Privacy Policy
Version v1.2 — Hardened Compliance Edition | Last Updated: March 8, 2026
Summary
This Privacy Policy describes how QuantumEdge collects, uses, stores, and protects your personal information. We collect only what is necessary to operate a non-custodial trading automation platform. We do not sell your personal data. We do not custody your funds. We do not access your Exchange sign-in credentials.
Reading Guide
For a quick privacy review, start with Information We Collect, Data Sharing, Data Retention, Your Rights, and Changes to this policy.
Data We Do NOT Collect
- We do not custody funds
- We do not access exchange passwords
- We do not store full payment card numbers
- We do not sell personal data
1. Information We Collect
1.1. Information You Provide
- Account registration data (name, email address, password)
- Subscription and billing information (processed by Stripe; we do not store full payment card numbers)
- Exchange API keys (encrypted; see Security & API Key Handling Disclosure)
- Trading strategy configurations and parameters
- Support ticket content and communications
- Consent records and preferences
1.2. Information Collected Automatically
- IP address and approximate geolocation
- Browser type, device type, and operating system
- Pages visited, features used, and session duration
- Trading activity logs (orders placed, strategy actions, execution timestamps)
- Error logs and performance diagnostics
- Cookies and similar tracking technologies (see Cookie Policy)
Trading activity logs are system-generated records created automatically when the Platform executes trades or processes strategy logic on your behalf. These logs are maintained exclusively for the purposes of: (a) audit trail integrity; (b) regulatory and legal compliance; (c) security monitoring and anomaly detection; and (d) dispute resolution. Trading activity logs are not used for advertising, profiling, or resale.
1.3. Information from Third Parties
- Exchange account data (balances, positions, order history) retrieved via your API key
- Payment processing data from Stripe (transaction confirmations, subscription status)
- Authentication provider data (if using social sign-in)
1.4. Information We Do NOT Collect
QuantumEdge operates on a strictly non-custodial basis. We do not collect, store, access, or process:
- Exchange account usernames or passwords
- Exchange two-factor authentication (2FA) codes or recovery phrases
- Withdrawal credentials, wallet private keys, or seed phrases
- Funds, digital assets, or fiat currency in any form
We do not have the ability to sign in to your Exchange account. The only Exchange access we receive is through trade-and-read-only API keys that you create and configure. We never request or accept API keys with withdrawal permissions. See our Non-Custodial Disclosure for full details.
1.5. Non-Custodial Structure Clarification
QuantumEdge operates on a strictly non-custodial basis. QuantumEdge cannot withdraw funds from your Exchange account, cannot transfer your digital assets or fiat currency to any wallet, account, or address, and cannot access your Exchange sign-in credentials. All API keys connected to QuantumEdge must be configured as trade-and-read-only; withdrawal permissions must not be granted. All assets remain at your Exchange (Kraken for MVP) at all times. QuantumEdge does not hold, custody, or control any User funds. If QuantumEdge ceases operations, your funds remain at your Exchange and are not affected.
2. How We Use Your Information
2.1. Service Delivery: To operate the Platform, execute trades per your instructions, and display analytics.
2.2. Account Management: To manage your account, Subscription, and support requests.
2.3. Security: To detect fraud, unauthorized access, and platform abuse.
2.4. Audit and Compliance: To maintain audit logs, enforce platform rules, and comply with legal obligations.
2.5. Communications: To send transactional emails (alerts, billing confirmations) and, with your consent, marketing communications.
2.6. Improvement: To analyze usage patterns and improve Platform features and performance.
3. Legal Basis for Processing
3.1. Contract Performance: Processing necessary to provide the services you subscribed to.
3.2. Legitimate Interest: Security monitoring, fraud prevention, and service improvement.
3.3. Consent: Marketing communications and optional analytics.
3.4. Legal Obligation: Tax reporting, regulatory compliance, and law enforcement requests.
5. Cross-Border Data Transfers
5.1. QuantumEdge is based in the United States. Your personal data is primarily processed and stored in the United States.
5.2. Our infrastructure providers and sub-processors may process data in jurisdictions outside the United States. Where such transfers occur, we ensure appropriate safeguards are in place, including contractual data processing agreements with each provider.
5.3. By using the Platform, you acknowledge that your data may be transferred to and processed in the United States and other jurisdictions where our service providers operate. U.S. data protection laws may differ from those in your jurisdiction.
5.4. If you are located outside the United States, you consent to the transfer of your data to the United States as described in this policy.
6. Data Retention and Account Deletion
6.1. See our Data Retention & Deletion Policy for detailed retention schedules.
6.2. Generally: account data is retained for the life of the account plus thirty (30) days; audit logs are retained for seven (7) years; trading logs are retained for three (3) years.
