Last updated: 23 May 2026
gAInXalpha (operated from 19 Queen Elizabeth Street, London, Southwark, SE1 2LP, United Kingdom) engages a limited set of third-party processors to operate the Service. Each processor acts on our documented instructions under a written agreement that includes the obligations required by Article 28 of the UK GDPR and the EU GDPR, including confidentiality, security, sub-processor controls, assistance with data-subject requests, breach notification, and deletion or return of personal data on termination. Copies of the relevant Data Processing Agreement (DPA) are available on request to support@gainxalpha.com.
Current sub-processors
| Processor | Role | Location | Data category | Transfer mechanism |
|---|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing and subscription billing | Ireland (EU) | Billing reference, payment-method token, last-4 digits, billing country — full card data never leaves Stripe’s PCI-DSS environment | N/A (intra-EU) |
| OpenAI, L.L.C. | Large language models used to generate article text, news summaries, and AI agent commentary | United States | Article prompts assembled from public market data and licensed news only — no account data, watchlists, or support messages are sent to OpenAI | EU Standard Contractual Clauses (2021/914) plus a Transfer Impact Assessment |
| Amazon Web Services EMEA SARL (Bitnami WordPress AMI) | Application and database hosting | Germany — AWS region eu-central-1 (Frankfurt) | All Service data, including account records, subscription state, content, and operational logs | N/A (data hosted in the EU) |
| Pro Software Ltd (AuthSMTP / securemail.pro) | Transactional email relay for subscription, account, and support emails | United Kingdom | Recipient email address, sender header, and the body of each transactional message | N/A (UK adequacy decision) |
| Google LLC (Site Kit + Google Analytics 4) | Aggregate site-usage analytics; only loaded after explicit cookie consent | United States (with EU front-ends) | Pseudonymised usage events: page views, referrer, device class, approximate city derived from IP. No content of forms or messages. | EU Standard Contractual Clauses (2021/914) plus Google’s additional safeguards under the EU-US Data Privacy Framework |
| WebToffee (Cookie Law Info plugin, self-hosted) | Consent management and cookie preference centre | Self-hosted on our AWS eu-central-1 instance | Consent record (categories accepted, timestamp, hashed IP) | N/A (self-hosted) |
How we vet a new sub-processor
Before engaging any new sub-processor, we review its security posture, the categories of personal data it would receive, its own sub-processors, and the legal basis for any transfer outside the UK or EEA. We require a written Data Processing Addendum containing the Article 28 obligations and the latest Standard Contractual Clauses where applicable.
Changes to this list
We will update this page when a sub-processor is added, removed, or replaced. Material changes — meaning the addition of a new processor that receives personal data in a new jurisdiction, or a change of role for an existing processor — are announced to active subscribers by email at least fourteen (14) days before they take effect. If you object to a material change, you may cancel your subscription within those fourteen days, and we will refund any unused portion of the current billing period on a pro-rata basis.
Requesting a Data Processing Agreement
Business or institutional subscribers, and any data subject acting through a controller, may request a copy of our Data Processing Agreement or of an underlying sub-processor agreement by emailing support@gainxalpha.com with the subject line “DPA request”. We aim to respond within ten (10) business days.
Contact
Questions about sub-processors, transfers, or our DPA programme: support@gainxalpha.com.