Alphastream AI Logo
SCHEDULE A DEMO

Privacy Policy

Last Updated: [16/02/2026]

1. Introduction

AlphaStream AI is a cutting-edge, AI-native platform revolutionizing private credit workflows by transforming unstructured financial and legal documents into real-time, 99%-accurate insights. Designed specifically for private credit and fixed-income markets, the platform accelerates critical processes such as deal term extraction, diligence, comparison, and portfolio analytics through purpose-built AI and human-validated outputs.

AlphaStream AI is built with enterprise-grade security and compliance at its core, including SOC 2 and ISO 27001 certifications, tenant isolation, VPC-based infrastructure, single sign-on (SSO) support, and comprehensive audit trails. These safeguards ensure robust protection of customer data while enabling seamless integration into client systems for confident, efficiency-driven decision-making.

For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act (DPDP), AlphaStream AI acts as a Data Processor with respect to customer-uploaded content and documents processed through the platform, and as a Data Controller with respect to account registration data, billing information, marketing communications, and website usage data.

2. Data We Collect

2.1 Information You Provide Directly

  • Contact details – name, email address, phone number, company name, job title.
  • Account information – if you register or log in to access demos, trials, or services.
  • Communication records – when you contact us for support, sales inquiries, or participate in surveys/events.
  • Uploaded documents & data – financial, legal, or corporate materials you choose to process through the AlphaStream platform (strictly for service delivery).

2.2 Information Collected Automatically

  • Usage data – interactions with our website/platform (pages visited, features used, session duration).
  • Device & technical information – IP address, browser type, operating system, device identifiers, crash logs.
  • Cookies & similar technologies – to track preferences, analytics, and improve user experience.

2.3 Information from Third Parties

  • Professional or corporate information – obtained from partners, data providers, or public sources (e.g., LinkedIn, company websites).
  • Analytics and marketing data – from tools like Google Analytics, CRM, or marketing automation platform

2.4 Sensitive / Confidential Information

  • If you upload financial or legal documents into the platform, AlphaStream processes and structures the data securely using AI models.
  • We do not sell or share this data for marketing. It is processed only to deliver contracted services and improve model accuracy.

3. How We Use Data

3.1 To Deliver and Improve Our Services

  • Process and analyze documents (financial, legal, or corporate) to provide structured insights.
  • Ensure platform functionality, availability, and performance.
  • Customize and enhance your user experience.

3.2 To Communicate With You

  • Respond to inquiries, demo requests, or customer support tickets.
  • Send updates about features, services, or policy changes.
  • Provide training, onboarding, and best-practice resources.

3.3 For Security and Compliance

  • Protect against unauthorized access, fraud, or misuse.
  • Monitor and audit platform activity for compliance with laws and contractual obligations.
  • Maintain SOC 2, ISO 27001, and other security certifications.

3.4 For Business Operations

  • Conduct research, testing, and analytics to improve AI accuracy.
  • Develop new features tailored to private credit and financial market needs.
  • Maintain records for accounting, billing, and legal purposes.

3.5 For Marketing and Outreach (with Consent, Where Required)

  • Share information about new products, events, or research.
  • Personalize marketing communications based on your interests.
  • Measure the effectiveness of campaigns and website engagement.

3.6 To Meet Legal Obligations

  • Comply with applicable laws, regulations, and data protection requirements.
  • Cooperate with regulators, auditors, and legal authorities if required.

3.7 Lawful Basis for Processing

We process personal data based on one or more of the following lawful bases:

  1. Performance of a contract – to provide the requested services;
  2. Legitimate interests – to secure, improve, and operate our platform;
  3. Consent – where required, such as for marketing communications or non-essential cookies;
  4. Legal obligation – to comply with applicable laws, regulations, or legal processes.

We process personal data in accordance with applicable data protection laws, including the GDPR and UK GDPR, and rely on one or more of the following lawful bases:

  • Performance of a Contract: To provide, operate, and maintain our services as requested by our customers.
  • Legitimate Interests: To secure, improve, and operate our platform, including ensuring system reliability, preventing fraud, and enhancing user experience, provided such interests are not overridden by individual rights.
  • Consent: Where required by law, such as for marketing communications or the use of non-essential cookies. Consent may be withdrawn at any time.
  • Legal Obligation: To comply with applicable laws, regulations, regulatory guidance, or lawful requests from authorities.

3.8 AI Model Training & Improvement

Customer-uploaded data is not used to train shared, public, or third-party AI models. Any use of data for model improvement is limited to aggregated, anonymized data or customer-specific models and is conducted solely to enhance service accuracy and reliability.

