PRIVACY POLICY AND DATA PROTECTION NOTICE
INTRODUCTION
Alpha Mirror ("we", "us", "our", "the Company") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, process, store, share, and protect personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.
This Privacy Policy is incorporated by reference into our Terms and Conditions and applies to:
- All users accessing our website, mobile applications, platform, or APIs;
- All clients engaging our trading, portfolio management, or advisory services;
- All counterparties in trading or commercial relationships;
- All service providers, partners, and vendors;
- All visitors to our physical or virtual premises;
- Any other third parties interacting with our company or services.
By using our services or providing personal data to Alpha Mirror, you acknowledge that you have read, understood, and consent to the practices described in this Privacy Policy.
If you have questions about our data practices, wish to exercise your privacy rights, or need to contact our Data Protection Officer, please use the contact information provided in Section 14.
1. DATA CONTROLLER AND RESPONSIBILITY
1.1 Alpha Mirror as Data Controller
Alpha Mirror is the data controller responsible for your personal data. This means we determine the purposes for which and the means by which your personal data is processed. Our responsibilities as data controller include:
- Determining what personal data to collect and how to use it;
- Ensuring processing complies with applicable data protection laws;
- Implementing appropriate security measures to protect your data;
- Responding to your requests to exercise privacy rights;
- Maintaining records of processing activities;
- Conducting data protection impact assessments where required;
- Reporting data breaches to authorities and affected individuals when required.
1.2 Contact Information
- Company Name: Alpha Mirror
- Jurisdiction: Republic of Panama
- Data Protection Officer Email: business@alphamirror.ai
- General Inquiries: business@alphamirror.ai
2. WHAT PERSONAL DATA WE COLLECT
2.1 Categories of Personal Data
We collect and process the following categories of personal data:
| Category | Examples of Data Collected |
| --- | --- |
| Identity Data | Full name, date of birth, nationality, gender, government-issued ID numbers, passport details, facial photographs, signatures |
| Contact Data | Email address, phone number, residential address, business address, emergency contact information |
| Professional Data | Job title, employer, employment history, professional qualifications, business affiliations, industry sector |
| Financial Data | Bank account details, payment card information, wallet addresses (cryptocurrency), transaction history, portfolio holdings, trading activity, account balances, source of funds, net worth, income level |
| Technical Data | IP address, device identifiers, browser type and version, operating system, login data, session information, API keys, cookies and similar technologies |
| Behavioral Data | Usage patterns, trading preferences, platform interaction data, login frequency, feature usage, click-through data, time spent on platform |
| Location Data | Geolocation information, IP-based location, timezone, country of residence, travel patterns (where relevant for compliance) |
| Communication Data | Content of communications with us (emails, chat messages, support tickets), call recordings, feedback and survey responses |
| Compliance Data | KYC/AML verification documents, politically exposed person (PEP) status, sanctions screening results, beneficial ownership information, risk assessments |
| Marketing Data | Marketing preferences, subscription choices, event attendance, response to campaigns |
2.2 Sources of Personal Data
We collect personal data from the following sources:
- Directly from you: When you register, use our services, complete forms, communicate with us, or voluntarily provide information;
- Automated technologies: Through cookies, analytics tools, and automated systems that collect technical and behavioral data;
- Third-party services: From exchanges, custodians, payment processors, identity verification services, and other service providers;
- Public sources: From blockchain explorers, public registries, regulatory filings, and publicly available information;
- Business partners: From referral partners, affiliates, or other parties with whom you have authorized data sharing;
- Compliance providers: From KYC/AML service providers, sanctions screening services, and fraud detection services.
2.3 Special Categories of Personal Data
We generally do not collect special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless specifically required for legal or regulatory compliance. If we must collect such data, we will obtain your explicit consent or rely on another lawful basis, and we will implement enhanced protections.
3. HOW WE COLLECT PERSONAL DATA
3.1 Direct Collection Methods
- Account Registration: Information provided when creating an account or profile;
- KYC/AML Verification: Documents and information submitted for identity verification and compliance;
- Service Requests: Information provided when requesting specific services or features;
- Trading Activity: Data generated through your use of trading and portfolio management services;
- Communications: Information shared in emails, support tickets, chat messages, or phone calls;
- Surveys and Feedback: Responses to questionnaires, surveys, or feedback requests;
- Events and Webinars: Registration and attendance information for events we host or sponsor.
3.2 Automated Collection Methods
- Cookies and Tracking Technologies: Data collected through cookies, web beacons, and similar technologies (see Section 11);
- Platform Usage: Automatic logging of platform interactions, feature usage, and navigation patterns;
- API Activity: Automated collection of API calls, requests, and responses;
- System Logs: Server logs capturing IP addresses, access times, and system events;
- Analytics Tools: Data collected through analytics and performance monitoring tools.
