Privacy statement

1.0. INFORMATION COLLECTION

1.1 GENERAL

The Company collects Personal Data for identified and appropriate business purposes, or as may otherwise be required or permitted by Law, and does not Process Personal Data in ways that conflict with those purposes, unless otherwise required or permitted by Law.

1.3      COOKIES

The Company may also collect Personal Data automatically using cookies or other similar tracking technologies located on any Company website, application, software or similar electronic system Company-issued or Company-authorized. For more information about the cookies the Company uses, users should consult the Company’s online Cookie Notice at www.quantinuum.com/cookie-notice. In order to receive further information about the cookies used in a particular Company electronic system, please contact compliance@quantinuum.com.

1.4 OUR COLLECTION OF PERSONAL INFORMATION 

Information collected directly from you. We may ask you for personal information to provide a service or carry out a transaction that you have requested. You may also provide personal information to us when you contact or engage with us (e.g., with a comment, inquiry or customer support request, site visitors) or register for an account to use our Sites. This personal information may include:

• Identity data, such as your name, title, company/organization name, e-mail address, telephone number and physical address (including street, city, state, postal or zip code, and/or country);
• Registration data, provided by you when you register for an account to use our Sites, including username and password; 
• Recruitment data, provided by you when you register for an account to use our Sites, including usernames and passwords; 
• Business contact data, such as information related to other employees, owners, directors, officers, or contractors of a third-party organization (e.g., business, company, partnership, sole proprietorship, non-profit, or government agency); 
• Marketing and communications data, including your marketing preferences and your subscriptions to our publications; 
• Financial information, including credit card or other financial account information for the purpose of enabling us to facilitate your purchase of Company products and services that may be available on our Sites or otherwise; 
• Export control information, such as your nationality, citizenship, and country of residence, that allows us to determine your eligibility under export control regulations to receive information about certain technologies; 
• Transaction data, including inquiries about our products and services and details of payments to and from you, including purchase order history and information needed to facilitate payment transactions; 
• Event registration information, including information you provide when filing in e-registration forms; and 
• Your feedback, including surveys, recommendations or other feedback from you about our Sites as well as our products and services generally. 

When you do not provide the requested information, we may not be able to provide you the requested service or complete your transaction. 

Information we collect automatically about you. We collect certain information about your visit to our Sites using cookies and similar tracking technologies. We will respect any legal rights you may have to prevent us doing this. Data collected in this way includes:

• Usage data, including information about how you use our Sites, what pages you view, the number of bytes transferred, the links you click, the materials you access, the date and time you access the Site, the website from which you linked to one of our Sites and other actions taken within the Sites; and
• Technical data, such as your Internet Protocol (IP) address, your browser type and capabilities and language and your operating system

For information about the cookies and other similar tracking technologies we use on our Sites, please refer to our Cookie Notice and the Cookie disclosure discussed above.

Geo-location information. For certain Sites, with your consent, we may collect the precise, real-time location (i.e., geo-location) of your mobile device. This information will be used only for the purpose of facilitating your use of the Sites including by our service providers who may process this information in connection with providing services on our behalf. If given, you may adjust this consent by managing your Location Services preferences through the settings of your mobile device.

Information collected from third parties. In accordance with applicable law, we may collect personal information about you from third parties, such as social media websites and applications and combine it with information we already hold, to help us improve and customize our Sites to your preferences and for other purposes set forth in this Policy. We may also collect your business contact information from your employer or other third parties to facilitate or otherwise engage in traditional business activities and similar administrative matters.

1.5 OUR USE OF INFORMATION

We may use the personal information via our Sites or when you contact us for purposes that include:    

• Business Contact Data. Quantinuum collects and uses business contact data to engage in communications or transactions, including for conducting due diligence regarding, or providing or receiving, a product or service. For example, Quantinuum may collect and use this business contact data in order to facilitate and manage orders, contracts, warranties, maintenance, and similar business functions, for credit analysis and collection purposes, to assist with our own internal compliance and legal requirements, and (if necessary) to defend our interests and claims. 

• Services and transactions. We may use your personal information to deliver services to you or carry out transactions you have requested, including, but not limited to, providing information on Company products or services you have purchased or otherwise use, registering purchased products, processing product orders, handling warranty claims, replacing product manuals, answering customer service requests and facilitating the use of our Sites.

• Administering and protecting our business and Sites. We may use your personal information to administer and protect our business and our Sites, including troubleshooting, system maintenance, support, reporting and hosting of data.

• Improving our business, Sites, products and services. We may use your personal information to perform business analyses or for other purposes that help us to develop and improve the quality of our business, Sites, products and services (including new products and services), for example, by customizing our Sites to your particular preferences or interests.

•Marketing. In accordance with applicable laws and regulations, we may use your personal information to inform you of products or services which may be of interest to you, and to otherwise communicate with you about offerings, events and news, surveys, special offers, and related topics. You are able to opt-out from marketing communications sent via e-mail at any time, free of charge by using the “unsubscribe” link in any e-mail marketing materials you receive from us, or by contacting us using the contact information listed in this Policy. Depending on your country of residence, you may also be able to opt out of other types of marketing communications; please contact us using the contact information listed below for more information. Some jurisdictions provide individuals (e.g., California residents) with the right to request certain information regarding our disclosure of personal information to third parties for the third party’s direct marketing purposes. For more information on our data disclosure practices for marketing purposes, please contact us in accordance with the instructions listed below.

