Privacy Policy
Plain-language summary. We collect your email, password (hashed), and the stocks you save to watchlists/portfolios. We use third parties like our payment processor and Sentry for error tracking. We do not sell your data. You can request deletion at any time by emailing us.
1. Who We Are
Axiom Alpha ("we," "us," or "our") is a stock-analysis service operated by an individual sole proprietor based in Indonesia, available at axiom-alpha.com. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
This policy is designed to comply with Indonesia's Personal Data Protection Law (UU No. 27/2022 — UU PDP) and, where applicable, the EU General Data Protection Regulation (GDPR).
2. Information We Collect
2.1 Information you provide
- Account information: username, email address, hashed password.
- Profile preferences: selected plan tier, theme preference, optional Telegram chat ID for alerts, alert notification preferences.
- Watchlist and portfolio data: tickers you save, position quantities, cost basis, purchase dates (only if you choose to enter them).
- Price alerts: ticker, condition (above/below/cross), threshold price.
- Search history: tickers you've searched (used to power autocomplete and recent searches).
- Payment information: when you subscribe to a paid plan, our payment processor collects payment details. We do not store card numbers, CVV, or full bank account numbers on our servers.
- Communications: emails you send to contact@axiom-alpha.com.
2.2 Information collected automatically
- Log data: IP address, browser type, operating system, pages visited, timestamps, referrer URL.
- Cookies and similar technologies: see the Cookies & Tracking section below.
- Performance and error data: via Sentry, we collect crash reports and performance metrics that may include URL paths, browser metadata, and stack traces.
2.3 Information we do NOT collect
- We do not collect government-issued identification numbers (NIK, KTP).
- We do not collect biometric data.
- We do not access your brokerage account or trading history.
- We do not track you across other websites.
3. How We Use Your Information
We use your personal information to:
- Provide, maintain, and improve the Service.
- Authenticate you and secure your account.
- Process subscriptions and payments through our payment processor.
- Send transactional emails: account confirmations, password resets, payment receipts, subscription renewals, and alert notifications you've enabled.
- Respond to your support requests.
- Detect, prevent, and address fraud, abuse, security, or technical issues.
- Comply with legal obligations.
We do not use your personal information for targeted advertising or sell it to third parties.
4. Legal Basis for Processing
We process your personal information based on the following legal bases under UU PDP and GDPR (where applicable):
- Contract: processing necessary to provide the Service you've subscribed to.
- Legitimate interest: security monitoring, fraud prevention, service improvements.
- Consent: for optional features like Telegram alerts or marketing communications (you may withdraw consent at any time).
- Legal obligation: compliance with applicable Indonesian and international law.
5. Sharing & Third Parties
We share your information only with:
- Payment processor: to process subscription payments. The processor handles your payment details directly under their own privacy policy.
- Hosting and infrastructure: Vercel (hosting), Supabase (managed PostgreSQL database), and similar service providers that host or process data on our behalf under data processing agreements.
- Error and performance monitoring: Sentry, which may receive crash reports and limited contextual data.
- Email provider: for sending transactional emails (receipts, password resets, alerts).
- Analytics: minimal first-party server logs only. We do not currently use Google Analytics or similar third-party analytics.
- Legal authorities: when required by valid legal process or to protect rights, property, or safety.
We do not sell, rent, or trade your personal information.
6. Cookies & Tracking
We use cookies and similar technologies for:
- Strictly necessary cookies: session identifiers, CSRF tokens, authentication. The Service cannot function without these.
- Preference cookies: theme (light/dark mode), language, view preferences.
- Service worker cache: a browser-managed cache for the offline shell and faster page loads. You can clear it via your browser's site-data controls.
We do not use third-party advertising cookies or cross-site tracking pixels.
7. Data Retention
We retain your personal information only as long as necessary to provide the Service or comply with legal obligations:
- Active accounts: retained for the life of the account.
- Inactive accounts: accounts with no activity for 24 months may be deleted after a 30-day email notice.
- Closed accounts: deleted within 30 days of cancellation, except for billing records retained for the period required by Indonesian tax and accounting law (typically 10 years).
- Server logs: typically retained for 30–90 days.
- Backups: may persist for up to 90 days after deletion before being cycled out.
8. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- HTTPS encryption for all data in transit.
- Passwords stored using industry-standard hashing (Django's PBKDF2).
- HttpOnly and Secure cookies, CSRF protection, and HSTS headers.
- Database access restricted via least-privilege credentials.
- Regular security updates of dependencies.
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the Indonesian data protection authority within 72 hours as required by UU PDP.
9. Your Rights
Subject to applicable law, you have the right to:
- Access: request a copy of the personal information we hold about you.
- Rectification: correct inaccurate or incomplete information.
- Erasure: request deletion of your account and associated data.
- Portability: receive your data in a structured, machine-readable format (currently CSV exports of portfolios and watchlists are available in-app).
- Restriction: ask us to limit how we process your data.
- Objection: object to processing based on legitimate interest.
- Withdraw consent: for processing based on consent (e.g., Telegram alerts).
- Lodge a complaint: with the Indonesian data protection authority or your local supervisory authority.
To exercise these rights, email contact@axiom-alpha.com. We will respond within 30 days.
10. International Transfers
Our infrastructure providers (Vercel, Supabase, Sentry) may store or process data on servers located outside Indonesia, including in the United States, European Union, or Singapore. By using the Service, you consent to such transfers. We rely on standard contractual clauses or equivalent safeguards where required.
11. Children's Privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with information, contact us at contact@axiom-alpha.com and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.
13. Contact
For privacy questions, requests, or complaints, contact us at:
- Privacy & data requests: contact@axiom-alpha.com
- General support: contact@axiom-alpha.com