Privacy Policy
Last updated: 4 June 2026
This Privacy Policy explains how Quantum Reports (“we”, “us”, “our”) collects, uses, and protects your personal data when you use our website at quantumreports.io. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Quantum Reports is a financial news aggregation and AI analysis service. For data protection purposes, we are the data controller for the personal data we collect about you.
Contact: For all data protection enquiries, please email privacy@quantumreports.io
ICO Registration No. ZC169897
2. Personal Data We Collect
Data you provide directly
- Email address — provided during account registration, used to send account notifications and (with consent) marketing emails.
- Display name — optional, set in account preferences.
- Password — stored as a one-way bcrypt hash; we never store or have access to your plaintext password.
- Payment information — we do not store your card details. All payment data is processed and stored by Stripe Inc. We receive only a subscription status and customer reference from Stripe.
Data we collect automatically
- Usage data — articles you save, tickers you star, preferences you set, and email digest settings.
- IP address — collected by our hosting provider (Railway) as part of standard server logs, retained for up to 30 days.
- Device and browser information — user agent string and general device type, collected via server logs.
- Email interaction data — a log of digest emails sent (date, frequency, article count, delivery status), retained until you delete your account.
- Cookie consent records — a record of the consent choices you make, including timestamp and which categories you accepted.
3. How We Use Your Data and Legal Basis
| Purpose | Legal Basis |
|---|---|
| Providing your account and the core service | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Processing subscription payments | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Sending transactional emails (verification, password reset, account deletion) | Legitimate interest (UK GDPR Art. 6(1)(f)) |
| Sending email digests and marketing communications | Consent (UK GDPR Art. 6(1)(a)); you may withdraw at any time |
| Improving the service and monitoring for abuse | Legitimate interest (UK GDPR Art. 6(1)(f)) |
| Retaining payment records for legal compliance | Legal obligation (UK GDPR Art. 6(1)(c)) |
4. Data Retention
- Account data (email, preferences, saved articles, starred tickers): retained until you request account deletion.
- Payment records: Stripe retains payment history for 7 years to comply with financial regulations. We hold only a customer reference and subscription status.
- Server logs (including IP addresses): retained for up to 30 days by our hosting provider, Railway.
- Email digest logs: retained until you delete your account.
- Cookie consent records: retained until you delete your account.
5. Third Parties We Share Data With
- Stripe Inc. (Payment processing) — processes subscription payments. Your card data goes directly to Stripe; we never receive it. Stripe is an independent data controller. Stripe Privacy Policy
- Resend Inc. (Email delivery) — we pass your email address and email content to Resend to deliver account emails and digests. Resend processes this data on our behalf as a data processor.
- Anthropic PBC (AI analysis) — we send news article headline text to Anthropic's Claude API to generate AI analysis. We do not send any personal data to Anthropic — only the text of news headlines sourced from public news feeds.
- Supabase Inc. (Database hosting) — your account data is stored in a PostgreSQL database hosted by Supabase. Supabase processes this data on our behalf as a data processor.
- Railway Corp. (Server hosting) — our application server runs on Railway infrastructure. Railway may process IP addresses and server logs as a data processor.
We do not sell your personal data to any third party.
6. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — you can request a copy of the personal data we hold about you. Use the “Download My Data” feature in Account Settings → Danger Zone, or email privacy@quantumreports.io.
- Right to rectification — you can correct inaccurate data via Account Settings, or by contacting us.
- Right to erasure — you can permanently delete your account and all associated data via Account Settings → Danger Zone, or by emailing us.
- Right to data portability — you can export your data in JSON format using the “Download My Data” feature in Account Settings.
- Right to restriction — you can ask us to restrict processing of your data in certain circumstances.
- Right to object — you can object to processing based on legitimate interest. You can unsubscribe from marketing and digest emails at any time using the unsubscribe link in any email or via Account Settings.
- Right to withdraw consent — where processing is based on consent (e.g. marketing emails, cookies), you can withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please email privacy@quantumreports.io. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/concerns.
7. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential cookies — required for the site to function. These include a session cookie (
_refresh) to keep you signed in, and a site configuration cookie (_auth). These cannot be disabled. - Analytics cookies — we may use analytics tools to understand how visitors use the site. We will only set these if you give consent. Currently, no analytics cookies are set.
- Marketing cookies — we do not currently use any marketing or advertising cookies.
You can manage your cookie preferences at any time using the Cookie Preferences panel.
8. Data Security
We use industry-standard security measures including TLS encryption for all data in transit, bcrypt password hashing, HTTP-only cookies for session tokens, and Content Security Policy headers. Access to personal data is restricted to essential service operations only.
9. International Transfers
Our service providers (Stripe, Resend, Anthropic, Supabase, Railway) may process data in the United States. We rely on Standard Contractual Clauses and/or the UK International Data Transfer Agreement where applicable to ensure adequate protection.
10. Children
Quantum Reports is not directed at children under 18 years of age. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, please contact us at privacy@quantumreports.io and we will delete the data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email of any material changes. The date at the top of this page shows when the policy was last updated. Continued use of the service after changes constitutes acceptance of the updated policy.
12. Governing Law
This Privacy Policy is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
For all privacy-related enquiries: privacy@quantumreports.io