6.3. Account Deletion Timeline
Upon receiving a deletion request:
- (a) Active Deployments. You must stop all active Deployments before account deletion can proceed. If active Deployments exist at the time of the deletion request, you will be prompted to stop them. QuantumEdge will not automatically close, cancel, or modify open orders or positions on the Exchange — you are solely responsible for managing any open positions on your Exchange account before and after deletion.
- (b) Your account enters a thirty (30) day cooling-off period. During this period, you may cancel the deletion request and restore your account.
- (c) Access During Cooling-Off. During the cooling-off period, your Platform access may be restricted. You will retain read-only access to your dashboard and historical data for the purpose of exporting data or reviewing records. You will not be able to create new Deployments, modify existing configurations, or connect new Exchange API keys.
- (d) API Key Deletion. Exchange API key references are deleted from our systems within twenty-four (24) hours of the deletion request, regardless of the cooling-off period. After API key deletion, the Platform will no longer have any access to your Exchange account.
- (e) After the cooling-off period, the following data is permanently deleted: account profile data, trading strategy configurations, notification history, and support ticket content (unless subject to a legal hold).
- (f) The following data is retained beyond account deletion as required by law or legitimate compliance obligations (see table below).
- (g) Legal Hold or Regulatory Investigation. QuantumEdge may delay or suspend the deletion of account data if the account is subject to a legal hold, active regulatory investigation, pending litigation, law enforcement request, or other legal obligation requiring data preservation. We will notify you of any such delay to the extent legally permitted and will proceed with deletion promptly upon resolution of the hold.
- (h) Exchange Data. Data held by your Exchange (Kraken for MVP) — including your Exchange account, transaction history, balances, and order records — is not controlled by QuantumEdge and remains subject to the Exchange's own data retention and deletion policies. Deletion of your QuantumEdge account does not delete, modify, or affect any data held by the Exchange. You must contact the Exchange directly regarding its data retention practices.
- (i) Data Export Recommended. We strongly recommend that you export your data (trading logs, deployment configurations, consent history) through the Platform's self-service data export feature before initiating account deletion. After the cooling-off period, deleted data cannot be recovered by QuantumEdge.
- (j) Deletion is irreversible after the cooling-off period. We cannot recover deleted data.
Data Retention After Deletion
| Data Category | Retention After Deletion | Basis |
|---|---|---|
| Audit logs (immutable, append-only) | 7 years from creation | Legal and regulatory compliance |
| Billing and transaction records | 7 years from transaction | Tax and financial regulation |
| Consent records | 7 years from consent event | Regulatory compliance |
| Trading execution logs | 3 years from creation | Dispute resolution, regulatory compliance |
6.4. Audit Log Immutability
Audit logs described in Section 6.3(f) are immutable, append-only records. They cannot be modified, overwritten, or erased — including upon account deletion request, User request, administrative action, or any other instruction. This immutability is a structural property of the audit logging system, not a discretionary retention decision. Audit logs are retained for the full seven (7) year period regardless of account status, and their retention is not subject to the cooling-off period, deletion request, or User opt-out.
7. Data Security
7.1. We implement industry-standard security measures including encryption at rest and in transit, access controls, and regular security assessments.
7.2. See our Security & API Key Handling Disclosure for details on API key protection.
7.3. No method of electronic transmission or storage is completely secure. While we strive to protect your personal data using commercially reasonable measures, we cannot guarantee absolute security. Transmission of data over the internet carries inherent risks, and you acknowledge these risks when using the Platform.
8. Data Breach Notification
8.1. In the event of a confirmed security breach involving personal data, QuantumEdge will notify affected Users without undue delay and no later than required by applicable law.
8.2. Where required by applicable state data breach notification laws (including but not limited to California Civil Code § 1798.82, New York General Business Law § 899-aa, and Delaware Code Title 6 § 12B-102), we will notify affected individuals and relevant state authorities within the timeframes prescribed.
8.3. Breach notifications will include: (a) a description of the nature of the breach; (b) the categories of data affected; (c) steps we have taken or propose to take to address the breach; and (d) contact information for follow-up inquiries.
8.4. See our Security & API Key Handling Disclosure for details on our incident response procedures.
9. AI, Analytics, and Aggregated Data Usage
9.1. QuantumEdge may use anonymized, aggregated data derived from Platform usage to improve our algorithms, strategies, risk models, and overall Platform performance. Anonymized data cannot be used to identify you individually.
9.2. We do not sell, license, or share individual trading behavior, strategy configurations, or execution data with third parties for any purpose, including advertising or profiling.
9.3. We do not use your personal data or trading activity for advertising profiling, behavioral targeting, or sale to data brokers.
9.4. Any machine learning models trained on aggregated data operate on anonymized datasets only. No individual User's trading strategy, positions, or parameters are exposed to or derivable by other Users or third parties.
