Privacy Policy
Controller: AlphaGen Holdings Limited ("AlphaGen", "we", "us",
"our"), Companies House no. 17084844, registered in England and Wales.
Product: AlphaGen AutoAnnotation System and the AlphaGen mobile
application (collectively, the "Services").
Effective date: 2026-04-23
Last updated: 2026-04-23
Contact: privacy@alpha-gen.ai
Data Protection Officer: dpo@alpha-gen.ai
---
1. Who this policy is for
This policy explains how AlphaGen collects, uses, stores, and
safeguards personal data when you:
- Upload video or audio to the Services as a content contributor
(e.g. a researcher, clinician, or operator submitting training
footage).
- Appear in video or audio that a third party has uploaded —
whether identifiable (named in metadata, featured directly on
camera with consent) or as an unidentified bystander in public-
space footage.
- Use the Services as an annotator or HITL operator, logging in
to the web dashboard or mobile app to label data, play HITL games,
or administer the platform.
- Visit our website or contact us for information.
If your data is processed because of a direct contract between
AlphaGen and your employer or organisation ("the Customer"), the
Customer is the controller and AlphaGen is the processor. See §14.
Everything else in this document applies to AlphaGen's activities as
controller.
---
2. Legal bases we rely on
We rely on the following Article 6 GDPR bases, depending on the
activity:
| Activity | Legal basis |
|---|---|
| Enrolling you as a contributor / operator and processing your footage | Consent (Art. 6(1)(a)) — you may withdraw at any time (§11) |
| Paying a subscription / issuing invoices / anti-fraud | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Keeping minimal audit logs of data access for regulator accountability | Legitimate interest (Art. 6(1)(f)) — see the DPIA for our balancing test |
| Responding to subject rights requests under Art. 15-22 | Legal obligation (Art. 6(1)(c)) |
| Responding to breach notifications to regulators or you | Legal obligation (Art. 6(1)(c)) |
Special-category data under Art. 9 (e.g. biometric identifiers,
health-indicative footage) requires explicit, separate consent, which
we capture with a distinct tick on the consent form. We do not process
Art. 9 data without that explicit tick.
---
3. What personal data we collect
3.1 From content contributors ("you upload video to us")
- Your contact email (hashed + encrypted at rest).
- The jurisdiction you're submitting from (ISO 3166-1 country code).
- The raw video / audio you upload.
- Metadata embedded in that footage (EXIF timestamps, GPS, device
ID) — stripped by Pass 0 on ingest; kept only on the signed
redaction manifest for regulator audit.
- Consent history (timestamps + scopes you granted).
3.2 From people visible in uploaded footage
- Identifiable participants (people who explicitly consented to
appear on camera): a separate subject record is created only if
the contributor identifies them and supplies an email. Otherwise
they exist in the footage as pixels which we redact.
- Unidentified bystanders in public-space footage: no subject
record is created. Their faces, visible OCR text, license plates,
screens, and voice audio are redacted by our automated Pass 0
pipeline before anything downstream sees the footage.
- Metadata-only mentions (someone named in captions / title /
transcript but not visible as the contributor): recorded as a
metadata subject reference so we can respond if the named person
later asks what we hold about them; no consent is implied.
3.3 From operators / annotators / players
- Your username, email (hashed + encrypted at rest), and optional
display name.
- Authentication tokens (scoped, rotated, device-bound).
- Game performance data (scores, corrections submitted, time per
task). Used for trust-weighting and leaderboards.
- Audit of every action you take inside the platform (logins, config
changes, rights-request fulfilment). This is an Art. 30 Record of
Processing Activities obligation on our side.
- Aggregate performance metrics (accuracy, consistency, reaction time
distributions) — pseudonymised for internal analytics.
3.4 From website visitors
- Standard request logs (IP, user-agent, referer) retained for 30
days for security / abuse analysis.
- Cookies as listed in our Cookie Policy (a separate document).
- Email address and message content if you use the contact form.
3.5 What we DO NOT collect
- We do not use web tracking pixels or third-party advertising
cookies.
- We do not sell personal data.
- We do not train models on your data without explicit consent for
the training scope.
- We do not share raw footage with third parties (§7 covers the
narrow exceptions).
