Privacy Policy

1. Introduction

Ant vs Bear Ltd (“AlphaRules”, “we”, “us”, or “our”), registered at 128 City Road, London, United Kingdom, EC1V 2NX (Company No. 15391307), operates the website alpha-rules.com and the AlphaRules application (together, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Service.

This policy applies to users worldwide, including those in the United Kingdom, European Economic Area, United States, and India. Jurisdiction-specific rights are set out in Section 7.

2. Information We Collect

2.1 Information You Provide

• Account information: Name, email address, and password when you register.
• Payment information: Payment card details and billing address when you subscribe. Processed by Stripe — we do not store your full card number.
• Strategy and portfolio data: Investment rules, screening criteria, thresholds, portfolio configurations, watchlists, and alert preferences.
• AI queries and prompts: Questions, prompts, and natural language requests you submit to our AI features (e.g., strategy builder chat, stock debates). These are used to generate responses and improve the Service.
• Communications: Information you provide when you contact support, submit feedback, or respond to surveys.

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, strategies created, backtests run, alerts received, screening rules selected, and threshold adjustments.
• Device and technical data: IP address, browser type, operating system, device type, referring URL.
• Cookies: See Section 8.
• Log data: Server logs including access times and error logs.

2.3 Information We Do NOT Collect

3. How We Use Your Information

1. Providing the Service: Processing your screening rules, generating watchlists, running backtests, and sending alerts.
2. Account management: Creating and managing your account, processing payments, communicating about your account.
3. Service improvement and community insights: Analysing anonymised, aggregated usage patterns to improve the Service and generate community insights — such as which screening rules are most popular and how different rule combinations have performed historically. Individual strategies are never disclosed.
4. Communications: Service-related emails and, where opted in, marketing communications.
5. Security: Detecting and preventing fraud, abuse, and security incidents.
6. Legal compliance: Complying with applicable laws, regulations, and legal processes.

Legal Basis for Processing (UK/EEA Users)

Purpose Limitation (Indian Users — DPDP Act)

For users in India, personal data is processed only for the purposes stated in this Privacy Policy and as consented to at the time of collection. We will not process your personal data for any purpose beyond what is necessary to provide the Service, unless we obtain your separate consent.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties.

4.1 Service Providers

4.2 Aggregated and Community Data

We analyse anonymised, aggregated data to generate community insights that are displayed within the Service. Examples include:

• Which screening rules are most popular across all users
• How different rule combinations have performed in historical backtests
• Aggregate accuracy of AI debate verdicts over time

This data is always anonymised and aggregated — it cannot be used to identify you or reconstruct your individual strategy. No personally identifiable information is included in community insights.

4.3 Legal Requirements

We may disclose your information if required by law or to protect the rights, property, or safety of AlphaRules, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

5. Data Security

• Encryption in transit: TLS 1.2+ (HTTPS) for all data transmission.
• Encryption at rest: Personal data and strategy data encrypted at rest.
• Access controls: Restricted to authorised personnel on a need-to-know basis.
• Authentication: Passwords hashed using industry-standard algorithms. No plaintext storage.
• Infrastructure: Vercel and Supabase maintain SOC 2 Type II compliance.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (UK/EEA) and affected users without undue delay. For Indian users, we will notify the Data Protection Board of India in accordance with the DPDP Act.

6. Data Retention

• Active accounts: Data retained while your account is active.
• Closed accounts: Personal data deleted or anonymised within 30 days of account deletion, except where required by law.
• Anonymised data: Aggregated, anonymised usage data may be retained indefinitely.
• Payment records: Retained up to 7 years (HMRC requirements).
• Support correspondence: Retained up to 2 years after resolution.

7. Your Rights

7.1 UK and EEA Users (UK GDPR / EU GDPR)

• Access: Request a copy of your personal data.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion (“right to be forgotten”).
• Restriction: Restrict processing in certain circumstances.
• Portability: Receive your data in a machine-readable format.
• Object: Object to processing for legitimate interests or direct marketing.
• Withdraw consent: At any time where processing is consent-based.

Contact: privacy@alpha-rules.com. Response within 30 days.

Supervisory authority: Information Commissioner’s Office (ICO) for UK users, or your local DPA for EEA users.

7.2 California Residents (CCPA / CPRA)

• Know: Request disclosure of personal information collected.
• Delete: Request deletion of your personal information.
• Correct: Request correction of inaccurate information.
• Non-discrimination: We will not discriminate for exercising your rights.

We do not sell your personal information. We do not share personal information for cross-context behavioural advertising.

7.3 Indian Users (DPDP Act 2023)

• Access: Obtain a summary of your personal data and processing activities.
• Correction and erasure: Request correction of inaccurate data and erasure of data no longer necessary.
• Grievance redressal: Submit a complaint — our Grievance Officer will respond within 30 days.
• Nominate: Nominate another person to exercise your rights in the event of death or incapacity.

Consent: We process your data based on informed, specific consent provided at account creation. You may withdraw consent at any time by deleting your account or contacting us.

Grievance Officer: Data Protection Officer, Ant vs Bear Ltd — privacy@alpha-rules.com

7.4 All Users

• Access and update your information through account settings.
• Delete your account at any time.
• Opt out of marketing emails via the unsubscribe link.
• Export your data (strategies, rules, watchlists) through the Service.

8. Cookies

We do not use third-party advertising cookies, cross-site tracking cookies, or participate in retargeting programmes. You can control cookies through your browser settings.

9. Third-Party Links

The Service may link to third-party websites. We are not responsible for their privacy practices. Review their privacy policies before providing personal information.

10. Children’s Privacy

The Service is not intended for anyone under 18. We do not knowingly collect data from children. If we learn we have, we will delete it promptly. Contact us at privacy@alpha-rules.com if you believe a child has provided us with personal information.

11. International Data Transfers

Ant vs Bear Ltd is based in the United Kingdom. Your information may be transferred to and processed in other countries, including the United States.

UK and EEA Users

Where we transfer data outside the UK/EEA, we use Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or rely on adequacy decisions.

Indian Users

Personal data may be transferred outside India for processing by our service providers. We do not transfer data to countries restricted by the Central Government under the DPDP Act. Equivalent protections are maintained through contractual obligations.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or by posting a notice on the Service. Where required by applicable law (including India’s DPDP Act), we will obtain renewed consent for material changes.

13. Data Controller and Contact