<!--
  TEMPLATE — same disclaimer as terms.md. Attorney review required
  before production launch. Suggested reviewer: any crypto-experienced
  privacy counsel familiar with GDPR, UK DPA 2018, and CCPA/CPRA.
  Last template review: 2026-05-17 (Claude).
-->

# Privacy Policy — PolyQuantX

Effective date: <FILL ON LAUNCH>

## 1. Posture

PolyQuantX minimizes data collection. We do not collect data we dont
need to operate the Platform. We do not sell personal data. We do not
run behavioural advertising. The Platform is **non-custodial** —
operationally, most user activity happens on-chain, not on our
servers.

This Policy describes the data we do collect, why, and your rights
over it.

## 2. What we collect

| Category | Examples | Purpose | Legal basis (GDPR) |
|----------|----------|---------|---------------------|
| Account | email (optional), wallet address, username | account creation, login, in-product notifications | Contract performance + your consent |
| On-chain refs | tx hashes, contract interactions, USDC balances visible from your wallet address | platform functionality (showing your subscriptions, escrows, jobs) | Contract performance |
| Telemetry | API request paths, HTTP status codes, error stacks (via Sentry) | reliability, debugging, security monitoring | Legitimate interest |
| Usage | bot subscriptions, freelance jobs posted/taken, ratings, AI-assistant prompts | platform functionality | Contract performance |
| Communications | email subject + body when you email us; support-ticket history | answering you, keeping a record of correspondence | Contract performance |
| Developer artifacts | bot source code (if uploaded), backtest report PDFs | provide the developer tooling you asked for | Contract performance |

We do **NOT** collect, by default:
- Real legal names (your wallet address and chosen username are
  sufficient).
- Government-issued ID, passport, or other KYC documents — unless
  your jurisdiction or use-pattern legally requires KYC, in which
  case this is flagged separately at the point of collection.
- Physical postal address.
- Phone numbers.
- IP-based geolocation for marketing purposes.
- Behavioural advertising profiles or cross-site tracking identifiers.
- Biometric data.
- Data about your wallet activity outside of PolyQuantX (we only see
  what your wallet does on the Platform, not your broader on-chain
  history).

## 3. Cookies and browser storage

| Type | Name(s) | Purpose | Default |
|------|---------|---------|---------|
| Essential cookie | session JWT, CSRF token | authentication, session integrity | Required, set on login |
| localStorage | wallet-connect state (the Reown shim), theme preference, `polyquantx-cookie-consent` | remember your wallet session and UI preferences | Required |
| Analytics | (none today) | n/a | Disabled by default |

We do **not** load analytics cookies or third-party tracking scripts
by default. If we add analytics in the future, we will ask for your
explicit opt-in via the cookie-consent banner before loading any
analytics provider, and you may continue to use the Platform if you
decline.

The `polyquantx-cookie-consent` localStorage key records your choice
(values: `essential` or `all`).

## 4. Third-party processors (sub-processors)

We rely on the following sub-processors. Each has its own privacy
policy, which we recommend you review.

| Provider | Purpose | Data shared | Region |
|----------|---------|-------------|--------|
| Neon (https://neon.tech) | Postgres database | account row, on-chain references, off-chain metadata | EU (Frankfurt) |
| Upstash (https://upstash.com) | Redis cache | session state, rate-limit counters | EU |
| Cloudflare R2 (https://www.cloudflare.com/products/r2/) | object storage | bot source code uploaded by developers, backtest report PDFs | EU / global edge |
| Resend (https://resend.com) | transactional email | recipient email address, message body | US |
| Sentry (https://sentry.io) | error monitoring | error stacks (which may contain a wallet address or request path), release identifiers | US |
| Vercel (https://vercel.com) | web-app hosting + CDN | HTTP request logs, asset distribution | global edge |
| Alchemy (https://www.alchemy.com) | Polygon RPC | wallet address and on-chain read queries you issue from the Platform | US |
| OpenRouter (https://openrouter.ai) | AI assistant routing | the prompt text you send to the assistant | US |

We currently use only the free tier of each provider. We do not sell
data to these providers or to any third party; they process data
solely on our behalf as our sub-processors.

## 5. Your rights (GDPR and similar regimes)

If you are a data subject under the GDPR, UK DPA 2018, CCPA/CPRA, or
a similar regime, you have the following rights:
- **Access:** request a copy of the personal data we hold about you
  (we will respond within 30 days; email privacy@polyquantx.com).
- **Rectification:** request that inaccurate or incomplete data be
  corrected.
- **Erasure:** request deletion of your data, subject to legal
  retention obligations.
- **Restriction:** request that we limit processing of your data.
- **Portability:** request a machine-readable copy of data you
  provided to us.
- **Objection:** object to processing based on legitimate interest.
- **Withdraw consent:** for any processing based on your consent, at
  any time, without affecting prior lawful processing.
- **Complaint:** lodge a complaint with your local Data Protection
  Authority (e.g., your national DPA in the EU; the ICO in the UK;
  the California Privacy Protection Agency in California).

**Important caveat:** on-chain data **CANNOT** be deleted from the
blockchain. We can delete the off-chain mapping (your account row,
session data, telemetry) but the on-chain record — your wallet
addresss history of interactions with the Contracts — will remain
publicly visible on Polygon indefinitely. This is an inherent
property of public blockchains.

## 6. Retention

| Data | Retention |
|------|-----------|
| Account data (active) | While your account is active. |
| Account data (closed) | 90 days after closure, then deleted, except where longer retention is legally required. |
| On-chain references | As long as the Contracts exist and are indexed. |
| Telemetry / Sentry events | 90 days rolling. |
| R2 objects (bot code, reports) | Until the developer deletes them or closes their account. |
| Email correspondence | 2 years from last message, for support-history continuity. |
| `polyquantx-cookie-consent` localStorage | Until you clear browser storage. |

## 7. Children

The Platform is not directed to, and we do not knowingly collect
personal data from, individuals under the age of 18. If you believe a
minor has provided us with personal data, please contact
privacy@polyquantx.com and we will delete it.

## 8. International transfers

Personal data may be processed in jurisdictions outside your country
of residence, including the United States. Where required, we rely on
Standard Contractual Clauses (SCCs) or equivalent transfer
safeguards. The sub-processor table in Section 4 lists the primary
processing region for each provider.

## 9. Changes

We may update this Policy from time to time. Material changes will be
announced via an in-app banner at least 7 days before the effective
date, and via email when an email address is on file. Continued use
of the Platform after the effective date constitutes acceptance.

## 10. Contact

- Privacy and DPA correspondence: privacy@polyquantx.com (placeholder)
- Data Protection Officer (if appointed): <FILL>
- Operator postal address: <FILL>
- Operator legal entity: <FILL — sole proprietor / LLC / Ltd. + jurisdiction>