Who is responsible
Alvo is currently a pilot product. The data controller, legal details, customer roles, and data subject request process must be approved before production access.
Privacy and data
This page explains what data the product needs, what remains local in the browser, what may be sent to the server, and how Alvo is being prepared for a responsible production launch.
Updated 17 May 2026
V1 works as decision support and does not submit orders to XMtrade/PXS.
Short version
We may process interface preferences, language, theme, strategy parameters, BESS assumptions, trade date, hourly prices, calculation output, audit events, technical request headers, and data the user voluntarily imports or sends through the API.
Data is used to load market prices, build a recommended plan, generate an AI explanation, run risk checks, export CSV files, support PWA behavior, secure the API, apply rate limits, and maintain an action log.
Language, theme, density, strategy parameters, and BESS settings are stored in browser localStorage; for signed-in accounts, the current strategy and saved profiles can also sync to Alvo tenant storage. CSV import is parsed by client-side code, and the workspace then uses normalized hourly values.
API requests may contain prices, settings, trade date, and audit metadata. In v1, the audit endpoint returns an event for the interface; long-term tenant storage, retention periods, and access roles must be formalized separately.
Users should have a channel to access, correct, delete, restrict, or object to personal data processing. Production needs a response SLA, a contact, and a request verification procedure.
Alvo uses server-side payload validation, API security headers, rate limiting, no-store API responses, and data minimization. Integration secrets, keys, and production credentials must not be stored in the browser.
If production uses cloud services, LLM providers, or analytics outside Ukraine or the EEA, contractual terms, risk assessment, and data transfer mechanisms must be set according to applicable law.
Before commercial launch, the policy needs the legal entity, DPA/SCC where required, and a DPO or privacy owner contact.
After the legal structure is chosen, this policy should be reviewed with counsel and aligned with the real data architecture.