• Interest-Based Advertising. We may collect data about your online activities and identify your interests so that we can provide advertising that is most relevant to you. You can opt out of receiving interest-based advertising from Quantinuum as described in our Cookie Notice.

• Research and analysis. We may use your personal information to conduct research and analysis to help us analyze your purchasing preferences, identify the products and services that best meet your requirements and measure the effectiveness of the advertising we serve you.

• Legal Obligations and Enforcement: We may use your personal information to comply with laws and regulations or to perform a contract we have entered into with you. We may use the personal information we collect in order to detect, prevent and respond to fraud, intellectual property infringement, violations of our terms and conditions, violations of law or other misuse of our Sites.

Where permitted by law, we may combine the information that we collect via our Sites with other information we hold about you (such as information about your use of our products and services) in order to offer you an improved and consistent customer experience when interacting with us or for other purposes set forth in this Policy.

LEGAL BASIS ON WHICH WE PROCESS INFORMATION 

Where required by law, we will ensure there is a legal basis for the processing of your personal information. In most cases, our legal basis will depend on the personal information concerned and the specific context in which we collect it. 

• Contract: the processing is necessary for the performance of the services we provide to you, or in order to take steps (at your request) prior to, and anticipation of, performing, such services;

• Legal obligation: the processing is necessary to comply with our legal obligations, including compliance with applicable laws, regulations, governmental and quasi-governmental requests, court orders or subpoenas;

• Consent: the processing is based on your consent to the processing of your personal information for one or more specified purposes (e.g., marketing);

• Legitimate interests: the processing is necessary to meet our legitimate interests, for example to develop and improve our Sites, products and/or services for the benefit of our customers; or

• Vital interests: the processing is necessary to protect your vital interests (for example, health and safety reasons if you attend a meeting at a Quantinuum location).

If you have any questions about or need further information concerning the legal basis on which we collect and use your personal information, please send an email to compliance@quantinuum.com.

Anonymizing information

In accordance with applicable law, we may anonymize your personal information so that it can no longer be used to identify you. Anonymized information is not considered personal information and is therefore not subject to this Policy. We may collect, use, aggregate and share anonymized information for any purpose.

How long we keep information

The period during which we store your personal information varies depending on the purpose for the processing. For example, we store personal information needed to provide you with products and services, or to facilitate transactions you have requested, for so long as you are a customer of Quantinuum or if you submit an employment application via our Sites, we will retain details of your application as set forth in the privacy notice made available to you in connection with your application or as otherwise required by law. In all other cases, we store your personal information for as long as is needed to fulfil the purposes outlined in this Policy, following which time it is either anonymized (where permitted by applicable law), deleted or destroyed.

1.6 TRANSFERS OF DATA 

Quantinuum is a global company and your personal information may be transferred to, held, stored, or used across various locations worldwide as necessary for the uses stated above and in accordance with this Policy and in applicable law. This means that when we collect your personal information it may be processed in countries that may have data protection laws that are different to the laws of your country. 

However, Quantinuum will take commercially reasonable steps to protect your privacy and to provide a level of protection of personal information that is comparable to that of your country of residence which may include implementing the European Commission’s Standard Contractual Clauses, or another adequate transfer mechanism. For more information on the appropriate safeguards in place to protect your personal information, please see the jurisdiction-specific notices below or contact us at compliance@quantinuum.com 

1.7 DISCLOSURE OF YOUR INFORMATION

We may share your personal information with selected third parties in accordance with applicable law, including as set out below:

• Our group companies. We may share your personal information with our affiliates and group companies as reasonably necessary for the purposes set out in this Policy. If, in the future, the Company re-organizes or transfers all or part of its business, the Company may need to transfer all information to new entities or third parties through which its business will be carried out.

• Service providers. We may share your personal information with companies with which we have contracted to provide services on our behalf, such as HR services, hosting websites, conducting surveys, processing transactions, analyzing our Sites and performing analyses to improve the quality of our business, Sites, products and services. We require these service providers to protect the confidentiality of your personal information.

• Professional advisers, auditors, and insurers. 

• Distributors and other trusted business partners. We may share your personal information with third parties that distribute our products and other trusted business partners for purposes that include allowing those third parties to send marketing communications to you. Such sharing of personal information for marketing purposes will be performed in accordance with applicable laws and regulations.

• Disclosure in connection with transactions. In connection with certain transactions, we may disclose some or all of your personal information to financial institutions, government entities and shipping companies or postal services involved in fulfilment of the transaction.

• Disclosures in connection with acquisitions or divestitures. Circumstances may arise where for strategic or other business reasons Quantinuum decides to sell, buy, divest, merge or otherwise reorganize businesses in some countries. We may disclose information we maintain about you to the extent reasonably necessary to proceed with the negotiation or completion of a merger, acquisition, divestiture or sale of all or a portion of Quantinuum’s assets.

• Disclosure for other reasons. We may disclose personal information if required or authorized to do so by law or in the good-faith belief that such action is necessary to comply with legal or regulatory requirements or with legal process served on us, to protect and defend our rights or property or, in urgent circumstances, to protect the personal safety of any individual.

