Privacy Policy

Scientific Analytics Alliance Inc. (“SAA Alliance”, “Company”, “we”, “us”, or “our”), a corporation incorporated under the laws of the State of Delaware, United States (U.S. Federal Employer Identification Number / EIN: 37‑2226244), with its principal office at 8 The Green STE B, Dover, Kent County, DE 19901, USA, is committed to protecting the privacy and security of personal data.

This Privacy Policy describes how we collect, use, disclose, store, and safeguard information when you access or use our websites, platforms, APIs, and services (collectively, the “Services”), including but not limited to: risk.saa-alliance.com, analyzer.saa-alliance.com, arin.saa-alliance.com, invest.saa-alliance.com, crypto.saa-alliance.com, news.saa-alliance.com, and saa-alliance.com.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must discontinue use of the Services immediately.

This Policy is designed to comply with: the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA / CPRA”), the Delaware Online Privacy and Protection Act, the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and other applicable international, federal, and state data-protection legislation.

For the purposes of GDPR and UK GDPR, the data controller is:

The Company acts as a data controller when processing personal data of website visitors, registered users, and business contacts. The Company acts as a data processor when processing data on behalf of enterprise clients under separate Data Processing Agreements (DPA).

3.1 Information You Provide Directly

• Account & Registration Data: Full name, email address, company / organization name, job title, phone number, and credentials when you create an account or request access to our platforms.
• Contact & Inquiry Data: Name, email, phone, message content, and any attachments when you contact us through forms, email, or other communication channels.
• Professional & Business Data: Company name, industry sector, regulatory jurisdiction, assets-under-management range, role within organization, and specific requirements for risk-analytics services.
• Transaction Data: Billing address, payment-method details, purchase history, and subscription information (payment-card data is processed exclusively by PCI DSS Level 1 certified third-party processors; we do not store card numbers).
• Research & Analytics Inputs: Tickers, portfolio compositions, risk parameters, and query data submitted to our analytical platforms for processing.

3.2 Information Collected Automatically

• Device & Technical Information: Browser type and version, operating system, device type, screen resolution, unique device identifiers, and hardware model.
• Log & Access Data: IP address, access timestamps (UTC), pages viewed, HTTP request / response codes, referring URL, click paths, and session duration.
• Usage & Analytics Data: Feature-utilization patterns, module interactions, report-generation frequency, API call volumes, and service preferences.
• Cookies & Tracking Technologies: Session cookies, persistent cookies, web beacons, pixel tags, and local-storage objects (see Section 9).
• Performance Data: Page-load times, error rates, and service-response metrics for quality assurance and operational monitoring.

3.3 Information from Third-Party Sources

• Business partners, resellers, and referral sources.
• Publicly available databases, company registries, and regulatory filings.
• Social-media platforms (LinkedIn, GitHub) when you link accounts or interact with our social presence.
• Fraud-prevention and identity-verification services.
• Credit-reporting agencies (for enterprise onboarding, with your consent).

4.1 Service Provision & Operations

• To provide, maintain, operate, and improve our Services across all platform domains.
• To process analytical requests — risk computations, report generation, Monte Carlo simulations, and ARIN Council verdicts.
• To manage your account, subscriptions, and API-access credentials.
• To provide technical support, respond to inquiries, and resolve incidents.
• To deliver real-time analytics via WebSocket connections and asynchronous pipelines.

4.2 Communication

• To send platform operational notices, security alerts, and maintenance notifications.
• To send product updates, feature announcements, and research publications (with your explicit consent; opt-out available at any time).
• To respond to your comments, questions, and professional inquiries.

4.3 Analytics, Research & Development

• To analyze aggregate usage patterns, optimize platform performance, and improve user experience.
• To develop new products, analytical models, and platform features.
• To conduct internal research for academic publications and whitepapers (using anonymized, aggregated data only).
• To train and improve our AI models using anonymized and de-identified data in compliance with applicable law.

4.4 Legal, Compliance & Security

• To comply with applicable laws, regulations, court orders, and governmental requests.
• To enforce our Terms of Use, acceptable-use policies, and contractual obligations.
• To detect, prevent, and address fraud, abuse, security incidents, and technical vulnerabilities.
• To protect the rights, property, safety, and interests of SAA Alliance, our users, and the public.
• To meet Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) obligations where applicable.

