Short version: We collect your email and name when you register, trading data you enter into the Journal, and payment information processed by Stripe. We do not sell your personal data. We use Supabase for data storage and Keycloak for authentication — both with industry-standard security. You can delete your account and data at any time.
1. Who We Are
QSREX LLC ("QSREX," "we," "us," or "our") operates the trading analytics platform available at qsrex.dev and its subdomains. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform.
For privacy-related inquiries, contact us at: [email protected]
2. What Data We Collect
2.1 Account Data (via Keycloak)
- Email address (required for registration)
- Display name or username
- Account creation date and last login timestamp
- Authentication tokens (stored securely, not shared)
2.2 Trading Data (via Trading Journal)
- Trade entries you manually input or import: pairs, entry/exit prices, dates, P&L, notes
- Exchange names (e.g., "Binance") — we do not collect your exchange API keys unless you explicitly connect an exchange integration
- Performance metrics calculated from your trades (win rate, D-Score, etc.)
2.3 Payment Data (via Stripe)
- Subscription plan and billing history
- Last 4 digits of card and card type (stored by Stripe, not us)
- Billing country
We do not store full card numbers, CVV, or complete payment card data. All payment processing is handled by Stripe, Inc., which is PCI-DSS compliant.
2.4 Telegram Data (via Signal Bot)
- Telegram user ID and chat ID (only if you connect the Telegram bot)
- Bot interaction logs (commands sent, signals received)
2.5 Usage Data
- Pages visited, features used, and time spent on the Platform
- Browser type, operating system, and device type
- IP address (used for security and approximate geolocation)
- Referring URL
2.6 Data You Do Not Need to Provide
Our free tools (Position Size Calculator, Correlation Matrix) do not require account creation and do not collect personal data beyond standard server logs.
3. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|
| Provide and maintain Platform services | Account, trading, usage data | Contract performance |
| Process payments and manage subscriptions | Payment data, email | Contract performance |
| Send signal alerts via Telegram | Telegram ID, preferences | Consent |
| Send transactional emails (password reset, billing) | Email address | Contract performance |
| Improve the Platform and fix bugs | Usage data | Legitimate interest |
| Comply with legal obligations | Any required data | Legal obligation |
| Prevent fraud and abuse | IP, usage patterns | Legitimate interest |
We do not use your data for advertising, sell it to third parties, or use it to train AI models.
4. Data Sharing
We share your data only with the following third-party service providers, strictly for the purposes of delivering our services:
| Provider | Purpose | Data Shared |
|---|
| Supabase | Database hosting | Account and trading data |
| Stripe, Inc. | Payment processing | Email, billing info |
| Hetzner Cloud | Server infrastructure (Helsinki, Finland) | All platform data (encrypted in transit) |
| Cloudflare | DNS, CDN, DDoS protection | IP addresses, request metadata |
| Resend | Transactional email delivery | Email address, email content |
| Telegram | Signal bot delivery | Telegram ID, signal messages |
We do not share your personal data with any other third parties, except when required by law (e.g., valid legal process, court orders).
5. Data Retention
- Account data — retained while your account is active and for 90 days after deletion request
- Trading journal data — retained while your account is active; deleted within 30 days of account deletion
- Payment records — retained for 7 years as required by US tax law
- Usage logs — retained for 90 days for security and debugging purposes
- Telegram data — retained while bot connection is active; deleted upon disconnection or account deletion
6. Security
We implement industry-standard security measures to protect your data:
- All data transmitted is encrypted using TLS 1.2+
- Authentication handled by Keycloak with PKCE OAuth 2.0 flow
- Passwords are never stored in plaintext — hashed using bcrypt via Keycloak
- Database access is restricted to application-level with role-based permissions (Supabase RLS)
- Payment data is handled exclusively by PCI-DSS compliant Stripe infrastructure
No method of transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users in the event of a data breach, as required by applicable law.
7. Your Rights
Regardless of your location, we honor the following rights for all users:
Access
Request a copy of all personal data we hold about you
Correction
Request correction of inaccurate or incomplete data
Deletion
Request deletion of your account and associated personal data
Portability
Request your trading journal data exported in CSV format
Objection
Object to processing based on legitimate interest
Withdraw Consent
Disconnect Telegram bot or unsubscribe from emails at any time
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
8. Cookies
We use the following types of cookies and local storage:
| Type | Purpose | Duration |
|---|
| Session cookies | Maintain your login session (Keycloak) | Session / up to 30 days with "Remember me" |
| Analytics | Google Analytics 4 — anonymous usage statistics | Up to 2 years |
| Local storage | Scanner preferences, saved calculations (no personal data) | Until cleared |
You can disable cookies in your browser settings. Disabling session cookies will prevent you from staying logged in. Analytics can be blocked using browser extensions (e.g., uBlock Origin).
9. Children's Privacy
The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has provided us personal data, contact us at [email protected].
10. GDPR — EU/EEA Users
If you are located in the European Union or European Economic Area, the following additional provisions apply under the General Data Protection Regulation (GDPR):
- Data Controller: QSREX LLC, Austin, Texas, USA
- Legal bases for processing: Contract performance, legitimate interest, consent, and legal obligation (as specified in Section 3)
- International transfers: Your data may be transferred to and processed in the United States. We rely on Stripe's and Supabase's Standard Contractual Clauses (SCCs) for such transfers
- Right to lodge a complaint: You have the right to file a complaint with your local data protection authority (DPA)
Our server infrastructure is located in Helsinki, Finland (EU) via Hetzner Cloud, which helps minimize cross-border data transfers for EU users.
11. CCPA — California Users
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
- Do Not Sell: We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising
To submit a CCPA request, email [email protected] with the subject "CCPA Request." We will respond within 45 days.
12. Changes to This Policy
We may update this Privacy Policy periodically. When we make material changes, we will notify you by email and/or a prominent notice on the Platform at least 14 days before the changes take effect. The updated policy will be identified by a new "Last Updated" date at the top of this page.