4. LEGAL BASIS FOR PROCESSING PERSONAL DATA
We process your personal data only when we have a valid legal basis under applicable law. The legal bases we rely on include:
4.1 Contractual Necessity (GDPR Art. 6(1)(b))
Processing is necessary for the performance of our contract with you or to take steps at your request before entering into a contract. This includes:
- Account creation and management;
- Providing trading, execution, and portfolio management services;
- Processing transactions and settlements;
- Communicating with you about your account and services;
- Providing customer support.
4.2 Legal Obligation (GDPR Art. 6(1)(c))
Processing is necessary to comply with legal obligations to which we are subject, including:
- KYC/AML verification and ongoing monitoring;
- Sanctions screening and compliance;
- Tax reporting and withholding obligations;
- Regulatory reporting and disclosures;
- Responding to lawful requests from authorities;
- Record retention requirements;
- Prevention of fraud, money laundering, and terrorist financing.
4.3 Legitimate Interests (GDPR Art. 6(1)(f))
Processing is necessary for our or a third party's legitimate interests, provided those interests are not overridden by your fundamental rights. Legitimate interests include:
- Fraud prevention and security monitoring;
- Network and information security;
- Risk management and internal compliance;
- Business analytics and service improvement;
- Direct marketing to existing clients (with opt-out rights);
- Protecting our legal rights and defending against claims;
- Corporate transactions such as mergers or acquisitions;
- Internal administration and business operations.
4.4 Consent (GDPR Art. 6(1)(a))
Where required or appropriate, we obtain your explicit consent for specific processing activities, including:
- Marketing communications (where not based on legitimate interests);
- Certain uses of cookies and tracking technologies;
- Processing special categories of personal data (if applicable);
- International data transfers (where consent is the mechanism used);
- Automated decision-making or profiling with significant effects.
You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
4.5 Vital Interests (GDPR Art. 6(1)(d))
Processing is necessary to protect your vital interests or those of another person in emergency situations.
5. HOW WE USE YOUR PERSONAL DATA
5.1 Primary Uses
We use your personal data for the following purposes:
| Purpose | Legal Basis |
| --- | --- |
| Account creation and management | Contractual necessity |
| Providing trading and investment services | Contractual necessity |
| Processing transactions and settlements | Contractual necessity |
| KYC/AML verification and compliance | Legal obligation |
| Sanctions screening | Legal obligation |
| Tax reporting and compliance | Legal obligation |
| Fraud detection and prevention | Legitimate interests / Legal obligation |
| Security monitoring and incident response | Legitimate interests |
| Customer support and communications | Contractual necessity / Legitimate interests |
| Platform analytics and improvement | Legitimate interests |
| Risk management and compliance | Legitimate interests / Legal obligation |
| Marketing to existing clients | Legitimate interests (with opt-out) |
| Marketing to prospects | Consent |
| Legal proceedings and enforcement | Legitimate interests / Legal obligation |
5.2 Service Delivery and Operations
- Creating and managing your account;
- Executing trades and managing your portfolio;
- Providing market making and liquidity services;
- Processing deposits, withdrawals, and transfers;
- Calculating and charging fees;
- Providing access to DeFi protocols and third-party services;
- Generating performance reports and analytics;
- Managing API access and integrations;
- Responding to your inquiries and requests;
- Providing technical support and troubleshooting.
5.3 Compliance and Legal Obligations
- Verifying your identity and conducting KYC procedures;
- Screening against sanctions lists and PEP databases;
- Monitoring transactions for suspicious activity and money laundering;
- Filing suspicious activity reports (SARs) when required;
- Responding to regulatory inquiries and examinations;
- Maintaining required records and audit trails;
- Reporting to tax authorities and withholding taxes;
- Complying with court orders, subpoenas, and legal process;
- Cooperating with law enforcement investigations.
5.4 Security and Fraud Prevention
- Detecting and preventing fraud, unauthorized access, and criminal activity;
- Monitoring account activity for anomalies;
- Implementing multi-factor authentication and access controls;
- Investigating security incidents and breaches;
- Blocking malicious actors and suspicious activity;
- Protecting the integrity of our platform and services.
5.5 Platform Improvement and Analytics
- Analyzing usage patterns to improve user experience;
- Testing new features and services;
- Optimizing platform performance and reliability;
- Conducting market research and competitive analysis;
- Developing new products and services;
- Generating aggregated and anonymized analytics.
