Skip to main content
← Back to Home
DRAFT — pending legal review. This document is a first draft. Obtain sign-off from a privacy/fintech attorney before publishing.

Privacy Policy

Last updated: April 24, 2026

1. Who We Are

AlphEdge Ltd. ("AlphEdge", "we") is an Israeli limited company and the controller of the personal data described in this Privacy Policy. For GDPR purposes, our EU representative is listed in Section 12.

2. What Data We Collect

Account data. Email address, display name, locale preference, bcrypt-hashed password, IP address at signup, timestamp, email verification status.

Authentication data. JWT tokens as HttpOnly cookies, refresh-token state, login session timestamps and IP addresses.

Wallet data. Public wallet address (plaintext, for on-chain queries) and private key (encrypted with AES-256 via HashiCorp Vault).

Trading data. Bot configuration, historical trades, order book snapshots used for decisions, AI decision logs, P&L.

Billing data. Stripe customer ID, subscription status, invoice history. Card details stored by Stripe only.

Usage data. Pages visited, actions taken, error events, performance metrics.

Communications. Support tickets retained while the account is active plus 12 months.

3. How and Why We Use Your Data (GDPR Legal Bases)

  • Contract performance (Art. 6(1)(b)): authenticate you, sign blockchain transactions, compute performance metrics, display dashboards.
  • Billing (Art. 6(1)(b)): process subscription fees via Stripe.
  • Legal obligation (Art. 6(1)(c)): tax records, AML logs where required, response to legal process.
  • Legitimate interests (Art. 6(1)(f)): platform security, product improvement via aggregated analytics, transactional communications.
  • Consent (Art. 6(1)(a)): optional marketing emails — withdrawable at any time.

4. Third-Party Processors

We share data with the following parties for the purposes listed, bound by data processing agreements:

  • Stripe, Inc. (USA) — payment processing.
  • Resend, Inc. (USA) — transactional email delivery.
  • HashiCorp Vault (self-hosted, EU) — encrypted key storage.
  • Amazon Web Services (EU-Frankfurt) — hosting, database, object storage.
  • Polymarket / Polygon blockchain — trade execution. Public on-chain data is visible to anyone.
  • Anthropic (USA) — LLM inference. Queries exclude user-identifying information.
  • Plausible Analytics (EU) — cookieless web analytics.

5. International Data Transfers

Some processors (Stripe, Resend, Anthropic) are in the United States. We rely on the EU–US Data Privacy Framework and Standard Contractual Clauses (SCCs) for lawful transfer. Copies of SCCs are available on request.

6. Data Retention

  • Active accounts: for the lifetime of your account.
  • Deleted accounts: personal data and encrypted keys deleted within 30 days, except where law requires retention (e.g., Israeli tax records — up to 7 years).
  • Trade history: anonymized and aggregated after deletion for product analytics.
  • Backups: rolling 30-day retention; deletion requests propagate to backups within 90 days.
  • Logs: security 90 days; access 30 days.

7. Security Measures

We employ industry-standard technical and organizational measures:

  • TLS 1.3 for all data in transit.
  • AES-256 encryption at rest for private keys via HashiCorp Vault.
  • Bcrypt password hashing with per-user salts.
  • HttpOnly, Secure, SameSite cookies for session tokens.
  • Rate limiting, WAF, DDoS protection.
  • Role-based access control; two-person approval for production DB access.
  • Security monitoring, annual penetration testing, quarterly dependency audits.

No system is 100% secure. In the event of a data breach affecting personal data, we will notify you and the Israeli Privacy Protection Authority within 72 hours of becoming aware, as required by Israeli Privacy Protection Regulations (Data Security), 2017.

8. Your Rights

Under GDPR, Israeli Privacy Protection Law, and CCPA:

  • Access — request a copy of personal data we hold.
  • Rectification — correct inaccurate data.
  • Erasure ("right to be forgotten").
  • Restriction of processing.
  • Portability — structured, machine-readable export.
  • Objection to processing based on legitimate interests.
  • Withdraw consent for consent-based processing.
  • Not be subject to fully automated decisions with significant effect. Trades execute on your explicit instructions and parameters.
  • Lodge a complaint with a supervisory authority (Israel: privacy.gov.il; your EU DPA; California AG).

To exercise rights: privacy@alphedge.com. We respond within 30 days (up to 60 for complex requests).

9. Cookies & Similar Technologies

Essential cookies only:

  • access_token — HttpOnly JWT, 15-minute expiry.
  • refresh_token — HttpOnly refresh, 30-day expiry.
  • locale — language preference (first-party, non-tracking).
  • theme — display theme preference (first-party).

No third-party tracking or advertising cookies. Plausible is cookieless.

10. Children's Privacy

AlphEdge is not directed at, and we do not knowingly collect personal data from, anyone under 18. If you believe a minor provided us data, email privacy@alphedge.com.

11. California Residents (CCPA / CPRA)

Additional rights for California residents: right to know, right to deletion, right to opt out of "sale" (not applicable — we do not sell data), right to non-discrimination. Contact privacy@alphedge.com.

12. Contact & Data Protection Officer

Data Protection Officer:
Email: privacy@alphedge.com
Postal address: [Company address — to be added before launch]

EU Representative (Art. 27 GDPR): [To be appointed before EU customers are onboarded.]

13. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified at least 30 days before taking effect. "Last updated" reflects the latest revision.