Legal

Privacy Policy

This policy describes how Kwiz Computing Technologies Limited (“KCT”, “we”, “us”, or “our”) collects, uses, shares, and protects information across our three brands — Kwiz Research, Kwiz Quants, and AutoMarket — and the websites, dashboards, and APIs that support them.

Effective date: 25 May 2026 · Last updated: 25 May 2026

1. Who we are

Kwiz Computing Technologies Limited is a Kenyan private company headquartered in Nairobi, Kenya. We operate three customer-facing brands:

Kwiz Research — environmental analytics, biodiversity, EIA/ESIA, climate, and enterprise data-science consulting (research.kwizresearch.com).
Kwiz Quants — institutional-grade systematic forex trading platform (quants.kwizresearch.com).
AutoMarket — multi-tenant automated content-marketing SaaS that publishes content on customers’ behalf across LinkedIn, X (formerly Twitter), and Instagram (automarket.kwizresearch.com).

The KCT umbrella website is www.kwizresearch.com.

For the purposes of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the Kenya Data Protection Act 2019, KCT is the data controller for personal data collected through any of the above properties. Where AutoMarket publishes content on a tenant’s behalf using credentials and content the tenant has supplied, the tenant is the controller for that content and KCT acts as a data processor.

The privacy contact for KCT is:

Kwiz Computing Technologies Limited Nairobi, Kenya Email: jeankwizera@kwizresearch.com

2. Information we collect

We collect only what we need to provide the services you have requested. The categories below describe everything we may collect — what actually applies to you depends on which products you use.

2.1 Information you provide directly

Account details — your full name, email address, phone number (optional), company or organisation name, and the password you set for any KCT dashboard (passwords are stored only as salted hashes by Firebase Authentication).
Contact-form submissions — anything you submit through the contact forms on our marketing sites (your message, the service category you selected, project timeline, and any context you add).
Consultation bookings — appointment details captured by Google Calendar when you book a free consultation through our public scheduling link.
Profile and brand assets for AutoMarket — brand voice notes, target audience descriptions, logos, brand colours, and any source material you upload to inform content generation.
Trading configuration for Kwiz Quants — your MT5 broker name, MT5 account login number, MT5 investor or trading password (transmitted directly to your broker for strategy execution; see section 5B), the strategies you have subscribed to, risk parameters (lot size, max drawdown, per-trade risk %), and any allow- or block-lists you set on instruments.
Project intake material for Kwiz Research — the scope-of-work documents, datasets, shapefiles, survey records, EIA/ESIA disclosures, regulatory correspondence, or other source material you transfer to us so we can perform the engagement you have commissioned.
Billing and payment information for AutoMarket and Kwiz Quants subscriptions — billing address, VAT or tax identifiers where applicable, invoice metadata, and payment status. KCT does not currently process card payments directly; subscription invoices are issued by the KCT super-admin and recorded as paid manually once payment is received (no payment-gateway integration is live as of the effective date). Kwiz Research engagements are billed by direct invoice under the terms of each signed engagement letter.

2.3 Information collected automatically

Website analytics — when you visit any KCT website we use Google Analytics 4 (with IP anonymisation enabled) to collect pages viewed, referring URL, approximate location (country / region), device type, browser, and time on page.
Server and security logs — our hosting provider (Firebase Hosting / Google Cloud) automatically logs requests, IP addresses, timestamps, and user-agent strings. These logs are used for diagnostics, abuse prevention, and security incident investigation.
Application telemetry — the AutoMarket dashboard records the timestamps and outcomes of pipeline events you trigger (topic generation, content drafting, publishing) so you can audit your own activity. The Kwiz Quants control plane records strategy-execution events (strategy started/stopped, signal generated, order submitted to broker, error returned) so you can audit every action taken on your trading account.

2.4 Information AutoMarket generates on your behalf

When you use AutoMarket, our system generates draft topics, briefs, full articles, social-media posts, and infographic briefs using AI (see section 4 and section 5C). The generated drafts are stored against your tenant in our content queue and are visible only to you and to KCT super-administrators with explicit access for support purposes.

