Privacy Policy
1. Summary · 2. Data Controller · 3. Personal Data We Collect · 4. Lawful Basis · 5. How We Use Your Data · 6. Sharing & Subprocessors · 7. International Transfers · 8. Retention Periods · 9. Security Measures · 10. Your Rights · 11. Cookies & Tracking · 12. Children's Data · 13. Changes to This Policy · 14. Contact
1. Summary (the 90-second version)
- We collect the minimum personal data necessary to run an automated-trading SaaS: an email, a password hash, an encrypted exchange API key (you choose what scope to grant), a Telegram chat ID (after you link), and event logs of your bot configuration changes.
- We do not sell personal data. We do not share it for advertising. We do not use it to train any ML model.
- Subprocessors are listed in Section 6. The main ones are GCP (hosting), Lemon Squeezy (card payments), Telegram (bot), Sentry (error monitoring), and the cryptocurrency exchange you connect.
- You can request a copy of your data, correct it, or have it deleted at any time — see your rights. Deletion is processed within 30 days, manually, per a documented internal procedure.
- For complaints, contact us first; if unresolved, you have the right to complain to your local data-protection authority.
The rest of this document is the full version with all the legally-required detail.
2. Data Controller
For the purposes of GDPR and similar laws, the controller of your personal data is:
Quantor, operated by its founder in Israel (Esek Patur sole-proprietorship registration in progress).
Contact for data-protection inquiries: support@quantorsaas.app.
3. Personal Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account identity | Email address, hashed password (BCrypt), account creation timestamp, last login timestamp, optional TOTP secret (encrypted), failed-login counter | You, at registration / login |
| Authentication state | Session cookies (quantor_at, quantor_rt_id, quantor_rt_secret), refresh-token records, password-reset tokens | Set by our servers on successful login |
| Telegram link | Telegram chat ID (hashed at rest), Telegram username (if present), link timestamp | You, when you link via the bot |
| Exchange API keys | Encrypted API key + secret (AES-GCM with master key in GCP Secret Manager), last-4 of the key for identification, verification status, IP-allowlist compliance flag | You, when you upload |
| Bot configuration | Strategy parameters, allowed symbols, notional limits, daily-loss limits, execution mode, kill-switch state | You, via dashboard / mini-app |
| Trade events | Order timestamps, sizes, prices (recorded for auditability — not used for advice). The actual funds and order book live on the exchange. | Exchange API, on bot execution |
| Subscription state | Plan, status (ACTIVE/CANCELLED/etc), period end, external subscription ID from the payment processor, freeze flag | Payment-processor webhooks (Lemon Squeezy) |
| Payment audit chain | Tamper-evident HMAC-chained log of payment-fulfilment events; includes user UUID (internal random identifier, not your name or email) | Our backend, on each payment processed |
| Bot interaction log | Telegram event type (command, callback, payment), timestamp, chat ID hash. No message body content. | Telegram bot, when you interact |
| Operational logs | Structured JSON log of HTTP requests, errors, system events. May include IP address, user-agent, request path. Retained per Section 8. | Our backend |
| Crash / error reports | Stack trace, request context, user UUID. Sent to Sentry for triage. | Automatic, on exception |
| Web beacons (analytics) | Page path, anonymised IP, country (from IP), referrer. Set only if you opt in via the cookie banner. | Browser, when you visit marketing pages |
We do NOT collect: your real name (unless you choose to put it in your email address), date of birth, government ID, home address, phone number, browsing history outside Quantor, social-media data, biometric data.