Personal information may be accessed by third parties and by our Company offices from countries whose laws provide various levels of protection for personal data which are not always equivalent to the level of protection that may be provided in the country of operation of the Company. Where the Company transfers information internationally, the Company will take reasonable steps to ensure that information is treated securely, and the means of transfer provides adequate safeguards.

Personal information may be stored with, and managed by, a cloud service provider located in a different country to the Company office. 

When a third-party Processes Personal Data on behalf of the Company, the Company shall enter into  an appropriate processing contract with the third party to: govern the Processing relationship with the third party; ensure that the third party acts only on instructions from the Company with respect to the Processing of the Personal Data; and provide sufficient written guarantees that the third party has implemented, and is compliant with, appropriate technical, security, and organizational measures designed to protect Personal Data against (a) accidental or unlawful destruction, loss or alteration and (b) unauthorized disclosure or access. 

2. TECHNICAL, PHYSICAL, AND ORGANIZATIONAL SAFEGUARDS

‍

1. IN GENERAL

The Company protects Personal Data by applying reasonable technical, physical, and organizational safeguards designed to prevent unauthorized or unlawful access to or acquisition or disclosure of Personal Data or any accidental loss, alteration, destruction or damage to Personal Data. These safeguards take into account applicable industry standards, the practicality of the protection, and the sensitivity of the Personal Data being protected and are appropriate to the risks posed by the relevant Processing activities, including the risk of exposure to loss, theft or unauthorized use or access of Personal Data.

‍

2. PHYSICAL AND ELECTRONIC SECURITY

The Company maintains physical and electronic measures to protect Personal Data as provided in the           Company’s security policies.

3. ORGANIZATIONAL SECURITY

The Company maintains organizational measures to protect Personal Data, including:

Privacy Impact Assessments - A Privacy Impact Assessment (PIA) is designed to solicit information needed in order to ensure compliance with applicable Law, this Policy and other company policies and  standards while helping the Company avoid significant financial penalties and/or reputational damage that can result from violations of Law or Policy.

A PIA must be performed annually and submitted (or updated, if one had previously been submitted) for any new, or changes to, an existing product, service, application, system or project that involves the Processing of Personal Data.

Role-Based Access - The Company takes steps to ensure that access to Company IT systems that contain Personal Data is given only to those employees who require it in order to properly perform their role (“role based access”). For example, role-based access will be utilized for HR systems including but not limited to PeopleSoft, Cezanne and ADP, which are the primary databases containing employee Personal Data. HR employees who are granted role based access to Company HR systems are required to complete data privacy training and sign appropriate user agreements before accessing the relevant HR system.

Audit - Where required by Law or otherwise in accordance with Company practice, the Company may  conduct audits of its data Processing activities and may issue audit reports that are shared with relevant stakeholders.

4. REPORTING OF INCIDENTS

Employees should immediately (and in any case no later than 24 hours after discovery) report any actual or suspected compromise of the confidentiality, integrity, or availability of Personal Data or the systems or databases on which the Personal Data is stored, transmitted or Processed; including, but not limited to, any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or acquisition of, or access to, any Personal Data (each, an “Incident”) to the Data Protection Officer for investigation regardless of magnitude of the Incident or the type of Personal Data involved. The Data Protection Officer shall identify one or more individuals to lead the investigation of the Incident (each a “Primary Investigator”). No action may be taken to investigate the Incident until a Primary Investigator has been appointed by the Data Protection Officer. Notwithstanding the foregoing, any employee responsible for a system or database containing Personal Data that may  have been compromised shall take immediate steps to secure that system or database in accordance with relevant Company policies to ensure that any privacy risks arising as a result of the Incident are mitigated. The Data Privacy Function shall notify Incidents to the relevant supervisory authorities and  Data Subjects as may be required by Law.

3.  YOUR RIGHTS

Depending on applicable law, you may have certain rights with respect to your personal information:

• You may have the right to access, correct, update or request deletion of your personal information. 
• You can object to the processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
• You may have the right not to have a decision made about you that is based solely on automated processing, including profiling if that decision produces legal effects about you or significantly affects you.
• Similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
• You may have the right to opt-out of the sale of your personal information. Quantinuum does not sell your personal information to third parties for profit. However, we may share or otherwise disclose your personal information to third parties in accordance with this Policy and our Cookie Notice. For example, we may engage with third parties to distribute our products, provide you with technical assistance, operate website analytical tools and features, and engage in marketing and sales of our products and services. Such activities may involve the disclosure of your personal information to third parties and may be considered a “sale” of data under certain (but not all) data protection laws. 
• You have the right to complain to a data protection authority responsible for overseeing compliance with data protection law in your jurisdiction about our collection and use of your personal information if you believe our processing of your personal information does not comply with data protection law. For example, individuals in the EEA have the right to lodge a complaint with the competent Data Protection Authority, a list of which can be accessed at https://edpb.europa.eu/about-edpb/board/members_en.  We would however appreciate the chance to address your concerns, so please feel free to contact us regarding any complaint you may have.  We will not discriminate against individuals for exercising their data privacy rights.

We will facilitate your exercise of the rights that apply to you in accordance with applicable law. However, even if your personal information is not afforded protection under, or otherwise subject to, a data protection law, we may seek to accommodate any request or inquiry you may have with regard to our data processing activities. If you have questions about your rights or wish to exercise your rights, you can contact us at compliance@quantinuum.com.