2.5 Trading and financial data (Kwiz Quants)

When you connect an MT5 trading account to Kwiz Quants we collect, process, and retain trading-related data so we can run the strategies you have subscribed to and report on their performance:

Account-level data — your broker, MT5 login, base currency, account equity, balance, free margin, leverage, and your broker’s reported account type (live, demo, hedged/netted).
Order and position data — every order we submit on your behalf, including symbol, side, volume, entry/exit price, stop-loss, take-profit, timestamps, swap, commission, and realised/unrealised P&L.
Strategy outputs — the signals each subscribed strategy produced, the parameters used to produce them, and the resulting trade decisions.
Backtest and validation outputs — historical backtest results, walk-forward and combinatorial-purged cross-validation reports, and Deflated Sharpe Ratio computations generated against your selected strategy configuration.
Risk-parameter changes — every change you make to per-trade risk, max drawdown caps, or instrument allow/block lists, together with who made the change and when.

We treat this material as sensitive financial data. See section 5B for how it is stored, who can see it, and what we will and will not do with it.

2.6 Project, environmental, and regulatory data (Kwiz Research)

A Kwiz Research engagement frequently requires us to handle data that is either commercially sensitive (client business plans, project economics) or environmentally and regulatorily sensitive (locations of protected species, EIA findings prior to public disclosure, raw GHG inventory inputs, geospatial layers tagged to indigenous or community land). Categories we typically receive include:

Project briefs, scope-of-work, and engagement letters.
Raw and derived environmental datasets — EIA/ESIA disclosures, biodiversity survey records (including precise coordinates), water-quality and air-quality measurements, remote-sensing imagery, geospatial vector and raster layers.
Climate, carbon, and GHG inventory inputs — activity data, emission factors, energy bills, fleet records, audit trails.
Correspondence and submissions with regulators (e.g., NEMA in Kenya), partner organisations, or community stakeholders.
Personal data of named project personnel, survey respondents, or interviewees, where it forms part of the engagement deliverable.

See section 5A for how this material is handled, retained, and released.

3. How we use your information

We process personal data only where we have a lawful basis to do so. Specifically:

To deliver the services you have signed up for — operating the Kwiz Research client engagement, providing the Kwiz Quants trading-strategy platform, running the AutoMarket content pipeline. Lawful basis: performance of a contract.
To publish content on your behalf through AutoMarket using the social-media credentials you have connected, in line with the publishing schedule you have approved. Lawful basis: performance of a contract.
To execute trades on your behalf through Kwiz Quants using the MT5 credentials and the strategy + risk parameters you have configured, and to report on the resulting performance. Lawful basis: performance of a contract.
To carry out commissioned analysis for Kwiz Research — processing the project material you have provided in order to produce the deliverables defined in the engagement letter. Lawful basis: performance of a contract.
To send service-related communications — onboarding emails, billing notifications, security alerts, scheduled-maintenance notices. Lawful basis: performance of a contract, or legitimate interest in keeping you informed about a service you actively use.
To improve our services — analysing aggregate, de-identified usage patterns to inform product decisions, debugging issues, measuring marketing effectiveness. Lawful basis: legitimate interest in operating and improving our services.
To comply with our legal obligations — keeping invoice and tax records as required by Kenyan law, responding to lawful requests from regulators or courts. Lawful basis: legal obligation.
To prevent abuse and protect our services — rate-limiting, fraud detection, identifying compromised credentials. Lawful basis: legitimate interest in keeping our platform secure for all users.

We do not sell your personal data. We do not use your data to train third-party AI models without your explicit opt-in (see section 4 for how AutoMarket uses Claude).

4. Third-party services we rely on

Operating our services requires us to share specific data with carefully selected processors. Each is bound by either a Data Processing Agreement or its standard customer terms equivalent.

Provider	What they do	What we share with them
Google Firebase / Google Cloud (USA, EU)	Hosts our websites, authenticates dashboard users, stores Firestore data, runs Cloud Functions, sends transactional email.	Account details, authentication credentials, application data, server logs.
Google Analytics 4	Website traffic analytics.	Anonymised IP, page-view events, device metadata.
LinkedIn (Microsoft Corporation)	LinkedIn OAuth and Marketing Developer Platform — used to publish AutoMarket content to your LinkedIn profile or company page.	Your access token, the post content you have approved.
X Corp.	X API v2 — used to publish AutoMarket posts to your X account.	Your access token, the post content you have approved.
Meta Platforms (Instagram Graph API / Facebook Login)	Used to publish AutoMarket content to your Instagram Business account via its linked Facebook Page.	Your access token, the post content and media you have approved.
Anthropic (Claude AI)	Generates draft content (topics, articles, social posts, infographic briefs) inside the AutoMarket pipeline.	The structured prompts we build for each generation, which may include the brand voice, topic, and source material you have supplied. Anthropic’s commercial API terms prohibit using API inputs and outputs to train its models.
Your MT5 broker (Kwiz Quants)	Holds your trading account and executes the orders Kwiz Quants submits on your behalf.	The MT5 credentials you provided and the orders we submit on your behalf. KCT does not select your broker — you do.
FormSubmit	Receives contact-form submissions from our marketing sites and forwards them to our inbox.	The fields you submit on the contact form.
GitHub (Microsoft Corporation)	Source-code hosting and CI/CD for our build pipelines.	No customer personal data — only code and build artifacts.

If we add or remove a processor materially, we will update this table and, where the change is significant, notify affected users.

5. Product-specific handling

Each KCT product handles a distinct category of sensitive data. This section sets out, product-by-product, what we do with it.

5A. Kwiz Research — environmental, regulatory, and client project data

Kwiz Research engagements are governed by the engagement letter you sign with us. That letter, together with this policy, defines how your project data is handled. In all cases:

Confidentiality. All client deliverables, datasets, raw observations, and internal correspondence are treated as confidential. Project material is shared inside KCT only with the team members staffed on your engagement and a small number of named senior reviewers; it is not accessed for any other purpose.
Sensitive-location masking. Where datasets include the precise coordinates of protected species, archaeological sites, indigenous or community land, or critical infrastructure, we apply standard masking conventions (coordinate generalisation, public-vs-restricted layer splits) so that public-facing deliverables do not expose locations that could enable harm. The unmasked source data is held only in our restricted project store.
Regulatory pre-disclosure material. EIA/ESIA drafts, GHG inventory drafts, and similar pre-submission material are not shared outside the engagement and are not used in marketing, blog posts, or training material without your prior written consent.
Open data. Where a project uses or produces openly licensed data (e.g., GBIF occurrence records, satellite imagery, open-government datasets), we may retain and reuse that material in line with the original licence — but never the joined or enriched form that links it to your engagement.
Storage. Project files are held in Google Cloud Storage and Firestore within KCT’s controlled environment. We do not place client EIA/ESIA, biodiversity, or GHG project files into shared third-party productivity tools (e.g., generic ChatGPT, free Google Drive accounts) without your prior written consent.
Subcontractors. If we need to bring in a domain specialist (e.g., a botanist, hydrologist, or quantitative reviewer) we will tell you in advance and only share the minimum data they need. They sign a confidentiality agreement before any data leaves our environment.
Return or destruction at engagement end. When your engagement closes, we either return your source material, retain only what is needed to defend a regulatory or contractual claim, or destroy it — per the engagement letter. Default retention is 7 years for the final deliverable and 24 months for working files, after which working files are deleted.

5B. Kwiz Quants — trading accounts and financial data

This section covers the additional protections we apply because Kwiz Quants connects to real money.

You always control your funds. Your capital remains in your own MT5 brokerage account. KCT cannot withdraw, transfer, or deposit funds, and we never request banking, card, or wallet credentials. We only ever interact with your account through the MT5 trading interface, and only for the strategies and risk parameters you have authorised.

