Legal · Pre-Launch

Privacy Policy

How we collect, use, and protect your data

1. Introduction

Coming Soon

Project Lyra is currently in pre-launch. The Quantum Bridge platform is not yet generally available, and the practices described in this policy will take full effect when the Service launches. Until then, the only personal data we collect is the information you voluntarily provide when you join our waitlist (such as your name, work email address, and organization). We will notify waitlist members in advance of launch so they can review this policy before signing up for the Service.

Project Lyra, Inc. ("Project Lyra," "we," "us," or "our") operates the Quantum Bridge platform — a B2B SaaS service that routes quantum workloads across Origin Pilot (China), Amazon Braket (Western QPU providers), and classical high-performance computing backends. Our customers are enterprises, research institutions, and developers who need a single, unified interface for hybrid and cross-jurisdictional quantum computing.

This Privacy Policy explains what information we collect when you use the Project Lyra platform, how we use it, with whom we share it, and the rights you have over it. Because Project Lyra operates at the intersection of classical cloud infrastructure and quantum hardware spanning multiple legal jurisdictions, we take special care to document the flow of your data and circuits across providers.

This policy applies to projectlyra.io (including the waitlist signup), the Project Lyra API, the Project Lyra CLI, the Project Lyra SDKs, and any associated dashboards or customer portals (collectively, the "Service"). By using the Service or joining the waitlist, you agree to the practices described in this policy.

Who this policy covers

Project Lyra is a business-to-business product. Our "users" are typically individuals acting on behalf of a customer organization under a master services agreement. Where the customer organization is the data controller, Project Lyra acts as a data processor for the workloads, quantum circuits, and execution results submitted through the Service.

2. Information We Collect

We collect only the data we need to provide, secure, bill, and improve the Service. The categories below describe what we collect and why.

Waitlist Information

  • Contact details: the name, work email address, organization, and optional role/use case you submit to join the waitlist ahead of launch.
  • Communication preferences: whether you have opted in to product updates and launch announcements.

Account Information (post-launch)

  • Identity: full name, work email address, and role/title.
  • Organization: company name, billing address, tax identifiers, and the names of authorized team members you invite.
  • Credentials: hashed passwords, API keys, SSO metadata (e.g., SAML assertions), and multi-factor authentication secrets.

Usage Data

  • Quantum tasks: metadata about circuits you submit, including qubit count, gate depth, shot count, target backend, and estimated cost.
  • Algorithm telemetry: which algorithms, templates, or SDK modules you invoke (e.g., VQE, QAOA, Grover, custom pulse programs).
  • Job lifecycle events: submission, queuing, dispatch, execution, completion, failure, and cancellation timestamps.
  • Dashboard activity: pages viewed, features used, and actions taken within the customer portal.

Technical Data

  • Network: IP address, approximate geolocation (country/region), and ISP.
  • Device and client: browser type and version, operating system, SDK version, CLI version, and user-agent string.
  • Diagnostics: crash reports, error traces, performance metrics, and request latency.

Payment Information

Once the Service launches, payments for QPU usage, subscription tiers, and overages will be processed by Stripe, Inc. Project Lyra does not store full payment card numbers on its servers. We retain only a tokenized reference, the card brand, the last four digits, and the billing country for reconciliation, tax calculation, and fraud prevention. Stripe's own privacy notice governs the raw payment data. No payment information is collected during the pre-launch waitlist phase.

3. How We Use Your Data

We process your information to operate the Quantum Bridge and to fulfill our contractual commitments to you. Specifically, we use your data to:

  • Provide the Quantum Bridge service — authenticate you, accept circuit submissions, and return results.
  • Route workloads to optimal backends — our scheduler evaluates each task against latency, price, qubit topology, fidelity, and jurisdictional constraints to dispatch it to Origin Pilot, Amazon Braket, or classical simulators.
  • Bill for QPU usage — calculate per-shot and per-second charges, issue invoices, and remit usage-based fees to upstream providers.
  • Improve the platform — analyze aggregated usage patterns to tune the scheduler, reduce queue times, and prioritize new features.
  • Security and fraud prevention — detect abuse, prevent denial-of-service, block circuits that attempt to exfiltrate data, and investigate suspicious activity.
  • Communicate with you — send service announcements, incident notifications, billing receipts, and (with your consent) product updates.
  • Comply with legal obligations — including export-control reviews, tax reporting, and responses to lawful requests from authorities.

