Data Rights
This page explains your data-protection rights under GDPR (EU/EEA), UK GDPR (United Kingdom), CCPA / CPRA (California), and equivalent regimes — and exactly how to exercise them. For a description of what data we collect and why, see the Privacy Policy.
1. Your rights at a glance
| Right | What it means | How to exercise |
|---|---|---|
| Access | Get a copy of all personal data we hold on you | Email request |
| Rectification | Correct inaccurate or incomplete data | Edit in-app or email request |
| Erasure ("right to be forgotten") | Delete your account and personal data | Email request |
| Portability | Receive your data in a portable, machine-readable format (JSON) | Email request |
| Restriction | Pause certain processing of your data | Email request |
| Objection | Object to processing on legitimate-interest grounds | Email request |
| Withdrawal of consent | Withdraw any consent you've given (e.g. marketing emails) | Unsubscribe link or email request |
| Non-discrimination | We won't penalise you for exercising any right | Automatic |
| Lodge a complaint | Complain to your local data-protection supervisory authority | See § 10 |
2. What personal data we hold
The complete list lives in the Privacy Policy. In summary, for an active account we hold:
- Account data: email, bcrypt password hash, tier, account creation timestamp, optional API key.
- Session data: JWT session tokens with expiry timestamps.
- Billing data: Polar customer ID, Polar subscription IDs (used to look up your subscription state). We do not store card numbers or full billing addresses.
- Service data: paper-tracked positions you opened (symbol, entry / TP / SL / time-stop, status, P&L), email-sent flags.
- Server logs: IP address, user-agent, requested path, timestamp; retained for 30 days, then aggregated or deleted (see § 8).
3. Sub-processors
We use the following third-party processors. Each has its own privacy policy and security commitments. We share only the minimum personal data each processor needs to perform its function.
| Processor | Purpose | Data shared | Region |
|---|---|---|---|
| Polar.sh | Subscription billing, tax, payment processing | Email, Polar customer ID, subscription state | EU/US |
| Resend | Transactional email (welcome, password reset, position events, daily digest) | Email, message body | US/EU |
| Railway | Application hosting (compute + Postgres) | All operational data at rest in DB | US |
| Cloudflare | DNS, edge caching, DDoS protection | IP, user-agent, request metadata | Global edge |
| Cloudflare R2 (optional) | SQLite backup storage if Postgres is unavailable | Encrypted DB file (only when self-hosting falls back to SQLite) | US/EU |
We do not engage processors for advertising, profiling, marketing analytics, or behavioural tracking. We will update this list before adding any new sub-processor that handles personal data.
4. Rights under EU GDPR and UK GDPR
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, you have all the rights listed in § 1 above. The legal bases on which we process your data are:
- Contract (Art. 6(1)(b)): we need your account data to deliver the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): to operate, secure, and improve the Service (rate-limiting, abuse prevention, fraud detection).
- Legal obligation (Art. 6(1)(c)): tax records, anti-fraud requirements, lawful disclosure requests.
- Consent (Art. 6(1)(a)): for any optional processing we ask you to opt into (none currently).
You can object to processing based on legitimate interest at any time. Where we cannot honour an objection (for example, because the data is necessary to operate your account), we will explain why.
4.1 International data transfers
Personal data is transferred to and processed in the United States. For transfers from the EEA, UK, and Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) with our US-based sub-processors, supplemented by encryption in transit (TLS 1.2+) and at rest, and access controls described in § 7.
4.2 Automated decision-making
We do not use your personal data to make automated decisions that produce legal or similarly significant effects on you (no scoring, no credit decisions, no behavioural profiling). Trading-signal generation is performed on public market data, not your personal data, and the output is not personalised.
5. Rights under California CCPA / CPRA
If you are a California resident, you have the rights listed in § 1 above plus the following:
- Right to know the categories and specific pieces of personal information we have collected, the sources, the purpose, and the categories of third parties to whom we disclose it. The categories are listed in § 2 and § 3 above.
- Right to delete personal information, subject to legal-retention exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising any CCPA right.
"Do Not Sell or Share My Personal Information." Alpha Suite does not sell your personal information for monetary or other valuable consideration, and does not share it with third parties for cross-context behavioural advertising. There is nothing to opt out of in the CCPA/CPRA "sale or sharing" sense, but the right to opt out remains available to you on request.
Authorised agents may submit requests on your behalf if they provide your signed written permission and we are able to verify your identity directly with you.
6. Rights under other regimes
- Canada (PIPEDA, Quebec Law 25): rights of access, correction, withdrawal of consent, and complaint to the Office of the Privacy Commissioner.
- Brazil (LGPD): rights of confirmation, access, correction, anonymisation/blocking/deletion, portability, and information about sharing.
- Australia (Privacy Act / APPs): rights of access and correction; complaints to the OAIC.
- South Korea (PIPA), Japan (APPI), Singapore (PDPA), Switzerland (FADP): equivalent access / correction / deletion rights.
If you are a resident of a jurisdiction with specific data-protection rights not listed above, contact us — we will honour any equivalent right under applicable local law.
7. Security measures
We apply the following technical and organisational measures:
- HTTPS-only with TLS 1.2 or higher across the entire platform.
- Passwords stored only as bcrypt hashes (never plaintext).
- Session tokens are JWTs signed with a secret rotated on the server; sessions are revocable.
- Database access is restricted to the application layer; no public ingress.
- Postgres is operated by Railway with automated backups and point-in-time recovery.
- Sub-processors are SOC 2 / ISO 27001 / equivalent certified where applicable.
- Rate-limiting on authentication endpoints to mitigate brute-force attacks.
- Separation of admin and user roles; admin actions are logged.
No system is perfectly secure. If we ever experience a personal-data breach that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (the GDPR Art. 33 deadline) and notify affected users without undue delay where the breach is likely to result in a high risk to them (GDPR Art. 34), and in every case as soon as practicable.
8. Retention
| Data | Retention |
|---|---|
| Account, sessions, paper positions | For the life of your account |
| Server logs (IP, user-agent, paths) | 30 days, then aggregated or deleted |
| Billing records (Polar IDs) | 7 years (tax and dispute-resolution records) |
| After account deletion | Personal data erased within 30 days, except items above required by law |
| Backup copies | Backups roll off within 30 days; deletion propagates as backups expire |
9. How to submit a request
Email [email protected] from the email address on your Alpha Suite account. Subject line: Data request — [your right]. Please indicate which right you are exercising.
If you cannot send from your account email (for example, the account is compromised or the email no longer works), include enough information for us to verify your identity by other means — we may follow up to confirm.
9.1 Response timeline
| Regime | Standard timeline | Possible extension |
|---|---|---|
| GDPR / UK GDPR | 1 month from receipt | Up to 2 additional months for complex requests, with notice |
| CCPA / CPRA | 45 days from receipt | Up to 45 additional days, with notice |
| Other | 30 days target | As required by applicable local law |
9.2 Verification
To prevent unauthorised access, we will verify your identity before fulfilling sensitive requests (access, deletion, portability). Verification is normally achieved by you sending the request from the email address on your account. For requests submitted by an authorised agent, we additionally require signed written authorisation from you.
9.3 Fees
Requests are free of charge. We may charge a reasonable administrative fee, or refuse to act, only where requests are manifestly unfounded, excessive, or repetitive (as permitted by GDPR Art. 12(5) and equivalent CCPA provisions).
10. Right to lodge a complaint
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a data-protection supervisory authority. We ask only that you contact us first so we have an opportunity to resolve the issue.
- EEA: the supervisory authority of your country of residence (list at edpb.europa.eu).
- UK: Information Commissioner's Office — ico.org.uk.
- California: California Privacy Protection Agency — cppa.ca.gov — or the Attorney General's office.
- Other jurisdictions: your local data-protection authority.
11. Children
The Service is not directed at children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it.
12. Changes to this page
We may update this page from time to time to reflect changes in law, sub-processors, or our practices. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated via the Service or by email.
13. Contact
All data-rights requests, complaints, and questions: [email protected].
For general legal questions: [email protected].