Our policies, plainly stated.

Security concerns

security@a2b2.ai

OWN / Plaid discrepancies

Legal

A2B2 is not your financial institution and is not the source of truth for your holdings or transactions. Verify discrepancies with your institution directly.

Policy 03

Security Policy

Last updated: June 2026

These policies are published in English. In the event of any discrepancy between the English version and any translated version on this website, the English version prevails.

01 Scope & purpose

What this policy covers

We maintain a documented security policy to identify, limit, and monitor risks to the confidentiality, integrity, and availability of our systems, your data, and our partner integrations.

This policy applies to:

All A2B2 production systems and services
All staff, contractors, and third-party processors with access to our systems or data
All data processed on your behalf, including financial data retrieved via third-party financial connectivity integrations
Third-party integrations and sub-processors

02 Infrastructure

How we're built

Cloud provider: AWS us-east-1 (sole production cloud provider).

Architecture: Web / mobile clients → Edge WAF / CDN → API Gateway (Nginx) → BFF services (FastAPI, modular: auth / research / scour / connect / own / plaid / admin) → Data layer (PostgreSQL + Redis + pgvector).

Environment separation: Development / Sandbox (CI/dev), QA / Demo, and Production are maintained as separate environments with separate credentials and access controls. No production data in lower environments.

Secrets management: AWS KMS + AWS Secrets Manager with DEK/KEK structure and controlled key rotation.

03 Encryption

How we protect your data

Layer	Standard
Data in transit	TLS 1.2+ - all client↔server and server↔third-party service communications
Data at rest	AES-256-GCM - all persistent storage including Plaid access tokens
Third-party access tokens	Encrypted with AES-256-GCM before storage; decrypted in-memory per API call only; never transmitted to client or logged
Financial documents	Private storage with bucket-level encryption keys and temporary access links; not accessible via public URLs
Key management	AWS KMS with DEK/KEK structure; rotation schedule and break-glass procedure documented

04 Access control

Who can see what

Internal authentication: Google Workspace SSO with MFA enforced for all staff
API authentication: JWT-based; middleware stack enforces host allowlisting, HTTPS redirect, strict CORS, request ID tagging, and Redis sliding-window rate limiting
Least privilege: Applied across all system roles; production access limited to minimum necessary personnel
Third-party token access: Restricted to the relevant BFF service layer only; token decryption path is isolated from all other services
Audit logging: All administrative actions are recorded in an immutable audit log and reviewed quarterly
Access reviews: Quarterly review of all production access rights

Your data stays yours. Queries, uploaded documents, and portfolio positions you share with A2B2 are never visible to other users, advertisers, brokers, financial institutions, or A2B2 staff without your explicit consent.

05 Network security

How we secure the perimeter

Edge WAF: In place at all ingress points; filters malicious traffic before it reaches application services
Rate limiting: Redis-based sliding window at API gateway; per-IP and per-account throttling
CORS: Strict origin allowlisting enforced at all API endpoints
VPC segmentation: Production services isolated within VPC with defined security groups; database layer not publicly accessible
DDoS protection: AWS Shield via CloudFront at edge

06 Application security

How we secure the code

Activity	Tool / standard
SAST (static analysis)	Snyk - integrated in CI/CD pipeline; runs on every commit and pull request
Dependency / SCA scanning	Snyk - automated alerts on new CVEs in dependencies
Penetration testing	External penetration test planned for Q3 2026, post-launch; annual cadence thereafter or after any material infrastructure change. Vendor to be confirmed. Internal testing completed.
Webhook security (Plaid)	Plaid webhook signature verification via Plaid-Verification JWT header; unverified payloads rejected
Code review	All production changes require peer review before merge

Vulnerability remediation SLAs: Critical - 24 hours; High - 7 days; Medium - 30 days.

No background data mining: A2B2 never uses your data to train AI models without explicit opt-in consent, and never mines interaction data for advertising.

07 Logging & monitoring

How we watch for problems

Observability platform: Datadog (logging, metrics, alerting)
Log retention: 90 days (all service and access logs); automated purge after 90 days
Request tracing: Correlation IDs on all requests; structured logging throughout
PII / token redaction: Plaid tokens and financial credentials are excluded from all log output
Audit trail: Immutable audit log of all administrative and privileged access actions
Alerting: Automated alerts on anomalous access patterns, error rate spikes, and security events

08 Vendor security

How we vet third parties

Critical vendors are assessed at onboarding and annually. All sub-processors must meet equivalent encryption and access control standards, and provide prompt breach notification.