---
4. How we use your data
| Purpose | Data used | Retention |
|---|---|---|
| Ingest + redact uploads | Raw footage | Raw deleted after 30 days by default (configurable per tenant); redacted copy retained per dataset retention policy |
| Train computer-vision models | Redacted footage + annotations (with training consent) | As long as the dataset is active; retraining triggers when contributors withdraw |
| HITL games + annotation QA | Redacted frames + your submissions | As long as you're active; deleted on account closure or withdrawal |
| Trust + quality scoring | Your annotation performance | 7 years from last activity, then deleted |
| Customer-facing dashboard (your organisation's DPO / operators) | Depends on the surface; gated by our RBAC clearance levels | Same as the underlying data |
| Breach notification | Just enough of the above to meet Art. 33/34 | Until the incident is closed + 7 years |
| Legal obligation response (subpoena, regulator request) | Whatever the order compels | As long as the legal obligation requires |
Automated decision-making under Art. 22: we run models that
generate annotations, but every annotation is reviewed or scored by
a human before it's used for training or decision-making about an
identifiable person. No solely-automated decision with legal or
similarly-significant effect is produced by the Services.
---
5. How long we keep data (retention)
Our retention periods are bounded and implemented:
- Raw contributor uploads: 30 days by default. The first Pass 0
redaction produces a redacted copy that supersedes the raw on
most customer contracts. Longer retention requires written
agreement.
- **Redacted derivative artifacts (frames, features, masks,
checkpoints)**: as long as the underlying dataset is active. When
a contributor withdraws, every derivative is flagged and the
dataset enters a retraining cascade within 30 days.
- Subject rights request records + certificates: 7 years after
request closure (Art. 5(1)(e) + UK Limitation Act).
- Audit logs of personal data access: 7 years, partitioned
monthly.
- Operator account data: while you have an active account; 90
days after account closure unless longer retention is required by
legal obligation.
- Backups: rotated on a 90-day schedule. When a subject is
deleted, the backups they exist in are tombstoned (entry in an
immutable "beyond use" ledger); once those backups age out, the
tombstone entry remains as permanent proof of deletion reach.
---
6. How we protect your data
6.1 Technical measures
- Envelope encryption at rest: all personal data fields (email,
raw footage, redacted derivatives) are encrypted with per-tenant
data-encryption keys wrapped by a key-encryption-key held in our
KMS. Key rotation on a 90-day cadence.
- Pass 0 pre-ingest redaction: face blur (ellipse mask,
feathered), OCR text destruction (3-stage pixelate + noise +
smear), license plate blur, screen blur, voice audio stripping
(unless explicit consent for audio retention is given), EXIF scrub.
Every Pass 0 run produces an Ed25519-signed manifest proving what
was found and blurred.
- RBAC clearance hierarchy: raw > compliance > aggregates > redacted.
Every route that returns personal data has an explicit clearance
requirement. Raw-data access additionally requires a two-person
unmask-token ceremony with DPO sign-off.
- Hash-chained audit tables (subject_events, data_lineage,
data_access_log): tamper detection without third-party
dependencies; verifiable end-to-end on demand.
- Automated anomaly detection: 9 rule classes covering unusual
read volume, off-hours access, high gate-denial rate, chain breaks,
SLA breaches, consent expiry, dataset flag lag, and key rotation
imminence. Alerts route to the DPO + an operational on-call pager.
- SIEM export: the same audit events stream to a configurable
SIEM (Splunk / Datadog / Elastic / similar) for longer-term
forensics.
- Backup encryption + tombstones: backups encrypted with a
dedicated backup key separate from the online KEK. Every deleted
subject lands on the immutable tombstone ledger with backup
expiry timestamps.
6.2 Organisational measures
- Data Protection Officer (DPO) at dpo@alpha-gen.ai.
- Access reviews quarterly; stale unmask grants flagged
automatically.
- Tabletop exercises quarterly — we run our breach response
pipeline end-to-end in drill mode, verified by an on-file
time-to-notify metric.
- Mock regulator audits quarterly — three synthetic rights
requests (access, deletion, restriction) run through the real
rights-service to verify SLA adherence and produce an evidence
bundle.
- Incident response per our Breach Response Playbook
(Art. 33/34 compliant 72-hour notification state machine).
