Privacy Policy
Last updated: February 2026
Table of Contents
- 1. Introduction and Data Controller
1.1 Identification of the Controller
1.2 Commitment to Privacy
1.3 Data Protection Officer (DPO)
1.3.1 DPO Duties
1.3.2 DPO Contact Details
1.3.3 Confidentiality
- 2. Types of Personal Data Collected
2.1 Contact and identification data
2.2 Financial and billing data
2.3 Payment method data
2.4 Professional and academic data
2.5 Availability and job preference data
2.6 Sensitive data (processed with special protection)
2.7 Automatically generated data
- 3. Purpose of Processing
3.1 Generation and optimization of professional profiles
3.2 Connection between candidates and recruiters
3.3 Administrative management, billing and charges
3.4 Continuous improvement of the service
3.5 Legal compliance and security
3.6 Sensitive data (disability, work permit, etc.)
- 4. Legal Basis for Processing
4.1 Consent of the data subject (Article 6(1)(a) and 9(2)(a) GDPR)
4.2 Performance of a contract (Article 6(1)(b) GDPR) and Compliance with a legal obligation (Article 6(1)(c) GDPR)
4.3 Legitimate interest (Article 6(1)(f) GDPR)
- 5. User Rights under the GDPR
5.1 Right of access
5.2 Right to rectification
5.3 Right to erasure (“right to be forgotten”)
5.4 Right to restriction of processing
5.5 Right to data portability
5.6 Right to object
5.7 Rights related to consent
5.8 Rights related to sensitive data
- 6. Data Security and Retention
6.1 Security Measures
6.2 Data Retention
6.3 Secure Deletion
6.4 Confidentiality Commitment
- 7. Changes to the Privacy Policy
- 8. Data recipients
- 9. International data transfers
- 10. Use of AI and Data Protection
10.1 Purpose of using Mistral AI
10.2 Protection Measures
10.3 Transparency and User Control
10.4 Alignment with Mistral AI Policies
10.5 Shared Responsibility
- 11. Use of the Platform by Minors
1. Introduction and Data Controller
1.1 Identification of the Responsible Party
Novense Quantum AI SL (hereinafter, “Novense”, “we” or “the company”) is the controller of the personal data collected through the professional profile generation and recruiter connection platform (hereinafter, “QIU”).
Company name: Novense Quantum AI SL, with registered office for legal purposes at C/ Suero de Quiñones, 34-36 1st Floor, 28002 Madrid.
Privacy contact email: gdpr@qiu.live
1.2 Commitment to Privacy
At Novense, the privacy and protection of users’ personal data (both candidates and recruiters) is a priority. The company undertakes to process data in accordance with the General Data Protection Regulation (hereinafter, “GDPR”) and the applicable data protection legislation.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (known as the GDPR).
- Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights (LOPDGDD), which adapts the GDPR to the Spanish legal framework.
1.3 Data Protection Officer (DPO)
In compliance with the GDPR and given the nature and scale of the personal data processing carried out by the company, including the processing of special categories of data such as disability information, a Data Protection Officer (DPO) has been appointed.
1.3.1 DPO Duties
The DPO is responsible for:
- Monitoring compliance with data protection regulations within the organization.
- Advising the company and its employees on the obligations arising from the GDPR and other applicable regulations.
- Acting as a point of contact between the company, users and the data protection authority.
- Managing users’ requests to exercise their rights (access, rectification, erasure, portability, objection and restriction of processing).
- Carrying out and supervising Data Protection Impact Assessments (DPIA) when necessary.
1.3.2 DPO Contact Details
For any request or concern related to the processing of personal data, you can contact the DPO through:
1.3.3 Confidentiality
All information provided to the DPO will be treated confidentially and will be used solely to fulfill their legal responsibilities.
2. Types of Personal Data Collected
At Novense, the following personal data is collected and processed from users registered on QIU, both candidates and recruiters, for the purpose of generating professional profiles and facilitating connection with job opportunities:
2.1 Contact and identification data:
- First and last name
- Email address
- Mobile phone number
2.2 Financial and billing data
Data necessary for the administrative, accounting and tax management of contracted services, including:
- Identification data of the invoice holder
- Tax address
- Information related to invoicing and the payment method used
2.3 Payment method data
If payments are made through the platform, the essential data for managing the charge will be processed through:
- Credit or debit cards
- PayPal or other electronic payment platforms
QIU does not store full bank card details under any circumstances. Payments are managed through secure payment platforms that comply with the PCI-DSS security standard, and those platforms are responsible for processing payment data in accordance with their own privacy policies.
2.4 Professional and academic data
- Work experience (employment history, roles held, companies, dates)
- Academic education (degrees, educational institutions, dates)
- Special skills and professional competencies
- Language levels
- Expected salary range
The data necessary for profile creation and service provision is mandatory. Refusal to provide it will prevent proper use of QIU.
