GDPR & Data Protection Statement

Last updated: May 2, 2026

This statement summarises how Morteza Riahi (the "Operator", "we") complies with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK General Data Protection Regulation, and analogous data-protection laws, in connection with the website at quantumfieldmotion.com (the "Site") and any reference made on the Site to the Quantum Field Motion non-fungible token collection (the "Collection"). It is intended as a plain-language complement to our Privacy Notice and should be read together with it.

1. Data Controller

The data controller for personal data processed in connection with the Site is the Operator, Morteza Riahi. You can contact the controller at info@quantumfieldmotion.com. The Operator has not designated a Data Protection Officer; due to the limited scope and nature of processing on a static educational site, the GDPR does not require one.

2. Categories of Personal Data and Purposes

The Site is a static educational website that does not require an account or wallet connection. Personal data processed in connection with the Site is therefore limited:

• Connection data (e.g., IP address, browser/device user-agent, timestamps, requested URL, security signals) automatically processed by hosting and security infrastructure (currently Cloudflare) to deliver the Site, mitigate abuse, and maintain availability. Legal basis: Article 6(1)(f) GDPR — legitimate interest in operating and securing the Site.
• Email correspondence initiated by you. Legal basis: Article 6(1)(b) GDPR (steps taken at the data subject's request) and/or Article 6(1)(f) (responding to inquiries).
• Local browser preferences (such as theme selection) stored only on your device. This data does not leave your browser and is not received by the Operator.

The Operator does not knowingly process special categories of personal data (Article 9 GDPR), nor does it engage in automated decision-making with legal effect (Article 22 GDPR).

3. Recipients and Sub-Processors

The Operator does not sell or rent personal data. The following categories of recipients may process limited connection data on the Operator's behalf:

• Hosting and security: Cloudflare, Inc. (and affiliates), acting as a processor for the delivery and protection of the Site.
• Email infrastructure: the email service provider associated with the contact mailbox.

4. International Transfers

The Site is delivered through a global content-delivery network. Your request may be served by, or pass through, servers located outside the European Economic Area or the United Kingdom. Where transfers fall outside the EEA/UK, the Operator relies on appropriate safeguards as defined in Chapter V of the GDPR — typically the European Commission's Standard Contractual Clauses adopted by the relevant infrastructure providers, supplemented by additional security measures where required.

5. NFTs, Wallets, and Public-Blockchain Considerations

The Collection is implemented as a smart contract on the Ethereum public blockchain. Wallet addresses and on-chain transaction history are inherently public and permanent. The Operator does not publish to the blockchain on your behalf and does not control on-chain data. As a result:

• The "right to erasure" (Article 17 GDPR) cannot be exercised against the public ledger. The Operator can delete personal data only from systems it controls (e.g., email correspondence).
• The "right to rectification" (Article 16 GDPR) likewise cannot be applied to immutable on-chain records.
• If you connect a wallet to a third-party marketplace, that marketplace acts as an independent controller for the personal data it processes. Please consult its privacy policy.

The Operator never has, requests, or stores your seed phrase or private keys, and will never solicit them.

6. Cookies and Local Storage

The Site does not place advertising, profiling, or analytics cookies. Strictly necessary cookies may be set by Cloudflare for security and load-balancing purposes; under EU/UK ePrivacy rules, strictly necessary cookies are exempt from prior consent. Local-storage entries used to remember user preferences (such as theme) are kept on your device only.

7. Retention

Connection logs are retained by infrastructure providers for the period required for security and operational purposes, in accordance with their own retention schedules. Email correspondence is kept for as long as necessary to handle your inquiry and to comply with applicable record-keeping obligations.

8. Your Rights under the GDPR

Subject to the conditions and exceptions of the GDPR, you have the right to:

• access your personal data (Article 15);
• obtain rectification of inaccurate data (Article 16);
• obtain erasure of your data (Article 17), subject to the exceptions discussed in Section 5 above regarding public blockchains;
• obtain restriction of processing (Article 18);
• object to processing based on legitimate interest (Article 21);
• data portability (Article 20), where applicable;
• lodge a complaint with your local supervisory authority (Article 77).

To exercise these rights, write to info@quantumfieldmotion.com. We will respond within one month, extended by up to two further months where the request is complex, in which case we will inform you within the first month.

9. Security

The Operator applies reasonable technical and organisational measures appropriate to the limited scope of processing carried out by a static, accountless educational site. Despite such measures, no internet transmission or storage system can be guaranteed to be fully secure.

10. Changes to This Statement

We may revise this statement from time to time. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For data-protection inquiries, write to info@quantumfieldmotion.com.