Privacy Policy
01 Data Controller
Controller for data processing within the meaning of Art. 4(7) GDPR is:
Scharger & Schuberth GbR, Am Mitterfeld 9a, 85276 Pfaffenhofen, Germany.
Authorised representatives: Josua Schuberth, Joshua Scharger.
Contact: contact@quantblocks.io
02 Data Protection Officer
We are not required to appoint a data protection officer. We do not meet the threshold of § 38 BDSG (typically 20 persons regularly engaged in automated processing of personal data) and we do not carry out processing that requires a data protection impact assessment under Art. 35 GDPR.
Please direct privacy enquiries to contact@quantblocks.io.
03 Supervisory Authority
The competent supervisory authority for non-public bodies based in Bavaria is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
Web: www.lda.bayern.de
04 Data We Process
We only process the data we actually need to provide Quantblocks. In detail:
a) Account creation and login (passwordless)
- Email address — for sign-in via login code and for service messages
- Username and optionally a display name
- Date of birth — solely for age verification (minimum 18 years)
- Timestamp of acceptance of the Terms of Service (terms_accepted_at)
- Login codes (6 digits) — stored ephemerally in our cache (Valkey) and automatically deleted after 10 minutes or upon use
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (legal obligation regarding age verification).
b) Server logs
- IP address (truncated or hashed once it is no longer technically needed)
- User-Agent (browser and device information)
- Timestamp of the request
- Requested URL and HTTP status code
These data are produced as a technical consequence of operating the platform and are processed to prevent abuse (rate limiting, security analysis).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable and secure operation).
c) Audit log (security events)
Security-relevant events around login and account are logged with event type, timestamp, IP address and, where applicable, user ID (e.g. login code requested, login failed, account deactivated).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in fraud prevention and traceability).
d) Strategies, indicators and backtest results
- Strategies and custom indicators created by the user, including their configuration
- Backtest parameters (symbol, time range, initial capital) and backtest results
- Daily backtest counter (used to enforce plan limits)
Legal basis: Art. 6(1)(b) GDPR (performance of the contract — providing the platform features).
e) Payment processing
- Stripe customer ID, subscription tier, status and end date
- Acceptance of payment terms (with the corresponding Stripe session ID)
Payment data in the strict sense (card number, bank details) are processed exclusively by Stripe and never reach our servers.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract) and Art. 6(1)(c) GDPR (statutory retention obligations for invoicing data).
f) Cookies and similar technologies
Strictly necessary cookies and storage mechanisms (no consent required, § 25(2) no. 2 TTDSG / DDG):
- Session cookie (server-side session in our Valkey cache)
- Remember-me cookie (optional, lifetime 30 days)
- Language cookie (lang) storing the chosen language
- Cookie-consent storage (cookie_consent as a cookie and qb_consent in localStorage), to remember your cookie choice
- CSRF protection token as part of the session
Only with your consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG / DDG) do we additionally use the TikTok Pixel and the cookies/identifiers TikTok sets in connection with it (e.g. _ttp, ttwid). Details are in section 12. Without your consent the TikTok Pixel is not loaded; you can withdraw your consent at any time, with effect for the future, via the cookie banner or the Cookie settings link in the footer.
05 Recipients and Processors
We do not sell personal data and only share it with the following recipients that help us operate the platform. Data processing agreements under Art. 28 GDPR are in place with the processors.
