Privacy Policy
Effective date: 27 April 2026
This Privacy Policy explains how we collect, use, and protect your personal data when you use QuantStream — our web application, public API, and dashboard (together, the "Service"). It is written to satisfy the European Union's General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").
1. Who we are (Data Controller)
The data controller responsible for processing your personal data is:
Jakub Krupski 51-649 Wrocław, Poland Email: contact@quantposition.com
We have not appointed a Data Protection Officer because we are not legally required to do so. For any privacy-related question, please write to the email above.
2. Scope
This policy applies to all personal data we process when you:
- visit the QuantStream marketing site,
- create an account, sign in, or use the dashboard,
- call the public QuantStream API using an API key,
- contact us by email about the Service.
It does not apply to third-party websites that we link to. Please read their own privacy policies.
3. What data we collect
We process the following categories of personal data.
Account data
| Field | Source | Notes |
|---|---|---|
| Email address | You, at sign-up | Used as login identifier |
| Password | You, at sign-up | Stored only as a salted hash |
| Display name | You, optional | Shown in the dashboard |
| Role | Assigned by us | Default: user |
| Email verified | Set by the Service | Tracks whether you confirmed your email |
| Timezone | You, optional | Used for displaying timestamps |
| Created / updated timestamps | Set by the Service | Audit and security |
API key metadata
When you create an API key we store its name, tier, rate limit, the last time
it was used (lastUsedAt), the time it was revoked (if any), and the time it
was created. The key itself is hashed with argon2 — only the prefix is stored
in plaintext so you can identify it in the dashboard. We cannot recover a lost
key.
Server logs
When you use the Service we automatically log technical information needed to keep it secure and reliable:
- IP address,
- user-agent string,
- HTTP request path, status code, and timestamp.
Server logs are kept for no longer than 30 days, except where a longer period is required to investigate a security incident (up to 12 months).
Analytics
We use Google Analytics 4 to understand how the Service is used. Analytics is only collected if you grant consent through the cookie banner shown on your first visit. See the Cookies section for details.
Support correspondence
If you email us, we keep the message and your reply address as long as needed to handle the request and for a reasonable retention period afterwards.
4. Purposes and legal bases (GDPR art. 6)
| Purpose | Legal basis |
|---|---|
| Creating and authenticating your account | Performance of a contract — art. 6(1)(b) |
| Providing the API and dashboard | Performance of a contract — art. 6(1)(b) |
| Securing the Service, preventing abuse, applying rate limits | Legitimate interest — art. 6(1)(f) |
| Sending transactional email (verification, password reset) | Performance of a contract — art. 6(1)(b) |
| Google Analytics traffic measurement | Your consent — art. 6(1)(a) — withdrawable at any time |
| Complying with accounting, tax, and other legal obligations | Legal obligation — art. 6(1)(c) |
| Defending or pursuing legal claims | Legitimate interest — art. 6(1)(f) |
We do not use your personal data for marketing without your separate consent, and we do not sell it.
5. Cookies and similar technologies
The Service uses the following storage on your device. The cookie banner shown on your first visit lets you accept or reject the optional analytics technologies; strictly-necessary technologies are always used because the Service does not work without them.
| Name | Type | Purpose | Retention |
|---|---|---|---|
qs-consent | localStorage (first-party) | Stores your consent choice | Until you clear it |
| Auth session cookies | httpOnly cookies (first-party) | Keep you signed in | Session lifetime |
_ga, _ga_<container> | Cookies (third-party, Google) | Distinguish unique users for GA4 | Up to 2 years |
You can withdraw consent at any time by clearing site data in your browser — the consent banner will reappear and you can decline. You can also block analytics with browser extensions or do-not-track features.
6. Recipients and subprocessors
We share personal data only with the service providers we need to operate the Service. Each one is bound by a Data Processing Agreement and processes data only on our instructions.
| Provider | Role | Location | Transfer safeguard |
|---|---|---|---|
| Vercel Inc. | Hosting of the QuantStream web app | USA | Standard Contractual Clauses |
| Render Services, Inc. | Hosting of QuantStream backend APIs | USA | Standard Contractual Clauses |
| Google Ireland Limited (GA4) | Web analytics (only with your consent) | EEA / USA | Standard Contractual Clauses |
We may also disclose data when required by a competent authority (court order, law-enforcement request) or to protect our rights — but only to the extent the law requires.
7. International transfers
Some of our subprocessors are based outside the European Economic Area, mainly in the United States. When personal data is transferred there we rely on the European Commission's Standard Contractual Clauses (SCCs) and on supplementary measures such as transport encryption and access controls. You may request a copy of the relevant SCCs by writing to contact@quantposition.com.
8. API and API keys
When you use a QuantStream API key, the request is authenticated against the
hashed key and we record the request path and the time the key was last used
(lastUsedAt). This information is used to enforce rate limits, detect abuse,
and provide usage information back to you.
You can revoke an API key at any time from Settings → API keys. A revoked
key cannot be reactivated — create a new one if you need it. Because keys are
stored as argon2 hashes, we cannot show you a key again after creation;
only the prefix (e.g. ak_live_…) is visible.
9. Data retention
- Account data is deleted promptly when you ask us to delete your account, or when the account is closed by us for breach of terms. Some records may be retained longer where the law requires it — for example, accounting records under Polish tax law (5 years from the end of the tax year).
- API key metadata is deleted with the account.
- Server logs are kept for up to 30 days, or up to 12 months for entries relevant to a security investigation.
- Analytics retention follows the GA4 default (currently 14 months).
- Support correspondence is kept for as long as needed to handle the request and a reasonable period afterwards.
10. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (art. 15),
- Rectify inaccurate or incomplete data (art. 16),
- Erase your data — the "right to be forgotten" (art. 17),
- Restrict processing in some circumstances (art. 18),
- Object to processing based on legitimate interest (art. 21),
- Data portability — receive your data in a structured, machine-readable format (art. 20),
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (art. 7(3)).
How to exercise your rights
Send an email to contact@quantposition.com describing what you want to do. We may ask you to confirm your identity (for example, by replying from the address on the account) so that we do not disclose data to the wrong person.
We will respond within one month of receiving your request, in line with GDPR art. 12. If your request is complex we may extend the deadline by up to two further months and tell you why.
11. Right to lodge a complaint
If you believe we have processed your personal data in breach of the law, you can lodge a complaint with the Polish supervisory authority:
Prezes Urzędu Ochrony Danych Osobowych (UODO) ul. Stawki 2, 00-193 Warszawa, Poland https://uodo.gov.pl
You may also complain to the supervisory authority in the EU member state where you live or work.
12. Automated decision-making
We do not use your personal data for solely automated decisions that produce legal or similarly significant effects on you (GDPR art. 22). Rate-limiting and abuse-prevention rules act on technical signals, not on profiling.
13. Children
The Service is not directed at people under the age of 16. We do not knowingly collect personal data from children. If you believe a child has given us their data, please contact us so that we can delete it.
14. Security
We use industry-standard technical and organisational measures to protect your data — including TLS for all traffic, hashed passwords (argon2 / bcrypt), hashed API keys (argon2), least-privilege access to production systems, and regular dependency updates. No system is perfectly secure; if we ever discover a breach affecting your personal data we will notify you and the supervisory authority as required by GDPR art. 33–34.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Effective date" at the top and, for material changes, send a notice to the email address on your account. Continued use of the Service after a change means you accept the updated policy.
16. Contact
Questions about this Privacy Policy or about how we handle your data: