This Privacy Policy describes how AlphaQuantVibe Technologies collects, uses and safeguards information when you use the AlphaQuantVibe Workspace.
1. Information We Collect
- Identification data: name, email, username.
- Authentication data: bcrypt-hashed password, JWT issuance metadata.
- Financial-account metadata: broker API keys (AES-256-GCM at rest), client identifiers, token rotation timestamps.
- Trading activity data: signals viewed, orders placed, positions, P&L, configuration changes.
- Behavioural telemetry: feature interactions, page-view frequency, error reports.
- Communication content: support messages, Telegram acknowledgements.
TODO: 🔴 DPDPA 2023 §6 + §7 — consent must be specific per category, with itemised purposes. Split telemetry/metadata into granular categories. See /app/memory/SEBI_LEGAL_REVIEW.md §2.2.
2. How We Use Information
- Operate, maintain and improve the Service (lawful basis: contractual necessity, DPDPA §7(b)).
- Personalise signals, scoring and analytics — this constitutes profiling under DPDPA §10; you may request review of any automated decision affecting you.
- Communicate operational updates and security alerts (DPDPA §7(c) — legal obligation).
- Comply with SEBI, PMLA, IT Act and other statutory obligations.
TODO: 🔴 DPDPA 2023 §10 — disclose profiling. Map lawful basis per §7. Pre-emptively appoint DPO even before SDF threshold.
3. Sharing & Disclosure
We do not sell personal information. We share data only with the following sub-processors, each under written confidentiality and data-protection terms:
- Zerodha Broking Ltd (India) — order execution, holdings sync
- ICICI Securities (Breeze Connect) (India) — secondary broker integration
- Resend (United States) — transactional email
- Telegram BV (United Arab Emirates) — push notifications
- MongoDB Atlas (region-dependent) — primary data store
- Emergent (United States) — application hosting and infrastructure
- OpenAI / Anthropic / Google (United States) — LLM inference for AI-assisted research features
TODO: 🔴 DPDPA 2023 §8(2) — data fiduciary is directly liable for sub-processor breaches. Enumerate every sub-processor.
4. Security
API keys and sensitive credentials are encrypted at rest using AES-256-GCM. Network traffic is protected by TLS 1.2 or higher. Access to production data is logged and reviewed. Broker tokens are rotated automatically each trading day before market open (06:00 IST) per the Platform Policies.
TODO: 🟠 DPDPA §8(5) reasonable safeguards. Algorithm + key custody disclosed.
5. Data Retention
- Account identification: 7 years after account closure
- Orders & trades: 8 years (PMLA + SEBI record retention)
- Signals & analytics output: 5 years (SEBI RA Regs analogue)
- Behavioural telemetry: 12 months
- Communication content: 24 months
- Authentication audit logs: 24 months
TODO: 🔴 DPDPA §8(7) + PMLA 2002 §12 + SEBI CIR/MIRSD/9/2013 — definite retention windows required.
6. Your Rights (DPDPA §11–§14)
- Confirmation & access (§11): request a summary of personal data we hold about you.
- Correction & erasure (§12): request correction of inaccurate data or deletion of data we no longer need to retain.
- Grievance redressal (§13): contact our Grievance Officer (below). We will respond within 30 days.
- Nominate (§14): nominate another individual to exercise these rights in case of your death or incapacity.
TODO: 🔴 Enumerate each right + appoint Grievance Officer + 30-day SLA.
7. International Transfers
The Service is operated from India. Personal data may be transferred to the United States (Resend, Emergent, OpenAI, Anthropic, Google), the United Arab Emirates (Telegram BV) and other regions where our sub-processors operate, in compliance with DPDPA §16 (none of these countries is currently on the Central Government's restricted list).
TODO: 🟡 DPDPA 2023 §16 — name specific destination countries.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced inside the workspace at least 14 days before they take effect, and an email notice will be sent to your registered address. Continued use after the effective date constitutes acceptance.
TODO: 🟡 DPDPA §6(2) — also email dormant users.
9. Contact — Grievance Officer & DPO
Grievance Officer: [Name — to be appointed] · grievance@alphaquantvibe.com · response SLA: 30 days
Data Protection Officer: [Name — to be appointed] · dpo@alphaquantvibe.com
For general privacy queries: privacy@alphaquantvibe.com
TODO: 🟠 DPDPA §13 + §17 — appoint both, publish name + designation + contact.