This Privacy Policy explains how AlphaClone Systems collects, uses, stores, and protects your personal information. Read it in full before using our platform.
The data controller responsible for your personal information is:
AlphaClone Systems LLC
Email: [email protected]
Data Protection Officer (DPO): [email protected]
Website: https://alphaclonesystems.com
When you register an account, we collect: full name, email address, password (stored as a salted bcrypt hash — never in plain text), company name, phone number (optional), profile photo (optional), timezone, and country.
We also collect data you create or import while using the platform, including: CRM contact records, invoice and quote data, contract documents, financial records (journal entries, expenses, chart of accounts), project and task records, calendar events, meeting recordings (stored in your workspace only), and team member information.
When you connect Gmail, AlphaClone requests the following Google OAuth scopes:
What we do NOT do with Gmail data:
Gmail data is retrieved in real time via Google's API and displayed only to the authenticated user. You can revoke AlphaClone's Gmail access at any time from your Google Account Permissions page.
We automatically collect technical data when you use the platform: IP address, browser type and version, operating system, device type, pages visited, features used, session duration, and error logs. This data is used for platform security, debugging, and improving the user experience.
Payment processing is handled entirely by Stripe, Inc. AlphaClone never stores, processes, or has access to your credit card details. What we retain is limited to: Stripe Customer ID, subscription plan details, billing address, and payment history (invoice amounts and dates). See Stripe's Privacy Policy for how they handle payment data.
The AI Growth Agent uses publicly available business directory data to identify prospective leads. We do not scrape private data or use data obtained through unauthorized means. Outreach conversations managed by the AI agent are stored in your workspace and are not accessible to other users or AlphaClone staff without your consent.
AlphaClone's MCP server enforces strict technical controls: all data is scoped to your tenant workspace only, DELETE and DDL operations are blocked, and credentials/secrets are never transmitted. MCP access tokens are user-generated and can be revoked at any time from Settings → Integrations → MCP.
For users in the European Economic Area (EEA), United Kingdom, and other GDPR-applicable jurisdictions, our legal basis for processing your data is:
Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary to provide the services you've subscribed to — account management, invoicing, CRM functionality, and platform features.
Legitimate Interests (Art. 6(1)(f) GDPR)
Platform security monitoring, fraud prevention, technical debugging, and product improvement analytics.
Legal Obligation (Art. 6(1)(c) GDPR)
Responding to lawful government or court orders, tax compliance, and financial record-keeping obligations.
Consent (Art. 6(1)(a) GDPR)
Non-essential cookies (analytics, marketing), Gmail API access, and marketing communications. You may withdraw consent at any time.
We do not sell, rent, or trade your personal data. We share data only with the following service providers, strictly for the purpose of delivering our service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (US) | Database & authentication | All platform data (encrypted at rest) |
| Stripe, Inc. (US) | Payment processing | Email, billing address, Stripe customer ID |
| Google LLC (US) | Gmail API, OAuth sign-in | Google account OAuth token, email actions only |
| Cloudflare, Inc. (US) | Bot protection & security (Turnstile) | IP address, browser metadata, telemetry |
| Vercel, Inc. (US) | Application hosting & CDN | IP address, request metadata |
| Resend / SendGrid | Transactional email delivery | Email address, email content (transactional only) |
| Anthropic / Manus AI (optional) | MCP AI agent integration (user-initiated) | CRM data transmitted only when user activates MCP integration |
All third-party providers are contractually bound to process data only as instructed and to implement appropriate security measures. Transfers to the United States are covered by Standard Contractual Clauses (SCCs) where required by GDPR.
We retain your data for as long as your account is active and for a period afterward as required by law or legitimate business interest:
Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any of these rights, email [email protected]. We will respond within 30 days.
Right of Access / Right to Know
Request a copy of all personal data we hold about you (GDPR, CCPA).
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure / Right to Delete
Request deletion of your data ("right to be forgotten").
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Restrict Processing
Request that we limit processing of your data in certain circumstances.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Right to Opt-Out of Sale or Sharing
California residents can opt out of the sale or sharing of their personal information (CCPA). AlphaClone does not sell personal data.
Right to Non-Discrimination
You will not receive discriminatory treatment for exercising your privacy rights (CCPA).
We implement enterprise-grade security to protect your data:
In the event of a security breach that poses a high risk to the rights and freedoms of individuals (e.g., unauthorized access to unencrypted personal data), AlphaClone Systems will notify all affected users and relevant supervisory authorities without undue delay, and in any event within 72 hours of becoming aware of the breach. Notifications will include the nature of the breach, potential consequences, and the mitigation measures taken.
We use cookies and similar tracking technologies. Our Cookie Policy (linked below) provides full details on all cookies used, their purposes, and how to manage your preferences. You may update your cookie preferences at any time using the cookie preference center accessible from the bottom of any page.
The AlphaClone Business OS is intended for use by businesses and professionals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us at [email protected] and we will delete the data immediately.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and display a notice in the platform dashboard at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. The "Last updated" date at the top of this page reflects the most recent revision.
For privacy-related enquiries, data subject rights requests, or complaints:
Privacy & Data Protection: [email protected]
Legal Department: [email protected]
General Support: [email protected]