2.5 Availability and job preference data
- Availability to start
- Geographic preferences or work modality preferences (on-site, remote, hybrid)
2.6 Sensitive data (processed with special protection)
- Degree of disability
- Work permit in the country of the job offer (yes/no)
Sensitive data is always voluntary.
2.7 Automatically generated data
- Access data, logs, device identifiers and browsing data.
- Browsing data is processed in accordance with QIU’s Cookie Policy, permanently available on the website.
Important note on sensitive data: The processing of health-related data (such as degree of disability, Article 9 GDPR) is carried out only with the user’s explicit consent and is strictly limited to the purpose of adapting job offers to their specific needs, without sharing this information with third parties outside QIU.
3. Purpose of Processing in QIU
At Novense, the personal data of candidates and recruiters is processed exclusively for the following purposes, always with users’ informed consent and in compliance with applicable regulations:
3.1 Generation and optimization of professional profiles
The data provided by users (work experience, education, skills, preferences, etc.) is used to generate and optimize professional profiles through artificial intelligence agents connected to an external provider, which will be identified later in this privacy policy. In this way, it is ensured that this privacy policy is aligned with the policy provided by that provider, ensuring maximum transparency and consistency in the processing of personal data.
Likewise, the data provided by users through their direct interaction with the AI agent, as well as the transcripts of conversations between recruiters and candidates, are used to generate and optimize professional profiles. This data makes it possible to adapt profiles more precisely to each user’s competencies, interests and expectations, always ensuring the protection of their privacy and the responsible use of the information.
The objective is to facilitate the creation of tailored and relevant CVs for the job opportunities available.
3.2 Connection between candidates and recruiters
- The generated profiles are made available to recruiters registered in QIU, in order to facilitate talent search and the adaptation of job offers to candidates’ specific needs.
- Candidate profile data may be accessible by recruiters registered on the platform for the purpose of managing selection processes and/or professional contact. In such cases, recruiters will process the data in accordance with their own responsibilities regarding data protection and their purposes, and must inform the candidate when applicable.
3.3 Administrative management, billing and charges
The personal data provided by the user described in sections 2.2 and 2.3 of this policy will be processed for the following purposes:
- Managing the contractual relationship and the provision of the services offered by QIU.
- Managing billing, charges and payments for the contracted services.
- Complying with applicable legal obligations in tax, accounting and administrative matters.
- Handling inquiries, requests or incidents raised by the user.
3.4 Continuous improvement of the service
- We analyze anonymized and aggregated data to optimize the user experience, improve the accuracy of generated profiles and develop new functionalities.
- QIU uses third-party cookies for analytical and measurement purposes, based on external analytics tools, in order to obtain statistical information about platform usage, analyze users’ aggregated behavior and evaluate the performance and effectiveness of advertising campaigns and dissemination actions carried out, enabling measurement, tracking and optimization of such campaigns and of the platform itself.
3.5 Legal compliance and security
- Processing personal data through the use of QIU’s own technical and functional cookies, necessary to ensure the proper functioning of QIU, enable session management and user authentication, strengthen system security and prevent unauthorized or fraudulent access, and remember and apply user preferences such as language or certain usage settings.
3.6 Sensitive data (disability, work permit, etc.)
- Sensitive data, such as degree of disability or work permit, is processed only when the user voluntarily provides it and exclusively for the purpose of adapting job offers to their needs. At no time will it be used for discriminatory automated decisions.
- This data is not shared outside QIU and is subject to enhanced protection measures.
Transparency note: Under no circumstances is personal data used for purposes other than those described, unless there is the user’s explicit consent or a legal obligation.
4. Legal Basis for Processing
The processing of personal data in QIU is always carried out on a clear legal basis and in accordance with the GDPR. Below are the legal bases applicable to each purpose:
4.1 Consent of the data subject (Article 6(1)(a) and 9(2)(a) GDPR)
- Generation of professional profiles and connection with recruiters: The processing of candidates’ personal data (including work experience, education, skills, salary preferences, availability, languages, and, when voluntarily provided, sensitive data such as degree of disability or work permit) is based on the user’s freely given, specific, informed and unambiguous consent, granted when registering on QIU and completing their profile.
- Sensitive data: The processing of special categories of data (such as degree of disability) requires additional explicit consent, which the user can grant or withdraw at any time from their profile, by contacting the user support channels provided by the company or by making an explicit request to the DPO.
4.2 Performance of a contract (Article 6(1)(b) GDPR) and Compliance with a legal obligation (Article 6(1)(c) GDPR)
- The performance of a contract to which the data subject is a party.
- The provision of the profile generation services and connection with job opportunities requires processing certain personal data (such as name, contact details, work experience and education). This legal basis applies when processing is necessary for the performance of the contract between Novense and the user (candidate or recruiter).