---
7. Who we share your data with
AlphaGen does not sell personal data to anyone. We share only with:
- Our sub-processors — a minimal list, each with a signed
Art. 28 Data Processing Agreement. The current list is published
in our Sub-processor list and updated when
changes are made. As of the effective date above, it includes:
- AWS / Google Cloud / Microsoft Azure (hosting + KMS);
- Anthropic / OpenAI / Google (LLM inference, gated by consent
scope llm_inference + redacted inputs only);
- A statutory auditor (annual financial audit);
- A legal service provider (when we need to respond to a
regulator / subpoena).
- Enforcement authorities when legally compelled (court order,
production order). We publish transparency numbers annually.
- Your employer / customer account — if you use the Services
under an enterprise contract, the contract holder (your
organisation) can access redacted + aggregate data about your
activities. They cannot retrieve raw footage without the
two-person unmask ceremony.
- In the event of a business transfer — with continuity of this
privacy policy's commitments, notified to you in advance.
We do NOT share with:
- Advertisers. We do not advertise inside the Services.
- Data brokers.
- Social media integrations (none exist in the product).
---
8. International transfers
Your data is primarily stored in the region closest to you (EU, UK,
US, or APAC, depending on the account). When cross-border transfers
are necessary — typically when using an LLM provider whose regional
footprint doesn't match ours — we rely on:
- UK International Data Transfer Agreement (or UK Addendum to
SCCs) for UK to non-adequate countries;
- EU Standard Contractual Clauses (2021 version, Module 2 or 3
as applicable) for EU / EEA to non-adequate countries;
- A Data Transfer Impact Assessment (DTIA) documenting the
receiving jurisdiction's legal environment + supplementary measures
we apply (encryption in transit and at rest, access bans on US
surveillance requests for EU personal data, etc.).
The current DTIA per transfer is available to customers on request
via dpo@alpha-gen.ai.
---
9. Cookies
The Services set only necessary cookies:
- alphagen_session — your authentication token, 30-day rolling
expiry, HttpOnly + Secure.
- alphagen_csrf — CSRF protection on write endpoints.
We do not set analytics, advertising, or third-party tracking
cookies.
See our separate Cookie Policy for full
details.
---
10. Your rights
Under UK / EU GDPR you have the following rights, which AlphaGen
fulfils in full:
| Right | Article | How you exercise it |
|---|---|---|
| Access | 15 | Email privacy@alpha-gen.ai, or use the public intake form at the Services, or ask via the mobile app under Settings → Privacy & Data → Request my data |
| Rectification | 16 | Same channels; we apply the correction within 30 days |
| Erasure | 17 | Same channels; our deletion cascade runs within 30 days and produces a signed certificate |
| Restriction | 18 | Same channels; processing pauses immediately and your data is retained in a frozen state |
| Portability | 20 | Same channels; we return your data in machine-readable JSON |
| Objection | 21 | Same channels; we narrow the scopes of processing you object to |
| Automated-decision review | 22 | Not applicable — see §4 |
| Withdraw consent | Art. 7 | Same channels; withdrawal triggers the deletion cascade |
We respond to every request within 30 calendar days per
Art. 12(3); in complex cases we may extend by two further months with
written justification.
You can complain to your data protection authority at any time. In
the UK that's the Information Commissioner's Office (ico.org.uk,
0303 123 1113). In the EU, your national DPA.
You do not need to pay us to exercise any right. We only charge if
the request is manifestly unfounded or excessive, per Art. 12(5) —
we've never charged anyone to date.
---
11. Withdrawing consent
Withdrawing consent is designed to be frictionless:
- From the mobile app: Settings → Privacy & Data → Request my
data → select "Erasure (Art. 17)".
- From the web portal: (upcoming) — until then, email
privacy@alpha-gen.ai with the subject "Withdraw consent".
- By email: send to privacy@alpha-gen.ai from the same email
address you used to enrol.
Withdrawal triggers our deletion cascade: you are frozen immediately,
every derivative artifact is flagged, every model trained on your
data enters the retraining queue, and a signed deletion certificate
is emailed to you when the cascade completes. Expected turnaround is
30 days; the freeze takes effect immediately.
---
12. Children
The Services are not directed at children under 16. We do not
knowingly collect personal data from anyone under 16. If you become
aware that a child has provided personal data to us, contact
privacy@alpha-gen.ai and we will delete it immediately.
Where a minor is visible in lawfully-submitted footage from a
parent / guardian (e.g. paediatric clinical research with IRB
approval), the contributor is required to document the guardian's
consent + the IRB approval before submission.