4. CHILDREN’S INFORMATION

Our Sites are not directed to, and should not be used by, children under the age of sixteen (16) and we do not knowingly collect, use or sell information from such individuals. If you are a minor as understood by laws of your country, please do not submit any personal information through our Sites.

5. LINKS TO OTHER WEBSITES

Our Sites may contain links to third-party websites, products and services. We have no liability or responsibility for those websites, products and services, their policies, or their collection or other processing of your personal information. The practices of those third parties is governed by their own privacy policies. We encourage you to learn about the privacy policies of those third parties.

6. EXCEPTIONS TO THIS POLICY

Consistent with Law, the Data Protection Officer or his/her designee may make exceptions from the requirements of this Policy on a case-by-case basis. Any deviation from or exception to this Policy requires prior written approval from the Data Protection Officer or his/her designee.

7. CONCERNS AND APPEALS

The Company takes reasonable steps to permit Data Subjects to raise concerns about the manner in which it Processes Personal Data. If an Employee has a concern about the Company’s collection or Processing of Personal Data, the Employee should notify the Company’s Data Protection Officer at compliance@quantinuum.com. 

A customer or supplier may also raise concerns with the Company about how it Processes the Personal Data of that customer or supplier, which concerns will be addressed in an appropriate manner in accordance with Law. The Company business units shall provide and notify customers and suppliers of an appropriate contact mechanism for any customer or supplier who has questions about the Company’s handling of Personal Data as well as, if applicable, with the contact details of the pertinent Data Protection Officer or similar person or department responsible for the protection of their Personal  Data. 

8. REGISTRATIONS WITH NATIONAL DATA PROTECTION AUTHORITIES

The Company shall comply with the national data protection laws and regulations to which it is subject and shall make all required notifications to competent data protection authorities and/or obtain authorizations in respect to its Processing of Personal Data, as required by Law.

DEFINITIONS

Data Subject. For purposes of this Policy, Data Subject means any individual – including current and former employees, job candidates, customers, suppliers and end users of Company’s products and services – who is the subject of Personal Data.

Employee. For purposes of this Policy, “Employee” or “employee” shall include current and former regular, part-time and temporary workers, and non-traditional workers, including secondees, interns, or other temporary assignees.

Quantinuum or Company. For purposes of this Policy, Quantinuum or Company shall mean Quantinuum, its subsidiaries and affiliates, and their respective predecessors and successors.

Information Resources. For purposes of this Policy, Information Resources means Company assets used to store, Process, or transact data (e.g., media devices, portable storage devices, workstations, laptops, phones and other telecommunications devices, networks, web resources, and email).

Law. For purposes of this Policy, Law means all applicable international, national, state, provincial, and local laws and regulations.

Personal Data. For purposes of this Policy, Personal Data means any information relating to an identified or identifiable natural person in accordance with Article 4 of the GDPR or information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household in accordance with CA Civ. Code § 1798.140. An identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Personal Data shall include Sensitive Identification Data and Sensitive Personal Data.

Processing (or Process, Processes or Processed). For purposes of this Policy, Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether  or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Sensitive Identification Data. For purposes of this Policy, Sensitive Identification Data means certain types of Personal Data that pose a risk of financial, reputational, or other harm to the Data Subject if compromised, such as a national identification number (e.g., Social Security Number in the U.S., Social Insurance Number in Canada and Permanent Account Number in India), driver's license number, bank  account number, credit or debit card number, passport number and date of birth (when in combination with other data that can subject an individual to risk of identity theft), and user names and passwords for online accounts.

Sensitive Personal Data. For purposes of this Policy, Sensitive Personal Data means Personal Data that reveals race or ethnicity, political opinions, religious or philosophical beliefs, membership in a trade union, processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life and sexual orientation and criminal records.

Additional terms not defined herein can be found in the Glossary of Terms and Acronyms.

RESPONSIBILITY FOR THE POLICY:

OWNERSHIP: The Company Data Protection Officer shall serve as the policy “owner” and be responsible for future revision cycles.

POLICY CONTACT: General Counsel and Data Protection Officer

REVISION HISTORY:

Effective Date

Version

Description of Change

Section(s) Affected

15-JUL-2023

1.0

Updating to account for U.S. state and global privacy law requirements and industry best practices. 

All. 

California Privacy Policy and Notice

This privacy policy and notice for California residents applies solely to visitors, users, and individuals, who reside in the State of California (“consumers” or “you”). We have adopted this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA). The terms “business,” “business purpose”, “personal information”, “processing”, and “service provider” have the meanings given to them in the CCPA and CPRA.

Our Role 

Quantinuum (“our”, “us”, or “we”) may collect and use consumer personal information for its commercial and business purposes and related operational purposes. With respect to these activities, Quantinuum may have direct responsibilities as a business subject to the CCPA. For example, for certain activities related to direct interaction with consumers who have a direct relationship with Quantinuum, interacting with prospective/current clients, marketing, website and web application use, engaging vendors, and interacting with visitors/users of our Website. In these cases, this privacy policy is applicable.

