Privacy Policy

Introduction

This Privacy Policy describes how ARDOR 0608 OOD ("we," "our," or "us") collects, uses, and protects your personal information when you use the alphai service available at alphai.io (the "Service") — an AI-curated financial news platform that aggregates market-moving stories from public sources, enriches them with AI analysis, and exposes them via a website, REST API (api.alphai.io), and MCP server (mcp.alphai.io) for AI agents and trading bots.

Data Controller

ARDOR 0608 OOD acts as the data controller for the personal data processed through our Service, in accordance with the General Data Protection Regulation (GDPR) and applicable Bulgarian data protection laws.

Information We Collect

Personal Information

When you register for our Service, we collect:

• Email address: (required for account creation and communication)
• Full name: (collected during registration)
• Profile avatar: (if provided through Google authentication or uploaded by you)
• Password: (encrypted and stored securely if you register directly)

Authentication Data

• Google OAuth data: (if you choose to sign in with Google): We receive your Google profile information including name, email, and profile picture
• Login credentials: (for direct registration): Username/email and encrypted password

Technical Information

• IP address and location data
• Browser type and version
• Device information
• Usage patterns and interaction data with our Service
• Log files and error reports

Payment Information

Payment processing is handled by Stripe. We do not store your credit card information. Stripe may collect and process payment-related data according to their privacy policy.

Data You Provide About Your Use

Some features let you save preferences and settings tied to your account:

• Watchlist: Stock and ETF tickers you save to follow. Stored in your account; not shared publicly.
• News alerts: Tickers you subscribe to for new-article alerts. Available on paid tiers.

Sales & Enterprise Inquiries

If you submit the contact form at /contact, we collect your name, email, intended use case, expected request volume, and the source you came from. This information is stored in our internal sales-lead database and forwarded by email to our team to follow up. We use it solely to respond to your inquiry; it is not used for marketing.

Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract performance: To provide our news platform, REST API, and MCP server access
• Legitimate interests: To improve our Service, ensure security, and communicate about service updates
• Consent: For marketing communications (where required)
• Legal obligations: To comply with applicable laws and regulations

How We Use Your Information

We use your personal information to:

Service Provision

• Create and manage your user account
• Provide AI-curated financial news, per-ticker analysis, and developer access (REST API, MCP server)
• Process your subscription and payments
• Authenticate your access to the Service

Communication

• Send service-related notifications (email verification, password reset, subscription receipts via Stripe)
• Respond to your inquiries and support requests
• Provide important updates about our Service
• Send marketing communications. We currently do not operate marketing newsletters; this clause reserves the right to introduce them in the future, only with your explicit opt-in consent.

Service Improvement

• Analyze usage patterns to improve our Service
• Develop new features and functionality
• Ensure technical functionality and security

Legal and Security

• Comply with legal obligations
• Protect against fraud and abuse
• Enforce our Terms of Service

Data Sources and Third-Party Services

News Sources & AI Enrichment

Our news feed is built from publicly available sources and enriched with AI. Specifically:

• News articles are sourced from GDELT (Global Database of Events, Language, and Tone), a public, openly accessible news index that aggregates publishers worldwide.
• AI-generated summaries, categories, relevance scores (1–10), and per-ticker impact analysis are produced using OpenAI's API.
• Original article links and publisher attribution are preserved on every article page so you can read the source.

Data Processing

When you use our Service:

• Your usage patterns (page views, search queries, REST API and MCP calls) may be logged for security, rate limiting, and service improvement

Developer Surfaces (REST API & MCP Server)

If you use our public REST API (api.alphai.io) or MCP server (mcp.alphai.io), additional data is processed:

• API keys: We store only an SHA-256 hash and a masked prefix (e.g. ak_live_xxxx…) of each key. The full plaintext is shown to you exactly once at creation and never persisted on our side. Revoked keys are kept as inactive records for audit.
• MCP OAuth credentials: Dynamic Client Registration creates short-lived OAuth client metadata. Refresh tokens rotate on use, with chain-reuse detection that revokes the entire grant chain if a stale token is replayed. Active grants are stored in Redis with a TTL.
• IP address (rate limiting): Your IP is used for short-lived rate-limit buckets in Redis (per-tier hourly quota and per-IP anti-scrape throttle). It is not written to long-term logs except by Sentry when error tracking is enabled.

Data Sharing and Third Parties

Service Providers

We share limited data with trusted third-party service providers, only as necessary to operate the Service:

• Stripe: Payment processing — handles all card data directly; we store only your Stripe customer and subscription IDs (subject to Stripe's privacy policy).
• Google: Authentication via Google OAuth and Google One Tap (if you choose to sign in with Google).
• Cloud hosting providers: For secure data storage, application hosting, and service delivery.
• Mailgun (EU endpoint): Transactional email delivery — verification emails, password resets, sales-lead notifications. We do not run marketing newsletters at this time.
• OpenAI: News enrichment — generating summaries, categories, relevance scores, and per-ticker analysis from public news articles. No personal account data is sent to OpenAI.
• GDELT: Public news index that supplies the article metadata and source links we ingest. GDELT does not receive any personal data from us.
• Analytics & monitoring providers: We use PostHog (product analytics, EU endpoint) for first-party usage signals, and Sentry (optional, error tracking) when enabled. Consent-gated trackers loaded via the TarteAuCitron consent banner include Google Analytics, Google Tag Manager, Google Ads, Facebook Pixel, and Yandex Metrica — none of these load until you accept analytics cookies.

Legal Requirements

We may disclose your information when required by law, legal process, or to protect our rights and the safety of our users.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.

International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other appropriate safeguards as required by GDPR

Data Retention

We retain your personal data for as long as necessary to provide our Service and fulfill the purposes outlined in this policy:

• Account data: Retained while your account is active. After an account-deletion request, personal data is removed within 30 days; aggregated, non-identifying analytics may be retained.
• Payment data: Retained as required by financial regulations (typically 7 years)
• Technical logs: Retained for 12 months for security and service improvement purposes
• Marketing data: Retained until you withdraw consent or for 3 years of inactivity

Your Rights Under GDPR

You have the following rights regarding your personal data:

How to Exercise Your Rights

To exercise any of your rights, please contact us at:

We will respond to your request within 30 days as required by GDPR.

Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption: Data is encrypted in transit and at rest
• Access controls: Limited access to personal data on a need-to-know basis
• Regular security assessments: Ongoing monitoring and security updates
• Secure authentication: Bcrypt password hashing, JWT-based session tokens with rotating refresh tokens, and OAuth 2.0 sign-in via Google. Two-factor authentication is not currently offered.
• Data breach procedures: Established incident response procedures

Minors

Our Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.

Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of significant changes by:

• Posting the updated policy on our website
• Sending an email notification to registered users
• Displaying a prominent notice on our Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

Contact Information

For questions about this Privacy Policy or our data practices, please contact us: