
Privacy Policy

Last updated: 12 May 2026

1. Who we are

AlphaLab-AI FZ-LLC (“AlphaLab-AI”, “we”, “us”, “our”) is the controller of personal data processed in connection with the website alphalab-ai.com and any related software and services (together, the “Service”).

Registered office: AlphaLab-AI FZ-LLC, RAK Free Trade Zone, Ras Al Khaimah, United Arab Emirates.

Privacy contact: privacy@alphalab-ai.com. Data-protection enquiries: dpo@alphalab-ai.com.

2. Scope and territorial application

AlphaLab-AI is established in the United Arab Emirates and primarily subject to UAE law, including the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, “PDPL”).

Where you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with extraterritorial data-protection legislation (such as the EU's General Data Protection Regulation 2016/679, the UK GDPR, and similar regimes), we honour the rights those laws give you. We do not currently appoint a representative under GDPR Article 27; you may exercise your rights directly with us via the contacts in §1.

The Service is intended for users worldwide except where local law prohibits automated trading software or the use of leveraged products. We do not knowingly target users in restricted jurisdictions.

3. What personal data we collect

We collect the following categories of personal data:

Account & profile

  • Email address, password (stored as an Argon2id hash, never in plaintext), MFA secret (encrypted with AES-256-GCM under our platform key).
  • Optional profile data you provide after email verification: first name, last name, date of birth (used to check the 18+ requirement), country of residence (ISO 3166-1 alpha-2 code), and an optional phone number used for security alerts only.
  • Newsletter subscription state (the timestamp at which you opted in, if you did).

Service usage

  • Session records: an opaque session token (we never store the raw token, only a SHA-256 hash), your IP address, user-agent string, sign-in timestamp, MFA-cleared status, and session expiry.
  • Audit-log entries: a structured record of actions you take (sign in, change password, complete profile, subscribe / unsubscribe from newsletter, request a refund), with the timestamp, IP, and user-agent at the time of action. Used for security investigation and regulatory record-keeping.
  • Risk-Profiler responses: the inputs you submit when running the AI Risk Profiler, and the recommendation returned. Stored against your account so we can re-display the recommendation later.

Payments

  • Billing identifiers (your Stripe customer ID, subscription ID, invoice numbers, last 4 digits of card and brand, country of card issue). We never see or store full card numbers, CVVs, or bank-account numbers — those are handled directly by Stripe.

Communications

  • Transactional emails we send to your account email (verify, password reset, security alert) and metadata returned by Resend (delivery status, bounce events).
  • Support correspondence you send us via email or any contact form.

Technical telemetry

  • Error-tracking metadata (stack traces, sanitised request context) captured by Sentry when an unhandled error occurs. Sentry receives the request ID, route, HTTP status, and your IP at the time of the error. We do not knowingly send personal data into Sentry breadcrumbs.
  • CDN / hosting access logs (IP address, request URL, timestamp, user-agent). Held briefly for fraud / abuse detection, then deleted.

4. How we use personal data (purposes & lawful bases)

For users in jurisdictions that require us to declare a lawful basis (e.g. GDPR Article 6), the bases we rely on are:

  • Contract performance — to provide the Service, run your account, process payments, deliver transactional emails, and enforce Plan limits.
  • Legitimate interests — to keep the Service secure (audit logs, anomaly detection, fraud prevention), to improve the product (aggregated usage analytics, error monitoring), and to defend our legal rights.
  • Consent — for the optional newsletter / marketing emails. You can withdraw consent at any time from your notification preferences or via the one-click unsubscribe link in any newsletter.
  • Legal obligation — record-keeping for tax, audit, anti-money-laundering, and regulatory compliance.

5. Sub-processors

We use a small set of trusted vendors to operate the Service. They process personal data on our instructions, under contractual confidentiality and security obligations. The current list is:

Vendor | Purpose | Data location
Stripe, Inc. | Payment processing, billing | EU / US
Resend Inc. | Transactional and newsletter email delivery | EU (Ireland)
Neon Inc. | Managed PostgreSQL database hosting | US-East (AWS us-east-1)
Railway Corp | API hosting (containers) | US
Vercel Inc. | Web frontend hosting (Next.js) | Global edge
Cloudflare, Inc. | DNS, CDN, DDoS protection | Global edge
Functional Software, Inc. (Sentry) | Error tracking | US
Anthropic PBC | AI inference for AI-assisted features | US
Google LLC (Workspace, Gmail) | Inbound and outbound business email | EU / US
Google LLC (Sign-In with Google) | OAuth 2.0 / OpenID Connect identity provider for users who choose “Continue with Google” on sign-in / registration. We receive only `sub` (an opaque stable identifier), email, first name, and last name — explicitly no Google Drive, Calendar, or other Workspace data. | EU / US

The list is kept current. We notify subscribers by email at least 30 days before adding a new sub-processor that materially changes data routing, except in emergencies where notification cannot reasonably be made in advance.

