Privacy Policy
FRACTIQ.AI (“we,” “us,” or “our”), operating from the Kingdom of Saudi Arabia, respects your privacy and is committed to handling personal data responsibly and in accordance with the Saudi Personal Data Protection Law (PDPL) and other applicable privacy laws. This Privacy Policy explains what we collect, why, who we share it with, and the rights you have.
1. Summary
- We collect only what we need to run your account and the Service.
- We never see your third-party API keys — they live in your browser only.
- We never sell or rent personal data.
- You can request access, correction, deletion, or export by emailing hello@fractiq.ai.
2. Data We Collect
2.1 Data you provide directly
- Account data — email, optional name, and a bcrypt-hashed password (if you use credentials login).
- Beta access requests — email, optional name, optional note you type into the waitlist form.
- Analysis inputs — ticker symbols, chart screenshots, and timeframes you submit. Images are relayed to your chosen AI provider and are not stored on our servers; only the structured JSON response is persisted, attached to your account.
- Commitments and watchlist entries — analyses you choose to save as targets, plus any watchlist tickers.
- Feedback — anything you type into the in-app feedback widget.
2.2 Data collected automatically
- Authentication data — session cookies (HTTP-only, signed) issued by NextAuth; IP address and user agent for login attempts (for rate-limiting and fraud prevention).
- Security logs — failed login attempts, admin actions, and password resets, retained for audit.
- Operational telemetry — request paths, response status codes, and error traces, collected by our hosting provider (Vercel) for reliability. Not used for marketing.
2.3 Data we store with special protections
- Your AI provider API keys — Claude, OpenAI, Gemini, and Grok keys are encrypted at rest using AES-256-GCM with a per-user subkey derived via HKDF from a master secret that lives only in our production environment configuration. Key material is only decrypted in-memory during an analysis request, passed to the upstream AI provider, and discarded on response. Plaintext keys are never logged, never shown to Fractiq staff, and never returned to the browser after you save them. You can view, rotate, or delete your keys anytime in Settings → Providers.
- Two-factor authentication secrets — if you enable 2FA, the TOTP secret is encrypted using the same scheme as API keys. Backup recovery codes are stored as bcrypt hashes (cost 10), and each is marked single-use once redeemed.
2.4 Data we do NOT collect
- Brokerage credentials, wallet addresses, or trade execution data.
- Tracking pixels or third-party fingerprinting scripts.
- We never access the plaintext of an API key once stored. Staff can see only a key-hint (first 4 and last 4 characters) for support purposes.
3. How We Use Your Data
We process personal data only on the following legal bases:
- To perform our contract with you — run your account, authenticate logins, route analyses to your chosen provider, persist your commitments.
- Legitimate interests — abuse prevention (rate-limiting, intrusion detection), service reliability, product analytics at an aggregate level.
- Consent — marketing emails, optional product-update emails, non-essential cookies. You can withdraw consent at any time from Profile → Preferences or by emailing us.
- Legal obligation — responding to lawful orders from Saudi authorities or other competent jurisdictions.
4. Third Parties We Rely On (Sub-Processors)
We use the following providers to operate the Service. Each has its own privacy practices you should review:
| Provider | Purpose | Data category | Region |
|---|---|---|---|
| Vercel | Application hosting and edge network | Request metadata, logs | United States / EU |
| Neon | Managed Postgres database | Account, analyses, logs | EU (eu-west-2) |
| Upstash | Rate-limiting (Redis) | Hashed request identifiers | EU / US |
| Cloudflare | DNS, inbound email routing | DNS queries, forwarded email | Global |
| Resend | Transactional email delivery | Email address, message content | EU / US |
| Anthropic, OpenAI, Google, xAI | AI model inference — called from your browser using your own API keys | Chart image, prompt, ticker | Varies; set per provider |
| TradingView, Yahoo Finance | Live chart and OHLC data | Ticker symbols (no PII) | Global |
5. Data Retention
| Category | Retention |
|---|---|
| Account data | For the life of your account; deleted within 30 days of account deletion. |
| Analyses and commitments | Until you delete them or your account is deleted. |
| Beta requests | Up to 24 months after the request, for cohort planning. |
| Login attempts (for fraud detection) | Up to 180 days. |
| Admin-action audit log | Up to 24 months. |
| Transactional email logs (Resend) | Per Resend’s retention: typically 30 days. |
6. Your Rights Under PDPL
As a data subject, you have the right to:
- Be informed of how your data is collected and used (this policy).
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your personal data (subject to our legal and regulatory obligations).
- Request a portable copy of your data in a commonly-used electronic format.
- Object to, or request restriction of, specific processing activities.
- Withdraw consent where processing is based on consent.
To exercise any of these rights, email hello@fractiq.ai. We will respond within 30 days or as required by applicable law. If you believe we have mishandled your data, you may lodge a complaint with the Saudi Data & AI Authority (SDAIA).
7. Security
We use HTTPS everywhere, bcrypt (cost 12) for password hashes, HTTP-only signed session cookies, rate-limiting on sensitive endpoints, and strict Content Security Policy headers. Access to production systems is role-gated and audit-logged. No security program is perfect — if you discover a vulnerability, report it in confidence to hello@fractiq.ai and we will acknowledge within 72 hours.
8. Cookies
We use the following cookie categories:
- Strictly necessary — session cookies (NextAuth), CSRF tokens. Cannot be turned off without breaking login.
- Preferences — language and theme selections, stored in localStorage (not technically a cookie).
- Analytics / marketing — none in use at launch. If added in the future, they will require explicit opt-in via the cookie banner, and you can change your mind any time in Profile → Preferences.
9. Cross-Border Transfers
Some of our sub-processors operate infrastructure outside Saudi Arabia (primarily the EU and the United States). We rely on contractual safeguards and the SDAIA-approved list of adequate jurisdictions. If you do not wish your data to leave the Kingdom, please do not use the Service.
10. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has submitted data, email us and we will delete it.
11. Changes to This Policy
If we materially change this Policy, we will announce the change via in-app notification or email. You can always find the current version at /privacy.
12. Contact
Privacy questions, data subject requests, security reports: hello@fractiq.ai.