Privacy Policy

Last updated: 13 June 2026

This policy explains what data QUANTHEON Lab (“we”, “us”, the “Service”, available at app.quantheonlab.com) collects when you use it, why we collect it, who we share it with, and the rights you have. We keep it short and concrete.

1. Who we are

QUANTHEON Lab is a web application for designing and backtesting trading strategies on historical market data and building hypothetical portfolios. The Service is operated by the QUANTHEON Lab team. For any privacy request you can contact us at [email protected].

2. Data we collect

Category	What it is	Why
Account	Your email address and a securely hashed password — or, if you use “Sign in with Google”, your email, name and Google account identifier.	To create and secure your account and sign you in.
Consent preferences	Whether you opted in to commercial/marketing communications at sign-up.	To respect your choice and prove it was given.
Your content	The strategies, studies and portfolios you create and save.	To store your work and let you reopen it.
Usage & compute	Records of heavy operations (backtests, optimizations, etc.), compute credits consumed, request counts and timestamps.	To run the Service, measure usage and apply plan limits fairly.
Technical	Your IP address and basic request metadata.	Security, abuse prevention and rate-limiting.

Local storage, not tracking cookies. To keep you signed in we store an authentication token in your browser’s local storage. We do not use third-party advertising or cross-site tracking cookies.

3. How we use your data

To provide, maintain and secure the Service and your account.
To measure compute usage and enforce plan limits.
To protect the Service from abuse (e.g. rate-limiting by IP).
Only if you opted in: to send you product updates and commercial communications. You can withdraw this at any time (see §7) and every message includes an opt-out.

4. Legal bases (GDPR)

Performance of a contract — to deliver the Service you asked for.
Legitimate interests — to keep the Service secure and reliable.
Consent — for marketing/commercial communications, where you opted in.
Legal obligation — where the law requires us to retain certain records.

5. Sharing & service providers

We do not sell your personal data. We share data only with providers that help us run the Service:

Google — when you choose “Sign in with Google” (authentication only).
Cloudflare — content delivery, TLS and security in front of the Service.
Our hosting provider — EU-based servers (Hetzner, Germany) that run the application and database.
Market-data sources — third-party providers (e.g. Yahoo Finance) supply price/ETF data. Browsing such data does not send them your personal information.

6. Where data is stored & how long

Your data is stored on servers located in the European Union. We keep your account and content for as long as your account is active. If you ask us to delete your account, we erase your personal data and content within a reasonable period, except where we must keep limited records to comply with the law.

7. Your rights

Under the GDPR and similar laws you can:

access the data we hold about you, and request a copy (portability);
rectify inaccurate data or erase your data (“right to be forgotten”);
restrict or object to certain processing;
withdraw marketing consent at any time;
lodge a complaint with your local data-protection authority.

To exercise any of these, email [email protected].

8. Security

Passwords are stored only as salted hashes (bcrypt) — never in clear text. Sessions use signed tokens (JWT) and the Service is served over HTTPS. No system is perfectly secure, but we take reasonable measures to protect your data.

9. Children

The Service is not directed to children and is intended for users aged 18 or older.

10. Changes to this policy

We may update this policy as the Service evolves. We will revise the “Last updated” date above and, for material changes, take reasonable steps to inform you.

11. Contact

Questions about this policy or your data? Email [email protected].