For individuals in the European Economic Area (EEA), European Union, United Kingdom, and Switzerland, we process personal data on the following lawful bases:

• Performance of Contract (Art. 6(1)(b)): Processing necessary to perform our contract with you, including account management, service delivery, and support.
• Legitimate Interests (Art. 6(1)(f)): Processing for our legitimate business interests balanced against your rights — including service improvement, fraud prevention, network security, direct marketing to existing clients, and internal analytics.
• Consent (Art. 6(1)(a)): Where you have given explicit, informed, freely-given, and specific consent for particular processing activities, such as marketing communications and non-essential cookies.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulatory requirements, court orders, and binding legal obligations.
• Vital Interests (Art. 6(1)(d)): In exceptional circumstances, to protect the vital interests of a natural person.

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Contact o.slieptsov@saa-alliance.com.

6.1 Service Providers & Sub-Processors

We engage carefully vetted third-party processors under written Data Processing Agreements (DPA) with appropriate technical and organizational security measures:

• Cloud Infrastructure: NVIDIA (GPU compute, NIM API), Amazon Web Services (hosting, S3, Lambda), and Cloudflare (CDN, DDoS protection).
• Payment Processing: PCI DSS Level 1 certified payment processors.
• Analytics: Google Analytics (with IP anonymization enabled), application-performance-monitoring tools.
• Communication: Email-delivery services, customer-support platforms.
• AI Providers: NVIDIA NIM API for LLM inference — subject to enterprise data-processing terms; user data is not used for model training.

6.2 Legal Requirements

We may disclose personal data when required by applicable law, regulation, legal process, or enforceable governmental request. We will attempt to notify affected users unless legally prohibited from doing so.

6.3 Business Transfers

In connection with any merger, acquisition, reorganization, change of control, or sale of all or substantially all of the Company’s assets, personal data may be transferred to the acquiring entity. We will provide notice and, where required, obtain consent before such transfer.

6.4 With Your Consent

We may share your information for purposes not listed above only with your explicit, informed consent.

6.5 No Sale of Personal Data

SAA Alliance does not sell, rent, or trade personal data to third parties for their commercial or marketing purposes. We do not participate in data-broker transactions.

As a U.S.-incorporated company operating globally, your personal data may be transferred to, stored, and processed in: the United States, the European Union, the United Kingdom, and any jurisdiction where our infrastructure providers operate.

For transfers from the EEA / UK to countries without an adequacy decision by the European Commission or UK Government, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs): As adopted by the European Commission (Decision 2021/914) and incorporated by reference under UK GDPR.
• EU-U.S. Data Privacy Framework: Where applicable and certification is maintained.
• Supplementary Measures: Technical measures (encryption in transit and at rest, pseudonymization), organizational measures (access controls, need-to-know basis), and contractual measures (enhanced sub-processor obligations).
• Transfer Impact Assessments (TIA): We conduct TIAs for transfers to assess the adequacy of protection in the recipient country and the effectiveness of supplementary measures.

Copies of our SCCs and transfer mechanisms are available upon request at o.slieptsov@saa-alliance.com.

We implement appropriate technical and organizational security measures consistent with ISO 27001 principles and industry best practices:

• Encryption: TLS 1.3 for data in transit; AES-256 encryption for data at rest.
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), principle of least privilege.
• Infrastructure: Isolated VPC networks, firewall rules, intrusion-detection / prevention systems, DDoS protection (Cloudflare).
• Monitoring: Security Information and Event Management (SIEM), continuous log aggregation, automated anomaly detection.
• Testing: Regular vulnerability assessments, penetration testing, and dependency auditing.
• Incident Response: Documented incident-response procedures with 72-hour breach-notification capability (per GDPR Art. 33).
• Personnel: Employee background checks, security-awareness training, and confidentiality agreements.

No method of transmission over the Internet or electronic storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security of personal data.

9.1 Types of Cookies

• Strictly Necessary Cookies: Required for platform operation — session management, authentication state, CSRF protection, load balancing. Cannot be disabled.
• Functional Cookies: Remember preferences such as language, dashboard layout, and timezone settings.
• Analytics Cookies: Google Analytics (with IP anonymization) — measure traffic, pageviews, bounce rate, and session duration to improve service quality.
• Performance Cookies: Application-performance monitoring — page-load times, API latency, error rates for service reliability.

9.2 Cookie Controls

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified before a cookie is set. Disabling strictly necessary cookies will impair platform functionality. We honor Do-Not-Track (DNT) signals where technically feasible.

9.3 No Marketing Cookies

SAA Alliance does not deploy third-party advertising or retargeting cookies on our platforms. We do not participate in ad networks or cross-site behavioral tracking.

