Privacy Policy
Summary: We collect only what's needed to run the platform: your email, hashed password, billing IDs, and basic usage data. We don't sell your data. We don't track your trades or your activity outside Alpha Suite. We use cookies only for authentication. For a full breakdown of your data-protection rights and how to exercise them, see Data Rights.
1. Information We Collect
1.1 Information You Provide
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account creation, login, service communications | Until account deletion |
| Password | Authentication (stored as a bcrypt hash only — never plaintext) | Until account deletion |
| Subscription tier | Access control and billing | Until account deletion |
| FastSpring account / subscription IDs | Look up your subscription state with our payment processor | Until account deletion + 7 years for tax records |
| Paper-tracked positions | Tracking simulated trades you've opened (symbol, entry, TP/SL/time-stop, status, P&L) | Until account deletion |
| Optional API key (Institutional) | Programmatic API access | Until you revoke or delete the account |
1.2 Information Collected Automatically
| Data | Purpose | Retention |
|---|---|---|
| IP address | Security, rate limiting, abuse prevention | Server logs rotated regularly |
| Browser type / OS | Compatibility and debugging | Server logs rotated regularly |
| Pages visited | Service improvement | Aggregated, not individually tracked |
| API usage | Rate limiting, tier enforcement | Rolling window |
1.3 Information We Do NOT Collect
- Your brokerage account details or credentials
- Your actual trades, positions, or portfolio holdings
- Financial account numbers or balances
- Social Security numbers or government IDs
- Precise geolocation data
2. How We Use Your Information
We use your information solely to:
- Provide and maintain the Service (authentication, tier-based access control)
- Process subscription payments through our payment processor
- Send essential service communications (account security, billing, major service changes)
- Prevent abuse and enforce our Terms of Service
- Improve the Service based on aggregate usage patterns
We do not use your information for advertising, profiling, or selling to third parties.
3. Cookies, Local Storage, and Authentication
Alpha Suite uses a minimal set of first-party cookies and one localStorage flag. We use no third-party cookies, no advertising pixels, and no analytics that track individual users.
| Cookie / item | Type | Purpose | Duration |
|---|---|---|---|
| Session token (JWT) | Strictly necessary cookie | Authentication — keeps you logged in | 24 hours, refreshed on activity |
| alphaTheme | localStorage (not a cookie) | Remembers your light / dark theme preference | Until you clear browser storage |
| paperTradingExplainerSeen | localStorage (not a cookie) | Suppresses the one-time paper-tracking explainer modal after first dismissal | Until you clear browser storage |
We honour Do-Not-Track signals where they apply — in practice we do not perform cross-site tracking, so DNT requires no behavioural change on our side.
4. Sub-processors and Data Sharing
We rely on a small number of third-party sub-processors. We share only the minimum personal data each processor needs to perform its function. None of them is permitted to use your data for advertising, profiling, or marketing.
| Processor | Purpose | Data shared |
|---|---|---|
| FastSpring | Subscription billing, tax remittance, customer account portal (merchant of record) | Email, subscription state. We do not store card numbers ourselves. |
| Resend | Transactional email (welcome, password reset, position events, daily digest) | Email, message content |
| Railway | Application hosting and managed Postgres | All operational data at rest in the database |
| Cloudflare | DNS, edge caching, DDoS protection | IP, user-agent, request metadata |
Beyond these processors, we share data only:
- For legal requirements: we may disclose information if compelled by law, valid court order, or governmental authority.
- For service protection: to investigate fraud, abuse, or violations of our Terms of Service.
- In a corporate transaction: if Alpha Suite is acquired, we will transfer data to the acquirer subject to this Privacy Policy or a substantially similar successor.
We do not sell, rent, or trade your personal information. We do not "share" personal information for cross-context behavioural advertising as defined under California CCPA / CPRA.
5. Data Security
We implement reasonable technical and organisational security measures:
- Passwords are hashed using bcrypt (never stored in plaintext).
- Authentication uses signed JWT tokens transmitted over HTTPS-only cookies.
- The Service is served exclusively over HTTPS with TLS 1.2 or higher.
- Database access is restricted to the application layer; no public database ingress.
- Postgres is operated by Railway with automated backups and point-in-time recovery.
- Authentication endpoints are rate-limited to mitigate brute-force attacks.
- Separation of admin and user roles; admin actions are logged.
No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security. In the unlikely event of a personal-data breach that is likely to result in a risk to your rights, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware (the GDPR deadline) and as soon as practicable in any case.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, with the following exceptions:
- Billing records (FastSpring account ID, subscription IDs, charge history) are retained for 7 years to satisfy tax and dispute-resolution obligations.
- Aggregated, anonymised usage data may be retained indefinitely for service improvement and may not be reversible.
- Backup copies roll off within 30 days; deletion propagates as backups expire.
7. Your Rights
You have the right to access, rectify, delete, export (port), restrict, and object to the processing of your personal data, plus the right to withdraw consent and to lodge a complaint with a supervisory authority. The full description of these rights, the response timelines under GDPR, UK GDPR, CCPA / CPRA, and equivalent regimes, and the verification process lives on the Data Rights page.
To exercise any right, email [email protected].
8. International Users and Cross-Border Transfers
The Service is hosted in the United States. If you access the Service from outside the US, your data is transferred to and processed in the US.
For users in the EEA, UK, and Switzerland, we process personal data on the legal basis of contract performance (Art. 6(1)(b) — providing the Service you signed up for), legitimate interest (Art. 6(1)(f) — security, fraud prevention, abuse mitigation), and legal obligation (Art. 6(1)(c) — tax records, lawful disclosure). For cross-border transfers from the EEA / UK / Switzerland to our US-based sub-processors, we rely on the European Commission's Standard Contractual Clauses supplemented by encryption in transit and at rest.
For California residents, see the Data Rights page for CCPA / CPRA-specific information including the "Do Not Sell or Share" notice.
9. Children
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Service or email. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For privacy-related questions or requests, contact us at [email protected].