Privacy Policy

The data controller responsible for your personal data is FlashAlpha LTD, trading as FlashAlpha, a company registered in the Republic of Cyprus (Registration No. HE 487635).

Registered address: 44 Emmanuel Rhoidi, 3031 Limassol, Cyprus.

For data protection enquiries, you may contact us at: support@flashalpha.com

Information you provide directly: Name, email address, and payment information when creating an account or subscribing. We do not store full credit card numbers; payment processing is handled by Stripe.

Information collected automatically: IP addresses, browser type and version, operating system, referring URLs, pages visited, timestamps, API usage patterns and request logs, and device identifiers.

Information from third parties: We may receive information from payment processors (e.g., Stripe) regarding transaction status.

We process your personal data on the following legal bases under the EU General Data Protection Regulation:

• Performance of a contract (Art. 6(1)(b)): To provide and manage our Service, process your subscription, manage your account, and deliver the data analytics you have subscribed to.
• Legitimate interests (Art. 6(1)(f)): To improve our Service, ensure security, prevent fraud, analyse usage patterns, and communicate with you about service updates. Our legitimate interest is to operate and improve our business while providing a secure platform.
• Consent (Art. 6(1)(a)): For optional marketing communications and non-essential cookies/analytics. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Legal obligation (Art. 6(1)(c)): To comply with applicable legal and regulatory requirements, including tax obligations and data retention requirements.

We use your information to: provide and maintain the Service; process subscriptions and payments; send important account notifications; enforce rate limits and API access controls; improve the platform and develop new features; ensure security and prevent abuse; and comply with legal obligations.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We use the following cookies and tracking technologies:

• Essential cookies: Required for authentication and core platform functionality.
• Google Analytics (G-7ELS45QVMP): To analyse website traffic and usage patterns. Google Analytics may transfer data to the United States; Google participates in the EU-U.S. Data Privacy Framework.
• Microsoft Clarity: Session recording and heatmaps to understand user interaction with the platform.
• LinkedIn Insight Tag: To measure the effectiveness of advertising campaigns and provide aggregated audience insights.
• Reddit Ads Pixel: To measure the effectiveness of advertising campaigns on Reddit and provide aggregated audience insights. Email addresses provided at sign-up and purchase are hashed (SHA-256) in your browser before transmission for conversion matching.

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect platform functionality.

We share personal data only with the following categories of third-party processors, each bound by data processing agreements:

• Stripe: Payment processing (PCI DSS compliant).
• Cloud hosting providers: Infrastructure and data storage.
• Google Analytics, Microsoft Clarity, LinkedIn, Reddit: Website analytics and advertising measurement.

We may also disclose personal data where required by law, regulation, legal process, or governmental request.

Some of our third-party processors may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including:

• EU-U.S. Data Privacy Framework certification
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions by the European Commission

We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS/SSL) and at rest, secure API key management, access controls, and regular security reviews.

However, no method of electronic transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting obligations.

Account data is retained for the duration of your account and for a reasonable period thereafter to fulfil legal obligations. API usage logs are retained for up to 12 months. Payment records are retained as required by tax and accounting regulations.

When data is no longer needed, it is securely deleted or anonymised.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): You have the right to request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations (“right to be forgotten”).
• Right to restrict processing (Art. 18): You may request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): You may object to processing based on legitimate interests, including profiling.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at support@flashalpha.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or the supervisory authority in your country of residence.

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be notified by posting the revised policy on this page and updating the effective date. For significant changes, we may also notify you by email. Continued use of the Service after changes constitutes acceptance of the revised policy.