1. Who we are
[TBD — fill in src/lib/legal/config.ts] ([TBD — fill in src/lib/legal/config.ts], registered in [TBD — fill in src/lib/legal/config.ts]) is the data controller for personal information collected through https://quantmystocks.com. Our registered address and contact details are on the Imprint page.
2. Personal data we collect
We collect only the data needed to run the Service:
- Account data — your email address, display name, profile photo URL, and authentication identifiers received from Google OAuth when you sign in.
- User-generated content — community posts, comments, contact-form submissions, and any backtest configurations you save.
- Usage and technical data — pages viewed, requests made, timestamps, IP address, user-agent string, country (derived from IP), and crash/error reports.
- Cookies and similar technologies — see the Cookie Policy for the full inventory.
- Payment data — if and when we introduce paid plans, payment is processed by a third-party payment processor. We do not store full card numbers.
3. Why we use your data (lawful bases)
Under the EU General Data Protection Regulation (GDPR) and equivalent laws, we process personal data on the following legal bases:
- Performance of a contract (GDPR Art. 6(1)(b)) — creating and operating your account, providing the Service you requested.
- Legitimate interests (Art. 6(1)(f)) — securing the Service, detecting fraud and abuse, improving features, sending transactional notifications.
- Consent (Art. 6(1)(a)) — non-essential cookies, optional product-update emails. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — retaining records required by tax, accounting, or other applicable laws.
4. How long we keep your data
- Active account data: for as long as your account exists.
- Account closed at your request: deleted within 30 days, except where retention is required by law (e.g. tax records: typically 6–8 years).
- Server logs containing IP addresses: 30 days.
- Email delivery logs from our SMTP processor: 30 days.
- Backups: rolled forward on a 30-day retention cycle; deleted data may persist in backups for up to 30 days after deletion.
5. Who we share data with
We do not sell your personal data. We share the minimum necessary data with the following sub-processors, each of whom is contractually bound to data-protection obligations:
| Provider | Purpose | Region |
|---|---|---|
| Google LLC | Sign-in (OAuth) — receives email + profile | United States |
| DigitalOcean, LLC | Application + database hosting | Bangalore, India |
We may also disclose personal data when required by law, court order, or lawful government request; to enforce our Terms; or to protect the rights, property, or safety of our users or others.
6. International transfers
Our application is hosted on DigitalOcean App Platform and our primary database lives at DigitalOcean BLR1 (Bangalore, India). Sub-processors may be located outside your country. Where personal data is transferred out of the European Economic Area, the United Kingdom, or other regions that restrict transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs) or an adequacy decision, as appropriate.
7. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request deletion of your data ("right to be forgotten");
- restrict or object to certain processing;
- receive a portable copy of your data;
- withdraw any consent you previously gave;
- lodge a complaint with your local data-protection authority.
To exercise any of these rights, see our Data Subject Request page or email [email protected]. We will respond within 30 days. We may need to verify your identity before acting on a request.
8. Security
We use industry-standard safeguards including HTTPS/TLS for all traffic, signed JSON Web Tokens for authentication, hashed and salted password storage where applicable, principle-of-least-privilege database access, and restricted hosting-provider firewalls. No system is perfectly secure; if you suspect a security issue, report it to [email protected].
9. Children
The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe we may have collected information from a child, contact [email protected] and we will delete it.
10. California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of any "sale" or "sharing" of personal information. We do not sell personal information. To exercise these rights, contact [email protected].
11. Changes to this policy
We may update this Privacy Policy from time to time. The current version, effective date, and date of last update are shown at the top of this page. Material changes will be highlighted by an in-product notice; continued use of the Service after the new effective date constitutes acceptance.
12. Contact
Questions about this policy or about how we handle your data: email [email protected].