5.6 Marketing and Communications
- Sending service-related notifications and updates;
- Providing information about new features or services;
- Sending newsletters and marketing communications (with consent or opt-out rights);
- Inviting you to events, webinars, or educational content;
- Conducting surveys to gather feedback;
- Personalizing your experience based on preferences.
6. WITH WHOM WE SHARE YOUR PERSONAL DATA
We may share your personal data with the following categories of recipients:
6.1 Service Providers and Processors
We engage third-party service providers who process personal data on our behalf under our instructions. These include:
- Technology Providers: Cloud hosting, infrastructure, and platform services (e.g., AWS, Google Cloud);
- KYC/AML Providers: Identity verification, document verification, and compliance screening services;
- Payment Processors: Banks, payment gateways, and financial institutions;
- Custodians and Wallet Services: Digital asset custody and security services;
- Analytics Providers: Website analytics, user behavior analysis, and performance monitoring;
- Customer Support Tools: Helpdesk, ticketing, and CRM systems;
- Communication Services: Email delivery, SMS, and communication platforms;
- Security Services: Cybersecurity, fraud detection, and monitoring services;
- Professional Advisors: Lawyers, accountants, auditors, and consultants;
- IT Support: System maintenance, development, and technical support services.
All service providers are contractually bound to process personal data only as instructed and to implement appropriate security measures.
6.2 Exchanges and Trading Venues
- Centralized cryptocurrency exchanges (e.g., Binance, Coinbase);
- Decentralized exchanges and automated market makers;
- Over-the-counter (OTC) trading desks;
- Liquidity providers and counterparties.
6.3 Regulatory Authorities and Law Enforcement
We may disclose personal data to regulatory, governmental, tax, and law enforcement authorities when required or permitted by law, including:
- Financial regulators (e.g., SEC, CFTC, FCA, MAS);
- Tax authorities (e.g., IRS, HMRC);
- Financial intelligence units and anti-money laundering agencies;
- Law enforcement agencies investigating criminal activity;
- Courts, arbitrators, and dispute resolution bodies;
- Government agencies enforcing sanctions or export controls.
6.4 Business Partners and Affiliates
- Affiliated Companies: Other entities within the Alpha Mirror corporate group;
- Referral Partners: Parties who refer clients to us under partnership agreements;
- Research Providers: Third parties providing market data, research, or analytics;
- Integration Partners: Platforms or services with which we integrate.
6.5 Corporate Transactions
In connection with any merger, acquisition, financing, sale of assets, or bankruptcy, we may transfer personal data to prospective or actual acquirers, investors, or successors. We will notify you of such transfers and any choices you may have.
6.6 Public Blockchains
When you conduct transactions on public blockchains, certain information becomes publicly visible and permanently recorded, including:
- Wallet addresses;
- Transaction amounts and timing;
- Smart contract interactions;
- Token holdings and transfers.
This information is outside Alpha Mirror's control and cannot be modified or deleted.
6.7 With Your Consent
We may share personal data with other third parties when you have provided explicit consent for such sharing.
7. INTERNATIONAL DATA TRANSFERS
7.1 Cross-Border Transfers
Your personal data may be transferred to, stored in, or processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country. This is necessary because:
- Our service providers and infrastructure are located globally;
- Digital asset markets and exchanges operate internationally;
- Cloud services and data centers span multiple jurisdictions;
- Regulatory requirements may require sharing data across borders.
7.2 Safeguards for International Transfers
When transferring personal data internationally, we implement appropriate safeguards including:
- EU Standard Contractual Clauses (SCCs): Legally binding contracts approved by the European Commission;
- UK International Data Transfer Agreement/Addendum: For transfers from the UK;
- Adequacy Decisions: Relying on adequacy decisions by competent authorities;
- Binding Corporate Rules: Internal data protection policies for corporate group transfers;
- Explicit Consent: Where appropriate and legally permissible;
- Necessary Transfers: For contract performance or legal claims.
7.3 Jurisdictions
Your data may be transferred to and processed in the following regions:
- European Economic Area (EEA);
- United Kingdom;
- United States;
- Singapore;
- Other jurisdictions where our service providers operate.
For more information about international transfers or to request copies of safeguards implemented, please contact our Data Protection Officer.
8. DATA RETENTION
8.1 Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods depend on:
- The nature and sensitivity of the data;
- The purposes for which we process the data;
- Legal, regulatory, and contractual retention requirements;
- Potential for legal claims or disputes;
- Business and operational needs.