4. Lawful Basis (GDPR Article 6)
Each category of data is processed under one of the following lawful bases:
| Category | Lawful basis | Article |
|---|---|---|
| Account identity, authentication state | Performance of contract — we cannot provide the service without it | 6(1)(b) |
| Exchange API keys, bot config | Performance of contract | 6(1)(b) |
| Subscription state, payment audit chain | Performance of contract + legal obligation (tax / accounting record retention) | 6(1)(b), 6(1)(c) |
| Telegram link, bot interaction log | Performance of contract | 6(1)(b) |
| Operational logs, crash reports | Legitimate interest — operating and improving the service, detecting fraud, security incidents | 6(1)(f) |
| Web beacons (analytics) | Consent (opt-in via cookie banner) | 6(1)(a) |
| Marketing email (if we ever send any) | Consent | 6(1)(a) |
5. How We Use Your Data
- To provide the Service: route your configured trades to the exchange, store your bot state, show you the dashboard, alert you via Telegram, process subscription payments.
- To enforce safety and risk controls: run the 14-gate risk policy, regime classifier, daily-loss limit, kill-switch. See the 14 risk gates post.
- To operate and improve the Service: monitor performance, diagnose errors, fix bugs, prevent abuse.
- To communicate with you: service alerts, billing notifications, security-incident notifications, responses to your support requests. Routed via Telegram when you have linked; otherwise via email.
- To comply with legal obligations: retain payment records for the period required by Israeli tax law, respond to lawful regulatory requests.
We do NOT:
- Sell your personal data to anyone.
- Share it with advertisers or marketers.
- Use it to train any machine-learning model.
- Combine it with data from third-party sources to build a marketing profile.
6. Sharing & Subprocessors
We share personal data with the following subprocessors, each of which has signed a Data Processing Agreement (DPA) with us or operates under standard contractual terms equivalent to a DPA:
| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| Google Cloud Platform (Google LLC) | Infrastructure hosting, database, secret management, load balancing, DDoS protection (Cloud Armor) | All categories above (encrypted at rest) | EU / Israel (me-west1 region) |
| Lemon Squeezy (Lemon Squeezy LLC) | Card payment processing, Merchant of Record for card-paid subscriptions | Email, payment-method details (handled directly by LS, not by us), subscription identifiers | United States (SCCs or EU-US DPF, see Section 7) |
| Telegram (Telegram FZ-LLC) | Bot communication, mini-app | Telegram chat ID (you've already disclosed this to Telegram by using their platform) | United Arab Emirates (own privacy regime) |
| Sentry (Functional Software, Inc.) | Application error monitoring | Stack traces, request context, user UUID | European Union (data-residency option enabled) |
| The cryptocurrency exchange you connect | Order routing (the entire purpose of the Service) | API key (your scope choice), order parameters you configure | Per the exchange (varies) |
We will not add a new subprocessor that processes personal data without notifying users at least 14 days in advance via a notice on this page and (where applicable) email or Telegram. Material changes will be summarised in Section 13.
We will not disclose your personal data to law enforcement or government agencies except in response to a binding legal order, and only to the extent compelled. Where legally permitted, we will notify you in advance.
7. International Transfers
Quantor is operated from Israel. Israel has been recognised by the European Commission as providing an adequate level of data protection under GDPR Article 45 (Commission Decision 2011/61/EU). Personal data transfers from the EU/EEA to Quantor's infrastructure rely on this adequacy decision.
Where personal data is shared with subprocessors located outside the EEA without an adequacy decision (Lemon Squeezy in the United States, Telegram in the UAE), we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism, plus supplementary safeguards where warranted.
8. Retention Periods
| Data category | Retention | Trigger to delete |
|---|---|---|
| Account identity, bot config, exchange keys | For the life of your account | Account deletion (30 days max after request) |
| Session / refresh / password-reset tokens | 15 min to 30 days depending on type | Token expiry or rotation |
| Operational logs | 30 days (Cloud Logging default) | Automatic rotation |
| Crash reports (Sentry) | 90 days | Sentry's standard retention policy |
| Trade events | 3 years (subject to tax / audit retention rules) | Automatic after retention window |
| Subscription / payment records | 7 years from end of fiscal year (Israeli Income Tax retention; consult counsel for confirmation) | End of retention window |
| Audit chain entries | Indefinite — GDPR Article 17(3)(e) exception: retained for the establishment, exercise, or defence of legal claims. After your account is deleted, the audit-chain rows contain only an internal UUID with no link to you personally. | None — see GDPR exception |
| Web beacons (if you opted in) | 13 months | Automatic, or on consent withdrawal |
| Cloud SQL automated backups | 7 days rolling | Backup aging |
9. Security Measures
We apply technical and organisational measures appropriate to the risks. The principal ones (more detail at /security):
- Password storage: BCrypt hashing with per-user salt.
