Privacy Policy — PolyQuantX
Effective date: <FILL ON LAUNCH>
1. Posture
PolyQuantX minimizes data collection. We do not collect data we don't need to operate the Platform. We do not sell personal data. We do not run behavioural advertising. The Platform is non-custodial — operationally, most user activity happens on-chain, not on our servers.
This Policy describes the data we do collect, why, and your rights over it.
2. What we collect
| Category | Examples | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account | email (optional), wallet address, username | account creation, login, in-product notifications | Contract performance + your consent |
| On-chain refs | tx hashes, contract interactions, USDC balances visible from your wallet address | platform functionality (showing your subscriptions, escrows, jobs) | Contract performance |
| Telemetry | API request paths, HTTP status codes, error stacks (via Sentry) | reliability, debugging, security monitoring | Legitimate interest |
| Usage | bot subscriptions, freelance jobs posted/taken, ratings, AI-assistant prompts | platform functionality | Contract performance |
| Communications | email subject + body when you email us; support-ticket history | answering you, keeping a record of correspondence | Contract performance |
| Developer artifacts | bot source code (if uploaded), backtest report PDFs | provide the developer tooling you asked for | Contract performance |
We do NOT collect, by default:
- Real legal names (your wallet address and chosen username are sufficient).
- Government-issued ID, passport, or other KYC documents — unless your jurisdiction or use-pattern legally requires KYC, in which case this is flagged separately at the point of collection.
- Physical postal address.
- Phone numbers.
- IP-based geolocation for marketing purposes.
- Behavioural advertising profiles or cross-site tracking identifiers.
- Biometric data.
- Data about your wallet activity outside of PolyQuantX (we only see what your wallet does on the Platform, not your broader on-chain history).
3. Cookies and browser storage
| Type | Name(s) | Purpose | Default |
|---|---|---|---|
| Essential cookie | session JWT, CSRF token | authentication, session integrity | Required, set on login |
| localStorage | wallet-connect state (the Reown shim), theme preference, polyquantx-cookie-consent | remember your wallet session and UI preferences | Required |
| Analytics | (none today) | n/a | Disabled by default |
We do not load analytics cookies or third-party tracking scripts by default. If we add analytics in the future, we will ask for your explicit opt-in via the cookie-consent banner before loading any analytics provider, and you may continue to use the Platform if you decline.
The polyquantx-cookie-consent localStorage key records your choice
(values: essential or all).
4. Third-party processors (sub-processors)
We rely on the following sub-processors. Each has its own privacy policy, which we recommend you review.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Neon (https://neon.tech) | Postgres database | account row, on-chain references, off-chain metadata | EU (Frankfurt) |
| Upstash (https://upstash.com) | Redis cache | session state, rate-limit counters | EU |
| Cloudflare R2 (https://www.cloudflare.com/products/r2/) | object storage | bot source code uploaded by developers, backtest report PDFs | EU / global edge |
| Resend (https://resend.com) | transactional email | recipient email address, message body | US |
| Sentry (https://sentry.io) | error monitoring | error stacks (which may contain a wallet address or request path), release identifiers | US |
| Vercel (https://vercel.com) | web-app hosting + CDN | HTTP request logs, asset distribution | global edge |
| Alchemy (https://www.alchemy.com) | Polygon RPC | wallet address and on-chain read queries you issue from the Platform | US |
| OpenRouter (https://openrouter.ai) | AI assistant routing | the prompt text you send to the assistant | US |
We currently use only the free tier of each provider. We do not sell data to these providers or to any third party; they process data solely on our behalf as our sub-processors.
5. Your rights (GDPR and similar regimes)
If you are a data subject under the GDPR, UK DPA 2018, CCPA/CPRA, or a similar regime, you have the following rights:
- Access: request a copy of the personal data we hold about you (we will respond within 30 days; email privacy@polyquantx.com).
- Rectification: request that inaccurate or incomplete data be corrected.
- Erasure: request deletion of your data, subject to legal retention obligations.
- Restriction: request that we limit processing of your data.
- Portability: request a machine-readable copy of data you provided to us.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: for any processing based on your consent, at any time, without affecting prior lawful processing.
- Complaint: lodge a complaint with your local Data Protection Authority (e.g., your national DPA in the EU; the ICO in the UK; the California Privacy Protection Agency in California).
Important caveat: on-chain data CANNOT be deleted from the blockchain. We can delete the off-chain mapping (your account row, session data, telemetry) but the on-chain record — your wallet address's history of interactions with the Contracts — will remain publicly visible on Polygon indefinitely. This is an inherent property of public blockchains.
6. Retention
| Data | Retention |
|---|---|
| Account data (active) | While your account is active. |
| Account data (closed) | 90 days after closure, then deleted, except where longer retention is legally required. |
| On-chain references | As long as the Contracts exist and are indexed. |
| Telemetry / Sentry events | 90 days rolling. |
| R2 objects (bot code, reports) | Until the developer deletes them or closes their account. |
| Email correspondence | 2 years from last message, for support-history continuity. |
polyquantx-cookie-consent localStorage | Until you clear browser storage. |
7. Children
The Platform is not directed to, and we do not knowingly collect personal data from, individuals under the age of 18. If you believe a minor has provided us with personal data, please contact privacy@polyquantx.com and we will delete it.
8. International transfers
Personal data may be processed in jurisdictions outside your country of residence, including the United States. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer safeguards. The sub-processor table in Section 4 lists the primary processing region for each provider.
9. Changes
We may update this Policy from time to time. Material changes will be announced via an in-app banner at least 7 days before the effective date, and via email when an email address is on file. Continued use of the Platform after the effective date constitutes acceptance.
10. Contact
- Privacy and DPA correspondence: privacy@polyquantx.com (placeholder)
- Data Protection Officer (if appointed): <FILL>
- Operator postal address: <FILL>
- Operator legal entity: <FILL — sole proprietor / LLC / Ltd. + jurisdiction>