1. Who we are
This Privacy Policy describes how alphabell ("we", "us", "the lab") processes personal data in connection with the dev.alphabell.com website and the related services it links to (collectively, the "Site"). For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK General Data Protection Regulation, the lab is the data controller for personal data processed via the Site.
This policy is version 2.0, last updated 2026-05-17. Prior versions are archived in the internal index and available on request from the Data Protection Officer (DPO) at dpo@alphabell.com.
2. What personal data we process
We try to minimise the personal data we process. Specifically, we process:
- Contact form submissions. Your name, email address, organisation (optional), and the content of your message. Submitted via the form at /contact or by direct email to a published lab address.
- Newsletter and Talent Network subscribers. Your email address. Optional fields you may complete include name and country of residence. Used to send the quarterly research index and (for Talent Network) hiring announcements ahead of the public posting.
- Careers applications. Your CV / résumé, the writing samples and proposal you submit, your contact details, and (for PhD and postdoctoral roles) the contact details of two references. Stored in a dedicated application database segregated from the public-website data path.
- Analytics. Aggregated, cookie-less pageview analytics provided by Plausible Analytics. We do not receive an IP address, user-agent string, or device fingerprint that can be linked to a single visitor.
- Server access logs. Standard HTTP request logs at the lab's web tier: IP address, user-agent, request path, response status, byte count, and request timestamp. Used for abuse detection, debugging, and capacity planning.
- Authenticated areas. If you sign in to the internal index or the proposal queue as a contributor (a separate authentication path not accessible from the public Site), additional contributor-specific records apply. Those records are governed by the lab's research conduct charter and contributor onboarding agreement, not this policy.
3. Legal bases (GDPR Article 6)
| Processing activity | Legal basis |
|---|---|
| Newsletter, Talent Network | Art. 6(1)(a) consent — given by submitting the subscription form. Withdrawn by clicking the unsubscribe link in any email or by writing to dpo@alphabell.com. |
| Contact form | Art. 6(1)(f) legitimate interests — responding to inbound enquiries; balanced against the limited and self-disclosed nature of the data. |
| Careers applications | Art. 6(1)(b) — pre-contractual steps at the request of the applicant; for reference-checking, Art. 6(1)(f) legitimate interests in evaluating the application, with safeguards described below. |
| Server access logs | Art. 6(1)(f) legitimate interests — operating and securing the Site, detecting abuse, debugging, capacity planning. |
| Analytics (cookie-less) | Art. 6(1)(f) legitimate interests — measuring aggregate Site use without identifying individual visitors. |
| Optional cookies (preferences, A/B test bucket) | Art. 6(1)(a) consent — set only after the consent banner is acknowledged. |
4. Retention
- Contact form submissions: 12 months from receipt, then deleted unless an active correspondence requires longer retention.
- Newsletter / Talent Network: until you unsubscribe. Unsubscribe records (your email + the unsubscribe event) are retained for 24 months as evidence of compliance, then deleted.
- Careers applications: 24 months from the close of the application cycle, then deleted. Withdrawal of an application before the cycle closes triggers deletion within 30 days.
- Server access logs: 14 days at full fidelity; aggregated counters retained for capacity-planning purposes for 24 months.
- Analytics: aggregated counters retained indefinitely; individual session data not retained.
- DPO correspondence: 6 years (the standard documentation period for data-rights requests).
5. Third parties (processors and sub-processors)
We use a small number of processors. Each is bound by a Data Processing Agreement consistent with GDPR Article 28; the current list is below.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Plausible Analytics | Privacy-respecting, cookie-less site analytics | Germany / EU | EEA processor — no extra-EU transfer required. |
| Resend | Transactional and newsletter email delivery | United States | EU Standard Contractual Clauses (Commission Decision 2021/914), Module 2. |
| Cloudflare | CDN, DDoS protection, edge TLS termination on selected paths | Global (data routed through the closest edge) | EU SCCs (2021/914) plus Cloudflare's published Data Processing Addendum. |
| GitHub (Microsoft) | Hosting of the lab's open-source repositories under github.com/alphabell-labs; issue tracking | United States | EU SCCs (2021/914). Note: we receive only the data you actively share with GitHub when you click out to it. |
| alphabell mail relay | Operated by the lab on its own infrastructure; receives transactional and contributor email at @alphabell.com and relays via the lab's nebula-mail SMTP path | Lab-operated infrastructure in the United States | Lab-operated; no third-party access beyond the processors listed above. |
6. International transfers
Where personal data leaves the European Economic Area ("EEA") or the United Kingdom, we rely on the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914 of 4 June 2021), supplemented by the UK Addendum issued by the Information Commissioner's Office for transfers from the UK. We carry out a transfer impact assessment per the EDPB's Recommendations 01/2020 before adding any new processor whose data centres or staff are located outside the EEA / UK.
7. Your rights
Under the GDPR and the UK GDPR you have the following rights, which we honour for personal data we control:
- Right of access (Art. 15) — request a copy of the personal data we hold on you.
- Right to rectification (Art. 16) — correct inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17) — delete personal data where the legal basis no longer applies.
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests, including the careers reference-checking flow.
- Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint with your local supervisory authority (Art. 77). For Israeli applicants the equivalent is the Privacy Protection Authority; for UK applicants, the Information Commissioner's Office.
Requests should be addressed to dpo@alphabell.com. We will respond within one month of receipt or, for unusually complex requests, within three months, with an interim acknowledgement.
8. EU and UK representatives
As required by Article 27 GDPR for controllers established outside the EEA / UK:
- EU representative: alphabell EU Representative, c/o Praxis AI Studies Stichting, Keizersgracht 207, 1016 DT Amsterdam, Netherlands. Reachable at eu-rep@alphabell.com.
- UK representative: alphabell UK Representative, c/o Cantor Initiative Ltd., 5 New Street Square, London EC4A 3TW, United Kingdom. Reachable at uk-rep@alphabell.com.
Both representatives may be contacted directly for data-protection enquiries, in addition to the DPO. Contacting the representative does not relieve the lab of its responsibilities under the GDPR or the UK GDPR.
9. Children
The Site is not directed at children under 16 (or under 13 in the United States, or under 17 in some other jurisdictions, whichever is highest where you reside). We do not knowingly collect personal data from children. If you become aware that a child has provided personal data via the Site, please contact dpo@alphabell.com and we will delete the data promptly.
10. Security
We maintain technical and organisational measures appropriate to the risks of the processing — encryption in transit (TLS 1.2+), encryption at rest for application databases, signed deployment artefacts, audit logging of administrative access, and the lab's published vulnerability-disclosure policy at /legal/security. We do not pretend that our measures are sufficient against state-level adversaries; the lab's broader threat model is documented in our internal-index methodology entries.
11. Data Protection Officer
The lab's Data Protection Officer can be reached at dpo@alphabell.com. Encrypted communication is preferred for sensitive matters; the DPO's PGP key fingerprint is published at /legal/security.
12. Changes to this policy
We update this policy when our processing changes substantively. Material changes are announced in the public news index at /news/ and the policy's version number and last-updated date are incremented. The current version is 2.0; the current effective date is 2026-05-17.