Privacy Policy
What we collect, why we collect it, and what we never do with it.
Last updated June 23, 2026
This Privacy Policy explains how QuantriumFlow LLC (“QuantriumFlow”, “we”, “our”, “us”) collects, uses, and shares information when you visit https://uatw.quantriumflow.com or use our Service.
Data controller
The data controller responsible for your personal data is QuantriumFlow LLC, 24 Warner Ln, Monmouth Junction, New Jersey 08852, USA. You can contact us about privacy matters at privacy@quantriumflow.com.
Information we collect
Information you provide
- Account data: name, email. If you sign in via OAuth, we also receive a stable provider-specific identifier (Discord ID or Google ID) that we use to recognise you on subsequent visits.
- Password (Credentials sign-in only): if you create an account with a password, we store only a salted bcrypt hash. We never store your plaintext password and cannot recover it — only reset it.
- Billing data: handled by Stripe — we never see or store your card number. We retain Stripe’s customer ID, subscription tier, and billing-period metadata.
- Support communications: messages you send us via email or contact forms.
- Waitlist sign-ups: if you join the trial waitlist, your email is collected solely to send your trial invitation.
Information collected automatically
- Usage data: aggregated, privacy-preserving analytics about which pages you view and which features you use. We use cookieless analytics ([Plausible / Vercel Analytics]) — no third-party tracking cookies are set.
- Server logs: IP address, user-agent, and request timestamps for security and rate-limiting purposes. Retained for up to 30 days.
- Sign-up attempt records: for each sign-up attempt (successful or otherwise) we record the IP address, user-agent, a one-way hash of the email address, and an outcome tag, so we can detect and prevent trial abuse. Retained for up to 90 days, then deleted. Lawful basis: legitimate interest in preventing fraud and abuse of our free trial.
How we use your information
- To provide and maintain the Service.
- To process payments and manage subscriptions through Stripe.
- To assign Discord roles based on your subscription tier (if you opt in).
- To send transactional emails (receipts, password resets, trial invitations).
- To prevent fraud, abuse, and unauthorized access.
- To comply with legal obligations.
Legal bases (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies to you, we rely on the following lawful bases:
- Performance of a contract — account, billing, and core service data needed to deliver the Service you signed up for.
- Legitimate interests — transactional emails, fraud prevention, and security logging.
- Consent — Discord role assignment, optional features, and any marketing communications you opt in to. You may withdraw consent at any time without affecting the lawfulness of processing carried out beforehand.
- Legal obligations — tax, accounting, and anti-fraud retention requirements.
What we do not do
- We do not sell your personal information.
- We do not share your trading activity with third parties.
- We do not run ads or place ad-tracking pixels on the Site.
- We do not set cross-site tracking cookies.
Service providers
We share data only with the third parties strictly necessary to operate the Service:
- Stripe — payments and subscription management.
- Google — OAuth sign-in (if you choose this option).
- Discord — OAuth sign-in and tier-based role assignment (if you choose this option and opt in to Discord access).
- Supabase — database and authentication backend.
- Resend — transactional email delivery (verification, password resets, receipts).
- Vercel — hosting, CDN, and privacy-preserving page-view analytics.
Each provider acts as a data processor under our instructions and is contractually bound to handle your data securely.
Cookies
We use only strictly-necessary cookies (e.g., authenticated session tokens). We do not use advertising or third-party tracking cookies. Because we use privacy-preserving analytics that do not set cookies, we do not display a cookie consent banner. If your jurisdiction requires explicit consent for any cookie we set, we will honor that requirement.
Your rights
Depending on your jurisdiction (including GDPR, UK GDPR, CCPA/CPRA, and similar laws) you may have the right to access, correct, export, or delete your personal information. You may also have the right to object to or restrict processing, to withdraw consent where processing is based on consent, and to lodge a complaint with your data protection supervisory authority(for example, the UK Information Commissioner’s Office, or your EU member-state authority). To exercise any of these rights, email privacy@quantriumflow.com from the address associated with your account. We will not discriminate against you for exercising any privacy right.
EU, UK & Swiss representatives
We have no establishment in the European Union, the United Kingdom, or Switzerland but we process personal data of people in those regions. As required by GDPR Article 27, the equivalent UK GDPR provision, and Swiss revFADP Article 14, we have designated representatives in each.
EU representative: Data Protection Representative Limited (trading as DataRep), DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland.
UK representative: Data Protection Representative Limited (trading as DataRep), DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom.
Swiss representative: Data Protection Representative Limited (trading as DataRep), DataRep, Leutschenbachstrasse 95, Zurich, 8050, Switzerland.
Data retention
We retain account and subscription data for as long as your account is active and for up to 24 months afterward to comply with tax and accounting requirements. Server logs are retained for up to 30 days. You may request earlier deletion subject to our legal obligations.
International transfers
Our infrastructure is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. For transfers of personal data from the European Union and the European Economic Area to the United States, we rely on the European Commission’s Standard Contractual Clauses (SCCs). For transfers from the United Kingdom we rely on the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, as applicable. Where additional safeguards are required by the law applicable to you, we will implement them.
Children’s privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
Security
We use industry-standard encryption in transit (TLS) and at rest, scoped access controls, and regular dependency audits. No system is perfectly secure; if you suspect a vulnerability, see our security disclosure policy.
Changes
We’ll post material changes here and notify subscribers by email at least 14 days in advance. The “Last updated” date above always reflects the current version.
Contact
Privacy questions or rights requests: privacy@quantriumflow.com. General support: support@quantriumflow.com. Or write to QuantriumFlow LLC, 24 Warner Ln, Monmouth Junction, New Jersey 08852, USA.