9.5. Pre-built strategy performance metrics displayed on the Platform are derived from backtested or aggregated data and do not reveal any individual User's activity.
9.6. No Automated Decision-Making Beyond User-Configured Strategies. QuantumEdge does not perform automated decision-making that produces legal or similarly significant effects on Users outside of the trading strategies that Users themselves configure and deploy. The Platform executes User-defined logic only. It does not independently decide to trade, allocate capital, or modify strategy parameters unless explicitly instructed by the User's configuration or triggered by User-configured risk management rules (e.g., auto-pause on drawdown breach).
9.7. QuantumEdge does not use personal data to make eligibility determinations, credit decisions, or automated assessments about Users beyond standard fraud detection and platform abuse monitoring described in Section 2.3.
10. Regulatory Status and Jurisdictional Scope
10.1. QuantumEdge is a software-as-a-service (SaaS) platform that provides algorithmic trading automation tools. QuantumEdge is not a broker-dealer registered with the U.S. Securities and Exchange Commission (SEC). QuantumEdge is not an investment advisor registered with the SEC or any state securities regulator.
10.2. QuantumEdge does not provide discretionary account management. The Platform does not make trading decisions on your behalf. All trading strategies are selected, configured, and deployed by the User. The Platform executes User-defined instructions only.
10.3. No fiduciary, advisory, or agency relationship is created between QuantumEdge and any User by virtue of data collection, processing, or the provision of Platform services.
10.4. Jurisdictional Availability. The Platform is intended for use by residents of the United States in jurisdictions where algorithmic trading automation is not prohibited. QuantumEdge may restrict or suspend access to the Platform in jurisdictions where regulatory requirements cannot be satisfied or where use of the Platform may conflict with local law.
10.5. Jurisdictional Access Restrictions. QuantumEdge may restrict, suspend, or block access to the Platform based on your jurisdiction, geographic location, or detected IP address. Access may be blocked where required by U.S. sanctions, export control regulations, or local laws applicable to cryptocurrency, algorithmic trading, or financial technology services. QuantumEdge may geo-block IP address ranges associated with restricted jurisdictions without prior notice. Data collection and processing described in this Privacy Policy apply only to Users who access the Platform from permitted jurisdictions.
10.6. User Responsibility. You are solely responsible for determining whether your use of the Platform — and the data processing described in this Privacy Policy — complies with all laws and regulations applicable in your jurisdiction. QuantumEdge makes no representation that the Platform's data practices satisfy the requirements of any particular jurisdiction's data protection framework beyond those explicitly stated in this policy.
10.7. QuantumEdge reserves the right to suspend accounts pending compliance review if we reasonably believe that continued access may expose the Platform or the User to regulatory risk. Users will be notified of any such suspension and the basis for it to the extent legally permissible.
11. Your Rights
11.1. Access: You may request a copy of your personal data held by QuantumEdge.
11.2. Correction: You may request correction of inaccurate data.
11.3. Deletion: You may request deletion of your account and personal data, subject to the cooling-off period and legal retention requirements described in Section 6.
11.4. Portability and Data Export
You may request your data in a machine-readable format (JSON or CSV). Exportable data categories include:
- (a) Profile data: Account information, email, display name, timezone, and preferences.
- (b) Deployment configurations: Strategy selections, parameter settings, risk thresholds, exchange pair assignments, and deployment history.
- (c) Trading execution logs: Trade records, order submissions, fills, cancellations, P&L, and execution timestamps.
- (d) Consent history: Records of policy version acceptances, including document type, version, and acceptance timestamp.
- (e) Notification history: Alerts, system notifications, and email delivery records associated with your account.
11.5. Export Exclusions. Data exports may exclude: (a) internal security logs, fraud detection signals, and abuse monitoring records that are maintained for Platform integrity and cannot be disclosed without compromising security controls; (b) proprietary platform algorithms, scoring models, risk engine logic, and internal system metadata that constitute QuantumEdge trade secrets or intellectual property; and (c) data belonging to other Users or aggregated datasets from which your individual data cannot be reasonably isolated.
11.6. Export Scope. Exports are limited to data associated with the requesting account. You may not request data associated with other Users' accounts, and QuantumEdge will not include data from accounts other than the verified requesting account in any export.
11.7. Export Rate Limits. To prevent abuse and ensure Platform stability, data export requests may be rate-limited. You may submit up to one (1) full data export request per thirty (30) day period. Incremental exports of specific data categories (e.g., trading logs for a date range) may be available more frequently through the Platform's self-service export feature. If you require an expedited or additional export for regulatory or legal purposes, contact compliance@quantumedge.markets with supporting documentation.
