How it works Strategies FAQ Contact
Sign in Get started
Legal · Privacy

Privacy Policy

Asteria Quant is a service of Quant Algorithm Tree System Ltd ("QATS Ltd", "we", "us"), an Israeli private limited company (Company ID 517208377), with registered office at Maurizio Vitale 3, Tel Aviv, Israel. QATS Ltd is the data controller for personal data collected through asteriaquant.com. This Policy explains what we collect, how exchange API credentials and operational logs are protected, and what rights you have.

Effective: 25 May 2026 Version 2.1 (Asteria) Controller: QATS Ltd · Israel

1. Summary

Asteria Quant is operated by Quant Algorithm Tree System Ltd (QATS Ltd), an Israeli company. We provide a strategy-execution interface for self-custodial crypto trading. We do not hold user funds. We do not require withdrawal permissions on exchange API keys. We process account data to operate the service, display performance and risk state, and meet operational, billing, and audit requirements.

Plain-English summary. We collect what we need to run your strategy and bill you, and not more. Funds stay on your exchange. API keys are stored encrypted and are trade-only. Logs exist so you and our team can audit what happened. The legal entity behind Asteria is QATS Ltd in Israel.

2. Scope

This policy applies to the Asteria web application, account dashboards, marketing site, email notifications and the strategy execution runner. It does not cover third-party services you connect to (your exchange, your email provider, your payment processor).

3. Data we collect

CategoryExamplesWhy
AccountEmail, password hash, display name, timezoneAuthenticate, send operational notices
Exchange linkEncrypted API key, exchange id, permitted scopesPlace trade-only orders for your selected strategy
Strategy stateSelected profile, H variant, position state, P&L snapshotsRun the strategy and show dashboards
BillingPlan, invoice metadata, payment processor idCharge subscription, issue receipts
Operational logsOrder events, runner heartbeats, error traces, IP, user agentReliability, security, audit trail
CommunicationsSupport emails, in-app messagesHelp requests, incident notifications

We do not collect government IDs, bank account numbers, or any payment card data directly. Card data is handled by our payment processor.

4. Exchange API keys

API keys are the most sensitive data on the platform. They are stored in an encrypted secrets vault (envelope encryption with Fernet keys; key material kept outside the application database) and only decrypted in memory by the runner at order placement time.

  • Trade-only: we require that withdrawal permission is disabled when you attach a key. The connector verifies scopes on attach and refuses the link if withdrawal is enabled.
  • IP allow-list: we recommend restricting your API key to our published runner IP range.
  • Revocable: you can detach a key at any time from the Settings > Credentials page. Detaching stops new orders within seconds.
  • No display: after the key is stored, the secret cannot be displayed again. Only a fingerprint (last 4 characters) is shown.
Keep custody of your funds. Asteria never holds, transfers or has the technical ability to withdraw your assets. All balances remain on your exchange under your account.

5. How we use data

  • To run your selected strategy and place trade-only orders on your behalf.
  • To display dashboards (positions, trades, equity, risk state).
  • To send operational notifications (order failures, runner pause, billing).
  • To process subscription payments via our payment processor.
  • To detect abuse, debug incidents and meet audit requirements.
  • To improve the product (aggregated metrics, never raw personal data sold or shared with advertisers).

We do not sell personal data. We do not show third-party ads. We do not profile users for advertising purposes.

6. Sharing with processors

We use a small number of vetted processors and only share the minimum needed:

ProcessorPurposeData shared
Hero PaymentsSubscription billing and invoicingEmail, plan, billing amount, processor customer id
Transactional email providerVerification, password reset, security and billing alertsEmail address, message metadata
Cloud infrastructureApplication hosting, encrypted backupsAll application data (encrypted at rest)
Error monitoringReliabilityStack traces, request id, anonymised IP (no API keys)
Exchange connectorOrder routing on your behalfOrder parameters; signed with your trade-only API key

Processors are contractually bound to use data only for the stated purpose and to maintain industry-standard security controls. We may also disclose personal data when required by law, court order, regulator request, or to protect the rights, safety, and property of QATS Ltd, our users, or third parties.

International transfers

QATS Ltd is incorporated in Israel. Our service providers may process data outside your country of residence. Transfers are safeguarded through recognised legal mechanisms — Standard Contractual Clauses or the EU–US Data Privacy Framework where applicable. Israel is recognised by the European Commission as providing an adequate level of data protection.

7. Retention

  • Account data: kept while your account is active and for 90 days after deletion request, then erased.
  • Order and trade logs: kept for 7 years to support tax, audit and dispute requirements.
  • Operational logs (heartbeats, traces): 90 days rolling.
  • Billing records: kept for the period required by applicable law (typically 6–10 years).

8. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 / Fernet for secrets).
  • MFA available on all accounts. Strongly recommended.
  • HMAC-signed webhooks between Control Plane and Execution Plane with nonce replay protection.
  • Audit log of every privileged action (key attach/detach, live activation, plan change).
  • Periodic third-party review of operational controls.
No service is 100% secure. Use a unique strong password, enable MFA, restrict your API key by IP, and keep withdrawal permissions disabled. If you suspect compromise, detach your key and contact support immediately.

9. Your rights

Depending on your jurisdiction (including the EU/UK under GDPR and California under CCPA), you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your account and personal data (subject to mandatory retention).
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, contact us at privacy@asteriaquant.com from the email registered on your account.

10. Cookies & local storage

We use first-party cookies and browser localStorage for: keeping you signed in (JWT), remembering interface preferences, and basic anti-abuse. We do not use third-party advertising cookies. You can clear stored data at any time via your browser; doing so will sign you out.

11. Changes to this policy

We will update this page when our practices change. Material changes are communicated by email to the address on your account at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current version.

12. Contact

Quant Algorithm Tree System Ltd (trading as Asteria Quant)
Company ID: 517208377
Maurizio Vitale 3, Tel Aviv, Israel

Privacy & data requests: privacy@asteriaquant.com
Security disclosures: security@asteriaquant.com
General support: support@asteriaquant.com

EU/UK residents may also lodge a complaint with their national data-protection authority. Israeli residents may contact the Israeli Privacy Protection Authority. California residents may exercise their CCPA/CPRA rights.