Privacy Policy
Last updated: March 15, 2026
1. Introduction
Quantum Flow Investments ("we", "us", "our") operates QFI Terminal. This Privacy Policy explains how we collect, use, and protect your personal data when you use our Service, in compliance with the EU General Data Protection Regulation (GDPR) and applicable Portuguese law.
2. Data Controller
Quantum Flow Investments is the data controller. For questions about data processing, contact privacy@qfiterminal.com.
3. Data We Collect
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, communication | Contract performance |
| Name | Account identification | Contract performance |
| Solana wallet address | Wallet-based authentication | Contract performance |
| Google/X OAuth ID | Social login | Consent |
| IP address | Security, rate limiting, fraud prevention | Legitimate interest |
| Browser user agent | Security, bot detection | Legitimate interest |
| Usage data (tabs visited) | Product analytics, improving the Service | Legitimate interest |
| Watchlist & portfolio data | Service functionality | Contract performance |
4. Data We Do NOT Collect
- We do not collect or store private keys or seed phrases.
- We do not access wallet transaction history beyond authentication verification.
- We do not sell, rent, or share personal data with third parties for marketing.
- We do not use tracking pixels, retargeting cookies, or advertising networks.
5. Payment Data
All payment processing is handled by Stripe, Inc. We do not store credit card numbers, bank details, or payment credentials. Stripe's privacy policy applies to payment data: stripe.com/privacy.
6. Cookies
- Session cookie — Required for authentication. HttpOnly, Secure, SameSite=Strict. Expires on browser close.
- Remember-me cookie — Optional persistent login (7 days). HttpOnly, Secure, SameSite=Lax. Token is hashed and rotated on each use.
- Affiliate cookie — Stores referral code (30 days). First-party, no tracking.
We do not use third-party cookies, analytics cookies, or advertising cookies.
7. Data Storage & Security
- Data is stored in Supabase (PostgreSQL), hosted in the EU.
- All API communication is encrypted via HTTPS/TLS.
- Passwords are hashed with bcrypt (never stored in plaintext).
- Remember-me tokens are SHA-256 hashed and rotated on each use.
- Row Level Security (RLS) is enabled on all database tables.
- API endpoints are protected by session checks, rate limiting, CORS, and user-agent filtering.
8. Data Retention
- Account data is retained while your account is active.
- Session tracking data is retained for 90 days.
- Performance logs are retained for 30 days.
- Upon account deletion, all personal data is permanently removed within 30 days.
9. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — Request a copy of your personal data.
- Rectification — Correct inaccurate data.
- Erasure — Request deletion of your data ("right to be forgotten").
- Portability — Receive your data in a machine-readable format.
- Objection — Object to processing based on legitimate interest.
- Restriction — Request restriction of processing.
To exercise any of these rights, email privacy@qfiterminal.com. We will respond within 30 days.
10. Third-Party Services
- Stripe — Payment processing
- Supabase — Database hosting (EU region)
- Helius — Solana RPC for wallet verification (public blockchain data only)
- Google OAuth — Optional social login
11. International Transfers
Your data is primarily stored in the EU. Where data is processed outside the EU (e.g., Helius RPC calls), we ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.
12. Children
QFI Terminal is not intended for individuals under 18. We do not knowingly collect data from minors.
13. Changes
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification. The "Last updated" date reflects the most recent revision.
14. Contact
For any privacy-related inquiries:
Email: privacy@qfiterminal.com