Privacy Policy

Last updated: March 22, 2026

1. Introduction

This Privacy Policy explains how NextAlpha ("NextAlpha," "we," "us," or "our") collects, stores, uses, discloses, and otherwise processes information about you in the course of our business, including through our website at nextalpha.ai; the NextAlpha platform, our AI-powered investment research software-as-a-service offering; and our marketing and sales activities (collectively, our "Services"). It also sets out important information about your privacy rights.

NextAlpha is based in the Province of Quebec, Canada. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector (commonly known as "Law 25" or "Loi 25"), and, where applicable, the European Union General Data Protection Regulation (GDPR).

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

2. Personal Information We Collect

We collect information that alone or in combination with other information in our possession could be used to identify you ("Personal Information") as follows:

2.1 Account Information

When you create an account to use our Services, we collect your name, email address, and password. If you sign up using a third-party authentication provider (such as Google or GitHub), we receive your name and email address from that provider.

2.2 Communication Information

If you communicate with us, we may collect your name, contact information, and the contents of any messages you send ("Communication Information").

2.3 Payment Information

When you purchase or subscribe to our Services, your billing information (such as your credit card number, expiration date, and billing address) is collected and processed by our third-party payment processor, Stripe. NextAlpha does not directly store your full credit card number. We may receive limited billing details (such as the last four digits of your card and billing address) from Stripe for record-keeping purposes ("Payment Information").

2.4 Usage and Chat Data

When you use our Services, we collect and store:

• Chat history (your queries and the AI-generated responses)
• Portfolio data (virtual portfolios, holdings, and transactions you create)
• Screening preferences and saved filters
• AI prompt usage counts for subscription quota management
• Documents and artifacts generated during your sessions

2.5 Technical Information

When you visit, use, and interact with our Services, we may receive certain information about your visit, use, or interactions ("Technical Information"), including:

• Log data (IP address, browser type and version, date and time of access)
• Usage data (pages viewed, features used, actions taken)
• Device information (operating system, device type, screen resolution)
• Cookies and similar tracking technologies (see Section 8)

2.6 Customer Support Information

When you contact us for customer support, feedback, or inquiries, we may collect your name, email address, and any other information you provide to assist you or resolve your issue ("Support Information").

3. How We Use Personal Information

We do not sell your Personal Information. We may use Personal Information for the following purposes:

• To provide, administer, maintain, improve, and analyze the Services
• To provide you with AI-powered financial research, portfolio simulation, and market analysis features
• To manage your account, subscriptions, and AI prompt quotas
• To provide you with customer support services
• To communicate with you, including about your account, new features, and promotions (with your consent where required)
• To develop new features and services
• To prevent fraud, criminal activity, or misuse of our Services, and to ensure the security of our IT systems, architecture, and networks
• To comply with legal obligations and legal process and to protect our rights, privacy, safety, or property, and/or that of our Affiliates, you, or other third parties

3.1 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal basis for collecting and using your Personal Information depends on the data concerned and the context in which we collect it. We rely on:

• Consent — where you have given us explicit consent to process your data (e.g., marketing communications)
• Contract performance — where processing is necessary to provide the Services you have requested
• Legitimate interests — where processing is necessary for our legitimate interests (e.g., service improvement, fraud prevention) and your interests or fundamental rights do not override those interests
• Legal obligation — where processing is necessary to comply with applicable law

4. AI and Data Processing

NextAlpha integrates multiple third-party AI models (such as those provided by Anthropic, OpenAI, Google, and xAI) to deliver its Services. It is important that you understand how your data interacts with these systems:

• No AI training on your data. NextAlpha will not use your Content or Customer Data to train AI models.
• Subprocessor restrictions. Our AI subprocessors are contractually prohibited from training their models on your Content or Customer Data, and from retaining or logging your data for human review.
• Data processing. Your Input (queries, portfolio instructions, screening criteria) is transmitted to the selected AI model provider solely to generate a response. The Output is then returned to you and stored in your chat history.
• Ephemeral processing. AI model providers process your Input on a transient basis to generate Output. They do not retain your data after processing is complete, except as required for abuse monitoring and safety for a limited period as defined in their respective data processing agreements.

5. Aggregated Information

We may aggregate Personal Information and use the aggregated information to analyze the effectiveness of our Services, to improve and add features to our Services, and to analyze general behavior and characteristics of users. We may share aggregated, anonymized information (such as general user statistics) with third parties, publish such aggregated information, or make it generally available. Aggregated information will not identify you or any individual user.

6. Disclosure of Personal Information

In certain circumstances, we may share your Personal Information with third parties without further notice to you, unless required by law, including in the following situations:

• Vendors, Service Providers, and Subprocessors. We may share your data with third-party service providers who perform services on our behalf, such as hosting (Supabase), payment processing (Stripe), AI model providers, and analytics services. These providers are bound by contractual obligations to protect your data.
• Business Transfers. If NextAlpha is involved in a merger, acquisition, reorganization, or sale of assets, your Personal Information may be transferred as part of that transaction. We will notify you of any such change.
• Legal Requirements. We may disclose your Personal Information if required to do so by law, regulation, court order, or other governmental request.
• Affiliates. We may share your data with our Affiliates, who are bound by this Privacy Policy.
• Safety and Security. We may disclose your data where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our Terms of Service.

