Your data, on AluSmart.
This policy explains what we collect, why we collect it, and the controls you have. It applies to every part of AluSmart — the marketplace, RFQ flow, market-price feed, chats, payments, and admin tools.
1. Information we collect
- Account profile — name, email, mobile, company, role, city, state, country, and (optional) GSTIN. You enter this on signup or in Profile.
- Marketplace activity — products you list, RFQs you send or receive, quotes, enquiries, supplier ratings, and chats.
- Payments — invoice number, amount, currency, payment status, the payment provider's order/payment ID, and a copy of the gateway response. We never see or store your card / UPI details — those go directly to Razorpay or Stripe.
- Usage signals — last login time, last seen time (used for the "online" dot in chat), AI recommendation views (used to enforce daily plan caps), and product view counts.
- Preferences — display currency, language, timezone, notification toggles, marketing-email opt-in.
2. How we use this information
- To operate the marketplace — show products, route RFQs to the right sellers, deliver chat messages, and process payments.
- To enforce your subscription plan limits (RFQs / products / alerts / AI insights per period).
- To send transactional notifications when you ask for them (price alerts, RFQ updates, payment receipts).
- To compute reports and analytics for your own use (purchase history, savings, supplier performance).
- To compare a product against current market prices (LME) so you can make better buying decisions.
- To prevent abuse — e.g. one rating per buyer per supplier, debounced refresh, AI-cap audit log.
We do not sell your personal information to third parties.
3. Supplier name visibility
If you list products as a seller, your name and company are hidden by default — buyers see "Verified seller" across the marketplace, RFQs, and chats. The AluSmart admin team enables name visibility on a per-account basis after a manual verification step. You can request a status change at any time via the contact details below.
4. Live market data
Spot metal prices come from MetalpriceAPI and FX rates from ExchangeRate-API. Both APIs receive only the request itself — no personal data of yours is transmitted. Every fetch is stored as a row in our market_prices table so historical charts and reports work without further external calls.
5. Payments & subscriptions
Subscription checkouts redirect to Razorpay (default) or Stripe. Your card/UPI/bank details are entered on the provider's hosted page and never reach AluSmart servers. We record the outcome — paid / failed / refunded — plus the provider's transaction ID and a copy of the webhook payload for accounting.
Refund requests are handled per the gateway's policy. New users start on the Free plan automatically — no payment information is required to use AluSmart at the Free tier.
6. Email & in-app messages
- Transactional emails — signup verification, password reset, alert triggers, payment receipts. These are sent only when you trigger them or when an alert you configured fires.
- In-app notifications — controlled by Settings → Notifications. Toggling off stops the corresponding channel. Each alert can also override the global setting per channel.
- Marketing emails — opt-in only. Disabled by default.
7. AI recommendations
The "AI Recommendation" feature on each product page is a transparent rule-based scoring engine. It uses your product price, the live LME benchmark, recent trend data, and other seller listings in the same category to compute a BUY / HOLD / WAIT decision and a confidence score. We do not currently call any external AI/LLM service for this — every signal is visible to you in the breakdown table.
Each view is logged (date + product) so we can enforce the daily quota on the Free plan; the log is not used for any other purpose and is purged after 90 days.
9. Security
- Passwords are hashed with bcrypt (work factor 12) — we never store plaintext passwords.
- Sessions are HTTP-only; the secure flag is enabled in production so the cookie only travels over HTTPS.
- Password-reset tokens are cryptographically random, single-use, and expire after 1 hour.
- Forgot-password responses are deliberately uniform so attackers can't enumerate which emails are registered.
- Admin functions are gated behind account_type = 'admin' and re-checked on every request.
10. Your rights
You can:
- View and edit your profile fields at any time from Profile.
- Update your display currency, language, timezone, and notification preferences from Settings.
- Delete your own product listings and cancel any subscription from Billing.
- Request full account deletion or a data export by emailing the address below — we'll act on the request within 30 days.
- Object to processing for any purpose listed above; we'll stop unless a legal obligation requires us to continue.
11. Data retention
- Account data — for as long as your account exists, plus 6 months after deletion for legal / accounting compliance.
- Payment records — minimum 7 years (Indian accounting standard).
- Chat messages — kept while the conversation exists; deleted when both parties remove it.
- AI recommendation views — 90 days, rolling.
- Email + heartbeat logs — 30 days, rolling.
12. Changes to this policy
If we change anything material we'll surface a notice inside the app and email anyone with notifications enabled. Continuing to use AluSmart after a change means you accept the updated policy.
13. Contact us
Questions, data requests, or anything else: privacy@alusmartpro.com · billing@alusmartpro.com for payment issues.