Quantinuum also collects information in its capacity as a service provider to our clients, providing valuation, corporate finance advisory, governance, risk, investigations, disputes consulting and related services. In that case, Quantinuum receives personal information from or on behalf of our clients where we have no direct relationship with the individuals whose personal information we process, and information is provided to us solely for the business purpose of providing those services. If you are a customer or other user associated with one of our clients on whose behalf we have collected or processed your information, this privacy policy does not apply to you, and if you have questions or wish to exercise your rights relating to your personal information (such as information, access, correction or deletion), please contact that client directly.

Categories of Personal Information We Collect

The specific personal information that we collect, use, and disclose relating to a California resident covered by the CCPA and CPRA will vary based on our relationship or interaction with that individual.

In the past 12 months, we have collected, used and disclosed for business purposes, the following categories of personal information relating to California residents covered by this policy:

Category

Examples May Include

Identifiers

Name, alias, postal address, unique personal identifier, online
identifier, internet protocol address (IP Address), email address, account name, social security number, driver’s license number, passport number, or other similar identifiers

Personal Information categories described in California Customer Records statute (Cal. Civ. Code § 1798.80(e))

Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information

Protected classification characteristics under California or federal law

Age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status

Commercial information

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Internet/network activity

Browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement

Geolocation data

Physical location.

Professional or employment-related information

Current or past job history

Non-public education information (per the Family Educational Rights and Privacy Act

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student financial information

Inferences drawn from other personal information.

Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

‍

Sources of Personal Information We Collect

• Information directly from you, the consumer, that you choose to provide, when you interact with us, for example, when you communicate with us by phone, email or otherwise, register for an event, subscribe to marketing or other communications, or inquire about or purchase a product or service.
• Information we automatically collect when you interact with our website, content or emails such as your IP address and the pages you visited, and when you use our services, we may collect information on how you use those services. Please see our Website Use and Cookies Policy for additional information.
• Information provided by our clients in order for us to provide specific services as a service provider, or information from third parties, acquired at the direction of our clients in order to provide the services.
• Information from other sources, including service providers or publicly available sources.

Business Purposes

We collect personal information to offer and administer our services and products. These include valuation, corporate finance advisory, governance, risk, investigations, disputes consulting and related services. We use personal information for the following business purposes:

• To provide the products or perform services for clients pursuant to a written agreement, including contacting you in the course of our ordinary commercial relationship, maintaining and servicing client accounts, verifying client information, processing payments, or similar activities as needed to provide services for or on behalf of our clients.
• To comply with our legal, risk, or compliance obligations in operating our business, for example conducting anti-money laundering/ due diligence checks on clients, vendors, third parties, or business partners.
• For marketing purposes. For example, we may use your information to further discuss your interest in the services and to send you information regarding Quantinuum such as information about promotions, events, products or services. You may opt-out of receiving marketing communications and updates at any time.
• To improve Quantinuum’s communications with you. Emails sent to you by Quantinuum may include standard tracking, including open and click activities. Quantinuum may collect information about your activity as you interact with our email messages and related content in order to verify or maintain the quality of our communications, or improve, upgrade, or enhance the services we provide.
• For operating and improving the Quantinuum website and web applications and your customer experience, including debugging to identify and repair errors that impair existing intended functionality or to verify or maintain the quality of our website, auditing related to counting ad impressions to unique visitors and verifying positioning and quality of ad impressions, and to improve, upgrade or enhance the website services. For example, we may collect and analyze data on your use of our website and process it for the purpose of improving our online experience. Please see our Website Use and Cookies Policy for additional information.
• For security and integrity purposes, including securing Quantinuum’s network, detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity.
• For other business purposes, which will be disclosed at the time we collect personal information.

Selling/Sharing of Personal Data

In the preceding 12 months, we have not sold personal information and we have not shared personal information with a third party for cross-context behavioral advertising.

Disclosure of Personal Data for our Business Purposes

We have disclosed personal information for business purposes in the preceding 12 months to the following categories of parties:

• Our affiliates, as needed to operate our business and provide services.
• Service providers or contractors, such as vendors, consultants and other service providers who perform certain services on behalf of Quantinuum, in which case we enter a contract that describes the purpose of processing and requires the recipient to not use it for any purpose except performing the contract.
• Third parties to whom you or your agents request or authorize us to disclose your personal information in connection with products or services we provide to you.

Data Retention

Quantinuum will retain personal information for a reasonable period, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with state, local, and federal regulations, and in accordance with Quantinuum’s Document Retention Schedule (currently in progress).

Your Rights

Subject to the CCPA, CPRA and other applicable laws, you have the following rights concerning your data processed by Quantinuum:

• Deletion: You have the right to request that Quantinuum erase your personal information, and Quantinuum will erase such information unless it is reasonably necessary for Quantinuum to maintain your personal data in accordance with CCPA 1798.105 (d) or 1798.145
• Correction: You have the right to request that Quantinuum correct inaccurate personal information, taking into account the nature and purpose of processing the information.
• Access: You have the right to request to access the personal information that Quantinuum holds about you, including specific pieces of personal information Quantinuum has collected about you.
• Non-discrimination: Quantinuum will not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the CCPA or CPRA.