Vendor	Role	Assessment
Plaid Inc.	Investment data connectivity (OWN)	DPA in place; Plaid security review process; OAuth-only access (no credential storage)
AWS	Cloud hosting (us-east-1)	SOC 2 Type II; ISO 27001; AWS DPA
Datadog	Observability and logging	DPA in place; PII redaction confirmed; security assessment completed
Western LLM providers (OpenAI, Anthropic/Claude, Google/Gemini)	AI model inference	DPAs in place; training prohibition confirmed; ZDR where provider amendments confirm it - see vendor register
Chinese LLM providers (DeepSeek, Qwen, Kimi)	Non-personal AI tasks only (pending legal clearance)	Not cleared for processing personal or financial data. Subject to additional cross-border transfer and legal assessment before production use.

09 Incident response

What happens when something goes wrong

We maintain a documented incident response runbook covering detection, containment, third-party access token revocation, user notification, and partner notification.

Account security event notifications

We'll notify you promptly if we detect: a login from an unrecognised device or location; a password change you didn't initiate; MFA setting changes you didn't make; or unusual session activity that triggers security flags.

Account takeover response

If we detect a suspected compromise, we will terminate active sessions immediately, lock the account temporarily, and guide you through identity verification to restore access. Your OWN data connection will be suspended pending investigation. Contact security@a2b2.ai immediately if you believe your account has been accessed without your permission.

MFA guidance: MFA (via authenticator app or SMS) is strongly recommended for all accounts and required for all A2B2 staff. For accounts with active OWN portfolio connections, enabling MFA is strongly advised to protect financial data access. MFA setup is available at Account Settings → Security.

Breach notification

If we become aware of a security breach affecting your personal data:

Regulators: Notified within 72 hours - HK Privacy Commissioner (PCPD); applicable US state breach notification authorities
Affected users: Notified without undue delay where there is high risk to your rights and interests, including what happened, what data was affected, steps taken, and how to contact us or freeze your account

Your security responsibilities

Use a strong, unique password; enable two-factor authentication; never share credentials; log out on shared or public devices; report suspicious activity immediately to security@a2b2.ai.

10 Responsible disclosure

Found a vulnerability?

If you find a vulnerability, email security@a2b2.ai with a description, reproduction steps, and potential impact.

Email security@a2b2.ai. You'll receive an acknowledgement, and the team will keep you updated through the investigation. A2B2 operates under responsible disclosure principles - genuine security research is welcomed.

Please: Do not access or modify user data while investigating. Do not conduct denial-of-service testing. Allow us reasonable time to remediate before public disclosure. We do not operate a paid bug bounty programme at this time.

11 Regulatory compliance

The frameworks we operate under

We operate under the Publisher's Exclusion of the US Investment Advisers Act of 1940 and Hong Kong's Broadcaster/Journalist exemption under SFO Schedule 5. The platform provides intelligence, not regulated financial advice.

We honour data privacy rights under GDPR (where applicable), CCPA/CPRA (California), PDPO (Hong Kong), and other applicable US state privacy laws. To exercise your rights, contact privacy@a2b2.ai.

SOC 2 Type II audit: Currently underway, covering privacy, security, availability, and confidentiality. Final reports are available to enterprise clients under NDA on completion.

12 Roles & responsibilities

Who owns what

Role	Responsibility
COO	Policy owner; annual review sign-off; risk treatment decisions
CTO / Engineering Lead	Technical implementation; control design; security architecture; incident response lead
Engineering team	Operational adherence; vulnerability remediation; audit log architecture
All staff	Mandatory MFA; compliance with access control procedures; incident reporting

We review this policy annually and whenever there is a material change to the platform, infrastructure, regulatory environment, or partner requirements.

Security Assurance & Audit

Last updated: June 2026

Completed

Internal pen test

Conducted pre-launch; findings reviewed and remediated

Live

Snyk CI/CD scanning

SAST and SCA on every commit and pull request

Planned H2 2026

External pen test + SOC 2 Type I

Vendor selection in progress; ISO 27001 scoping to follow

01 Purpose

What this policy covers

A2B2 (operated by Equora AI Limited, registered in Hong Kong SAR, company number 80313661, and Equora AI and Technologies Inc., registered in Delaware, USA, company number 10608583) operates a layered security assurance programme to gain confidence that its security controls are effective, proportionate, and maturing over time. As a pre-launch platform (June 2026), the programme is sequenced to deliver foundational assurance at launch and independent third-party certification post-launch.

This policy describes the assurance activities, their current status, and what evidence is available to enterprise partners, cyber insurers, and regulatory bodies.

02 Continuous automated scanning

Automated security on every commit

Activity	Detail
Tool	Snyk - integrated in CI/CD pipeline
Coverage	SAST (static application security testing) and SCA (software composition analysis / dependency scanning)
Frequency	Every commit and pull request; blocking thresholds on critical and high severity findings
Output	Automated alerts; engineering team responsible for remediation within SLA
Remediation SLAs	Critical: 24 hours - High: 7 days - Medium: 30 days

03 Penetration testing

Testing against real attack scenarios

Type	Status	Detail
Internal penetration test	Completed	Conducted by internal security-competent team prior to launch; findings reviewed and remediated
External penetration test	Planned Q3 2026	Annual cadence thereafter, or after any material infrastructure change. Vendor selection in progress.
Scope	Full application stack	Includes API layer, authentication flows, financial connectivity integrations, data storage, and access controls
Remediation	Per IS Policy SLAs	Critical: 24 hours - High: 7 days

Enterprise clients may request the internal penetration test executive summary under NDA. The external test report will be available to enterprise clients under NDA on completion (H2 2026 target).

04 Internal security reviews

Architecture reviews and change management

Architecture reviews conducted on all material changes to data flows, third-party integrations, and infrastructure
Financial connectivity integrations reviewed specifically: token lifecycle, data minimisation (BFF normalisation layer), webhook signature verification
Review outputs documented and tracked against remediation
Cadence: event-driven on material change, plus quarterly structured review

05 Certifications roadmap

Third-party certification programme

Framework	Current status	Target
SOC 2 Type I	Planned post-launch	H2 2026 (indicative)
SOC 2 Type II	Planned - follows Type I	2027 (indicative)
ISO 27001	Candidate framework - scoping underway	To be confirmed
ISO 27701 (privacy extension)	Candidate framework - under evaluation	To be confirmed

As a pre-launch fintech, external certifications are on the roadmap rather than in-hand. The current programme provides foundational assurance during the launch period. Enterprise clients requiring SOC 2 reports may sign up to receive them automatically on completion.

06 Vulnerability management

How vulnerabilities are found and fixed

Snyk provides continuous scanning of A2B2 code and all dependencies
New CVEs: triaged on detection; Critical and High actioned within SLA
DAST: external assessment planned as part of the Q3 2026 pen test engagement
Security advisories from key vendors (AWS, Plaid, Datadog) monitored continuously
Responsible disclosure: security researchers may report vulnerabilities to security@a2b2.ai. We acknowledge within two business days and operate under responsible disclosure principles

07 Evidence for partners

What we can share on request

On request and subject to NDA, A2B2 can provide:

Evidence item	Availability
Snyk scan summary (findings and remediation status)	Available on request
Internal penetration test executive summary	Available under NDA
Architecture overview and data flow diagram	Available under NDA
Policy pack (this document and linked policies)	Available publicly at a2b2.ai/policies
External penetration test report	Available under NDA post-completion (H2 2026 target)
SOC 2 report	Available under NDA post-audit (2027 target)

Security questionnaire requests and evidence packs: security@a2b2.ai

08 Assurance roadmap

What we've done and what's next

Milestone	Activity	Status
Pre-launch	Internal penetration test	Completed
Pre-launch	Snyk SAST and SCA in CI/CD pipeline	Completed
Pre-launch	Internal security architecture reviews	Completed
Post-launch Q3 2026	External penetration test	Planned
Post-launch H2 2026	SOC 2 Type I readiness assessment	Planned
2027	SOC 2 Type I audit	Roadmap
2027	ISO 27001 scoping and gap assessment	Roadmap

09 Roles

Who owns what

Role	Responsibility
COO	Programme owner; partner evidence sign-off; annual policy review
CTO / Engineering Lead	Technical assurance activities; penetration test oversight; architecture reviews
Engineering team	Remediation within SLAs; Snyk findings triage

This policy is reviewed annually and on material change to the platform or partner requirements. Related policies: Security Policy - Risk Assessment Process Policy.