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your Personal Information:

7.1 Rights Under Canadian Law (PIPEDA and Quebec Law 25)

• Right of access. You have the right to request access to the Personal Information we hold about you.
• Right to rectification. You have the right to request that we correct any inaccurate or incomplete Personal Information.
• Right to withdraw consent. Where processing is based on your consent, you may withdraw consent at any time.
• Right to deletion. You may request the deletion of your Personal Information, subject to certain legal exceptions.
• Right to portability. Under Quebec Law 25, you have the right to receive your Personal Information in a commonly used technological format and to have it transferred to another organization, where technically feasible.
• Right to de-indexation. Under Quebec Law 25, you have the right to request that we cease disseminating your Personal Information or de-index any hyperlink associated with your name where the dissemination contravenes the law or a court order.

7.2 Rights Under the GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, you additionally have the right to:

• Restrict or object to the processing of your Personal Information
• Not be subject to a decision based solely on automated processing, including profiling
• Lodge a complaint with your local data protection authority

7.3 Exercising Your Rights

To exercise any of the above rights, please contact us at privacy@nextalpha.ai. We will respond to your request within the timeframes required by applicable law (30 days under PIPEDA and Quebec Law 25; one month under the GDPR). We may ask you to verify your identity before processing your request. We reserve the right to limit our facilitation of such requests to what is required by applicable law.

7.4 Privacy Officer

In accordance with Quebec Law 25, NextAlpha has designated a person responsible for the protection of personal information. Inquiries or complaints regarding our handling of your Personal Information can be directed to our Privacy Officer at privacy@nextalpha.ai. If you are not satisfied with our response, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) or, for matters under federal jurisdiction, the Office of the Privacy Commissioner of Canada (OPC).

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Authenticate your session and keep you logged in
• Remember your preferences and settings
• Analyze usage patterns to improve our Services
• Ensure the security and proper functioning of our platform

We may use analytics tools to help us understand how users interact with our Services. These tools may use cookies to collect information such as pages visited, time spent on pages, and links clicked.

8.1 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling certain cookies may limit your ability to use some features of our Services.

8.2 Do Not Track Signals

Our website currently does not respond to "Do Not Track" ("DNT") signals and operates as described in this Privacy Policy whether or not a DNT signal is received.

9. Security

We take reasonable and appropriate steps to protect your Personal Information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration, and destruction. We use appropriate technical and organizational measures to protect your Personal Information, which may include:

• Encryption of data in transit (TLS) and at rest
• Row-level security (RLS) policies to ensure data isolation between users
• Access controls and authentication safeguards (including support for multi-factor authentication)
• Regular security monitoring and intrusion detection
• Contractual data protection obligations with all subprocessors

While we strive to protect your Personal Information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.

10. Data Retention and Deletion

We retain your Personal Information for as long as necessary to fulfill the purposes for which we collected it, unless a longer retention period is required or permitted by law. Specifically:

• Account data is retained for the duration of your account and deleted upon account deletion, subject to legal retention requirements.
• Chat history and portfolio data is retained for as long as your account is active. You may delete individual conversations or portfolios at any time.
• Payment records are retained as required for tax, accounting, and legal compliance purposes.
• Technical and usage data is retained in anonymized or aggregated form for analytics purposes.

Upon termination of your account, we will delete or anonymize your Personal Information within a reasonable timeframe, except where retention is required by applicable law.

11. Privacy Impact Assessments

In accordance with Quebec Law 25, NextAlpha conducts privacy impact assessments before implementing any new project involving the collection, use, or disclosure of Personal Information, and before any disclosure of Personal Information outside of Quebec. These assessments evaluate the necessity and proportionality of data collection, potential privacy risks, and measures to mitigate those risks.

12. Confidentiality Incident Response

In the event of a confidentiality incident (unauthorized access, use, disclosure, or loss of Personal Information) that presents a risk of serious harm, NextAlpha will:

• Take reasonable measures to reduce the risk of harm and prevent new incidents
• Notify the Commission d'accès à l'information du Québec (CAI) in accordance with Quebec Law 25
• Notify affected individuals when the incident presents a risk of serious injury
• Maintain a register of all confidentiality incidents as required by law

13. International Data Transfers

By using our Services, you understand and acknowledge that your Personal Information may be transferred from your location to our facilities and servers in Canada, and to other countries where our service providers operate (including the United States for AI model processing, payment processing, and hosting services).

We employ appropriate safeguards for cross-border transfers of Personal Information, including:

• Contractual data protection clauses with all service providers
• Privacy impact assessments for transfers outside of Quebec, as required by Quebec Law 25
• Compliance with the European Commission adequacy decisions and Standard Contractual Clauses (SCCs) where applicable for transfers from the EEA

Before transferring Personal Information outside of Quebec, NextAlpha assesses whether the receiving jurisdiction provides adequate protection. Where adequate protection is not ensured, we implement additional contractual and technical safeguards.

14. Children's Privacy

Our Services are not directed to anyone under the age of 16. NextAlpha does not knowingly collect Personal Information from anyone under the age of 16. If you have reason to believe that a minor under the age of 16 has provided Personal Information to NextAlpha through our Services, please email us at privacy@nextalpha.ai and we will endeavor to delete that information from our systems.

15. Links to Other Websites

Our Services may contain links to other websites not operated or controlled by NextAlpha, including social media services ("Third Party Sites"). The information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of those Third Party Sites and not by this Privacy Policy. We encourage you to review the privacy policies of any Third Party Sites you visit.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post an updated version on this page and update the "Last updated" date at the top of this page. For material changes, we will notify you by email or by a prominent notice on our website, as required by applicable law. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

17. Language

The parties have expressly requested that this Privacy Policy and all related documents be drafted in English. Les parties aux présentes ont expressément demandé que cette politique de confidentialité et tous les documents connexes soient rédigés en anglais. A French version of this Privacy Policy may be made available for convenience; in the event of any discrepancy, the English version shall prevail, except where prohibited by applicable law.

18. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, you can contact us at: