QuantLink

Privacy Policy

Privacy Policy for QuantLink
Oct 24, 2025

Introduction

QuantLink ("we," "our," or "us") operates a quantitative trading signal relay and distribution platform that connects trading strategies on JoinQuant (聚宽) with execution terminals such as QMT and PTrade. This Privacy Policy describes how we collect, use, store, and share information when you access or use our services at quantlink.app and related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Service.

Information We Collect

1. Account Information

When you create an account, we collect:

  • Email address — used for account identification, authentication, and communication
  • Display name — your chosen name visible to other users when you share strategies
  • Password — stored in hashed form; we never store plaintext passwords
  • OAuth tokens — if you sign in via Google or GitHub, we receive your profile information from the provider

2. Trading and Platform Data

As a quantitative trading platform, we process and store:

  • Strategy configurations — strategy names, parameters, webhook tokens, and source code references
  • Trading signals — buy/sell signals relayed through our platform, including stock codes, quantities, prices, and timestamps
  • Position data — virtual position snapshots from JoinQuant and actual position snapshots from QMT/PTrade terminals
  • Execution records — terminal execution confirmations, including filled quantities and latency metrics
  • Terminal information — terminal device identifiers, authentication tokens, heartbeat status, and online/offline state
  • Drift analysis data — position drift calculations comparing expected vs. actual positions

3. Sharing and Invitation Data

When you use our strategy sharing features:

  • Invitation records — invitee emails, invitation codes, acceptance status, and expiration dates
  • Share permissions — permission settings you configure for recipients (pause rights, delete rights, terminal limits, validity periods)
  • User group membership — group assignments and member relationships
  • Audit logs — records of sharing actions for compliance and transparency

4. Payment and Billing Information

  • Subscription and plan data — your selected plan, subscription status, and billing cycle
  • Transaction records — payment history for your reference
  • Payment card details are processed through our payment providers (Stripe, PayPal, or Creem) and are not stored on our servers

5. Technical and Usage Data

  • Device and browser information — device type, operating system, browser type, and IP address
  • Usage patterns — pages visited, features used, and interaction patterns
  • Cookies and session data — session tokens for authentication, locale preferences, and UI settings
  • Log data — server access logs for security monitoring and debugging

How We Use Your Information

We use collected information for the following purposes:

  1. Service delivery — operating the signal relay pipeline, managing strategy-terminal connections, and processing trading signals
  2. Account management — authentication, authorization, and account administration
  3. Platform security — device binding verification, fraud prevention, and unauthorized access detection
  4. Service improvement — analyzing usage patterns, debugging issues, and optimizing platform performance
  5. Communication — sending service notifications, expiration warnings, invitation emails, and security alerts
  6. Billing — processing subscription payments and maintaining payment records
  7. Drift monitoring — calculating and reporting position drift between expected and actual trading positions
  8. Audit and compliance — maintaining sharing audit logs as required by platform governance

Data Storage and Security

  • Infrastructure: Data is stored on Supabase (PostgreSQL) with encryption at rest and in transit
  • Access controls: Database access is restricted to authorized personnel and services; all API endpoints require authentication
  • Terminal security: Terminal connections use bearer token authentication with device fingerprint binding; unauthorized device connections are rejected
  • Signal integrity: Trading signals are deduplicated using SHA-256 payload hashing to prevent replay attacks
  • Session management: User sessions have defined expiration periods and are validated server-side

While we implement industry-standard security measures, no system is completely secure. We commit to promptly notifying affected users in the event of a data breach.

Data Sharing and Disclosure

We do not sell your personal information. We may share data in the following circumstances:

Sharing Within the Platform

  • Strategy recipients: When you share a strategy, recipients can see the strategy name and receive trading signals. Your email may be visible to invitees
  • Strategy owners: As a recipient of a shared strategy, the strategy owner can see your email address and terminal usage within the scope of the share permissions
  • Sub-accounts: Account owners can view sub-account activity within their tenant

Third-Party Service Providers

  • JoinQuant (聚宽): Trading strategies and signals originate from JoinQuant; we interact with their API to relay signals
  • Payment processors: Stripe, PayPal, or Creem process subscription payments on our behalf
  • Email delivery: Resend handles transactional email delivery (invitations, notifications)
  • Cloud infrastructure: Supabase provides our database hosting

We may disclose information when required by law, regulation, legal process, or governmental request.

Data Retention

  • Active account data: Retained for as long as your account is active
  • Trading signals and execution records: Retained for the lifetime of the associated strategy
  • Audit logs: Retained according to admin-configured retention policies (default: 90 days)
  • Expired shares: Expired sharing records are retained for historical reference but flagged as inactive
  • Deleted accounts: Upon account deletion, personal information is removed within 30 days. Aggregated, anonymized data may be retained

Your Rights

You have the right to:

  • Access: View and export your account data and trading history
  • Correction: Update your account information through the settings page
  • Deletion: Request account deletion through settings or by contacting support. Note that deleting your account will also revoke all active shares you have sent or received
  • Withdrawal of consent: Disable sharing, disconnect terminals, or revoke access at any time through the platform interface

Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

International Data Transfers

Our infrastructure providers (Supabase) may process data in jurisdictions outside your country of residence. By using the Service, you consent to the transfer of your information to these jurisdictions, which may have different data protection laws.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "updated_at" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Email: support@quantlink.app