This policy explains what personal data AlphaAssay processes, why, and the rights you have. It applies to the Swiss Federal Act on Data Protection (revDSG) and, where we offer the Service to individuals in the EU/EEA, to the GDPR (Art. 3(2) — extraterritorial scope).
Who is responsible
The controller is AlphaAssay, 6403 Küssnacht am Rigi, Switzerland — see the legal notice. Data-protection contact: hello@alphaassay.com.
The short version: we do not see your strategies
We do not store your trading strategies, signals or backtests. What we retain from an assay is a
one-way cryptographic fingerprint (a hash) and the machine-readable cause of death —
died_at, failure codes and family statistics. A fingerprint cannot be reversed into your
inputs. This is a design choice, not a promise of good behaviour: we cannot leak, sell or front-run what we
never keep.
What we process, and why
| data | why | legal basis |
|---|---|---|
| Account details (email, and any name you provide) | create and secure your account, send service messages | contract performance (GDPR 6(1)(b); revDSG contractual) |
| Payment metadata (via Coinbase / x402 or a card processor) | take payment and prevent abuse — we do not store card numbers; the processor handles them | contract performance; legitimate interest in fraud prevention (6(1)(f)) |
| API and request logs (request id, timestamp, endpoint, status, coarse IP/rate-limit signal) | run the API, debug, enforce rate limits, keep an audit trail | legitimate interest (6(1)(f)); legal record-keeping where applicable |
| Your submitted signals / backtests | run the assay in memory; only a one-way fingerprint + verdict metadata is retained, never the inputs | contract performance |
Where it is hosted
The Service runs on servers located in the European Union (Germany). Payment processing runs through our payment providers (e.g. Coinbase for x402/USDC), who process the payment data described above under their own terms.
How long we keep it
Operational API and request logs are retained for about 90 days, then deleted or aggregated. Account data is kept while your account exists and for as long as needed to meet legal obligations. Verdict fingerprints and public calibration/graveyard statistics are, by design, anonymised and may be kept as part of the permanent public record — they contain no personal data and no recoverable strategy.
Who we share with
We do not sell your data and do not share it for advertising. We share only what is necessary with payment processors (to take payment) and infrastructure providers (hosting), acting as our processors, and where required by law. There is no other disclosure.
No tracking, no advertising cookies
This site runs no analytics and no advertising trackers. We set only cookies that are strictly necessary for the site or your session to function. There is no cross-site tracking to opt out of because there is none to begin with.
Your rights
Under the revDSG and, where it applies, the GDPR, you can request access to your data, and its rectification, erasure, restriction or portability, and you can object to processing based on legitimate interests. To exercise any of these, email hello@alphaassay.com. You also have the right to lodge a complaint with a supervisory authority — in Switzerland the FDPIC (Federal Data Protection and Information Commissioner), or in the EU/EEA your local data-protection authority.
Changes
We may update this policy; the current version is dated at the top. Material changes take effect when posted here.