Privacy Policy

QuantifyMe is a quantitative trading platform operated at quantifyme.ai. This policy explains what data we collect, why, and how to control it.

Data we collect

• Account data — email + username when you sign up (Google OAuth supported). Stored encrypted.
• API keys — generated on request. Tied to your account. Trial keys are anonymous, browser-bound, expire when credits hit zero.
• Strategy code — Python code you generate or paste, plus the natural-language prompts used to produce it. Retained so you can retrain / revisit.
• Trained models — pickled ML artifacts from your backtests. Stored on our server, isolated per user.
• Usage metrics — which endpoints you call, credit consumption, model count. For billing + rate limiting.
• Server logs — IP, user agent, request path, timestamps. Kept 30 days for debugging.
• Payment data — handled by Stripe. We store only customer ID, subscription status, and last-4 of card for display.

Data we don't collect

• Your broker credentials — we never integrate with your brokerage account.
• Your actual trades — QuantifyMe delivers signals; execution is your responsibility elsewhere.
• Third-party tracking cookies — we don't use Google Analytics, Facebook Pixel, or similar.

How we use it

• Authenticate API calls (X-API-Key header)
• Run backtests and deliver live signals to channels you configure (webhook, Telegram)
• Send account + billing emails via SMTP
• Improve the product based on aggregate usage patterns

Where we store it

• Location — Postgres + model artifacts hosted on dedicated Hetzner servers in Helsinki, Finland (EU). No data is replicated outside the EU.
• Encryption at rest — disks are LUKS-encrypted. Account passwords are bcrypt-hashed; API keys are stored hashed (server can verify but never recover).
• Encryption in transit — all traffic is TLS 1.3 (Cloudflare → origin and origin ↔ database). HTTP redirects to HTTPS.
• Backups — Postgres WAL is streamed continuously to a standby; full snapshots taken daily, retained 14 days, then deleted.
• Isolation — every row that can belong to a user carries a user_id; access is gated by your API key. Per-user model files live in directories named by user.

How long we keep it

• Anonymous trial accounts — trial user_id + derived rows (strategies, generation logs, signal logs) retained 30 days from last activity, then anonymized.
• Signed-up accounts — kept until you delete your account. Deleting removes models, strategy files, and personal data immediately; usage logs are retained 30 days for audit, then purged.
• Trained model PKLs — kept while the model is deployed live, plus 90 days after you un-deploy or delete it (lets you redeploy without retraining), then permanently removed.
• Live signal logs (per-trade) — 90 days, then deleted.
• Generation logs (prompt → cost) — 90 days for billing reconciliation, then anonymized (cost row kept, prompt text dropped).
• Server / request logs — 30 days.
• Aggregated metrics (in-memory tool-call counters surfaced at /mcp-stats) — never written to disk; reset on every service restart.

Third-party services

• Anthropic (Claude) — your strategy prompts are sent to Anthropic's API for code generation. See their privacy policy.
• Market data providers — we source OHLC data from institutional vendors. Your identity is never sent; they see only our aggregate data requests.
• Cloud compute providers — training runs in ephemeral containers. Your strategy code executes briefly then is discarded from compute nodes (still kept in our own database).
• Google — OAuth sign-in only. We store the subject ID + email, nothing else.
• Stripe — payment processing. Card numbers never touch our servers.

AI agents using our API

If you access QuantifyMe via ChatGPT Custom GPT, Claude MCP, or any third-party AI agent, the same API policy applies — requests are tied to your API key (or an anonymous trial key). AI providers may retain your prompts per their own policies; QuantifyMe receives and stores only what's sent to our API.

Your rights

• Access / export — email [email protected] for a full data dump. Honoured within 7 days.
• Delete — account deletion (via account settings or the same email) removes models, strategy files, and personal data immediately. Usage logs are retained 30 days for audit, then purged. Anonymous trial users: email the trial user_id (visible in your API key prefix) for the same.
• Rectify — email [email protected] to correct any stored personal data (email, username).
• Withdraw consent — stop using the platform at any time. Cancel subscription via /billing.
• GDPR / CCPA basis — we process personal data on the basis of contract performance (signed-up users) or legitimate interest (anonymous trial demo). Right-to-erasure is honoured on request regardless of basis.

Contact

Questions? Email [email protected].