Legal · GDPR

Privacy Policy

Last updated: 13 June 2026

1. Data Controller

The controller of your personal data within the meaning of Article 4(7) of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") is QuarnLabs ("QuarnLabs", "we", "us"). QuarnLabs has prepared and operates the New Model AI manifesto and this website (the "Site") and bears sole responsibility for the processing of personal data described in this Policy.

You may contact QuarnLabs in any data-protection matter through the channels indicated on the Site.

2. Scope

This Policy describes how QuarnLabs collects, uses, stores, and protects personal data of visitors and signatories of the New Model AI manifesto. It is drafted in accordance with the GDPR and other applicable EU and Polish data-protection law.

3. Categories of Data We Process

When you sign the manifesto, QuarnLabs processes the following categories of personal data:

  • Name — displayed publicly as a signatory.
  • Email address — used for double opt-in verification and removal requests only; never displayed publicly.
  • Organization name (optional) — displayed publicly if you choose to provide it.
  • Pseudonymized IP address — your IP address is immediately hashed with a secret cryptographic salt and stored only in that hashed form for rate-limiting and abuse prevention. The raw IP is not retained.
  • Technical metadata — timestamps of submission, verification, and moderation.

QuarnLabs does not process any special categories of personal data (Article 9 GDPR) and does not knowingly collect data from children under 16.

4. Purposes & Legal Bases

  • Publication of your signature (name, optional organization, date) — legal basis: your explicit consent under Art. 6(1)(a) GDPR, given when you submit the signature form and confirm your email.
  • Email verification & processing removal requests — legal basis: performance of pre-contractual / contractual steps at your request under Art. 6(1)(b) GDPR and our legitimate interest in ensuring an authentic signatory list under Art. 6(1)(f) GDPR.
  • Rate limiting, abuse prevention, IT security (pseudonymized IP) — legal basis: legitimate interest under Art. 6(1)(f) GDPR in protecting the Site against automated abuse.
  • Compliance with legal obligations (e.g. responding to lawful requests from authorities) — Art. 6(1)(c) GDPR.

QuarnLabs does not use your email for marketing, newsletters, profiling, or any purpose beyond what is described above.

5. Recipients & Processors

Personal data are processed on infrastructure operated by trusted technical service providers acting as processors under Art. 28 GDPR (hosting, database, email delivery). These providers process data exclusively on documented instructions from QuarnLabs and under appropriate data-processing agreements.

QuarnLabs does not sell personal data and does not share it with third parties for their own commercial purposes.

6. International Transfers

Personal data are stored within the European Economic Area (EEA). Where a sub-processor unavoidably processes data outside the EEA, QuarnLabs ensures an adequate level of protection by relying on European Commission adequacy decisions or Standard Contractual Clauses (Art. 46 GDPR), together with supplementary technical and organizational measures where required.

7. Retention

  • Approved signatures are retained while the manifesto remains active and your signature remains approved.
  • Unverified or rejected submissions are deleted after a reasonable period (typically within 30 days).
  • If you withdraw your consent or request removal, your personal data are deleted within 30 days, unless retention is required by law.
  • Pseudonymized IP hashes used for rate limiting are retained only as long as necessary for that purpose.

8. Your Rights under the GDPR

You have the right to:

  • Access your personal data (Art. 15 GDPR);
  • Rectification of inaccurate data (Art. 16 GDPR);
  • Erasure / "right to be forgotten" (Art. 17 GDPR);
  • Restriction of processing (Art. 18 GDPR);
  • Data portability (Art. 20 GDPR);
  • Object to processing based on legitimate interest (Art. 21 GDPR);
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR);
  • Lodge a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, uodo.gov.pl), or with the supervisory authority of your habitual residence.

You can exercise the right of erasure directly via the signature removal page, or by contacting QuarnLabs.

9. Automated Decision-Making

QuarnLabs does not carry out automated decision-making or profiling that produces legal effects concerning you, within the meaning of Art. 22 GDPR. Moderation of signatures is performed by human reviewers.

10. Security

QuarnLabs implements appropriate technical and organizational measures within the meaning of Art. 32 GDPR, including TLS encryption in transit, access controls, role-based authorization, pseudonymization of IP addresses, server-side validation, and regular review of access privileges, to protect personal data against unauthorized access, alteration, disclosure, or destruction.

11. Cookies & Local Storage

The Site does not use cookies for advertising, analytics, or cross-site tracking. Only strictly necessary technical storage (such as a session needed for authenticated administrative access) is used; under Art. 5(3) of the ePrivacy Directive such strictly necessary storage does not require consent.

12. Changes to This Policy

QuarnLabs may update this Policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of this page. We encourage you to review this Policy periodically.

13. Contact

For any questions or requests regarding your personal data, please contact QuarnLabs through the channels indicated on the Site.