Last Updated: 27 January 2026
Mycelia Labs ("Company", "we", "us", or "our") operates SIQ("Platform", "Service"), a quantitative financial analysis platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform.
We are committed to protecting your privacy and ensuring transparency about our data practices. This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).
Mycelia Labs is the data controller responsible for your personal data under the UK GDPR and EU GDPR. As the data controller, we determine the purposes and means of processing your personal data.
Data Protection Contact: For any questions about this Privacy Policy, our data practices, or to exercise your data protection rights, please contact us at privacy@thesiq.ai.
Note: We are in the process of appointing a formal Data Protection Officer (DPO) and will update this policy with their contact details once appointed. In the meantime, all data protection enquiries should be directed to the email address above.
SIQ processes financial information that you voluntarily provide, including portfolio holdings, transaction history, and investment data. This information may be considered sensitive and is treated with additional care.
We do not:
All financial data you provide is processed solely to deliver quantitative analysis and insights through the Platform.
| Data Category | Examples | Purpose |
|---|---|---|
| Account Information | Email address, name (via WorkOS authentication) | Account creation and authentication |
| Portfolio Data | Holdings, transactions, financial positions you upload | Providing quantitative analysis services |
| Chat History | Messages, queries, and conversations with the Platform | Providing AI-powered analysis, improving services |
| Communications | Emails, support requests, feedback | Customer support and service improvement |
| Data Category | Examples | Purpose |
|---|---|---|
| Usage Data | Features used, pages visited, session duration | Service improvement and analytics |
| Device Information | Browser type, operating system, device identifiers | Security, compatibility, troubleshooting |
| Log Data | IP address, access times, error logs | Security, debugging, fraud prevention |
Under the UK GDPR and EU GDPR, we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis (Article 6) |
|---|---|
| Account creation and authentication | Contract performance |
| Portfolio data analysis | Contract performance |
| Chat history storage and AI processing | Contract performance |
| Service improvement and analytics | Legitimate interests |
| Security monitoring and fraud prevention | Legitimate interests / Legal obligation |
| Marketing communications (if opted in) | Consent |
| Responding to legal requests | Legal obligation |
| Error monitoring and crash reporting | Legitimate interests |
Legitimate Interests Assessment: Where we rely on legitimate interests, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting us.
We use the information we collect to:
What We Do Not Do: We do not sell your personal information to third parties. We do not use your data for targeted advertising. We do not share your financial data with third parties for their own marketing purposes.
SIQ uses artificial intelligence and machine learning to analyse your data and provide quantitative insights. This constitutes "profiling" under GDPR, as we process personal data to analyse and make predictions about your financial information.
Nature of AI Processing:
Your Rights: The AI analysis provided is informational only. All investment decisions remain entirely with you. You have the right to:
We share your information with trusted third-party service providers ("sub-processors") who assist us in operating the Platform. We have entered into Data Processing Agreements (DPAs) with each of these providers that include appropriate data protection obligations.
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| WorkOS | Authentication and identity | Email address, name, authentication tokens | USA | SCCs + DPA |
| Anthropic | AI/LLM processing | Chat messages, queries, uploaded data for analysis | USA | SCCs + DPA |
| Railway | Cloud infrastructure and hosting | All application data, session state, database | USA | SCCs + DPA |
| Cloudflare | Content delivery and security | IP addresses, request metadata | Global (USA HQ) | SCCs + DPA |
| Sentry | Error tracking and user feedback | Error logs, stack traces, device/browser information, screenshots (if submitted via feedback) | USA | SCCs + DPA |
Sub-processor Updates: We may update our list of sub-processors from time to time. Material changes to sub-processors will be notified through updates to this Privacy Policy. You may subscribe to sub-processor update notifications by contacting us at privacy@thesiq.ai.
Transfer Safeguards: For transfers to countries outside the UK and EEA that do not have an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office, supplemented by additional technical and organisational measures where necessary.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are based on business needs and legal requirements:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Data | Duration of account + 2 years | Legal obligations, dispute resolution |
| Chat History | Duration of account or until deletion request | Service provision, user convenience |
| Portfolio Data | Until deletion request or account termination | Service provision |
| Log Data | 90 days | Security, debugging, fraud prevention |
| Backup Data | 30 days after primary deletion | Disaster recovery |
After the retention period expires, we will securely delete or anonymise your personal data. In some cases, we may retain anonymised data for statistical purposes indefinitely.
If you are in the UK or European Economic Area, you have the following rights:
To exercise these rights, please contact us at hello@thesiq.ai. We will respond within one month as required by law.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
We do not sell your personal information. We do not share personal information for cross-context behavioural advertising. We do not use or disclose sensitive personal information for purposes other than those permitted under CCPA/CPRA.
Categories Collected (preceding 12 months): Identifiers (email, name), commercial information (portfolio data), internet activity (usage logs), and inferences drawn from the above.
Verification: When you make a request, we will verify your identity by matching the information you provide with information we have on file. For sensitive requests, additional verification may be required.
Authorised Agents: You may designate an authorised agent to make requests on your behalf. We may require written proof of the agent's authorisation and verify your identity directly.
To exercise any of your data protection rights, you may:
We will respond to verifiable requests within one month (GDPR) or 45 days (CCPA), with possible extensions for complex requests. We may request additional information to verify your identity before processing your request.
Your information may be transferred to and processed in countries outside the UK and European Economic Area, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:
We implement appropriate technical and organisational measures to protect your personal data in accordance with industry best practices and applicable legal requirements:
Employee Access to Your Data: A limited number of authorised Mycelia Labs administrators may access your account data, including chat conversations and strategy configurations, strictly for the following purposes: investigating support requests you have raised, responding to security incidents, complying with legal obligations, debugging platform issues, and conducting SOC 2 compliance audits. All administrative access is logged in an immutable audit trail and reviewed quarterly. We do not access your data for marketing, analytics, or any purpose beyond platform operation and security.
While we strive to protect your personal data using industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly investigating and addressing any suspected security incidents.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
We use essential cookies necessary for the Platform to function, including authentication tokens and session management. We do not use third-party advertising or tracking cookies.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Authentication | Keep you logged in securely | Session / 7 days |
| Preferences | Remember your settings (e.g., theme) | 1 year |
The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at hello@thesiq.ai.
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically.
If you have concerns about our data practices, please contact us first at privacy@thesiq.ai. We take all privacy concerns seriously and will do our best to resolve your concern promptly.
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
Under California Civil Code Section 1798.83, California residents may request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.
We do not disclose personal information to third parties for their direct marketing purposes. If this practice changes, we will update this Privacy Policy and provide you with an opportunity to opt out.
For any questions or concerns about this Privacy Policy or our data practices:
Mycelia Labs
Data Protection Enquiries
Privacy Email: privacy@thesiq.ai
General Email: hello@thesiq.ai
Website: https://thesiq.ai
For time-sensitive data protection matters, please include "URGENT" in the subject line of your email. We aim to respond to all enquiries within 5 business days.
As required under Article 30 of the GDPR, we maintain a record of all processing activities carried out under our responsibility. This record is available to the supervisory authority upon request and includes information about the purposes of processing, categories of data subjects and personal data, recipients of data, international transfers, retention periods, and security measures.
You may request a summary of our processing activities relevant to your personal data by contacting us at privacy@thesiq.ai.
This Privacy Policy is effective as of 27 January 2026.
Previous versions of this Privacy Policy may be requested by contacting us at privacy@thesiq.ai.
View Terms and Conditions