MT5 credential handling.

You enter your broker, MT5 login, and MT5 password in the Kwiz Quants control plane.
The password is encrypted in transit and at rest. It is held only in the execution sandbox that connects to your broker.
Wherever your broker supports it, we encourage you to use the MT5 investor password rather than the master password — investor passwords are read-and-trade-only at the broker’s discretion and cannot be used to change account settings.
You can rotate or revoke the credential at any time from the control plane; doing so disconnects the strategy worker on the next heartbeat (within 60 seconds).

Storage and isolation of trading data. Order, position, P&L, equity, and strategy-signal data is stored in Firestore under your account, with security rules that prevent any other Kwiz Quants user from reading it. The KCT super-admin role has read access for support and incident response only, and all such access is logged.

What we will not do with your trading data.

We will not sell or share order-flow or position data with any third party.
We will not use your individual account’s performance in marketing, case studies, or screenshots without your explicit written consent.
We will not aggregate your data with other users’ data for any purpose other than internal product quality (e.g., monitoring strategy slippage, sizing infrastructure) and even then only in anonymised, non-attributable form.
We will not place your trading-credential material into general-purpose AI tools.

No trading or investment advice. Kwiz Quants provides validated systematic strategies you choose to subscribe to; we do not provide personalised investment advice. Backtest results — Sharpe, Deflated Sharpe Ratio, drawdown statistics, and walk-forward performance — describe historical behaviour. Past performance does not guarantee future results, and trading leveraged products such as forex carries a substantial risk of loss. You are responsible for ensuring that algorithmic forex trading is permitted in your jurisdiction.

Regulatory cooperation. Where a competent financial-services regulator issues a lawful request for records relating to your account, we will respond as required by law and will notify you unless we are legally prohibited from doing so.

5C. AutoMarket — OAuth, social-media access, and AI-generated content

This section applies specifically to AutoMarket and exists because LinkedIn, X, and Meta require us to be explicit about how we handle the access you grant — and because everything AutoMarket produces involves AI generation.

5C.1 What happens when you connect a social account.

You click Connect LinkedIn / X / Instagram in the AutoMarket dashboard.
We redirect you to the relevant provider’s authorisation page, where you see exactly which scopes we are requesting (see section 2.2).
You either approve or deny the request on the provider’s site — KCT never sees your password.
If you approve, the provider returns an access token (and, where supported, a refresh token) to our backend.
We store the token encrypted at rest in Firestore, scoped to your tenant document. Tokens are readable only by the AutoMarket publishing worker and by KCT super-administrators with break-glass access for support.

5C.2 What we do with that access. We use the token only to publish posts you have explicitly approved, on the schedule you have configured. We do not read your inbox, your followers’ personal data, your private posts, or anything outside the scopes listed in section 2.2. Every publish action is logged in your tenant audit trail.

5C.3 AI-generated content disclosure. All AutoMarket content — topic suggestions, briefs, long-form articles, social posts, infographic briefs — is generated by an AI system (Anthropic’s Claude API) operating on prompts that combine your brand voice, your editorial calendar, and any source material you have supplied. Key points:

You always have a review step. Drafts land in your queue with status draft and only move to approved (and from there to published) on your explicit action. We never post AI-generated content to your connected accounts without that approval.
No third-party model training. Anthropic’s commercial API terms (which we operate under) prohibit Anthropic from using customer API inputs and outputs to train its models. KCT itself does not train any model on your material, your brand voice, or your published content.
Source attribution. Where a draft is built on top of specific source material you provided, AutoMarket tracks those sources in the draft metadata so you can verify them before approving.
AI labelling on publication. Where the platform you are posting to (or the law of your jurisdiction) requires you to disclose AI-assisted content, you are responsible for adding the relevant label or disclosure to the post text or platform setting; AutoMarket exposes a per-channel toggle to help you do this consistently.
Hallucinations and errors. AI-generated drafts can contain factual errors. AutoMarket is a productivity tool, not an editorial signoff — you remain the publisher of record for everything posted from your account.

5C.4 How to disconnect a social account. You can revoke our access at any time, in two ways:

From the AutoMarket dashboard — open Settings → Connected Accounts and click Disconnect. We delete the stored token immediately and queue any scheduled posts for that channel for cancellation.
From the provider directly — LinkedIn (Settings → Data Privacy → Permitted services), X (Settings → Security and account access → Apps and sessions), or Meta (Settings → Apps and Websites). Revoking from the provider takes effect immediately; the next publishing attempt will fail and the dashboard will prompt you to reconnect or remove the schedule.

Once you disconnect, we delete the access and refresh tokens within 7 days. Published posts that already went out remain on the platform under your account — only you can delete those.

6. Cross-service data flows

Some customers use more than one KCT product (for example, a Kwiz Research client may also subscribe to AutoMarket; a Kwiz Quants subscriber may also commission Kwiz Research analysis). We keep the products’ data stores separate by default:

Per-product isolation. Each product writes to its own Firestore namespace (tenants/{uid}/* for AutoMarket, quants/{uid}/* for Kwiz Quants, project-scoped Cloud Storage buckets for Kwiz Research). Security rules and IAM grants are scoped per-product; the AutoMarket publishing worker has no read path to Kwiz Quants trading data, and vice versa.
No automatic cross-use. We will not feed your Kwiz Quants trading data into AutoMarket-generated marketing content, will not surface Kwiz Research project material in your AutoMarket queue, and will not use AutoMarket-generated content as input to a Kwiz Quants strategy, unless you have explicitly opted in to that flow.
Shared identity only. What is shared across products is your Firebase Authentication identity (so you can sign into each product without a separate password) and KCT-level billing records (so we can issue a single invoice if you choose). Nothing else flows automatically between products.
Cross-team support access. A KCT super-administrator may have access to all three products’ admin views. Such access is always logged and is used only for support, security, or incident response — not for combining data across products.

If we ever want to introduce a feature that combines data across products (for example, surfacing Kwiz Quants performance summaries as AutoMarket content suggestions), we will request your explicit, granular opt-in before any data crosses the boundary.

7. Cookies and similar technologies

We use a small number of cookies and storage mechanisms:

Strictly necessary — Firebase Authentication session cookies, CSRF tokens, and load-balancer cookies. Without these the dashboards cannot function. No consent is required for strictly necessary cookies.
Analytics — Google Analytics 4 sets _ga and _ga_* cookies (typically expiring after 2 years) to distinguish unique visitors. We have IP anonymisation enabled, and we do not enable Google Signals or advertising features.
Preferences — local-storage entries inside the AutoMarket dashboard remember your sidebar state, theme, and the tenant or account you last opened.

We do not use third-party advertising cookies, cross-site tracking pixels, or social-media retargeting tags.

If you are in the EU/EEA, UK, or another jurisdiction that requires consent for non-essential cookies, you can decline analytics via your browser’s Do Not Track signal or by blocking the Google Analytics cookies in your browser settings. Most browsers also support per-site cookie controls.

8. How long we keep your data

We keep personal data only as long as we need it for the purposes set out above, or as required by law:

Data	Retention
Active account profile and settings	For as long as your account is active.
Connected-account OAuth tokens (AutoMarket)	Until you disconnect, after which up to 7 days for cleanup.
MT5 trading credentials (Kwiz Quants)	Until you remove them in the control plane; deleted from the execution sandbox within 24 hours of removal.
Kwiz Quants order, position, and P&L history	For the life of your account; exportable as JSON on request. On account closure, retained for 7 years for tax and dispute-defence purposes.
Kwiz Quants strategy backtests and validation reports	For the life of your account. Anonymised aggregates of strategy-level performance (no per-user data) may be retained indefinitely for product quality monitoring.
AutoMarket generated drafts and published-post records	For the life of your account, or until you delete them.
Kwiz Research project files and deliverables	Per the engagement letter — default 7 years for final deliverables and 24 months for working files.
Contact-form submissions	Up to 24 months from submission, then archived or deleted.
Billing and invoice records	7 years from issue (Kenyan tax law).
Web-analytics data in Google Analytics 4	14 months (GA4 default we have set).
Server and security logs	Up to 90 days, except where retained longer for a specific security incident investigation.
Backups	Rolling 30-day window for Firestore point-in-time recovery.