AlphaStream AI is designed with strong data governance principles to protect customer data and maintain enterprise trust.

Customer-uploaded data and documents are not used to train shared, public, or third-party AI models. Any use of data for model improvement is strictly limited to aggregated and anonymized data or customer-specific models, and is conducted solely to enhance service accuracy, reliability, and performance.

Where applicable, such processing is subject to contractual safeguards, technical controls, and customer agreements, ensuring that proprietary or confidential information remains protected at all times.

4. Security Measures

4.1 Certifications & Compliance

  • SOC 2 (Type II) and ISO 27001 certified, demonstrating adherence to globally recognized standards for data security, privacy, and availability.
  • Ongoing compliance audits and penetration tests to validate security posture.

4.2 Infrastructure Security

  • Virtual Private Cloud (VPC) isolation for customer environments, preventing cross-tenant data leakage.
  • Tenant isolation to ensure each client’s data remains logically and securely separated.
  • Regular backups with redundancy and disaster recovery protocols.

4.3 Data Protection

  • Encryption in transit (TLS 1.2/1.3) and encryption at rest (AES-256) for all sensitive information.
  • Role-based access controls (RBAC) ensuring only authorized personnel can access specific systems or datasets.
  • Audit trails & monitoring to track access and detect suspicious activities.

4.4 Access & Identity Management

  • Single Sign-On (SSO) integration with enterprise identity providers.
  • Multi-Factor Authentication (MFA) required for internal and administrative accounts.
  • Principle of least privilege enforced across all systems.

4.5 Application & Platform Security

  • Continuous monitoring of vulnerabilities and patching.
  • Secure development lifecycle (SDLC) including code reviews and security testing.
  • AI processing pipelines designed to handle sensitive financial/legal data securely.

4.6 Organizational Measures

  • Employee security training on data protection, phishing awareness, and incident response.
  • Strict confidentiality agreements for employees and contractors.
  • Dedicated security and compliance team overseeing practices across the company.

4.7 Incident Response & Business Continuity

  • AlphaStream AI maintains a documented incident response framework designed to ensure timely detection, containment, investigation, and resolution of security incidents, including personal data breaches.
  • We also maintain disaster recovery and business continuity plans to minimize service disruption and downtime in the event of system failures, cyber incidents, or other unexpected outages.
  • In the event of a personal data breach, AlphaStream AI will notify affected customers and relevant supervisory authorities without undue delay and within the timeframes required under applicable data protection laws, taking into account the nature, scope, and impact of the incident.
  • GDPR/CCPA Compliance: In progress (target: [Q4 2026]).

5. Third Parties

5.1 Service Providers (Processors)

We engage third-party vendors who process data on our behalf, including:

  • Cloud hosting & infrastructure providers (e.g., AWS, Azure, GCP) for secure storage and compute.
  • Analytics & monitoring tools to measure platform performance and user engagement.
  • Customer relationship management (CRM) and marketing automation platforms to manage communications.
  • Payment processors (if applicable) for billing and subscription management.
  • Customer support tools (e.g., ticketing or helpdesk systems).

All such providers are bound by confidentiality obligations and data processing agreements.

5.2 Professional & Advisory Services

  • Legal, compliance, and accounting firms that require access to limited data for audits, reporting, or legal claims.

5.3 Business Transfers

  • If AlphaStream undergoes a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction, subject to the same protections described in this Policy.

5.4 Legal & Regulatory Authorities

We may disclose data where required by law, regulation, or valid legal process, or to protect the rights, property, or safety of AlphaStream, our users, or others.

5.5 Third-Party Integrations (If You Choose to Connect Them)

If you integrate AlphaStream with third-party platforms (e.g., CRM, portfolio management tools, or document repositories), data may be exchanged as necessary to provide the functionality. These integrations are optional and controlled by you.

5.6 Aggregated & Anonymized Data

We may share de-identified or aggregated data (that does not personally identify individuals) with industry partners, researchers, or for product development purposes.

6. Your Rights

6.1 Right to Access

You can request confirmation of whether we process your personal data and obtain a copy of that data.

6.2 Right to Rectification

You may ask us to correct, update, or complete any inaccurate or incomplete personal information we hold about you.

6.3 Right to Erasure (“Right to be Forgotten”)

In certain circumstances, you may request that we delete your personal information, for example, if it is no longer necessary for the purpose it was collected or if you withdraw your consent.