- The processing of billing and transaction data is based on the performance of the contract (service provision) and on compliance with legal obligations in tax and accounting matters when applicable.
- The consent of the data subject, where legally required.
- In exceptional cases, we process personal data to comply with applicable legal obligations (for example, data retention to comply with tax or judicial regulations).
4.3 Legitimate interest (Article 6(1)(f) GDPR)
- Legitimate interest is used as the legal basis for internal service improvement activities, analysis of aggregated and anonymized usage of QIU, and ensuring system security and functionality. In these cases, we carry out a balancing test to ensure that our legitimate interests do not override users’ fundamental rights and freedoms.
- Users may object to processing based on legitimate interest at any time.
5. User Rights under the GDPR
In QIU, it is guaranteed that all users (candidates and recruiters) can fully exercise their rights over their personal data as detailed below:
5.1 Right of access
The user has the right to request a copy of the personal data we process about them, as well as information about the purpose of the processing, the categories of data, the recipients and the retention period.
5.2 Right to rectification
The user may request the correction of their personal data if it is inaccurate or incomplete.
5.3 Right to erasure (“right to be forgotten”)
The user may request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, or when they withdraw their consent.
5.4 Right to restriction of processing
The user has the right to request that the processing of data be restricted in certain circumstances (for example, while verifying the accuracy of the data or determining the lawfulness of the processing).
5.5 Right to data portability
You may receive your personal data in a structured, commonly used and machine-readable format, and transmit it to another controller where the processing is based on consent or on a contract.
5.6 Right to object
The user may object to the processing of their personal data based on Novense’s legitimate interest, including profiling.
The right to object will not apply to processing that is necessary for the performance of the contract or for providing QIU’s main service, including the generation and optimization of professional profiles, without which the service could not be provided. If the user objects to such essential processing, Novense may proceed to suspend or cancel the user’s account.
5.7 Rights related to consent
For processing based on consent (such as the use of sensitive data), consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to the withdrawal.
5.8 Rights related to sensitive data
If sensitive data has been provided (such as degree of disability), you may request specific information about its use and protection, as well as its deletion at any time.
How to exercise your rights
To exercise any of these rights, you can:
- Access your profile on the platform and modify or delete your data directly.
- Send a request to gdpr@qiu.live, indicating the right you wish to exercise and providing the information necessary to identify yourself.
- Contact our DPO at dpo@qiu.live for any questions or complaints related to data protection.
- If you believe that the processing of personal data infringes the regulations, you may file a complaint with the Spanish Data Protection Authority (www.aepd.es).
Response deadline: We will handle your request within a maximum of 30 days from receipt, except in exceptional cases requiring a justified extension.
6. Data Security and Retention
6.1 Security Measures
At Novense, advanced technical and organizational measures are implemented to protect our users’ personal data against unauthorized access, loss, destruction or accidental alteration. These measures include:
- Data encryption: All personal data is transmitted and stored in encrypted form, using secure protocols (TLS/SSL).
- Restricted access: Only authorized staff and recruiters registered on QIU can access the data, according to their role and specific needs.
- Robust authentication: We use multi-factor authentication systems to access sensitive areas of the platform.
- Periodic audits: Systematic security assessments and vulnerability analyses are carried out in order to ensure the integrity of the systems. Likewise, the company requires its contracted technology providers to carry out security assessments and vulnerability testing on their services, placing particular value on their availability and compliance with information security standards such as ISO/IEC 27001, NIST or PCI DSS.
- Protection of sensitive data: Specially protected data (such as degree of disability) is subject to additional security measures and is only accessible for specific purposes and with explicit consent.
- Likewise, based on the security and personal data protection policies of its service providers and the contractual agreements signed with them, there is a commitment to notify any personal data security breach that could affect the processing carried out, in accordance with Articles 33 and 34 GDPR.
6.2 Data Retention
Personal data is retained for as long as necessary to fulfill the purposes described in this policy, unless the law requires a longer retention period. Specifically:
- Candidate and recruiter data: Retained while the user keeps their account active in QIU. After account closure or a deletion request, the data is erased within a maximum period of 30 days, unless there are legal obligations requiring its retention (for example, billing or tax compliance).
- Transaction data and evidence of operation (if applicable): will be retained for the periods necessary to meet legal obligations (tax and accounting), manage claims and address liabilities arising from the service.
- Logs and security records: will be retained for the time strictly necessary for security, fraud prevention and technical audit, applying minimization criteria and periodic review.
- Sensitive data (disability, work permits, etc.): deleted immediately upon the user’s request or when the user closes their account, unless retention is required by law.
In all cases, the periods are established in accordance with the storage limitation principle and the controller’s accountability.
6.3 Secure Deletion
When data is no longer necessary, it is securely and permanently deleted, ensuring it cannot be recovered or reconstructed.
6.4 Confidentiality Commitment
All Novense staff and external collaborators are subject to strict confidentiality obligations and have received training in data protection and GDPR.
7. Changes to the Privacy Policy
Novense reserves the right to update or modify this Privacy Policy at any time to adapt it to legislative, case-law, technical or business model changes. Any modification will be communicated to users as follows:
- Email notification: A notice will be sent to the email address registered in QIU, informing about the changes made and the effective date.
- Publication on QIU: The updated version of the policy will always be available on the website and in the “Settings” or “Privacy” section of the platform, with the date of the last update clearly indicated.
- Explicit consent for significant changes: If changes substantially affect users’ rights or the way their personal data is processed (for example, new processing purposes or disclosure to third parties), new explicit consent will be requested before applying such changes.
Validity and acceptance: Continued use of QIU after the changes take effect implies acceptance of the new Privacy Policy. If you do not agree with the changes, you may exercise your rights to object, erase or port your data, or close your account at any time.
Version history: A record of previous versions of this policy will be kept, available upon request at gdpr@qiu.live.
8. Data recipients
Depending on the purpose of processing, the following categories may access personal data:
- Recruiters registered in QIU, for managing selection processes and professional contact.
- Service providers necessary for the proper functioning of QIU’s activity, in particular technology and hosting service providers that host the infrastructure where personal data is stored.
These providers act as processors, accessing the data only for the provision of the contracted service and following Novense’s instructions, and such access does not constitute a data disclosure.
Novense has entered into the corresponding data processing agreements with these providers, in accordance with Article 28 of Regulation (EU) 2016/679.
- Financial institutions and payment platforms (for example, card payment gateways or PayPal), exclusively for proper charge management.
- Public administrations and competent bodies, in compliance with legal obligations.
These third parties will act as processors or independent controllers, as applicable, ensuring compliance with current data protection regulations.
9. International data transfers
Personal data is processed entirely within the European Economic Area.
No international data transfers to third countries are carried out.
- Processing location:
- Hosting: Spain (Madrid)
- AI / processor: France (EU)
If, due to the nature of technology or payment providers, international data transfers outside the European Economic Area are carried out, Novense will inform users and will apply the appropriate safeguards provided for in the GDPR (for example, an adequacy decision or standard contractual clauses), indicating the means to obtain a copy of the safeguards or where they have been made available.
10. Use of AI and Data Protection
At Novense, Mistral AI models are used to generate and optimize professional profiles in QIU, always under strict privacy and data protection safeguards aligned with Mistral AI’s policies and the GDPR.
10.1 Purpose of using Mistral AI
- Candidates’ personal data (work experience, education, skills, etc.) is sent to Mistral AI exclusively to generate and improve professional profiles, adapting them to the needs of the labor market.
- The data is not used to train Mistral AI models without the user’s explicit consent, nor is it shared with third parties outside QIU.
Legal Center | Mistral AI
- The user has the right at all times to modify the AI-modeled profiling, to request human intervention, to express their point of view and to contest decisions in accordance with Article 22 GDPR.
10.2 Protection Measures
- Data minimization: Only the data necessary for profile generation is sent to Mistral AI, avoiding the processing of irrelevant information.
- Anonymization and pseudonymization: Wherever possible, data is processed so it does not allow direct identification of the user.
- Data protection agreements: Mistral AI complies with the GDPR and applies technical and organizational safeguards to ensure confidentiality and data security, including selecting providers within the EU and applying contractual clauses that comply with Article 46 GDPR. https://legal.mistral.ai/terms/privacy-policy
10.3 Transparency and User Control
- Users are clearly informed about the use of Mistral AI in the profile generation process, in this policy and at the time they register their data.
- Users may request specific information about how their data is processed through Mistral AI, and may exercise their rights of access, rectification, erasure or objection at any time by contacting gdpr@qiu.live.
10.4 Alignment with Mistral AI Policies
- Novense follows Mistral AI’s privacy guidelines, including:
- Not using users’ data to train AI models without consent.
- Ensuring that sensitive data (such as degree of disability) is not processed or stored beyond the specific purposes authorized by the user.
- Facilitating the exercise of users’ rights under the GDPR, including the right to data portability and data erasure.
10.5 Shared Responsibility
- Novense acts as the controller of personal data, while Mistral AI, through its hosting and infrastructure, acts as a processor in the context of profile generation, under an agreement that ensures GDPR compliance and data protection.
legal.mistral.ai
11. Use of the Platform by Minors
QIU is not directed at minors under 16 years of age.
Novense does not knowingly collect personal data from minors of that age nor allow their registration or use of the services offered.
If registration or use of QIU by a minor under 16 years of age is detected, Novense will immediately delete the account and the associated personal data, without prejudice to any applicable legal obligations.