We do not use your quantum circuits, results, or business data to train machine learning models without explicit, opt-in consent from your organization.

4. Quantum Data Handling

Quantum workloads are fundamentally different from conventional cloud data: a circuit often encodes proprietary research, trade secrets, or sensitive optimization targets. Project Lyra is engineered to treat every circuit as confidential by default.

Transmission to QPU Providers

When you submit a circuit, Project Lyra serializes it (typically as OpenQASM 3, Braket IR, or Origin Pilot's native format), encrypts it in transit with TLS 1.3, and forwards it to the selected backend over the provider's authenticated API. Project Lyra's bridge workers hold the circuit in memory only long enough to translate, validate, and dispatch it; they do not write unencrypted circuit bodies to durable storage.

Tenant Isolation

  • Every circuit, job, and result is tagged with an immutable tenant identifier and stored in logically isolated namespaces.
  • Row-level security and signed request envelopes prevent any tenant from reading or enumerating another tenant's jobs.
  • Compute workers are ephemeral and scoped to a single job; they are destroyed after execution.

Results Handling and Storage

Measurement outcomes, expectation values, and error statistics returned by the QPU provider are encrypted at rest with AES-256 and stored against your tenant. You can retrieve, export, or delete your results at any time via the API or dashboard. By default, results are retained for 90 days, after which they are automatically deleted unless you have configured longer retention under an enterprise agreement.

Zero-knowledge note

For customers subject to heightened confidentiality requirements, Project Lyra offers a client-side encryption mode in which circuit bodies are encrypted with a customer-held key before they leave your environment. In this mode, Project Lyra sees only the encrypted blob and routing metadata, and only the target QPU provider can decrypt the circuit for execution.

5. Data Sharing

We share your data only with the parties necessary to operate the Service. We do not sell, rent, or trade personal information, quantum circuits, or results to third parties under any circumstance.

  • Amazon Web Services / Amazon Braket — receives circuits routed to Western QPU providers (IonQ, Rigetti, IQM, QuEra, and Braket simulators). AWS processes this data under the AWS Customer Agreement and its own data protection addendum.
  • Origin Quantum Computing Technology Co., Ltd. — receives circuits routed to Origin Pilot superconducting processors. Origin processes this data under our commercial agreement and the applicable laws of the People's Republic of China.
  • Stripe, Inc. — processes payment card and bank transfer data on our behalf.
  • Infrastructure providers — a limited set of vetted subprocessors provide hosting, logging, email delivery, error monitoring, and customer support tooling. A current list is available on request.
  • Professional advisors — auditors, lawyers, and accountants bound by confidentiality obligations.
  • Legal authorities — where required by a valid subpoena, court order, or equivalent legal process, and only to the extent strictly necessary.
  • Corporate transactions — in connection with a merger, acquisition, or sale of assets, subject to the continued protection of this policy.

6. International Data Transfers

Project Lyra exists precisely to bridge East and West. That means your data — and specifically your quantum circuits — may cross international borders as part of ordinary Service operation.

  • Transfers to China: Jobs routed to Origin Pilot are transmitted to Origin Quantum's data centers in the People's Republic of China. These transfers are governed by Standard Contractual Clauses and supplementary technical measures where applicable.
  • Transfers to AWS regions: Jobs routed to Amazon Braket execute in the AWS region selected by Project Lyra's scheduler, typically us-east-1, us-west-2, or eu-west-2.
  • Classical compute: Simulators and pre/post-processing run in Project Lyra's primary regions (currently EU and US).

Your Controls

You decide how far your data travels. Project Lyra exposes per-project and per-job routing controls:

  • Geo-fence: restrict a project to Western providers only, Chinese providers only, or classical simulators only.
  • Allow-list: specify exactly which backends (e.g., braket.ionq.aria-1, origin.wukong) are eligible.
  • Residency tags: pin result storage to a specific region (EU, US, or APAC).

Where the law of a destination country does not offer protections equivalent to those of your home jurisdiction, we rely on contractual safeguards, encryption in transit and at rest, minimization of transferred metadata, and the explicit routing consents configured in your account.

7. Data Retention

We retain personal and usage data only as long as needed for the purposes described in this policy:

  • Waitlist data: retained until the Service launches and you convert to an account, or until you ask us to remove you, whichever comes first.
  • Account data: for the lifetime of your account, plus 30 days after closure to allow for recovery.
  • Job metadata and results: 90 days by default, configurable up to 7 years under enterprise contracts.
  • Billing records: 7 years, as required by tax and accounting law.
  • Security and audit logs: 12 months.
  • Support communications: 24 months.

When a retention period ends, data is either permanently deleted or irreversibly anonymized. You may request earlier deletion at any time, subject to our legal obligations.

8. Your Rights

Depending on your jurisdiction — including the European Economic Area, the United Kingdom, Switzerland, California, and other U.S. states with comprehensive privacy laws — you may have the following rights over your personal data:

  • Access: obtain a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete information.
  • Erasure: request deletion of your personal data, subject to legal retention requirements.
  • Portability: receive your data in a structured, machine-readable format and transmit it to another controller.
  • Restriction: ask us to limit how we process your data in certain circumstances.
  • Objection: object to processing based on our legitimate interests, including direct marketing.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Lodge a complaint: contact your local supervisory authority if you believe we have mishandled your data.

To exercise any of these rights, contact privacy@projectlyra.io. We will respond within 30 days, or sooner where required by law. We do not discriminate against users who exercise their privacy rights.

9. Security Measures

Project Lyra is designed as a secure-by-default platform. Our security program includes, at a minimum:

  • Encryption: TLS 1.3 for all data in transit; AES-256 for data at rest; envelope encryption for customer secrets with KMS-backed keys.
  • Access control: least-privilege IAM, just-in-time production access, hardware-backed MFA for all staff, and signed audit logs of every privileged action.
  • Network isolation: private subnets, mutual TLS between internal services, and a deny-by-default egress firewall.
  • Secure development: mandatory code review, automated static analysis, dependency scanning, and secret detection in CI.
  • Vulnerability management: continuous scanning, an external bug bounty, and at least one independent penetration test per year.
  • Audits and certifications: Project Lyra is targeting SOC 2 Type II and ISO/IEC 27001 certification ahead of general availability. Reports will be made available under NDA to enterprise customers once complete.
  • Incident response: 24/7 on-call, documented runbooks, and customer notification within 72 hours of a confirmed personal data breach.

No system is perfectly secure. If you discover a vulnerability, please report it to security@projectlyra.io.

10. Cookies

Our marketing website and customer dashboard use a small number of cookies and similar technologies for authentication, session management, preference storage, and privacy-respecting analytics. We do not use advertising cookies. For a full breakdown of each cookie, its purpose, and how to manage it, see our Cookie Policy.

11. Children's Privacy

The Service is a B2B product intended exclusively for users who are at least 18 years old and acting on behalf of a business, research institution, or similar organization. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal information, please contact privacy@projectlyra.io and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our Service, our subprocessors, or applicable law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Post a notice in the customer dashboard.
  • Email the primary contact on each active account at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the updated terms. Prior versions are archived and available on request.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or Project Lyra's handling of your data, please get in touch:

Privacy Team

Privacy inquiries: privacy@projectlyra.io

Legal inquiries: legal@projectlyra.io

Security reports: security@projectlyra.io

Mailing address: Project Lyra, Inc. — Attn: Data Protection Officer, available on request from the email addresses above.

If you are an EU/EEA user, you also have the right to contact your local data protection authority. If you are a California resident, you may designate an authorized agent to submit requests on your behalf.