8.2 Specific Retention Periods
| Data Type | Retention Period |
| --- | --- |
| KYC/AML Documents | 5-10 years after relationship ends (or as required by law) |
| Transaction Records | 7-10 years for tax and regulatory compliance |
| Account Information | Duration of relationship plus retention period as required by law |
| Communications | 3-7 years depending on content and regulatory requirements |
| Marketing Data | Until consent withdrawn or legitimate interest ceases |
| System Logs | 90 days to 2 years depending on type |
| Support Tickets | 3 years after closure |
| Compliance Records | As required by applicable regulations (typically 5-10 years) |
8.3 Secure Disposal
When personal data is no longer required, we securely delete or anonymize it using industry-standard methods including secure erasure, physical destruction of media, or irreversible anonymization techniques.
8.4 Exceptions
We may retain personal data beyond standard retention periods when:
- Required by law, regulation, or court order;
- Necessary for ongoing legal proceedings or investigations;
- Needed to protect our legal rights or defend against claims;
- You have specifically requested extended retention;
- Data has been anonymized for statistical or research purposes.
9. YOUR PRIVACY RIGHTS
9.1 Rights Under GDPR (EEA/UK Residents)
If you are located in the EEA or UK, you have the following rights under the GDPR:
- Right of Access (Art. 15): Request access to your personal data and obtain a copy of the data we hold about you;
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data;
- Right to Erasure / "Right to be Forgotten" (Art. 17): Request deletion of your personal data in certain circumstances (subject to legal retention obligations);
- Right to Restriction of Processing (Art. 18): Request that we restrict processing in certain circumstances;
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller;
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes;
- Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent;
- Right Not to be Subject to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing with significant effects (unless necessary for contract or with explicit consent);
- Right to Lodge a Complaint: Lodge a complaint with your local data protection authority (see Section 9.5).
9.2 Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the CCPA:
- Right to Know: Request information about categories and specific pieces of personal information collected, sources, purposes, and third parties with whom shared;
- Right to Delete: Request deletion of personal information (subject to exceptions);
- Right to Opt-Out of Sale: Opt-out of sale of personal information (Note: Alpha Mirror does not sell personal information);
- Right to Non-Discrimination: Not be discriminated against for exercising privacy rights;
- Right to Limit Use of Sensitive Personal Information: Limit use of sensitive personal information (where applicable).
9.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: business@alphamirror.ai
- Subject: Data Subject Request or Privacy Rights Exercise
- Include: Your name, email address, account details, and description of your request
9.4 Identity Verification
To protect your privacy and security, we must verify your identity before processing rights requests. We may request additional information or documentation to confirm your identity.
9.5 Response Timeframe
We will respond to valid requests within:
- 30 days under GDPR (extendable to 60 days for complex requests with notification);
- 45 days under CCPA (extendable to 90 days with notification);
- Reasonable timeframes under other applicable laws.
9.6 Limitations on Rights
Your rights are subject to legal limitations and exceptions. We may be unable to fulfill requests when:
- We are legally required to retain data;
- Data is necessary for legal claims or compliance;
- Requests are manifestly unfounded or excessive;
- Complying would adversely affect others' rights;
- Data is necessary for performing our contract with you;
- Public interest or official authority requires retention.
9.7 Supervisory Authority Contact
If you are dissatisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- EEA: Contact your national data protection authority (list available at https://edpb.europa.eu)
- UK: Information Commissioner's Office (ICO) - https://ico.org.uk
- Other jurisdictions: Contact your local privacy regulator
10. DATA SECURITY
10.1 Security Measures
We implement comprehensive technical and organizational security measures to protect personal data against unauthorized access, loss, destruction, alteration, or disclosure. Our security framework includes:
10.2 Technical Safeguards
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256 or equivalent);
- Access Controls: Role-based access control (RBAC) and principle of least privilege;
- Multi-Factor Authentication (MFA): Required for sensitive operations and administrative access;
- Firewalls and Network Security: Enterprise-grade firewalls, intrusion detection/prevention systems;
- Secure Infrastructure: Cloud services with SOC 2, ISO 27001 certifications;
- Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning;
- Secure Development: Security-by-design principles and code review processes;
- Data Segregation: Logical separation of customer data and production/test environments;
- Backup and Recovery: Regular encrypted backups and disaster recovery procedures;
- Monitoring and Logging: 24/7 security monitoring, anomaly detection, and audit logging.
10.3 Organizational Safeguards
- Security Policies: Comprehensive information security policies and procedures;
- Employee Training: Regular security awareness training for all personnel;
- Background Checks: Screening of employees with access to sensitive data;
- Confidentiality Agreements: All employees and contractors bound by confidentiality obligations;
- Vendor Management: Security assessments of third-party service providers;
- Incident Response: Documented incident response plan and security team;
- Physical Security: Controlled access to facilities and secure disposal of media;
- Regular Audits: Internal and external security audits and compliance reviews.