Policy 05

Risk Assessment Process

Last updated: June 2026

01 Purpose & scope

Why we assess risk formally

A2B2 (operated by Equora AI Limited, registered in Hong Kong SAR, company number 80313661, and Equora AI and Technologies Inc., registered in Delaware, USA, company number 10608583) maintains a defined and documented process for performing information security risk assessments. The process is structured to identify, evaluate, and treat risks to A2B2 systems, user data, and partner integrations in a repeatable manner consistent with ISO 27001 principles.

This process applies to:

All A2B2 production systems and services
New product features and third-party integrations on onboarding
All sub-processors: Plaid, AWS, Datadog, AI model providers
Material changes to infrastructure, data flows, or regulatory requirements
Post-incident and near-miss reviews

02 When assessments run

Trigger events for risk assessment

Trigger	Frequency / condition
Baseline review	Annual
New third-party integration	At onboarding (financial data connectivity providers, cloud services, AI providers)
Material product change	New data type, feature category, or module
Material infrastructure change	New cloud service, new region, new vendor
New or revised regulatory requirement	On identification
Post-incident or near-miss	Within 5 business days of incident closure

03 Methodology

How risks are assessed

A2B2 uses a qualitative risk assessment framework based on likelihood × impact scoring.

Step	Activity
1. Identify	Enumerate assets, data flows, threat vectors, and control gaps in scope
2. Assess	Rate each risk: Likelihood (1-5) × Impact (1-5) = Risk Score (1-25)
3. Treat	For each risk: Accept / Mitigate / Transfer / Avoid - with documented rationale
4. Document	Record in risk register with owner, treatment decision, and target date
5. Monitor	Track residual risk and control effectiveness over time
6. Review	Quarterly risk register review; formal annual refresh

04 Risk scoring scale

How scores map to required action

20-25

Critical

Immediate escalation to COO/CTO. Treatment plan within 24 hours.

12-19

High

Treatment plan within 7 days.

6-11

Medium

Treatment plan within 30 days.

1-5

Low

Accept with documented rationale, or schedule for next review.

05 Risk register

Maintaining the live register

A2B2 maintains a live risk register. Each entry contains:

Risk ID and description
Asset or system affected
Likelihood score, impact score, risk score (1-25)
Risk owner (named individual)
Treatment decision and controls applied or planned
Residual risk score post-treatment
Target completion date and review date

The risk register is reviewed quarterly by the COO and CTO and serves as the primary input to the annual ISO 27001 Statement of Applicability review.

The risk register is an internal document. An extract relevant to a specific enterprise client integration can be provided under NDA on request at security@a2b2.ai.

06 Vendor risk

Third-party and sub-processor assessment

Critical vendors are assessed at onboarding and reviewed annually:

Vendor	Assessment activities
Plaid Inc.	Security documentation review; DPA review; incident notification obligations confirmed; token lifecycle and data minimisation verified
AWS (us-east-1)	SOC 2 / ISO 27001 report review; AWS DPA; shared responsibility model documented
Datadog	Security documentation review; DPA; PII handling and data residency confirmed; log redaction verified
Western LLM providers (OpenAI, Anthropic/Claude, Google/Gemini)	DPA review confirming training prohibition; retention window documented; subprocessor arrangements and breach notification obligations reviewed; ZDR status confirmed in vendor register; annual re-assessment
Chinese LLM providers (DeepSeek, Qwen, Kimi) - restricted	Additional legal clearance required before use with personal or financial data. Restricted to non-personal contexts. Cross-border transfer and data sovereignty require separate legal assessment.

Vendor security bulletins and advisory notifications are monitored continuously as part of the quarterly risk register review.

07 Process outputs

What the process produces

Updated risk register with current scores and owner assignments
Treatment plans with named owners and target completion dates
Input to annual security policy review cycle
Evidence pack for partner due diligence and ISO 27001 audit purposes

08 Roles

Who owns what

Role	Responsibility
COO	Process owner; approves risk treatment decisions; signs off annual review
CTO / Engineering Lead	Technical risk identification; control design and implementation; vendor assessment
Engineering team	Control implementation; remediation within defined SLAs

Policy 06

Data Retention & Deletion

Last updated: June 2026

The key commitments: Financial connectivity data is purged within 90 days of disconnect. AI query data is deleted after 12 months. You can request full account deletion at any time. We retain only what is legally necessary or operationally required.

01 Purpose & scope

Why this policy exists

A2B2 (operated by Equora AI Limited, registered in Hong Kong SAR, company number 80313661, and Equora AI and Technologies Inc., registered in Delaware, USA, company number 10608583) maintains this policy to comply with applicable US data privacy laws - primarily CCPA/CPRA and relevant state laws - and to reflect data minimisation principles: retain only what is necessary, for only as long as necessary.

