Privacy Policy — Qriterion

This Privacy Policy explains how Qriterion ("we," "us," or "our") collects, uses, and protects your personal data when you use our services, including when you visit qriterion.ai, use our AI-powered stock analysis platform, or engage with us in other related ways. We operate in accordance with the EU General Data Protection Regulation (GDPR), Luxembourg data protection law, and applicable US state privacy laws. If you do not agree with this policy, please do not use our services. Questions? Contact us at hello@qriterion.ai.

1. Data Controller

Qriterion
Operated by an individual based in Luxembourg
Email: hello@qriterion.ai
Address: Luxembourg City, Luxembourg

We are the data controller responsible for your personal data collected through the Qriterion platform at qriterion.ai.

2. What Information We Collect

Information you provide directly

We collect personal information that you voluntarily provide when you register, use our services, or contact us. This includes:

  • Email address
  • Username and encrypted password
  • Contact or authentication data

Sensitive information: We do not process sensitive personal information such as racial or ethnic origins, religious beliefs, or biometric data.

Payment data: We may collect data necessary to process your payment. All payment data is handled and stored by Stripe. You may find their privacy policy at stripe.com/privacy.

Information collected automatically

CategoryDataPurpose
Account dataEmail address, encrypted passwordAccount creation and authentication
Subscription dataMembership tier, billing history (handled by Stripe)Processing payments and managing access
Usage dataStock tickers analysed, profiles selected, analysis scores, timestampsProviding the service and saving your analysis history
Technical dataIP address, browser type, device typeSecurity, fraud prevention, and service improvement

All personal information you provide must be true, complete, and accurate.

3. How We Process Your Information

In short: We process your information to provide, improve, and administer our services, communicate with you, and for security and fraud prevention.

We process your personal information for the following purposes:

  • Account creation and authentication — to create and manage your account
  • Service delivery — to provide AI-generated stock analysis tailored to your investor profile
  • Analysis history — to save and display your past analyses
  • Administrative communications — to send account confirmations, payment receipts, and policy updates
  • Marketing communications — where you have given consent, to send news and updates about Qriterion
  • Security and fraud prevention — to detect and prevent abuse
  • Service improvement — to improve our AI models and platform quality
  • Legal compliance — to comply with applicable laws and regulations

4. Legal Bases for Processing

In short: We only process your information when we have a valid legal reason to do so.

If you are located in the EU or UK

We rely on the following legal bases under GDPR Article 6:

  • Consent — where you have given permission for a specific purpose (e.g. marketing). You may withdraw consent at any time.
  • Contract performance — to fulfil our obligations in providing the service you subscribed to
  • Legal obligation — to comply with applicable laws including Luxembourg tax and financial regulations
  • Legitimate interests — to improve our platform, prevent fraud, and ensure security, where these interests are not overridden by your rights
  • Vital interests — where necessary to protect your safety or the safety of a third party

If you are located in Canada

We may process your information with your express or implied consent, or where permitted by law without consent (e.g. fraud detection, legal investigations, or where obtaining consent would compromise the accuracy of the information).

5. When and With Whom We Share Your Information

In short: We share information only in specific situations with the following third parties.

We share your data only with the following service providers, all of whom are bound by appropriate data protection agreements:

  • Supabase — database and authentication provider (EU servers)
  • Stripe — payment processing (PCI-DSS compliant). See stripe.com/privacy
  • Anthropic — AI analysis engine. Stock ticker data is sent to generate analyses; we do not send personal data such as your email address to Anthropic.
  • Railway — application hosting (United States)

We may also share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of all or part of our business.

We do not sell, rent, or share your personal data with advertisers or any third parties for marketing purposes.

6. Cookies and Tracking Technologies

In short: We use cookies only for authentication and session management.

Qriterion uses minimal cookies necessary for authentication and session management. Your session token is stored locally in your browser to keep you logged in. We do not use tracking cookies, advertising cookies, or analytics cookies.

You can set your browser to remove or reject cookies, though this may affect certain features of our services. For more information, see our Cookie Policy.

7. Artificial Intelligence Products

In short: We offer AI-powered stock analysis using Anthropic's technology.

Qriterion is an AI-powered platform. Our AI products are designed for the following functions:

  • AI insights — structured scoring of stocks against investor profiles
  • AI predictive analytics — criterion-based assessment of publicly traded securities

We provide these AI products through Anthropic as our AI service provider. Your stock ticker inputs and the resulting analysis outputs will be processed by Anthropic to enable our service. You must not use our AI products in any way that violates Anthropic's terms or policies. All personal information processed using our AI products is handled in line with this Privacy Policy.

8. International Transfers

In short: We may transfer your information to countries outside your own, including the United States.

Our servers and service providers are located in the United States. If you are a resident of the EEA, UK, or Switzerland, please be aware that your information may be transferred to and processed in the United States, which may not have data protection laws as comprehensive as those in your country.

