Quantjo Privacy Policy
Effective date: May 3, 2026
1. Who we are
Quantjo is operated by Chitrav Research Private Limited, 5/4, Block B, Madhu Park Ridge, Langer House, Ibrahim Bagh Lines, Hyderabad, Telangana, India 500031. Quantjo is a software platform that helps users design, backtest, optimize, and paper-trade algorithmic trading strategies.
This Privacy Policy explains what personal information we collect, why we collect it, how we use it, where it is stored, and the choices you have.
For the purposes of the Digital Personal Data Protection Act, 2023, Quantjo is the Data Fiduciary for personal data you provide. For users in the European Economic Area or the United Kingdom, Quantjo is the Data Controller.
Contact: privacy@quantjo.com
Grievance contact: privacy@quantjo.com
2. Scope
This policy covers personal data we process when you:
- create and manage a Quantjo account;
- use the Quantjo web application;
- connect a supported market data provider, currently Zerodha, Databento, or Massive;
- interact with the AI assistant;
- create strategy projects;
- run backtests or optimizations;
- run paper-trading simulations;
- receive transactional emails from us.
This policy does not cover the privacy practices of market data providers or other third-party services you connect to Quantjo. Their own privacy policies govern how they process your data.
Quantjo does not currently support live trading or real-money order placement. If that changes, this policy will need to be updated before live-trading features are launched.
3. Information we collect
3.1 Account and profile information
We collect the information needed to create, secure, and manage your account:
- email address;
- full name;
- password, stored only as a bcrypt hash;
- account status, admin flag, plan, and account timestamps;
- optional profile avatar.
If you upload an avatar, it is stored privately and shown only through authenticated product access or time-limited access mechanisms. You can replace or delete your avatar from your account.
3.2 Provider credentials and connection information
When you connect a market data provider, we collect the credentials needed to call that provider on your behalf:
- Zerodha API key and API secret;
- Zerodha OAuth access token after you authorize Quantjo;
- Databento API key;
- Massive API key.
We also store provider connection status, token expiry where applicable, capability checks, and recent connection errors so that we can show whether a provider is connected and usable.
Provider credentials are encrypted before they are stored in our database and are decrypted only when Quantjo needs to call the provider on your behalf.
3.3 Project, strategy, and AI-assistant content
When you use Quantjo, we collect the content needed to provide the product:
- project names and descriptions;
- chat messages exchanged with the Quantjo AI assistant;
- strategy code and strategy-related files;
- AI-generated strategy suggestions and code changes;
- accepted strategy file versions used for backtest reproducibility.
Your strategy content may include information you choose to enter about your trading ideas, market preferences, or strategy logic.
3.4 Backtest, optimization, and paper-trading simulation data
When you run backtests, optimizations, or paper-trading simulations, we store the data needed to display results, reproduce runs, and maintain usage history:
- selected assets and provider asset identifiers;
- date ranges, run names, and strategy parameters;
- backtest and optimization status, errors, summary metrics, and result files;
- trade logs, result JSON, and interactive result viewers;
- paper-trading simulation sessions, selected assets, simulated positions, simulated signals, simulated profit/loss, and engine snapshots.
Paper trading in Quantjo is simulation only. We do not place real orders or execute trades in your brokerage account.
3.5 Usage, security, and operational data
We collect operational data needed to run and secure the service:
- authentication tokens and token hashes;
- password reset tokens;
- invite records;
- LLM token usage;
- backtest and optimization compute usage;
- application logs, including request IDs, user IDs, project IDs, timestamps, and error details needed for debugging and security.
Production logs exclude full user messages, assistant responses, provider credentials, password data, and token values.
4. Information we do not collect or use
Quantjo does not:
- support live trading or real-money order placement;
- access your brokerage account to place trades;
- sell, rent, or trade your personal data;
- use third-party advertising SDKs;
- track user interaction data for analytics, advertising, session replay, or behavioral profiling;
- use your personal data for advertising;
- use your strategy code, chat messages, backtest results, or paper-trading history to train Quantjo-owned AI models.
5. How we use your information
We use your information to:
- create, authenticate, and secure your account;
- manage your profile and plan;
- connect to market data providers on your behalf;
- help you create and modify strategy code;
- run and display backtests, optimizations, and paper-trading simulations;
- preserve run history and reproducibility;
- generate AI-assistant responses;
- send transactional emails, such as invites and password resets;
- enforce quotas and plan limits;
- detect abuse, debug errors, and secure the platform;
- comply with legal obligations.
We do not use your personal data for unrelated purposes.
6. AI processing and OpenAI
Quantjo's AI assistant uses OpenAI models. When you use AI-assisted features, Quantjo may send the following data to OpenAI so the assistant can respond:
- your chat messages;
- relevant conversation context;
- current strategy code or strategy files;
- rejected or accepted code-change context where needed;
- backtest or optimization results you ask the assistant to analyze;
- static system instructions that define Quantjo assistant behavior.
We do not intentionally send provider credentials, password hashes, refresh tokens, or payment information to OpenAI.
OpenAI processes API data under its own API data-usage terms. As of the effective date of this policy, OpenAI states that API data is not used to train OpenAI models by default.
If you do not want project or chat content sent to OpenAI, you should not use the AI-assistant features.
7. Sharing with third parties
We share data only as needed to operate Quantjo. We do not sell personal data.
| Third party | Purpose | Data shared |
|---|---|---|
| Amazon Web Services | Hosting, database, file storage, compute, and email infrastructure | Account, project, result, log, and operational data |
| OpenAI | AI assistant responses and code-generation support | Chat messages, strategy code, relevant project context, and result context |
| Zerodha | Market data access when connected by the user | API requests made using the user's Zerodha credentials |
| Databento | Market data access when connected by the user | API requests made using the user's Databento API key |
| Massive | Market data access when connected by the user | API requests made using the user's Massive API key |
When you connect a provider, your use of that provider remains subject to the provider's own terms and privacy policy.
We may disclose information to law enforcement, regulators, courts, or other authorities when required by valid legal process, and only to the extent necessary.
8. Where your data is stored
Quantjo currently stores primary application data on AWS infrastructure in India, using AWS Mumbai (ap-south-1).
AI-assistant data sent to OpenAI may be processed outside India, including in the United States. By using the AI-assistant features, you understand that relevant project and chat content may be transferred internationally for processing.
9. How long we keep your data
We keep data for as long as needed to provide Quantjo, maintain security, preserve user-requested history, comply with legal obligations, or resolve disputes.
| Data type | Current retention position |
|---|---|
| Account profile | Kept while the account is active |
| Provider credentials | Kept until the provider is disconnected or the account is deleted |
| Projects, strategy files, chat history, backtests, optimizations | Kept while the project or account remains active |
| Paper-trading simulation history | Kept while the project or account remains active |
| Refresh-token hashes | Kept until expiry or revocation |
| Password reset tokens | Expire after 1 hour |
| Zerodha OAuth nonce | Expires after 10 minutes and is cleared after use |
| Result-file access links | Presigned links expire after 1 hour; underlying result files remain until project/account deletion |
| Application logs | 30 days unless a shorter period is configured or longer retention is required for security investigation |
| Backups | Retained only as needed for service recovery and deleted or overwritten according to our backup lifecycle |
Project deletion hard-deletes the project database record and purges private S3 files under that project prefix, including versioned S3 objects where the purge path is used.
Account-level deletion is currently handled manually. When an account deletion request is approved, Quantjo will delete the user account row and associated personal data, except where limited retention is required by law or necessary for security, fraud prevention, dispute resolution, or legal claims.
10. Security
We use technical and organizational safeguards to protect user data, including:
- HTTPS/TLS for data in transit;
- bcrypt password hashing;
- encrypted provider credentials at rest;
- hashed refresh tokens in the database;
- single-use password reset tokens with short expiry;
- private S3 storage for strategy files and result artifacts;
- time-limited presigned URLs for private result downloads;
- access controls for production infrastructure.
No system is perfectly secure. If we discover a personal data breach, we will notify affected users and authorities where required by applicable law.
11. Your choices and rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct inaccurate personal data;
- delete your personal data;
- withdraw consent where processing is based on consent;
- request a portable copy of your data;
- object to certain processing;
- lodge a complaint with the relevant data protection authority.
You can update profile information and disconnect providers in the product. You can delete individual projects, which removes the project record and associated private S3 files.
To request account deletion, data export, or help with privacy rights, email privacy@quantjo.com from the email address registered to your Quantjo account. We may need to verify your identity before acting on the request. We aim to respond within 15 days.
12. Children
Quantjo is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@quantjo.com and we will delete it.
13. Changes to this policy
We may update this policy from time to time. When we do, we will update the effective date. For material changes, we will notify users by email or in-product notice before the change takes effect where required by law.
14. Contact
- Privacy questions: privacy@quantjo.com
- Grievance contact: privacy@quantjo.com
- Postal address: Chitrav Research Private Limited, 5/4, Block B, Madhu Park Ridge, Langer House, Ibrahim Bagh Lines, Hyderabad, Telangana, India 500031