Privacy Policy

Last updated: February 8, 2026

Alphabench LLP ("Alphabench," "we," "us," or "our") operates the website https://alphabench.in and related services (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our Platform.

This policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act").

By accessing or using the Platform, you consent to the collection and processing of your data as described in this policy. If you do not agree, please do not use the Platform.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your full name, email address, and password (stored as a bcrypt hash — we never store plaintext passwords). If you sign in via Google OAuth, we receive your Google profile information including your Google ID, name, email, and profile picture URL.

1.2 Guest Accounts

You may use certain features as a guest without providing personal information. Guest accounts are automatically deleted after 24 hours along with all associated data.

1.3 Conversation & Research Data

When you use our AI-powered research assistant, we store your conversation messages, queries, strategy configurations, and backtesting results (including equity curves, performance metrics, and trade statistics). This data is associated with your account and used to provide continuity across sessions.

1.4 Session & Device Information

We collect your IP address, browser user-agent string, and session metadata when you log in. This information is used for security purposes, including detecting unauthorized access.

1.5 User Preferences & Interactions

We record your message votes (upvote/downvote on AI responses), shared iteration links you create, and iteration fork activity. If you share a conversation publicly, we track view and fork counts.

1.6 Email Communication Logs

We maintain logs of transactional emails sent to you (such as welcome emails, email verification, and password reset emails), including delivery status and timestamps.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • To create and manage your account, authenticate your identity, and maintain session security
  • To provide our AI-powered quantitative research and backtesting services
  • To store your conversation history and strategy results so you can resume and review past research
  • To process your queries through our AI models and return relevant responses
  • To send you transactional emails (account verification, password resets, important service updates)
  • To enable sharing and forking of research iterations with other users
  • To improve the Platform through aggregated, anonymized usage analysis
  • To detect, prevent, and address security issues, fraud, or technical problems
  • To comply with legal obligations under applicable Indian law

3. AI and Third-Party Data Processing

Our Platform uses artificial intelligence to power the research assistant. When you send a message, your query and relevant conversation context are processed by third-party AI services. You should be aware of the following:

3.1 Google Gemini (via OpenRouter)

Your conversation messages are sent to Google's Gemini AI model through the OpenRouter API for processing. This includes the text of your queries and prior conversation context needed to generate responses. We do not send your personal account details (email, name, password) to the AI model.

3.2 Exa AI (Financial Research)

When the AI assistant performs financial research on your behalf, search queries are sent to Exa AI to retrieve relevant financial news, analysis, and market data. The search queries are derived from your conversation but do not include personal identifiers.

3.3 ChromaDB (Vector Database)

Conversation summaries and strategy descriptions are stored as vector embeddings in ChromaDB to enable intelligent retrieval and context-aware responses. This data is tagged with your iteration ID but does not include personal account information.

3.4 Amazon Web Services (AWS SES)

Transactional emails (verification, password reset, etc.) are sent through Amazon Simple Email Service. Your email address and the email content are processed by AWS for delivery.

3.5 Market Data Sources

We use historical market data from third-party sources (including Zerodha/Kite Connect) for backtesting. Your personal data is not shared with market data providers — only instrument identifiers and date ranges are used in data requests.

4. Cookies and Local Storage

We use the following cookies and browser storage mechanisms:

  • Authentication Cookie (refresh_token): An HttpOnly, Secure cookie with SameSite=Lax policy, used to maintain your login session. This cookie expires after 7 days and contains a hashed session token (not your actual credentials). It is scoped to the /api/v1/auth path only.
  • Local Storage: We may store non-sensitive UI preferences (such as theme settings) in your browser's local storage.

We do not use advertising cookies or third-party tracking cookies for behavioral profiling.

5. Data Security

We implement industry-standard security measures to protect your personal data:

  • Passwords are hashed using bcrypt with salt before storage
  • Session tokens are hashed with SHA-256 before database storage
  • Authentication tokens (JWT) are signed with HS256
  • Sensitive configuration data is encrypted using Fernet symmetric encryption
  • All data in transit is encrypted via HTTPS/TLS
  • Database connections use encrypted channels
  • HttpOnly and Secure flags on authentication cookies prevent client-side access

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you promptly in the event of a data breach as required by applicable law.

6. Data Retention

  • Guest accounts: Automatically deleted after 24 hours, along with all associated conversations and data.
  • Registered accounts: Your account data and conversation history are retained for as long as your account is active. You may request deletion at any time.
  • Login sessions: Refresh tokens expire after 7 days. Expired sessions are periodically cleaned up.
  • Shared iterations: Publicly shared links remain accessible until you deactivate them or delete your account.
  • Email logs: Transactional email delivery logs are retained for operational and debugging purposes.

7. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

  • Service Providers: With the third-party services described in Section 3, strictly for providing Platform functionality.
  • User-Initiated Sharing: When you create a public share link for an iteration, the conversation content and results become accessible to anyone with the link.
  • Legal Requirements: When required by law, regulation, legal process, or governmental request under Indian jurisdiction.
  • Safety and Security: To protect against fraud, security threats, or to enforce our Terms of Service.

8. Your Rights Under the DPDP Act

Under the Digital Personal Data Protection Act, 2023, you have the following rights as a Data Principal:

  • Right to Access: You may request confirmation of whether we process your personal data and obtain a summary of your data.
  • Right to Correction: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to any legal retention obligations.
  • Right to Withdraw Consent: You may withdraw consent for data processing at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to Grievance Redressal: You may raise a complaint with our Grievance Officer or the Data Protection Board of India.
  • Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, please contact us at privacy@alphabench.in.

9. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will take steps to delete such information.

10. Cross-Border Data Transfer

Your data is primarily stored on servers in India. However, as described in Section 3, certain data is processed by third-party services whose servers may be located outside India (including the United States). By using the Platform, you consent to such transfers. We ensure that any cross-border transfer of personal data is carried out in accordance with the provisions of the DPDP Act and only to jurisdictions not restricted by the Central Government.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on the Platform with a revised "Last updated" date. Your continued use of the Platform after such changes constitutes acceptance of the updated policy.