We ensure appropriate safeguards are in place for such transfers, including the European Commission's Standard Contractual Clauses. Our Standard Contractual Clauses can be provided upon request.

9. How Long We Keep Your Information

In short: We keep your information for as long as necessary to fulfil the purposes outlined in this policy.
  • Account data — retained for the duration of your account, plus 2 years after deletion
  • Analysis history — retained for the duration of your account
  • Payment records — retained for 10 years as required by Luxembourg tax law
  • Technical logs — retained for 90 days

When we have no ongoing legitimate business need to process your information, we will delete or anonymise it. If deletion is not immediately possible (e.g. backup archives), we will securely isolate it from further processing until deletion is possible.

10. How We Keep Your Information Safe

In short: We implement appropriate technical and organisational security measures.

We protect your personal data using:

  • Encrypted data transmission (HTTPS/TLS)
  • Encrypted password storage via Supabase Auth
  • Row-level security on our database
  • Server-side storage of all API keys and credentials
  • Regular security monitoring

No method of transmission over the internet is 100% secure. In the event of a data breach that affects your rights, we will notify you and the relevant data protection authority as required by GDPR (within 72 hours where applicable).

11. Minors

In short: We do not knowingly collect data from or market to children under 18.

Qriterion is intended for users aged 18 and over. We do not knowingly collect, solicit data from, or market to children under 18. By using our services, you represent that you are at least 18 years of age. If we learn that personal information from users under 18 has been collected, we will deactivate the account and promptly delete such data. If you become aware of any data we may have collected from a child under 18, please contact us at hello@qriterion.ai.

12. Your Privacy Rights

In short: Depending on your location, you have rights to access, correct, delete, and control your personal information.

In regions such as the EEA, UK, Switzerland, and Canada, you have the following rights under applicable data protection laws:

  • Right of access — request a copy of your personal data
  • Right to rectification — correct inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restriction — restrict how we process your data
  • Right to portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing
  • Right not to be subject to automated decision-making — where a decision produces significant legal effects, you may request human review

To exercise any of these rights, visit your account settings or contact us at hello@qriterion.ai. We will respond within 30 days.

If you are in the EEA or UK and believe we are unlawfully processing your data, you have the right to complain to your Member State data protection authority or the UK data protection authority. In Luxembourg, contact the Commission Nationale pour la Protection des Données (CNPD) at cnpd.public.lu.

Account termination

You may terminate your account at any time via your account settings. Upon termination, we will deactivate or delete your account and information from our active databases, subject to our retention obligations.

Cookies

Most web browsers accept cookies by default. You can usually set your browser to remove or reject cookies. Note that removing cookies may affect certain features of our services. See our Cookie Policy for more information.

13. US State Privacy Rights

In short: If you are a US resident, you may have additional rights depending on your state.

Residents of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia may have the right to:

  • Right to know whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request deletion of your personal data
  • Right to obtain a copy of personal data you previously shared with us
  • Right to non-discrimination for exercising your rights
  • Right to opt out of the processing of your personal data for targeted advertising, sale, or profiling (we do not engage in these activities)

Categories of personal information collected (last 12 months)

CategoryCollected
A. Identifiers (email address, account name)Yes
B. California Customer Records personal informationNo
C. Protected classification characteristicsNo
D. Commercial informationNo
E. Biometric informationNo
F. Internet or network activityNo
G. Geolocation dataNo
H. Audio, electronic, sensory informationNo
I. Professional or employment informationNo
J. Education informationNo
K. Inferences from personal informationNo
L. Sensitive personal informationNo

We have not disclosed, sold, or shared any personal information to third parties for commercial purposes in the preceding 12 months and will not do so.

How to exercise your rights

To exercise your rights, visit qriterion.ai/members-area or contact us at hello@qriterion.ai or qriterion.ai/contact.

Appeals

If we decline to take action on your request, you may appeal by emailing hello@qriterion.ai. We will respond in writing with an explanation. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request, once per year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes. To make such a request, contact us using the details in Section 16.

14. Do-Not-Track Features

Most web browsers include a Do-Not-Track ("DNT") setting. At this time, no uniform technology standard for recognising and implementing DNT signals has been finalised. We do not currently respond to DNT browser signals. If a standard is adopted that we are required to follow, we will update this policy accordingly.

15. Updates to This Policy

We may update this Privacy Policy from time to time to stay compliant with relevant laws. The updated version will be indicated by an updated date at the top of this page. If we make material changes, we will notify you by email or by posting a prominent notice on the platform. We encourage you to review this policy periodically.

16. How to Contact Us

For any privacy-related questions, requests, or concerns:
Qriterion
Luxembourg City, Luxembourg
hello@qriterion.ai

17. How to Review, Update, or Delete Your Data

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, correct inaccuracies, or request deletion. To do so, visit qriterion.ai/members-area or contact us at hello@qriterion.ai.