a) Hetzner Online GmbH (hosting)
- Address: Industriestr. 25, 91710 Gunzenhausen, Germany
- Purpose: hosting the server on which Quantblocks runs (including database and cache)
- Server location: Germany
- Third-country transfer: none
- Legal basis: Art. 6(1)(b) and (f) GDPR; DPA in place
b) Stripe Payments Europe, Ltd. / Stripe, Inc. (payment processing)
- EU contracting entity: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland
- Parent company: Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, CA, USA
- Purpose: handling subscriptions and payments (checkout, invoices, recurring billing)
- Data transferred: email, name, billing address, optionally tax ID, payment data (collected directly by Stripe)
- Third-country transfer (US): Stripe, Inc. is certified under the EU-U.S. Data Privacy Framework; additionally, Standard Contractual Clauses (SCCs) apply
- DPA: https://stripe.com/legal/dpa
- Privacy policy: https://stripe.com/privacy
c) Resend (delivery of login emails and service emails)
- Provider: Resend, Inc., USA
- Purpose: delivery of login codes and transactional emails
- Data transferred: email address, contents of the email (login code with short validity)
- Third-country transfer (US): Resend is certified under the EU-U.S. Data Privacy Framework; additionally, Standard Contractual Clauses apply
- Legal basis: Art. 6(1)(b) GDPR (performance of the contract — login delivery)
d) TikTok (advertising-reach and conversion measurement — only with consent)
- Provider (EEA/UK): TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, London, United Kingdom
- Corporate group: ByteDance Ltd. and affiliated companies (incl. TikTok Inc., USA; TikTok Pte. Ltd., Singapore)
- Purpose: measuring the effectiveness of our advertising on TikTok, conversion attribution, and building audiences for advertising
- Data transferred: in particular IP address, device and browser information, pages/URLs visited, time of visit, events triggered (e.g. page view, registration, subscription) and online identifiers/cookies set by TikTok
- Third-country transfer: transfer to the USA and possibly further third countries (including intra-group access within the ByteDance group); TikTok relies on EU Standard Contractual Clauses. A residual risk remains that authorities in those countries access data without a level of protection equivalent to the GDPR being guaranteed
- Legal basis: Art. 6(1)(a) GDPR, § 25(1) TTDSG / DDG (consent)
- Details: see section 12
06 Transfers to Third Countries
Transfers to the United States take place in the context of payment processing (Stripe), email delivery (Resend) and — if you have consented — the TikTok Pixel.
Stripe and Resend are certified under the EU-U.S. Data Privacy Framework. The European Commission has issued an adequacy decision in this respect (decision of 10 July 2023). In addition, Standard Contractual Clauses (SCCs under Implementing Decision (EU) 2021/914) are used as a second legal basis.
For the TikTok Pixel, data is transferred to the USA and possibly further third countries (including intra-group access within the ByteDance group, e.g. in Singapore). TikTok relies on EU Standard Contractual Clauses for these transfers; however, a level of protection fully equivalent to the GDPR cannot be guaranteed in every case, in particular with regard to potential government access. You therefore give your consent in the knowledge of this risk (Art. 49(1)(a) GDPR as a supplementary basis).
You can verify the current certification status of DPF participants at www.dataprivacyframework.gov/list.
07 Retention Periods
We store personal data only for as long as necessary for the purpose at hand:
- Login codes: at most 10 minutes (cache TTL), then automatically deleted
- Account master data (email, username, date of birth, display name): until the account is deleted
- Strategies, indicators and backtest results: until you delete them or until the account is deleted
- Server logs: typically 30 days, then deleted or anonymised
- Audit log (security events): typically up to 90 days
- Invoicing and tax data (via Stripe and in our database): up to 10 years pursuant to § 147 AO and § 257 HGB
- Cookie-consent storage (cookie_consent / qb_consent): up to 12 months, after which the cookie banner is shown again
- TikTok Pixel cookies/identifiers: varying lifetimes, typically up to 13 months; further processing by TikTok is governed by TikTok's privacy policy
- Database backups: up to 30 days; after account deletion, residual data may persist in backups for up to this period and is no longer actively used
When you delete your account, all data not subject to retention is removed without undue delay; remaining data is deleted in line with the periods stated above.
08 Your Rights
Under the GDPR, you have the following rights in relation to us:
- Right of access (Art. 15 GDPR) — what data we process about you
- Right to rectification (Art. 16 GDPR) — correction of inaccurate data
- Right to erasure (Art. 17 GDPR) — right to be forgotten
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, commonly used format
- Right to object (Art. 21 GDPR) — to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3) GDPR) — effective for the future only; you withdraw consent to the TikTok Pixel via the cookie banner or the Cookie settings link in the footer
An informal email to contact@quantblocks.io is sufficient. For security reasons we may, in case of justified doubt, request additional proof of identity.
Many actions are also available directly in your account settings (edit profile, delete account).
09 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), in particular in the EU member state of your residence, place of work or place of the alleged infringement.
The authority competent for us is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
10 No Automated Decision-Making
We ourselves do not use automated decision-making within the meaning of Art. 22 GDPR. In particular, we do not perform profiling or scoring with legal effect against you.
If you have consented to the TikTok Pixel, TikTok, as a controller in its own right, also processes the transmitted data to optimise and deliver advertising, which may include profiling within the meaning of the GDPR. TikTok is solely responsible for this; details and objection options can be found in TikTok's privacy policy (see section 12).
11 Cookies and Similar Technologies
On your first visit we show a cookie banner with the equally weighted options Accept all and Necessary only. We store your choice so the banner is not shown again; you can change or withdraw it at any time via the Cookie settings link in the footer.
a) Strictly necessary cookies and storage mechanisms — always set, because without them sign-in, the language selection and CSRF protection would not work. Legal basis: § 25(2) no. 2 TTDSG / DDG and Art. 6(1)(b) and (f) GDPR. In detail: session cookie, optional remember-me cookie, language cookie (lang), cookie-consent storage (cookie_consent / qb_consent), CSRF token.
b) Marketing — the TikTok Pixel and the cookies/identifiers set with it. These are loaded only after your explicit consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG / DDG). If you choose Necessary only or make no selection, the TikTok Pixel is not loaded. Details in section 12.
Beyond the purposes stated above we do not use any further tracking, advertising or analytics cookies; in particular there is no use of Google Analytics or the Meta Pixel.
12 TikTok Pixel
On the basis of your consent (Art. 6(1)(a) GDPR, § 25(1) TTDSG / DDG) we use the TikTok Pixel, a service of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, London, United Kingdom (together TikTok). TikTok belongs to the ByteDance group.
The TikTok Pixel is a short piece of JavaScript that — only after your consent — is loaded from analytics.tiktok.com. It allows us to measure the effectiveness of our ads on TikTok, attribute conversions (e.g. registrations, subscriptions) to the respective campaigns, and build audiences for advertising.
The data processed in this context includes in particular: your IP address, information about your device and browser (e.g. user agent, screen size, operating system), the pages and URLs you visit, the time of your visit, events you trigger (e.g. page view, registration, subscription), and online identifiers and cookies that TikTok sets or reads in your browser (e.g. _ttp, ttwid).
With regard to the collection of the data via the pixel and its transmission to TikTok, we assume joint controllership with TikTok under Art. 26 GDPR; TikTok makes the essential content of the corresponding arrangement available at https://www.tiktok.com/legal/page/global/bc-controller-controller/en. The subsequent processing of the data by TikTok for its own purposes (including ad optimisation, possibly profiling) is carried out under TikTok's sole responsibility.
Third-country transfer: in connection with the TikTok Pixel, data is transferred to the USA and possibly further third countries; access is also possible from within the ByteDance group (e.g. from Singapore). TikTok relies on EU Standard Contractual Clauses for these transfers. A level of protection fully equivalent to the GDPR cannot be guaranteed; by giving your consent you also consent to this transfer in the knowledge of the possible risks (additionally Art. 49(1)(a) GDPR).
Retention: the cookies/identifiers set by the pixel have varying lifetimes, typically up to 13 months. The duration of TikTok's further processing is governed by TikTok's privacy policy.
Withdrawal: you can withdraw your consent at any time with effect for the future — via the Cookie settings link in the footer or by choosing Necessary only in the cookie banner. The TikTok Pixel is then no longer loaded. You can additionally delete cookies already set by TikTok in your browser settings. The lawfulness of processing carried out before the withdrawal is not affected.
Further information on data processing by TikTok can be found in TikTok's privacy policy and in TikTok's Business Products Terms.
13 Data Security
Transmission between your browser and our servers is encrypted via TLS (HTTPS). Login is passwordless via short-lived codes; we do not store passwords.
Database access is restricted to the internal network. Security-relevant events are recorded in the audit log.
14 Changes to this Privacy Policy
We may update this privacy policy, e.g. when features, processors or the legal landscape change. The current version is always available at this URL. In the event of material changes, we will additionally notify you by email or in the product.
15 Notice
This privacy policy has been prepared to the best of our knowledge and reflects the state of processing as of the last update. It does not replace individual legal advice.
Last updated: May 12, 2026