compliance and legal purposes

• Comply with U.S. laws, including HIPAA where applicable
• Enforce agreements
• Prevent fraud, abuse, or misuse
• Respond to lawful requests

2.4 Communications

• Send updates, security notices, and administrative information
• Respond to inquiries and support requests

2.5 With your consent

For any additional purpose disclosed to you at the time of collection.

3. How we share information

We may share personal information as follows:

3.1 With service providers

With third-party vendors performing services on our behalf, including:

• Hosting and cloud infrastructure
• Analytics
• Customer support tools
• Payment processors
• Email or form submission services

Service providers are contractually required to protect the information and use it only for the services provided.

3.2 With affiliates

We may share data with our wholly or majority-owned affiliates to support operations consistent with this Privacy Policy.

3.3 Legal compliance and protection

We may disclose information to:

• Comply with subpoenas, warrants, and lawful requests
• Respond to regulatory inquiries
• Protect the rights, property, or safety of Quantiles, users, or others

3.4 Business transfers

If Quantiles undergoes a merger, acquisition, financing, asset sale, or bankruptcy, information may be transferred to the successor. The recipient must process the data consistent with this Privacy Policy.

3.5 Aggregated or de-identified data

We may share anonymized, aggregated, or de-identified data for:

• Research
• Analytics
• Development
• Reporting

This information does not personally identify individuals.

4. Cookies and tracking technologies

We use cookies, pixels, and similar technologies to:

• Enable core functionality
• Analyze usage
• Improve the Services
• Remember preferences

You can manage cookie preferences in your browser settings. Disabling cookies may affect site functionality.

We do not respond to “Do Not Track” signals at this time. Third parties may collect information through our Services consistent with their own privacy policies.

5. Third-party content and links

The Services may contain links or integrations operated by third parties. We are not responsible for their privacy practices. Review their policies before interacting with them.

6. HIPAA and Protected Health Information (PHI)

6.1 When HIPAA applies

Quantiles may act as a Business Associate under HIPAA only when providing services to HIPAA-covered entities or their Business Associates under a valid BAA.

6.2 No PHI without a BAA

Users must not upload or transmit PHI unless a BAA is executed. Quantiles is not responsible for PHI provided outside a BAA.

6.3 Synthetic data

Synthetic data used or generated in the Services:

• Is not PHI
• Does not contain real patient information
• May be used for research, analytics, evaluation, and improvement of the Services
• Is governed by standard data protection practices, not HIPAA

6.4 Safeguards

We maintain administrative, technical, and physical safeguards appropriate to our role under HIPAA and U.S. privacy law.

7. California Privacy Rights (CCPA/CPRA)

We collect personal information as described in this Privacy Policy. The categories of information collected and purposes for collection are outlined in Sections 1 and 2 of this Privacy Policy, which serve as our Notice at Collection. We do not sell or share personal information as those terms are defined under CCPA/CPRA. If you are a California resident, you may exercise the rights described below.

7.1 Categories of information collected

In the last 12 months, we may have collected:

• Identifiers
• Professional information
• Internet or network activity
• Geolocation (approximate IP-based)
• Inferences from usage data
• Sensitive information only when necessary (e.g., PHI under BAA)

7.2 Your rights

• Right to Know
• Right to Delete
• Right to Correct
• Right to Opt-Out of Sale/Sharing (We do not sell or share data for cross-context advertising.)
• Right to Limit Use of Sensitive Information
• Right to Non-Discrimination

To exercise these rights, email [email protected].

Identity verification may be required.

8. Data retention

We retain information only as long as necessary to:

• Provide and improve the Services
• Comply with legal obligations
• Support research and development
• Maintain evaluation logs, audit trails, and system security
• Enforce agreements

We retain personal information for the periods described below unless a longer retention period is required or permitted by law.

• Account information: retained while your account is active
• Logs and analytics: up to 24 months (unless required longer)
• PHI (under BAA): per HIPAA or contractual requirements
• Support inquiries / communications: up to 7 years

We securely delete or de-identify data once retention periods expire unless law requires otherwise.

9. Data security

We employ administrative, technical, and physical security measures, including:

• Encryption in transit and at rest
• Access controls
• Monitoring and logging
• Secure development practices

However, no system is completely secure. We cannot guarantee absolute security of data transmitted or stored.

9.1 Breach notification

In the event of a breach affecting personal information, we will provide notifications as required by applicable U.S. law.

10. Children's privacy

The Services are not intended for children under 13. We do not knowingly collect personal information from children without verifiable parental consent. If such information is discovered, it will be deleted promptly.

11. Your choices

You may:

• Update your profile information
• Unsubscribe from marketing communications
• Request access, correction, or deletion of your data by contacting [email protected]

12. U.S. Only; International Transfers

Our Services are intended for users located in the United States. We do not purposefully collect or process data from individuals located outside the U.S.

13. Changes to this privacy policy

We may update this Privacy Policy from time to time. Changes become effective upon posting. We encourage you to review this Privacy Policy periodically.

14. Contact information

If you have questions about this Privacy Policy or our practices, contact us at:

Email: [email protected]

Subject Line: Privacy Inquiry – Quantiles