10.1 GDPR / UK GDPR Rights

If you are located in the EEA, EU, or UK, you have the following rights under data-protection law:

• Right of Access (Art. 15): Obtain confirmation of processing and a copy of your personal data.
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to Erasure (Art. 17): Request deletion of personal data (“right to be forgotten”) where permitted by law.
• Right to Restriction (Art. 18): Request restriction of processing under certain conditions.
• Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON / CSV).
• Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
• Right to Withdraw Consent (Art. 7(3)): Withdraw previously given consent at any time.
• Right to Lodge a Complaint: File a complaint with your local supervisory authority (for UK: the Information Commissioner’s Office; for EU: your national DPA).

10.2 CCPA / CPRA Rights (California Residents)

• Right to know what categories and specific pieces of personal information are collected.
• Right to know the business or commercial purpose for collecting personal information.
• Right to know the categories of third parties to whom data is disclosed.
• Right to request deletion of personal information.
• Right to correct inaccurate personal information.
• Right to opt-out of the sale or sharing of personal information (SAA Alliance does not sell personal data).
• Right to limit use and disclosure of sensitive personal information.
• Right to non-discrimination for exercising privacy rights.

10.3 Additional U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy legislation have similar rights including access, correction, deletion, portability, and opt-out of targeted advertising. Contact o.slieptsov@saa-alliance.com to exercise these rights.

10.4 Exercising Your Rights

To exercise any of the above rights, submit a verifiable request to: o.slieptsov@saa-alliance.com. We will verify your identity and respond within: 30 days (GDPR), 45 days (CCPA / CPRA), or as specified by applicable law. Complex requests may be extended by an additional period with notice.

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law:

• Account Data: For the duration of your account plus 90 days after closure (to enable reactivation).
• Transaction & Billing Data: 7 years from the date of the transaction (US tax and accounting requirements).
• Analytical Results & Reports: 12 months (unless you request earlier deletion).
• Server Logs & Access Data: 90 days (security and debugging purposes).
• Communication Records: 3 years from last interaction (for customer-support continuity).
• Marketing Consent Records: For the duration of consent plus 3 years (to demonstrate compliance).
• Legal & Regulatory Records: As required by applicable law, regulation, or legal proceeding.

Upon expiration of the retention period, personal data is securely deleted or anonymized using industry-standard methods. Anonymized data may be retained indefinitely for statistical and research purposes.

Our Services employ AI and machine-learning technologies for risk analysis, report generation, and verdict synthesis (ARIN Platform, ARIN22 deterministic kernel). Important disclosures:

• AI-generated outputs (risk scores, BUY / SELL / HOLD / AVOID verdicts) are analytical tools, not investment, legal, or tax advice. SAA Alliance platforms provide research and analytics; they do not constitute individualized investment, legal, or tax advice. Past performance does not guarantee future results.
• No automated decisions are made that produce legal effects or similarly significant effects on individuals without human oversight.
• NVIDIA NIM API processes analytical queries under enterprise terms — user data is not used for third-party model training.
• NeMo Guardrails enforce safety, factuality, and regulatory-language compliance on every agent output before consensus aggregation.
• A full cryptographic audit trail is maintained for every AI verdict, enabling regulatory review and explainability under EU AI Act requirements.
• You have the right to request human review of AI-generated analytical outputs that materially affect you.

Our Services are designed for professional and institutional use and are not directed at individuals under the age of 18 (or the digital consent age in your jurisdiction, whichever is higher). We do not knowingly collect personal data from minors. If we become aware that personal data of a minor has been collected, we will take prompt steps to delete such data and terminate the associated account.

Our Services may contain links to third-party websites, applications, and services including NVIDIA, Google, GitHub, LinkedIn, SSRN, and financial-data providers. We are not responsible for the privacy practices, content, or security of these third-party services. We recommend reviewing the privacy policies of any third-party services you access through our platform.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. We will notify you of material changes by:

• Posting the updated policy on saa-alliance.com/privacy-policy/.
• Updating the “Last Updated” date at the top of this document.
• Sending email notification for material changes affecting your rights (where we have your contact information).
• Displaying a prominent notice on our platforms for 30 days after significant changes.

Your continued use of the Services after publication of the updated Policy constitutes acceptance. If you disagree with the changes, you must discontinue use and may request deletion of your account data.

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law principles. For EEA / UK residents, this is without prejudice to your mandatory consumer-protection rights under your local law. Disputes shall be resolved through binding arbitration in Wilmington, Delaware under the AAA Commercial Arbitration Rules, except where prohibited by applicable consumer-protection legislation.