10.4 Limitations
While we implement industry-leading security measures, no system is completely secure. Transmission of data over the internet or electronic storage carries inherent risks. We cannot guarantee absolute security and you acknowledge these inherent risks when using our services.
10.5 Your Security Responsibilities
You also play a critical role in protecting your data:
- Choose strong, unique passwords and change them regularly;
- Enable two-factor authentication;
- Never share account credentials or API keys;
- Keep authentication devices and recovery codes secure;
- Use secure networks and avoid public Wi-Fi for sensitive activities;
- Keep your devices and software updated;
- Be vigilant against phishing and social engineering attacks;
- Immediately report any suspicious activity or unauthorized access.
11. COOKIES AND TRACKING TECHNOLOGIES
11.1 What Are Cookies?
Cookies are small text files placed on your device when you visit our website. We also use similar technologies including web beacons, pixels, and local storage.
11.2 Types of Cookies We Use
| Cookie Type | Purpose |
| --- | --- |
| Strictly Necessary | Essential for website functionality, security, and authentication. Cannot be disabled. |
| Functional | Remember your preferences and settings to enhance user experience. |
| Analytics/Performance | Collect information about how you use our website to improve functionality and performance. |
| Marketing/Targeting | Track your browsing to deliver relevant advertisements and measure campaign effectiveness. |
11.3 Third-Party Cookies
We may use third-party services that set cookies, including:
- Google Analytics for website analytics;
- Social media platforms for sharing functionality;
- Advertising networks for marketing campaigns;
- Customer support tools (e.g., Intercom, Zendesk).
11.4 Managing Cookies
You can control cookies through:
- Our cookie consent banner when you first visit the website;
- Your browser settings (see your browser's help documentation);
- Opt-out tools provided by third-party services;
- Cookie preference center on our website (if available).
Note that disabling certain cookies may affect website functionality and your ability to use some features.
12. SPECIAL CONSIDERATIONS
12.1 Blockchain Data Immutability
Blockchain transactions are public, permanent, and immutable. Once data is written to a public blockchain:
- It cannot be modified, deleted, or erased;
- It remains publicly visible indefinitely;
- Wallet addresses and transaction details are pseudonymous but potentially linkable to your identity;
- Alpha Mirror has no control over blockchain data and cannot fulfill deletion requests for on-chain data.
You acknowledge and accept these limitations when conducting blockchain transactions through our services.
12.2 Automated Decision-Making and Profiling
We may use automated systems for certain purposes including:
- Fraud detection and risk assessment;
- KYC/AML screening and sanctions checks;
- Trading algorithm execution;
- Platform analytics and personalization.
Where automated decision-making produces legal or similarly significant effects on you, you have the right to:
- Be informed about the logic, significance, and consequences;
- Request human intervention;
- Express your point of view;
- Challenge the decision.
12.3 Children's Privacy
Our services are not intended for individuals under 18 years of age (or the age of majority in their jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.
13. CHANGES TO THIS PRIVACY POLICY
13.1 Updates and Modifications
We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes, we will:
- Update the "Last Updated" date at the bottom of this policy;
- Notify you via email or prominent notice on our platform;
- Where required by law, obtain your consent to material changes;
- Maintain prior versions for reference.
13.2 Your Acceptance
Continued use of our services after updates become effective constitutes acceptance of the revised Privacy Policy. If you do not agree to changes, you should discontinue use of our services.
14. CONTACT INFORMATION
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
14.1 General Privacy Inquiries
- Email: business@alphamirror.ai
- Subject: Privacy Inquiry
14.2 Data Protection Officer
- Email: business@alphamirror.ai
- Subject: Data Protection Officer - [Your Request Type]
14.3 Data Subject Rights Requests
- Email: business@alphamirror.ai
- Subject: Data Subject Request - [Access/Erasure/Rectification/etc.]
- Include: Full name, email address, account details (if applicable), and detailed description of your request
14.4 Security Incidents
- Email: business@alphamirror.ai
- Subject: URGENT - Security Incident Report
ACCEPTANCE AND CONSENT
By using Alpha Mirror's services or providing personal data to us, you acknowledge that:
- You have read and understood this Privacy Policy in its entirety;
- You consent to the collection, use, processing, and sharing of your personal data as described;
- You understand your privacy rights and how to exercise them;
- You acknowledge that blockchain data is immutable and cannot be deleted;
- You accept the security limitations inherent in digital systems and internet transmission;
- For marketing communications, you can opt-out at any time using the unsubscribe mechanism provided.