Quant7 Alpha, LLC ("Quant7", "we") operates Q7 AEGIS AI at quant7alpha.com. This policy describes what data we collect, why we collect it, where it lives, who we share it with, and what rights you have over it. We have tried to write it the way we wish other companies wrote theirs — plain English, no padding, no dark patterns.
what we collect
We collect only what the platform needs to operate. Specifically:
- Email address. We use magic-link authentication. There are no passwords. Your email is how we identify your account and how we send you sign-in links, billing receipts, calibration updates, and material policy changes.
- Venue API credentials. When you connect a broker (EdgeX, NinjaTrader, Bybit, Tradovate, gTrade, or any other supported venue), you submit API keys to us. We store them encrypted (see below). We use them solely to read account state and route orders that you have authorized.
- Position and trade data synced from your venue. While you are connected, the platform polls your venue for open positions, fills, balances, and order status, so the dashboard reflects reality and the risk subsystems can do their job. This data is stored in our database and tied to your account.
- IP address, user agent, and timestamps. Standard server-side logging. We retain these for security monitoring, abuse detection, and operational debugging.
- Stripe payment metadata. When you subscribe, Stripe sends us a customer ID, a subscription status, billing email (if different from your account email), the country we should consider for tax purposes, and the last four digits of the card for receipts. We do not see or store full card numbers, expiration dates, CVVs, or bank account numbers — those live with Stripe.
what we do not collect
We do not collect:
- Real names, home addresses, dates of birth, Social Security numbers, taxpayer ID numbers, government ID images, or proof-of-residency documents. KYC for trading lives at the venue, not with us. We never see what the venue collected from you. The exception is the billing name Stripe asks for during checkout, which we receive only as a metadata field on the subscription record.
- Phone numbers (unless you voluntarily provide one in support correspondence).
- Browsing history outside our own site.
- Cross-site tracking identifiers, marketing pixels, ad-platform cookies, or behavioral fingerprints.
where data lives
All application data — accounts, encrypted API keys, position snapshots, signal logs, trade history — is stored in a managed Postgres database (Neon) in the US-East region, encrypted at rest with provider-managed keys and encrypted in transit via TLS 1.2 or higher.
Venue API keys receive a second layer of protection on top of database encryption. Each key is encrypted with AES-GCM using a per-row key derived from a master key held in our secrets manager. The plaintext key is held in memory only for the duration of the request that issues an order, and is never written to logs. If our database were ever exfiltrated, the keys remain unusable without separate access to the secrets manager.
Operational logs (IP, user agent, request paths) are stored separately, with shorter retention.
data retention
- Account data — email, venue connections, billing status — is retained for the duration of your active subscription, plus 90 days after closure for billing reconciliation, fraud prevention, and regulatory traceability. After 90 days, the account record is anonymized: the email is replaced with a hash, the venue connections and API keys are deleted, and any remaining trade records become tied to an opaque internal ID with no path back to your identity.
- Trade history and signal logs are retained indefinitely in anonymized form. This data is essential to the calibration pipeline — anonymized trade records inform backtest validity, drift detection, and the Adaptive Repair Loop. Once anonymized, there is no path back to you.
- Stripe billing data is retained per Stripe's policies (typically seven years for tax records).
- Operational logs are retained for 90 days.
If you close your account and want the 90-day reconciliation window waived, email us at privacy@quant7alpha.com and we will accelerate the anonymization where legally permissible. ⚠ confirm whether tax/billing records can be shortened below seven years for non-US subscribers under their local regimes, and whether GDPR right-to-erasure overrides our billing-retention default.
how we use the data
- To operate the service. Authenticate you, route signals to your venue, display your dashboard, run risk subsystems, send billing receipts.
- To run the platform safely. Detect abuse, debug incidents, monitor fraud, comply with sanctions screening.
- To improve the system. Aggregated and anonymized trade data informs calibration cycles. Your individual trade record is never used to target you in any way; it contributes to the population statistics the system needs to detect drift.
- To communicate with you. Authentication emails, billing receipts, material policy changes, security notices, and infrequent product updates. You can opt out of product updates at any time without affecting service.
We do not use your data to train any external machine-learning model. The hybrid AI overlay's XGBoost classifiers and FinBERT sentiment gate are trained on market data — price, order flow, public news headlines — not on subscriber behavior.
who we share data with
We share narrowly, with named processors, only to the extent required to operate the service:
- Stripe — for billing. You sign up to Stripe's terms and privacy policy as part of the checkout flow.
- Your chosen broker venue — for execution. We send orders and read account state via the API key you provided. We do not share your platform credentials with the venue; only the API key you submitted is in scope.
- Neon — our database host. Standard cloud DPA in place.
- Vercel — our application host. Standard cloud DPA in place.
- Hetzner — our compute backend for the canary account and the calibration pipeline. Standard cloud DPA in place.
We do not sell data. We do not run ad networks. We do not exchange data with marketing partners, data brokers, or affiliates. We do not run pixel-based remarketing.
We will disclose data if compelled by valid legal process — a subpoena, court order, or law-enforcement request that meets the standard required in our jurisdiction. Where legally permitted, we will notify you before disclosure so that you can object. ⚠ confirm whether a transparency report or warrant canary policy is appropriate at our scale.
GDPR and CCPA rights
If you are a resident of the EU, UK, California, or any jurisdiction with an equivalent regime, you have the following rights regardless of where we are headquartered:
- Access. You can request a copy of the personal data we hold about you. We will deliver it in a portable format (JSON or CSV) within 30 days.
- Correction. If anything is wrong, tell us and we will fix it.
- Deletion. You can request deletion of your personal data. We will honor it subject to the retention exceptions above (billing records we are required to keep, anonymized trade data that is no longer personal).
- Portability. Your data is yours. We will export it on request.
- Objection / restriction. You can object to specific processing activities. In practice the only optional processing we do is product-update emails; everything else is necessary to operate your account.
- Withdraw consent. Where processing is consent-based, you can withdraw at any time without affecting prior processing.
- Lodge a complaint. EU residents may complain to their national supervisory authority. UK residents may complain to the ICO. California residents may contact the Attorney General.
Send any of the above requests to privacy@quant7alpha.com. We will respond within 30 days. We do not charge for these requests except in the rare case of obviously abusive repeat filings.
cookies and similar technologies
We use cookies for one thing only: keeping you signed in. The session cookie is a signed token, scoped to our domain, set with HttpOnly, Secure, and SameSite=Lax. No third-party cookies are set by us. We do not run ad-network pixels, social-network pixels, fingerprinting libraries, or session-replay tools. Embedded charts (TradingView and similar) may set their own cookies if you interact with them; we cannot control that, and you can block them at the browser level without losing platform functionality.
Local storage is used by the dashboard to remember user-interface preferences (theme, expanded panels, last-viewed strategy). Nothing in local storage is sent to our servers.
children
The platform is not intended for and not made available to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided data through the platform, contact privacy@quant7alpha.com and we will remove it.
international transfers
Data is stored in the United States. If you are subscribing from outside the US, you consent to the transfer of your personal data to the US for processing. We rely on Standard Contractual Clauses or equivalent transfer mechanisms with our processors where required. ⚠ confirm SCC version and whether a separate UK addendum is needed post-Brexit.
security
We follow the security practices we expect of a platform handling financial-execution credentials: AES-GCM encryption for venue keys, per-row key derivation, secrets-manager isolation of the master key, TLS 1.2+ in transit, principle of least privilege on database access, audit logging of all sensitive operations, dependency scanning, and a vulnerability disclosure process. No system is unbreakable; if you discover a vulnerability, email security@quant7alpha.com and we will respond within 72 hours.
In the event of a breach affecting personal data, we will notify affected users within 72 hours of confirmation, as required under GDPR and analogous regimes, regardless of whether such notification is legally required in your jurisdiction.
changes to this policy
Material changes will be announced via email and in-app banner at least 30 days before they take effect. Non-material changes (clarifications, typo fixes, vendor name updates) will be reflected by updating the "last updated" date at the top of this page.
contact
Privacy questions, data requests, and complaints: privacy@quant7alpha.com.
Security disclosures: security@quant7alpha.com.
General legal inquiries: legal@quant7alpha.com.