Privacy Policy
Last updated: July 10, 2026
This policy explains what personal data AlphaVault collects, why, and your rights under the Philippine Data Privacy Act of 2012 (RA 10173) and its IRR. We collect the minimum we need to run a trading journal for you.
1. What we collect
Account data: name, email address, password (stored only as a salted hash by our authentication provider), optional two-factor secrets, and your timezone. Membership data: your validation state and, for affiliate validation, the broker account number and name/email you registered with the broker. Trading data: the trades, notes, tags, emotions, screenshots, playbooks, goals and journal entries you create or sync. MT5 connection data: if you connect auto-sync, your account number, server name and read-only investor password — the investor password is encrypted at rest (AES-256-GCM), is used server-side only, and can never place trades or withdraw funds.
2. What we don't collect
No payment or card details (there is no billing). No master trading passwords. No advertising trackers or third-party analytics cookies — see Cookies.
3. Why we process it (lawful basis)
To provide the service you signed up for (contract): syncing and displaying your trades, analytics, alerts. To validate community membership (legitimate interest, disclosed at signup). To secure the platform: rate limiting, authentication logs (legitimate interest). To send price alerts to the Telegram chat ID you choose to link (consent — unlink it anytime in Alerts).
4. Where it lives and who processes it
Data is hosted on Supabase (database and authentication) and the app runs on Vercel; live price ticks are relayed through Cloudflare. Trade sync runs on a private server we operate. These providers act as processors; we do not sell or rent your personal data to anyone. Your coach can see your membership state and the broker account number you submitted for validation — not your journal content.
5. Retention
Your data is kept while your account exists. When you request deletion, your account, journal, and connected-account credentials are removed from the live database within 30 days; encrypted backups roll off on the provider's schedule.
6. Your rights (RA 10173)
You have the right to be informed, to access, to correct, to object, to erasure or blocking, to damages, and to data portability. Exercise them via your coach or the in-app contact channel; we respond within the periods set by the NPC. If you believe your rights were violated you may complain to the National Privacy Commission (privacy.gov.ph).
7. Security
Row-level security on every table, encrypted investor passwords, service credentials kept server-side only, two-factor authentication available on every account, and rate limiting on authentication endpoints. No system is perfectly secure — if a breach affecting your data occurs we will notify you and the NPC as RA 10173 requires.
8. Children
The Service is for adults 18+. We do not knowingly hold data on minors.
9. Changes
Material changes to this policy will be announced in the app before they take effect.