11.8. Export Processing and Delivery. Data export generation is not instantaneous. Export requests are queued and processed asynchronously. QuantumEdge may delay export generation for operational reasons, including but not limited to system load, infrastructure maintenance, or data integrity verification. QuantumEdge does not guarantee a specific turnaround time for export generation but will use commercially reasonable efforts to complete exports promptly. QuantumEdge reserves the right to refuse or deprioritize export requests that are abusive, duplicative, or designed to circumvent rate limits. A request is considered duplicative if it is substantially identical to a prior request fulfilled within the preceding thirty (30) day period. Refusal of an abusive or duplicative request does not affect your underlying right to data portability.
11.9. Legal Hold Exclusion. Data that is subject to a legal hold, active regulatory investigation, pending litigation, or law enforcement preservation request may be excluded from or redacted in data exports to the extent required by law or legal obligation. QuantumEdge will inform you if a legal hold affects the completeness of your export to the extent legally permitted.
11.10. Export Link Expiry. Data export files generated by the Platform will be made available for download via a secure, time-limited link. Export download links expire seven (7) days after generation. After expiry, you must submit a new export request. QuantumEdge does not retain generated export files beyond the expiry window.
11.11. Opt-Out: You may opt out of marketing communications at any time.
11.12. To exercise any right, contact compliance@quantumedge.markets. We will respond to verified requests within thirty (30) days.
12. Children's Privacy
12.1. The Platform is not directed to individuals under 18. We do not knowingly collect data from minors.
12.2. If we become aware that we have collected personal data from an individual under 18, we will take steps to promptly delete such data from our systems unless we are legally required to retain it. If you believe that a minor has provided personal data to QuantumEdge, please contact compliance@quantumedge.markets immediately.
13. California Residents (CCPA/CPRA)
13.1. California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know, delete, correct, and opt out of the sale or sharing of personal information.
13.2. We do not sell or share personal information as defined by the CCPA/CPRA.
13.3. We do not use sensitive personal information for purposes beyond what is necessary to provide the Platform services.
13.4. To submit a CCPA/CPRA request, contact compliance@quantumedge.markets. We will verify your identity before processing the request and respond within forty-five (45) days as required by law.
14. Do Not Track (DNT)
14.1. Some web browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how platforms should respond to DNT signals.
14.2. QuantumEdge does not currently alter its data collection or tracking practices in response to browser DNT signals.
14.3. You may manage tracking preferences through our Cookie Policy settings panel and opt out of analytics cookies at any time.
15. Data Processing Agreements (DPA)
15.1. Enterprise customers and business partners that require a Data Processing Agreement (DPA) for regulatory, contractual, or internal compliance purposes may request one by contacting legal@quantumedge.markets.
15.2. Our standard DPA covers: categories of data processed, processing purposes, sub-processor disclosures, security obligations, data breach notification commitments, and data deletion procedures.
15.3. DPAs are available at no additional cost to customers on Enterprise plans.
16. Data Protection Contact
16.1. For all privacy-related inquiries, data subject requests, or complaints, contact:
Quantum Edge Technologies LLC
Attn: Data Protection Officer
1401 Lavaca St, Austin, TX 78701 #1086
United States
Email: compliance@quantumedge.markets
16.2. We aim to respond to all inquiries within thirty (30) days. If you are unsatisfied with our response, you may have the right to lodge a complaint with a relevant regulatory authority.
17. Changes to This Policy, Versioning, and Re-Consent
17.1. Notice. We will notify you of material changes to this Privacy Policy via email and in-app notification at least thirty (30) days in advance of the effective date.
17.2. Versioning. Each version of this Privacy Policy is assigned a version identifier (e.g., v1.0, v1.2) and an effective date, both displayed at the top of this document. Our consent versioning system records which version you have accepted.
17.3. Re-Consent for Material Changes. When we publish a material update to this Privacy Policy — including changes to the categories of data collected, data sharing practices, data retention periods, cross-border transfer mechanisms, or your rights — you will be required to explicitly review and accept the updated policy before continuing to use the Platform. The Platform will present you with a consent gate identifying the changes and requiring per-document acceptance.
17.4. Access Restriction. If you do not accept a required Privacy Policy update, your access to the Platform will be restricted until re-consent is completed. Specifically: trading, deployment, and configuration actions will be blocked; you will retain access to logout, support, and legal document pages. This restriction is a consent compliance measure, not a suspension or punitive action.
17.5. Continued Use. For non-material changes (formatting, clarifications that do not alter your rights or our data practices), continued use of the Platform after the effective date constitutes acceptance. For material changes, explicit acceptance through the consent gate is required — continued use alone is not sufficient.
17.6. Consent Record. Each acceptance of an updated Privacy Policy version is recorded with your user ID, the document version, the timestamp of acceptance, and your IP address. These records are maintained in an immutable audit log and are available to you upon request.
17.7. The "Last Updated" date and version identifier at the top of this policy will reflect the most recent revision. We encourage you to review this policy periodically.
Have questions? Contact us at compliance@quantumedge.markets