---
13. How we handle breaches
If we detect or are notified of a personal data breach that is
likely to result in a risk to your rights and freedoms:
- We notify the relevant supervisory authority within 72 hours
of detection (Art. 33).
- We notify affected data subjects without undue delay if the
breach is likely to result in a high risk to their rights
(Art. 34), unless we have taken subsequent measures that reduce
the risk to low.
- We document every incident — real or drill — in our breach
ledger, hash-chained for tamper detection.
---
14. Who our customers are + how they fit
AlphaGen's customers are **autonomous-vehicle / robotics / embodied-AI
companies** who supply real-world video or audio for model training.
Our product is a privacy-respecting ingest + redaction + annotation
pipeline that they integrate into their own data operations.
Depending on the arrangement, the Customer plays one of two roles:
14.1 Customer as controller, AlphaGen as processor (typical)
When the Customer uploads footage they already own or have consent
for, the Customer is the controller and AlphaGen is the
processor under an Art. 28 Data Processing Agreement.
In that role:
- AlphaGen processes personal data only on the Customer's
documented instructions (purpose, retention, storage region).
- The Customer must satisfy the consent + lawful-basis
requirements for the data subjects in their footage BEFORE they
upload. This is captured in the supplier attestation step at
ingest — the Customer signs a JSON attestation with their
account key stating the data was collected lawfully, what
redactions (if any) they already performed, and what consent
scope covers it.
- AlphaGen still runs Pass 0 redaction on ingest as a
belt-and-braces measure — faces, OCR text, licence plates,
screens, voice audio all get redacted regardless of the
Customer's claim. The signed redaction manifest proves what we
found and blurred.
- The Customer's privacy policy — not this one — governs what the
Customer tells data subjects. This AlphaGen policy describes
what WE do as the processor.
- Data subjects may still contact us directly at
privacy@alpha-gen.ai; we route the request to the Customer's
designated DPO.
- Every sub-processor AlphaGen uses is disclosed in the contracted
DPA with prior notice to the Customer before any change.
14.2 Customer as joint controller (special-case deployments)
For Customers whose product is itself a data-collection service (e.g.
a fleet operator whose vehicles record drivers), we may agree in the
master services agreement to act as joint controllers under
Art. 26. That relationship is formalised per deployment in a Joint
Controller Arrangement annexed to the DPA. Each such arrangement is
disclosed to affected data subjects in the Customer's own notice.
14.3 Siloed / segregated deployments
Customer data is always tenant-scoped — per-tenant KEKs, per-tenant
consent gate, per-tenant audit trails. Customers contracting for
siloed processing get a dedicated deployment where none of their
data is co-mingled with other tenants' data. The obligations above
apply either way; only the infrastructure topology changes.
14.4 Data subjects in Customer footage
The natural persons visible or audible in Customer-supplied video
are the Customer's data subjects, not AlphaGen's direct users.
Their GDPR rights still apply — the Customer is responsible for
fulfilling them under its own lawful basis, and AlphaGen assists
under the Art. 28 DPA. The public rights-request form at
/privacy/request is routed to the correct Customer DPO on receipt.
---
15. How to contact us
| | |
|---|---|
| Privacy matters | privacy@alpha-gen.ai |
| Data Protection Officer | dpo@alpha-gen.ai |
| Company postal address | AlphaGen Holdings Limited, [street address], United Kingdom |
| UK ICO complaint portal | ico.org.uk/make-a-complaint |
We aim to respond to privacy correspondence within five working days
at most.
---
16. Changes to this policy
When we change this policy substantively (new processing purpose,
new sub-processor, new retention rule), we will:
- Email the notice to contributors and operators whose consent
is currently active at least 30 days before the change.
- Post the change with the Last updated date above.
- Publish a diff of what changed under
docs/legal/privacy/policy-changelog.md.
Minor wording / clarification changes are still logged in the
changelog but not emailed.
---
17. Supervisory authority details (UK)
If you are not satisfied with our response you can lodge a
complaint with:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
For EU residents, contact your national data protection authority.
A list is maintained at
edpb.europa.eu/about-edpb/board/members_en.
---
*This policy is maintained under version control in the AlphaGen
engineering repository at
docs/legal/privacy/PUBLIC_PRIVACY_POLICY.md. It is reviewed every
six months (or sooner on material change) by the Data Protection
Officer.*