6. International data transfers

Some of our sub-processors (Neon, Railway, Sentry, Anthropic) are located in the United States; Stripe operates EU and US infrastructure. When we transfer personal data outside your country of residence, we rely on contractual safeguards equivalent to the EU Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures (encryption in transit and at rest, pseudonymisation for telemetry, strict access controls). If you contact us at dpo@alphalab-ai.com, we will share a copy of the relevant transfer-impact assessment or sub-processor DPA on a confidential basis.

7. How long we keep data (retention)

  • Account & profile data: kept while the account is active. Deleted within 30 days of you closing the account (see §10), except where a longer retention is required by law (e.g. tax records, anti-fraud obligations).
  • Sessions: active sessions expire 24 hours after issuance; expired sessions are purged within 30 days.
  • Audit log: retained for up to 7 years from the date of the event, for regulatory and security investigation purposes. After account deletion the actor reference is anonymised; the entry remains as a record-of-processing.
  • Payment records: retained for as long as required by tax and accounting law in the UAE and your country (typically 5–7 years).
  • Email metadata (Resend): 30 days for delivery diagnostics, then purged from Resend per their own retention.
  • Error telemetry (Sentry): 90 days, then automatically deleted.

8. How we secure data

  • TLS 1.3 in transit, AES-256-GCM at rest for sensitive fields.
  • Argon2id password hashing.
  • MFA secrets and recovery codes encrypted under a platform key with rotation.
  • Session tokens are opaque, SHA-256-hashed in the database, never logged.
  • Role-based access control on every administrative action, with a full audit trail.
  • Continuous vulnerability scanning (Trivy on container images, CodeQL on source, Dependabot on dependencies, secret scanning on every push).
  • Production infrastructure isolated from corporate IT. Production secrets stored in a secrets manager, never committed to source control.

No method of electronic transmission or storage is 100% secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify you and any competent supervisory authority within the time frames required by applicable law (under GDPR, 72 hours).

9. Your rights

Depending on where you reside, you may have the following rights in respect of your personal data:

  • Access — download a copy of the data we hold about you (from /account/data, in machine-readable JSON).
  • Rectification — correct inaccurate or incomplete data (from /account/profile/edit).
  • Erasure — delete your account and the data linked to it (from /account/data → Delete my account). We retain anonymised audit-log entries for legal compliance per §7.
  • Portability — receive your data in a structured, commonly-used, machine-readable format (the JSON export above satisfies this).
  • Restriction — ask us to limit the processing of your data while a complaint or correction is investigated.
  • Objection — object to processing based on legitimate interests (e.g. analytics).
  • Withdraw consent — for any processing that relies on consent (newsletter), at any time, without affecting prior processing.
  • Complaint — lodge a complaint with your local data-protection authority (e.g. the UAE Data Office, the EU national DPAs, the UK ICO).

To exercise any of these rights, use the self-service controls linked above or write to privacy@alphalab-ai.com. We respond within 30 days. We may ask you to verify your identity before acting on a request.

10. Account deletion

You can delete your account from /account/data. The deletion runs in the following stages:

  1. Immediate scrubbing — we delete or anonymise personal data fields on the account record (name, profile, MFA secret), revoke every active session, and invalidate any in-flight password-reset or verification token.
  2. 30-day grace window — the account row remains in a soft-deleted state for 30 days. If you change your mind, contact support before the window closes and we can restore the account.
  3. Hard purge — after 30 days, the account row is permanently deleted by a daily cron. Audit-log entries you generated stay (with the actor field anonymised) as required by §7.

11. Cookies

The Service uses essential cookies (sign-in session) only. Detailed information about what we set and why is in our Cookie Policy.

12. AI features and personal data

When you use an AI-assisted feature (e.g. AI Risk Profiler explanations), the prompt we send to the model includes your relevant input (risk-profile answers, product context). We do not include your email, phone number, IP address, or any directly identifying information in those prompts unless strictly necessary for the feature.

Our AI provider (Anthropic) does not train its production models on prompts received via the commercial API. We extend the same commitment to you.

13. Children

The Service is for adults (18+). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@alphalab-ai.com and we will delete it.

14. Automated decision-making and profiling

The AI Risk Profiler produces a software-suitability recommendation based on the answers you give. It is not a fully-automated decision with legal or similarly significant effect — the recommendation does not affect your access to the Service, your subscription terms, or your pricing. You are free to follow or ignore it.

We do not use automated profiling for ad targeting, credit decisions, fraud risk scoring beyond standard security signals, or any other purpose with legal effect.

15. Changes to this Policy

We update this Privacy Policy from time to time. Material changes (new categories of data collected, new sub-processors that materially change routing, a change of controller) are notified by email to active accounts at least 30 days before they take effect, and the “Last updated” date is revised accordingly.

16. Contact

AlphaLab-AI FZ-LLC
RAK Free Trade Zone, Ras Al Khaimah, United Arab Emirates
Privacy: privacy@alphalab-ai.com
Data-protection officer: dpo@alphalab-ai.com