Contact Us

Please contact us if you wish to exercise your rights under CCPA/CPRA:

Email: compliance@quantinuum.com

Phone: (303) 469-4058 

Virginia Privacy Policy and Notice

This notice describes how we collect, use, and share your personal data in our capacity as a “Controller” under Virginia’s Consumer Data Protection Act (“CDPA”) and the rights that you have with respect to your personal data, including sensitive personal data. For purposes of this section, “personal data” and “sensitive data” have the meanings given in the CDPA and do not include information excluded from the CDPA’s scope. In general, personal data is information reasonably linkable to an identifiable person.

The Personal Data we collect about you will depend upon how you interact with our Sites and the information you voluntarily provide us. Accordingly, we may not collect all of the below information about you. In addition, we may collect and/or use additional types of information after providing notice to you and obtaining your consent to the extent such notice and consent is required by the CDPA.

To the extent that we collect Personal Data that is subject to the CDPA, that information, our practices, and your rights are described below. Persons with disabilities may obtain this notice in alternative format through any contact method at Accessibility Support.

1. What Personal Data Do We Process and Share?

Consistent with the "Information We Collect" and “How We Use Information” sections in the general privacy policy, we may collect certain categories of information about Virginia consumers (“Personal Data”). The chart below summarizes the Personal Data we process, the purposes for processing this data, the categories of personal data that we share with third parties, and the categories of third parties that we share the data with as specified in the CDPA. We do not sell personal data to third parties.

Identifiers

• Personal Data We Collect in This Categorysome text
  • Your name, phone number(s), postal address(es), and email address(es)
  • For state-regulated programs for the profession, we may collect additional identifiers to verify your identity when taking examinations as required by the state, such as your Social Security number or driver’s license
• Purpose for Processing Personal Datasome text
  • To fulfill or meet the reason for which the information was provided to us
  • To provide the services you requested
  • To manage payments, fees, and charges
  • To provide you with support and respond to your inquiries, including to investigate and address your concerns
  • To monitor and improve our responses
  • To provide you with email alerts, event registrations, and other notices concerning our products or services, or events or news that may be of interest to you
  • To report your attendance, performance, completion data, and proctored testing conditions to state oversight agencies
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations
  • To personalize your website experience
  • To improve and deliver content and product and service offerings relevant to your interests through our website, third-party sites, and via email or text messages
  • As an education and enablement service provider with consumers from middle school through professional we store this information to optimize your experience with us and assist you in achieving your lifetime and career goals.
  • Research and development
• Categories of Third Parties With Which We Share Personal Datasome text
  • Service providers such as payment processors
  • Business partners
  • Other Quantinuum businesses
  • State regulators
  • Courts of law/enforcement
  • Data analytic, intelligence, and augmentation firms

Commercial Information

• Personal Data We Collect in This Categorysome text
  • Online activity data, information about products or services purchased or considered, or other purchasing or consuming histories or tendencies to provide you with information, products, or services that you request from us and to improve them.
• Purpose for Processing Personal Datasome text
  • To provide lifelong learners information of interest and opportunities for development
• Categories of Third Parties With Which We Share Personal Datasome text
  • Service providers such as payment processors
  • Business partners
  • Other Quantinuum businesses
  • State regulators
  • Courts of law/enforcement
  • Data analytic, intelligence, and augmentation firms

Financial Information

• Personal Data We Collect in This Categorysome text
  • Bank account number, credit card number, debit card number, or any other financial information
• Purpose for Processing Personal Datasome text
  • Process payments, fees, charges, billing, and collections so that we provide you with information, products, or services that you request from us.
• Categories of Third Parties With Which We Share Personal Datasome text
  • Service providers such as payment processors
  • Business partners

Inferences

• Personal Data We Collect in This Categorysome text
  • Information from sources other than you to build a consumer profile of your preferences.
• Purpose for Processing Personal Datasome text
  • To determine how best to serve you over your lifetime, how you may achieve success when using our products, and how we may modify our offerings for the success of others.
• Categories of Third Parties With Which We Share Personal Datasome text
  • Other Quantinuum businesses

Professional or Employment Information

• Personal Data We Collect in This Categorysome text
  • Information on professional license numbers or membership information, certifications, licenses, or credentials
• Purpose for Processing Personal Datasome text
  • To assess the offerings that may assist you in maintaining your professional certification and to report continuing education to the state oversight agency for the profession.
• Categories of Third Parties With Which We Share Personal Datasome text
  • Business partners
  • Other Quantinuum businesses
  • State regulators

Sensory Information

• Personal Data We Collect in This Categorysome text
  • Your audio or voice recordings if your program is recorded as part of the delivery of services or randomly when you telephone us for quality assurance and internal review.
• Purpose for Processing Personal Datasome text
  • We retain program recordings for the benefit of other participants in the program, internal research, and quality assurance.
• Categories of Third Parties With Which We Share Personal Datasome text
  • We do not share Sensory Information with third parties.

Sensitive Data

• Personal Data We Collect in This Categorysome text
  • Your demographic information
• Purpose for Processing Personal Datasome text
  • We obtain from sources other than you demographic information to further understand our customers and personalize offerings of products or services to optimize your experience with us
• Categories of Third Parties With Which We Share Personal Datasome text
  • We do not share Sensitive Data with third parties

2. What Are My Rights?

• Right to Access Information/Correct Inaccurate Personal Datasome text
  • You have the right to request access to Personal Data collected about you and information regarding the purposes for which we collect it and the third parties and service providers with which we share it. Additionally, you have the right to correct inaccurate or incomplete Personal Information. You may submit such a request as described below.
• Right to Deletion of Personal Datasome text
  • You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you. You may submit such a request as described below. We may have a reason under the law why we do not have to comply with your request or why we may comply in a more limited way than you anticipated. If we do, we will explain that to you in our response.
• Right to Opt Out of Sale of Personal Data to Third Partiessome text
  • You have the right to opt out of any sale of your Personal Data by Quantinuum to third parties at “Opt Out of Sale of Personal Data and Targeted Advertising.” We do not sell Personal Data to third parties for their own direct marketing purposes.
• Right to Portabilitysome text
  • You have the right to request a copy of the Personal Data that you previously provided to us as controller in a portable format. Our collection, use, disclosure, and sale of Personal Information is described in our Privacy Policy.
• Right to Opt Out of Targeted Advertisingsome text
  • You have the right to opt out of Targeted Advertising based on your Personal Data obtained from your activities over time and across websites or applications.
• Right to Opt Out of Profilingsome text
  • You have the right to opt out of having your personal data processed for the purpose of profiling in the furtherance of decisions that produce legal or similarly significant effects concerning you.
• Right to Appealsome text
  • If we decline to take action in any request that you submit in connection with the rights described in the above sections, you may ask that we reconsider our response by sending an email to the same email box (referenced in section below) from which you receive the decision. You must ask us to reconsider our decision within 45 days after we send you our decision.

3. How Do I Exercise My Rights?

You may submit a request to exercise your rights above by emailing us and identifying the business or Site you interacted with. If you choose to send an email, please help us locate your data by including information about the website(s) you interacted with when you provided your information and any email address you used to create your account.

Privacy Request Contact Information

Email: compliance@quantinuum.com

Phone: (303) 469-4058 

SPECIAL NOTICE FOR COLORADO RESIDENTS

This Special Notice for Colorado Residents supplements the general Privacy Policy and applies only to individuals who are Colorado residents. This Special Notice is not applicable to Colorado job applicants or personnel.

This notice describes how we collect, use, and share your personal data in our capacity as a “Controller” under Colorado’s Privacy Act (“CPA”) and the rights that you have with respect to your personal data, including sensitive personal data. For purposes of this section, “personal data” and “sensitive data” have the meaning given in the Colorado Privacy Act and do not include information excluded from the CPA’s scope.

The personal data we collect about you will depend upon how you interact with our Sites and the information you voluntarily provide us. Accordingly, we may not collect all of the below information about you. In addition, we may receive information about you from other sources (such as firms that use public data to make predictions) or we may collect and/or use additional types of information after providing notice to you and obtaining your consent to the extent such notice and consent is required by the CPA.

To the extent that we collect personal data subject to the CPA, that information, our practices, and your rights are described below. Persons with disabilities may obtain this notice in alternative format through any contact method at compliance@quantinuum.com  

1. WHAT PERSONAL DATA DO WE COLLECT, PROCESS, AND SHARE?

Consistent with the "Information We Collect" and “How We Use Information” sections in the general privacy policy, the below information provides additional detail about certain information that is linked or reasonably linkable to an identified or identifiable individual consumer (“Personal Data”) we process, the purposes for processing this data, and the Personal Data that we share with third parties as defined by the CPA. Please carefully review the general privacy policy for complete information about Quantinuum’s data privacy practices.

Personal Data We Collect

Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information.

We collect your name, phone number(s), postal address(es), and email address(es).

We collect online activity data, information about products or services purchased or considered, or other purchasing or consuming histories or tendencies to provide you with information, products, or services that you request from us and to improve them.

Our service providers collect a bank account number, credit card number, debit card number, or any other financial information you submit to process payment.

For state-regulated programs for the profession, we may collect personal data to authenticate your identity when taking examinations as required by the state, such as your Social Security number or driver’s license. We collect information on professional license numbers or membership information, certifications, licenses, or credentials.

Purpose for Processing Personal Data: To fulfill or meet the reason for which the information was provided to us; To provide the services you requested; To manage payments, fees, and charges; To provide you with support and respond to your inquiries, including to investigate and address your concerns; To monitor and improve our responses; To assess the offerings that may assist you in maintaining your professional certification and to report continuing education to the state oversight agency for the profession; To provide you with email alerts, event registrations, and other notices concerning our products or services or events or news that may be of interest to you; To report your attendance, performance, completion data, and proctored testing conditions to state oversight agencies; To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations; To personalize your website experience; To improve and deliver content and product and service offerings relevant to your interests through our website, third-party sites, and via email or text messages; As an education and enablement service provider with consumers from middle school through professional we store this information to optimize your experience with us and assist you in achieving your lifetime and career goals; and Research and development.

Third Parties with Which We Share Personal Data: Service providers such as payment processors; Business partners; State regulators; Courts of law/enforcement; and data analytic, intelligence, and augmentation firms.

Profiling Information We Collect

Profiling Information means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. We may collect information from sources other than you to build a consumer profile of your preferences. We do not profile as defined by the Colorado Privacy Act. Any details about consumer preferences, if compiled, is to understand your preferences for services we offer and not used for any automated decision making that would produce legal or similarly significant effects concerning you.

Purpose for Processing Profiling Information: To determine how best to serve you over your lifetime, how you may achieve success when using our products, and how we may modify our offerings for the success of others.