- Exchange-key storage: AES-GCM encryption at rest with master key in GCP Secret Manager (separate trust boundary from the database).
- Transport: HTTPS only (HSTS enforced for 1 year + subdomains).
- Authentication: JWT-based access tokens (short TTL) + rotating refresh tokens. Optional TOTP-based two-factor authentication.
- Login security: per-account lockout (5 failed attempts → 15-minute lock) + per-IP rate limit + Cloud Armor edge throttling.
- Application security headers: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.
- Build identity: every production deploy is signed with Ed25519; signature publicly verifiable at /api/v1/identity.
- Tamper-evident audit chain: payment and admin actions appended to an HMAC-chained log.
- Withdraw-restriction enforcement: exchange API keys with withdrawal scope are rejected at upload time.
- Dependency monitoring: Renovate auto-PRs for security patches.
- Database backups: daily, retained 7 days, restore procedure documented and drilled.
Despite these measures, no system is perfectly secure. In the event of a personal-data breach, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware, where required by GDPR.
10. Your Rights
Subject to applicable law, you have the following rights regarding your personal data:
- Right of access (Article 15). Request a copy of the personal data we hold about you.
- Right to rectification (Article 16). Request that we correct inaccurate data.
- Right to erasure (Article 17). Request deletion of your data. We process this within 30 days, subject to retention exceptions (legal obligation, audit chain).
- Right to restrict processing (Article 18). Request that we limit processing in certain circumstances.
- Right to data portability (Article 20). Request your data in a structured, machine-readable format.
- Right to object (Article 21). Object to processing based on legitimate interest (Article 6(1)(f)) — we will reassess and either justify the processing or stop.
- Right to withdraw consent. Where processing is based on consent (analytics, marketing), you can withdraw at any time without affecting prior processing.
- Right to lodge a complaint. If you believe we have processed your data unlawfully, you have the right to complain to your local data-protection authority. We ask that you contact us first so we can attempt to resolve the issue directly.
To exercise any of these rights, contact support@quantorsaas.app from the email address registered with your account. We may ask for additional information to verify your identity before acting on the request. We respond within 30 days; if the request is complex we may extend by a further two months and will inform you.
11. Cookies & Tracking
We use cookies in two categories:
| Category | Cookies | Purpose | Consent |
|---|---|---|---|
| Strictly necessary | quantor_at, quantor_rt_id, quantor_rt_secret | Authentication. Set only after you sign in. We cannot run the dashboard or mini-app without them. | Not required (ePrivacy Article 5(3) exception) |
| Analytics (opt-in) | Web beacon requests to /api/v1/beacon | Aggregated page-view stats so we can see which marketing pages users actually read. | Explicit opt-in via cookie banner. Default OFF. |
We do not use third-party advertising cookies, fingerprinting, or cross-site tracking.
You can clear your cookie consent at any time by clearing site data in your browser; the banner will reappear on your next visit.
12. Children's Data
The Service is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes (new data category collected, new subprocessor added, new purpose of processing) will be notified at least 14 days in advance via dashboard banner and, where applicable, email or Telegram.
If you do not agree with a material change, you may exercise your right to delete your account before the change takes effect.
14. Contact
For any privacy-related question, request, or complaint: support@quantorsaas.app. We aim to respond within 5 business days for general inquiries and within the statutory deadlines for rights requests.
If you are an EU/EEA resident and believe your rights have been violated, you may lodge a complaint with your local data-protection authority. A list of authorities is maintained by the European Data Protection Board at edpb.europa.eu.