Privacy Policy

QEdge (“we,” “us,” “our”) is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, how we use and store it, and your rights in relation to it.

This Policy applies to all users of the QEdge platform accessible at qedge.app and any associated services. It forms part of our Terms of Service.

2.1 Account Data

When you register we collect:

• Your email address (used as your unique identifier and for transactional emails)
• A securely hashed version of your password (bcrypt, 12 rounds — we never store your password in plaintext)
• Account creation timestamp and last login timestamp
• Email verification status

2.2 Activity Logs

For security, fraud prevention, and service improvement, we automatically record the following events:

• Account sign-up and email verification
• Login attempts (successful and failed)
• Password reset requests and completions
• Score requests and stock symbol queries
• Backtest runs

Each log entry may include your IP address, browser user-agent string, the action performed, and the timestamp.

2.3 Watchlist and Portfolio Data

If you use the watchlist feature, we store your selected stock symbols, optional share quantities, and optional average purchase prices in our database, linked to your account.

2.4 Browser Storage (localStorage)

The Platform stores the following preferences locally in your browser. This data never leaves your device unless you explicitly interact with a Platform feature that sends it to our servers:

• Algorithm weight settings
• Default stock symbol
• Refresh interval preference
• Cached score data (short-lived, 5-minute TTL)

2.5 Data We Do Not Collect

We do not collect:

• Payment or financial account information (the Platform is currently free)
• Government-issued identification
• Precise geolocation data
• Third-party social media account data

We use the data we collect for the following purposes:

• To create and maintain your account and authenticate your identity
• To deliver the Platform’s core features (scores, watchlist, backtests)
• To send transactional emails — account verification and password resets only
• To detect, investigate, and prevent fraudulent or abusive activity
• To monitor Platform performance and improve our service
• To generate aggregated, anonymised usage statistics (no individual user is identifiable)
• To comply with applicable legal obligations

We do not use your data for behavioural advertising, profiling for marketing purposes, or any automated decision-making that produces legal or similarly significant effects on you.

Where applicable data protection law requires a legal basis for processing, we rely on the following:

• Contract performance — processing necessary to provide the service you signed up for (account management, feature delivery).
• Legitimate interests — security monitoring, fraud prevention, and service improvement, where these interests are not overridden by your rights.
• Legal obligation — retaining records where required by law.
• Consent — where you have explicitly agreed, such as accepting these terms at sign-up.

We do not sell, rent, or trade your personal data. We share data only with the following processors, strictly to operate the Platform:

• Neon (database hosting) — stores your account data, watchlist, activity logs, and cached score data in a managed PostgreSQL database. Data is processed as a data processor on our behalf.
• Vercel (cloud infrastructure)— hosts and serves the Platform. Your IP address and HTTP request metadata pass through Vercel’s network on each request.
• Resend (transactional email) — receives your email address solely to deliver account verification and password-reset messages. No marketing emails are sent.
• Yahoo Finance API — receives the stock symbols you query in order to return market data. No personal identifying information is transmitted.
• Yahoo Finance & Google News RSS feeds — receives stock symbols to return news headlines used for sentiment analysis. No personal identifying information is transmitted.

No other third parties have access to your personal data. If this changes, we will update this Policy and notify you.

Account data is retained for the lifetime of your account. You can permanently delete your account at any time via Settings → Danger Zone. Deletion removes your account, watchlist, and tokens immediately. Activity log entries are anonymised (your user ID is removed) but the records themselves are retained for security and audit purposes.

Activity logs are retained indefinitely for security and audit purposes. Logs do not contain passwords or payment data.

Verification and reset tokens expire automatically (24 hours for email verification, 1 hour for password resets) but may remain in our database after expiry as inactive records.

Browser localStorage is controlled entirely by your browser and can be cleared at any time through your browser settings.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:

• Passwords hashed using bcrypt with 12 salt rounds — never stored in plaintext
• All data in transit encrypted via HTTPS/TLS
• All data at rest encrypted using AES-256 by our database infrastructure provider, Neon
• Session tokens signed with a secret key and expiring after 8 hours
• Database access restricted to authenticated server-side processes only

No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights, we will notify affected users as required by applicable law.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion of your personal data, subject to legal retention requirements.
• Restriction — request that we limit how we use your data in certain circumstances.
• Portability — request your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time by discontinuing use and requesting account deletion.

To exercise any of these rights, contact us at qedge.app@gmail.com. We will respond within the timeframe required by applicable law.

The Platform uses a single session cookie set by NextAuth to maintain your authenticated session. This cookie is essential for the Platform to function and cannot be disabled while using the service. It expires after 8 hours.

We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking technologies.

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us through the Platform and we will delete it promptly.

Our third-party service providers (Neon, Vercel, Resend) may process data in jurisdictions outside your own. Where such transfers occur, we rely on the providers’ own compliance frameworks (such as Standard Contractual Clauses or equivalent mechanisms) to ensure adequate protection of your data.

We may update this Privacy Policy at any time. We will revise the version number and effective date when we do. For material changes, we will notify you via the email address on your account or through a prominent in-app notice. Continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the changes.

For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact us at qedge.app@gmail.com.