6.4 Right to Restrict Processing

You may request that we limit how we use your data—for example, while we verify the accuracy of information or handle an objection.

6.5 Right to Object

You may object to the processing of your personal data when it is based on our legitimate interests (such as direct marketing).

6.6 Right to Data Portability

You may request a copy of your data in a structured, commonly used, machine-readable format, and ask us to transfer it to another controller, where technically feasible.

6.7 Right to Withdraw Consent

If we process your data based on consent (e.g., for marketing emails), you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

6.8 Right to Lodge a Complaint

If you believe your rights have been violated, you may lodge a complaint with your local data protection authority. We encourage you to contact us first so we can resolve any concerns.

6.9 Rights under Specific Laws

  • GDPR / UK-GDPR: All the rights above apply.
  • California (CCPA/CPRA): You have rights to request information about data we collect, opt-out of “sale or sharing” of data, and non-discrimination for exercising rights.
  • India (DPDP Act 2023): You have the right to access, correct, and erase your data, nominate a representative, and seek grievance redressal.

7. Sensitive Information

7.1 Financial Data

  • Transactional details, investment portfolios, credit information, deal terms, and other financial documents uploaded to the platform.
  • Data extracted from contracts, loan agreements, or other private credit documentation.

7.2 Legal & Corporate Data

  • Confidential legal agreements, contracts, NDAs, or internal corporate communications.
  • Proprietary corporate information that could impact business operations or competitive advantage.

7.3 Personal Identifiable Information (PII)

  • Names, email addresses, phone numbers, and job titles included in documents or accounts.
  • Any other identifiers that could reveal the identity of a natural person.

7.4 How We Protect Sensitive Data

  • Encryption in transit and at rest (TLS 1.2/1.3, AES-256).
  • Tenant isolation and VPC architecture to prevent cross-customer access.
  • Role-based access control (RBAC) and least-privilege policies for internal users.
  • Audit trails and monitoring to detect unauthorized access.
  • SOC 2 and ISO 27001 compliance to ensure adherence to global security standards.

7.5 Purpose of Processing

Sensitive information is used solely to:

  • Provide and improve AlphaStream’s AI-powered platform services.
  • Ensure accurate document processing, analysis, and reporting.
  • Maintain platform security, compliance, and performance.

7.6 Third-Party Sharing Restrictions

  • Sensitive data is never sold or rented.
  • Third-party vendors or service providers can access sensitive data only when necessary to provide services and under strict contractual and security obligations.

8. Disclosure of Personal data to third parties

8.1 Service Providers

We may share personal data with vendors and partners who provide services on our behalf, including:

  • Cloud hosting and infrastructure providers (e.g., AWS, GCP, Azure).
  • Analytics, monitoring, and performance tools to optimize platform usage.
  • Customer support and CRM platforms for onboarding, ticketing, and communications.
  • Payment processors (if applicable).

These service providers are contractually obligated to protect your data and process it only as instructed by AlphaStream AI.

8.2 Professional & Advisory Services

We may share personal data with:

  • Legal advisors, auditors, or compliance experts for audit, reporting, or regulatory purposes.

8.3 Business Transactions

  • In the event of a merger, acquisition, sale of assets, or corporate restructuring, your personal data may be transferred as part of the business transaction.
  • We ensure that any acquiring entity maintains the same level of data protection.

8.4 Legal and Regulatory Requirements

  • We may disclose personal data if required to comply with laws, regulations, or valid legal requests.
  • This includes responding to governmental authorities, court orders, or law enforcement investigations.

8.5 Third-Party Integrations

  • If you voluntarily connect your AlphaStream account to external platforms or tools, personal data may be shared as needed to enable those integrations.
  • Users have full control over these connections.

8.6 Aggregated or De-Identified Data

  • AlphaStream may share anonymized or aggregated data for research, product development, or reporting purposes.
  • Such data cannot identify individual users.

9. Transfer of Personal data

9.1 Global Data Processing

  • Personal data may be processed or stored in countries where AlphaStream or our service providers operate, including the United States, Singapore, and India.
  • These locations may have different data protection laws, but we ensure your data receives adequate protection.

9.2 Safeguards for International Transfers

  • Standard Contractual Clauses (SCCs) or equivalent legal agreements are used where required.
  • Transfers comply with applicable laws such as GDPR, UK-GDPR, and DPDP (India).
  • Data is always transmitted securely using encryption and secure communication channels.

9.3 Purpose of Transfers

  • To provide, maintain, and improve our AI-powered platform services.
  • To perform analytics, reporting, and security monitoring.
  • To enable collaboration with global partners and service providers.