When you close an account we will delete or anonymise your personal data within 30 days, except where we are required to keep it (typically invoice records for tax compliance, or trading history for financial-records retention) or where it is needed to defend a legal claim.

9. Your rights

Depending on where you live you have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure (“right to be forgotten”) — ask us to delete your personal data, subject to our legal retention obligations.
Restriction — ask us to stop processing your data in certain circumstances.
Portability — receive your data in a structured, machine-readable format (JSON export from the AutoMarket and Kwiz Quants dashboards; on request for Kwiz Research project files).
Objection — object to processing based on our legitimate interests.
Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior lawful processing.
Complain to a supervisory authority — for example, the Office of the Data Protection Commissioner in Kenya (odpc.go.ke), or your local data-protection authority in the EU/EEA or UK.

To exercise any of these rights, email jeankwizera@kwizresearch.com from the address associated with your account. We will respond within 30 days. We may need to verify your identity before acting on a request.

10. International data transfers

KCT is based in Kenya, but several of our processors (notably Google, LinkedIn, X, Meta, and Anthropic) operate in the United States and the European Union. When personal data is transferred outside your country we rely on:

Adequacy decisions where they exist (for transfers from the EU/EEA to recipients in adequate jurisdictions).
Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where appropriate by additional technical and contractual safeguards.
The processor’s own certifications — Google, Meta, LinkedIn, and Anthropic each maintain SOC 2 and ISO 27001 certifications relevant to their services.

You can request a copy of the transfer mechanism applicable to your data by contacting us.

11. Security

We protect your data using a combination of organisational and technical controls:

All data in transit is encrypted with TLS 1.2 or higher.
All data at rest in Firestore and Cloud Storage is encrypted using Google-managed keys.
OAuth tokens for social-media accounts (AutoMarket) and MT5 trading credentials (Kwiz Quants) are stored with field-level encryption and isolated from the read paths of unrelated services.
Kwiz Research project material is held in access-controlled Cloud Storage buckets scoped to the specific engagement, with no shared “all projects” bucket.
Access to production systems uses multi-factor authentication and is restricted to a small number of named staff. All staff with access to financial (Kwiz Quants) or confidential project (Kwiz Research) data sign a confidentiality agreement.
Firestore security rules enforce strict per-tenant and per-product isolation; production code is reviewed and tested before deployment.
We monitor for unusual activity, review access logs regularly, and run penetration testing periodically on the Kwiz Quants control plane and AutoMarket dashboard.

No system is perfectly secure. If we ever become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay. For Kwiz Quants incidents that could affect trading-account integrity, we will pause strategy execution on impacted accounts as a precaution while we investigate.

12. Children

Our services are not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you using purely automated means.

AutoMarket uses AI (Anthropic’s Claude API) to generate content drafts. Those drafts are always staged for your review and approval before publication — you remain in control of what goes out on your social accounts. See section 5C.3 for the AI-content disclosure.
Kwiz Quants executes systematic trading strategies on your MT5 account based on the strategy logic and risk parameters you subscribed to and configured. The platform itself does not make discretionary investment decisions and does not provide personalised investment advice; you can pause or disconnect any strategy at any time. See section 5B.
Kwiz Research deliverables are reviewed by a named human analyst before they are released to you or to any regulator.

14. Changes to this policy

We may update this policy from time to time. When we do, we will change the Last updated date at the top of this page. If the changes are material — for example, if we add a significant new category of processing or a new third-party processor that handles your data — we will notify you by email or through an in-product banner before the changes take effect.

We encourage you to review this page periodically.

15. Contact us

If you have questions about this policy or about how we handle your personal data, please contact: