Privacy Policy
Effective 6 July 2026 · Last updated 6 July 2026
This Privacy Policy explains what data Kwant ("Kwant", "we", "us") collects when
you use the hosted quant-intelligence MCP service at https://kwant.sh, why we collect
it, and your choices. We collect the minimum needed to run the Service, meter usage, and take
payment. We do not sell your personal data.
1 · What we collect
| Data | Why |
|---|---|
| Email address (at signup) | To send your API key and account/billing notices, and to prevent abuse of trial credit. |
| API key hash (never the raw key) | To authenticate requests without storing the secret. The raw key is shown once and not retained. |
| Prepaid balance & usage records | To meter priced queries, debit your balance, and enforce quotas. Includes per-call tool name, timestamp, and cost. |
| Bot-verification token (Cloudflare Turnstile) | To confirm signups come from a human and block automated abuse. |
| Payment records | Prepaid: handled by Stripe (we receive confirmation and reference IDs, not full card numbers). x402: an on-chain USDC transaction hash and wallet address. |
| Request/query parameters (e.g. tickers, dates) | To run the tool you invoked. Passed to market-data providers as needed to fulfill the query. |
| Technical logs (IP, user agent, timestamps, error traces) | Security, rate limiting, debugging, and abuse prevention. Handled largely by our edge provider. |
The x402 keyless rail requires no email or account — payment is the authentication. In that flow we process only the on-chain payment data and the request itself.
2 · How we use it
- Provide, operate, meter, and bill the Service.
- Send you your API key and essential account or billing communications.
- Prevent fraud, abuse, and security incidents, and enforce our Terms.
- Debug, monitor, and improve reliability and performance.
- Comply with legal obligations.
We do not use your query contents to advertise to you, and we do not sell personal data.
3 · Service providers we share with
We share the minimum necessary with infrastructure and payment processors that act on our behalf:
- Cloudflare — hosting/edge compute, static assets, storage, and bot verification (Turnstile).
- Stripe — card payment processing for prepaid top-ups, under Stripe's own privacy policy.
- x402 payment facilitator & the Base blockchain — to settle keyless USDC payments. On-chain transactions are public and permanent by design.
- Market-data providers — to fulfill the data your query needs. We forward query parameters (such as tickers and date ranges), not your identity.
We may also disclose data if required by law, to protect our rights or users' safety, or in connection with a merger or acquisition.
4 · Retention
We keep account data (email, key hash, balance, usage records) for as long as your key is active and as needed for billing, tax, and legal purposes, then delete or anonymize it. Technical logs are kept for a limited period for security and debugging. On-chain payment data cannot be deleted from the blockchain.
5 · Security
We store only a hash of your API key, enforce authentication and rate limits at the edge, and scope billing operations to atomic, per-customer ledgers. No system is perfectly secure — keep your API key secret and rotate it if you suspect exposure.
6 · Cookies & tracking
The landing page uses no advertising or analytics cookies. Cloudflare Turnstile may set a short-lived token to run its bot check on the signup form. The MCP API itself is stateless and does not use cookies.
7 · Your rights
Depending on where you live (e.g. under GDPR or PIPEDA), you may have the right to access, correct, delete, or export your personal data, or to object to certain processing. To exercise a right or delete your account and key, email us at the address below. We may need to verify your identity first.
8 · International transfers
The Service runs on globally distributed edge infrastructure, so your data may be processed in countries other than your own. Where required, we rely on appropriate safeguards for such transfers.
9 · Children
The Service is not directed to children under 16 (or the minimum age in your jurisdiction) and we do not knowingly collect their data.
10 · Changes
We may update this Policy. Material changes take effect when posted at this URL with a new effective date. Continued use after a change constitutes acceptance.
11 · Contact
Privacy questions or data requests: support@kwant.sh.