9.4 Your Rights Regarding Transfers

  • You have the right to ask about the countries where your data is processed.
  • You can exercise your rights (access, correction, deletion) regardless of where your data is stored.

10. Data security

10.1 Infrastructure & Access Controls

  • Virtual Private Cloud (VPC) and Tenant Isolation: Each client’s data is securely segregated to prevent unauthorized access.
  • Role-Based Access Control (RBAC): Employees and contractors can only access data necessary for their role.
  • Single Sign-On (SSO) & Multi-Factor Authentication (MFA): Strengthened authentication for internal users.

10.2 Data Protection Measures

  • Encryption in transit and at rest: All data is encrypted using TLS 1.2/1.3 for transit and AES-256 for storage.
  • Regular backups: Encrypted backups are maintained with redundancy to ensure business continuity.
  • Audit trails & monitoring: Continuous logging of access and actions to detect and prevent unauthorized activity.

10.3 Application & Platform Security

  • Secure development practices: Code reviews, vulnerability testing, and secure coding standards.
  • Regular security assessments: Penetration tests and vulnerability scans conducted periodically.
  • AI model safeguards: Sensitive financial and legal data processed securely within the platform.

10.4 Organizational Security Measures

  • Employee training: Ongoing security, privacy, and compliance education.
  • Confidentiality agreements: Binding agreements for all staff handling personal or sensitive data.
  • Dedicated Security & Compliance Team: Monitors adherence to policies, regulations, and best practices.

10.5 Incident Response & Business Continuity

  • Incident response plan: Procedures to detect, contain, and remediate security incidents.
  • Disaster recovery planning: Ensures minimal disruption and data recovery in case of unforeseen events.

11. Data retention

11.1 Retention Periods

  • Account Information & Contact Data: Retained for as long as your account is active or as needed to provide services, comply with contractual obligations, or fulfill legitimate business purposes.
  • Uploaded Financial & Legal Documents: Stored securely for the duration of the client engagement or until deletion is requested, unless retention is required by law.
  • Usage & Analytics Data: Retained for performance monitoring, security analysis, and product improvement for a limited period (typically 12–24 months) before anonymization or deletion.

11.2 Deletion & Anonymization

  • When data is no longer required, AlphaStream securely deletes or anonymizes it to prevent identification of individuals.
  • Clients can request deletion of personal or uploaded data, subject to contractual and legal obligations.

11.3 Legal & Compliance Retention

  • Certain data may be retained longer if required to comply with laws, regulatory obligations, or to resolve disputes.

11.4 Review & Updates

  • Retention policies are reviewed regularly to ensure compliance with evolving legal requirements and industry best practices.

12. Cookies and similar technology

12.1 What We Collect Using Cookies

  • Essential Cookies: Required for the operation of our website or platform (e.g., login sessions, security features).
  • Performance & Analytics Cookies: Track usage patterns, page visits, and engagement to optimize platform performance.
  • Functional Cookies: Remember your preferences, language settings, or customized features.
  • Marketing & Targeting Cookies (with consent): Help us deliver relevant content, offers, or advertisements based on user interactions.

12.2 How We Use This Information

  • To ensure the website and platform function correctly.
  • To analyze and improve the user experience and platform performance.
  • To personalize content and communications when you provide consent.
  • To monitor platform security and prevent unauthorized or fraudulent activity.

12.3 Third-Party Cookies

  • We may allow third-party service providers (e.g., analytics or marketing platforms) to place cookies to help us improve the platform.
  • These third parties cannot access other personal data outside the scope of their services.

12.4 Managing Cookies

  • You can control or disable cookies through your browser settings.
  • Some cookies are essential; disabling them may impact platform functionality.
  • For non-essential cookies, we provide a consent mechanism when you first visit the website.

12.5 Retention of Cookies

  • Cookies and similar technologies are stored for the duration necessary to fulfill their intended purpose (typically ranging from a few hours to up to 24 months, depending on the type and function of the cookie).
  • We provide a cookie banner and preference center that allows users to manage their consent for non-essential cookies in accordance with applicable data protection and e-privacy laws. Users may update or withdraw their consent at any time through the preference settings available on our website.

13. Updates

We may update this policy; changes will be posted here.

Contact: privacy@alphastream.ai
Address: Global Tech Park – Smartworks Tower A, Second Floor 9/7, Hosur Main Road Dairy Colony, Adugodi Bangalore, Karnataka – 560030