Third Parties with Which We Share Profiling Information: Quantinuum business partners and affiliates.

Sensitive Data We Collect

Sensitive data means personal data that includes data revealing (A) racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) genetic or biometric data for the purpose of uniquely identifying an individual, or (C) personal data from a known child.

We may collect age as defined as sensitive data by the CPA. We may collect other demographic information from sources other than you (such as firms that use public data to make predictions). We do not collect personal data from a known child.

Purpose for Processing Sensitive Data: We collect age to comply with the law. We obtain demographic information from sources other than you to further understand our customers and personalize offerings of products or services to optimize your experience with us.

Third Parties with Which We Share Sensitive Data: We do not share Sensitive Data with third parties.

2. WHAT ARE MY RIGHTS?

Right to Access Information/Correct Inaccurate Personal Data

You have the right to request access to Personal Data collected about you and information regarding the purposes for which we collect it and the third parties and service providers with which we share it. Additionally, you have the right to correct inaccurate or incomplete Personal Data. You may submit such a request as described below.

Right to Obtain a Copy of Personal Data

You have the right to request a copy of the Personal Data that you previously provided to us as controller in a portable format no more than two times per calendar year. Our collection, use, disclosure, and sale of Personal Data is described in our Privacy Policy.

Right to Deletion of Personal Data

You have the right to request in certain circumstances that we delete any Personal Data that we have collected directly from you or from a third party. You may submit such a request as described below. We may have a reason under the law why we do not have to comply with your request or why we may comply in a more limited way than you anticipated. If we do, we will explain that to you in our response.

Right to Opt Out

You have the right to opt out of processing personal data for the purposes of and as defined by the CPA: (A) Targeted Advertising based on your Personal Data obtained from your activities over time and across websites or applications; or (B) The Sale of Personal Data to third parties. We do not profile as defined by the Colorado Privacy Act. You may submit a request to exercise your right to opt out of Targeted Advertising by emailing compliance@quantinuum.com. You may submit a request to opt out of the sale of your Personal Data by Quantinuum to third parties by emailing compliance@quantinuum.com.

Right to Appeal

If we decline to take action in any request that you submit in connection with the rights described in the above sections, you may ask that we reconsider our response by sending an email to the same email box (referenced in section below) from which you receive the decision. You must ask us to reconsider our decision within 45 days after we send you our decision. You may contact the Attorney General if you have concerns about the appeal.

3. HOW DO I EXERCISE MY RIGHTS?

You may submit a request to exercise your rights above by emailing us and identifying the business or Site you interacted with. If you choose to send an email, please help us locate your data by including information about the website(s) you interacted with when you provided your information and any email address you used to create your account.

Privacy Request Contact Information

Email: compliance@quantinuum.com 

AUTHENTICATION PROCESS

To protect consumers’ Personal Data and to comply with the CPA, we will use an authentication process to confirm your identity before we act on your request. You or your authorized agent may make an authenticated consumer request related to your Personal Data. If you use an authorized agent to submit a request on your behalf, we may require that you (1) provide the authorized agent written permission to do so and (2) provide us a copy of the authorization or a copy of a power of attorney.

In authenticating requests, we employ reasonable measures to detect fraudulent requests and prevent unauthorized access to your personal information. To meet our obligations, we are required to authenticate your identity and the identity of your authorized agent, if the request is submitted via an agent, by associating the information provided in your request to personal data previously collected by us.

If we suspect fraudulent or malicious activity on or from the password-protected account, we may decline a request or request that you provide further authenticating information.

Making an authenticated consumer request does not require you to create an account with us. We will only use personal data provided in an authenticated consumer request to authenticate your identity or authority to make the request.

European Union/United Kingdom Privacy Rights Notice

This Privacy Policy Addendum supplements the Privacy Policy above and describes additional rights of residents of the European Union (EU) or United Kingdom (UK).

Data Protection Officer 

We have delegated authority to our Associate General Counsel of Compliance to serve the role of Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. 

Email: compliance@quantinuum.com 

If you are located in the EU, EEA, Switzerland or UK you have the right to lodge a complaint with an EU or the UK Supervisory Authority. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.

International Transfers

Personal Data may be transferred to or processed in locations outside of the European Economic Area (EEA), some of which have not been determined by the European Commission to have an adequate level of data protection. In that case, for personal data subject to European data protection laws, we take commercially reasonable measures designed to provide the level of data protection required in the EU, including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission, or another adequate transfer mechanism. 

Storage and Retention of your Personal Data

We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. Please contact us at compliance@quantinuum.com if you would like more information.

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your working relationship with us.

In some circumstances we may anonymize your Personal Data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your rights as a data subject

Under certain circumstances, by law you have the right to:

• Request access to your Personal Data (commonly known as a "data subject access request"). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing (see below).
• Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your Personal Data for direct marketing purposes.
• Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your Personal Data to another party. If you want to review, verify, correct or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, please contact us at compliance@quantinuum.com.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.

No fee usually required

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Your right to withdraw consent

In circumstances where you may have provided your consent to the collection, processing and transfer of your Personal Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. You have the right to withdraw consent to marketing by following the opt-out links on any marketing message. To withdraw your consent for another circumstance, please contact us at compliance@quantinuum.com. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.