This policy applies to all personal and operational data processed by A2B2, including:

User account and identity data
Financial connectivity data (OWN module, via Plaid)
AI interaction and query data (RESEARCH module)
Technical and system logs
Expert-published content (CONNECT module)
Compliance and legal records

For Hong Kong users, applicable PDPO retention obligations are described in the Privacy Policy.

02 Account & identity data

Account data retention

Data type	Retention period	Legal basis	Deletion method
Account identity (name, email, device ID)	Account duration + 5 years post-closure	CPRA audit evidence; legal obligation	Secure deletion
Professional credentials (verified professional and CIO tiers)	Account duration + 5 years post-closure	CPRA; legal obligation	Secure deletion
Marketing preferences and consent records	Account duration + 5 years	CPRA; legal obligation	Secure deletion
Account closure records	5 years from closure date	CPRA; legal obligation	Secure deletion
Support and complaint correspondence	5 years	Legitimate interest; legal obligation	Secure deletion
CPRA privacy rights request records	5 years from request date	CPRA compliance evidence	Secure deletion

03 Financial data (OWN module)

Portfolio data retention

On disconnect: When you disconnect a financial account, the Plaid access token is revoked immediately and all derived holdings, transactions, and tokens are purged within 90 days - from primary databases, Redis cache, and backup systems.

Data type	Retention period	Trigger	Deletion method
Financial connectivity access_token (AES-256-GCM encrypted)	Until user-initiated disconnect	Revocation via Plaid API on disconnect	Immediate on disconnect initiation
Financial connectivity item_id	Until user-initiated disconnect	User revocation	Secure deletion from database
Derived holdings and transactions (normalised HoldingDTOs)	Account duration, or 90 days post-disconnect - whichever is earlier	User-initiated disconnect or account closure	Secure deletion
Raw financial connectivity API payloads	Not retained	N/A - not persisted by design	N/A
Financial connectivity access logs	90 days	Automated	Automated purge via Datadog retention policy
Financial data in backups	90 days from disconnect	Backup rotation cycle	Backup purge cycle

04 AI & interaction data

Query and output retention

Data type	Retention period	Legal basis	Deletion method
AI interaction data (queries and outputs, RESEARCH module)	12 months from interaction date	Legitimate interest	Secure deletion
Documents uploaded for RESEARCH interrogation	90 days post-query	Contract performance	Secure deletion
Compliance check logs (pre-publication output screening)	3 years minimum	Legal obligation	Secure deletion

To request early deletion of AI interaction data, email privacy@a2b2.ai or use Account Settings → Privacy.

05 Technical & operational logs

System logs retention

Data type	Retention period	Legal basis	Deletion method
System and application access logs	90 days	Legitimate interest	Automated purge
Financial connectivity access logs	90 days	Legitimate interest	Automated purge via Datadog
Security and audit event logs	12 months minimum	Legitimate interest; legal obligation	Secure deletion
Error logs (Datadog)	90 days	Legitimate interest	Automated purge via Datadog policy

06 Expert content (CONNECT)

Published content retention

Data type	Retention period	Legal basis	Deletion method
Expert-published content and Consensus Cards	Account duration + 3 years post-closure	Legitimate interest	Secure deletion or anonymisation

07 Deletion standards

How data is deleted

Standard	Application
Secure deletion	Cryptographic erasure or data overwrite applied to all personal and financial data at end of retention period
Backup purge	Retained data is purged from backups within the same retention window as primary storage. Backup rotation is configured to enforce this automatically
Automated purge	Implemented via scheduled jobs for log and short-retention data categories. Purge job execution is monitored and failures are alerted
Cache purge	Redis cache entries for Plaid-derived data are cleared immediately on user disconnect

08 Your deletion rights

How to request deletion

Request type	How to submit	Timeline
OWN financial data only	Account Settings → OWN → Disconnect	Access token revoked immediately; data purged within 90 days
Full account deletion	Account Settings → Delete Account	All data purged per schedule above, subject to legal retention obligations
Specific data category deletion	Email privacy@a2b2.ai with your account email and what you wish deleted	Response within 45 days (extendable by 45 days for complex requests)
AI interaction data (early deletion)	Account Settings → Privacy, or email privacy@a2b2.ai	Within 30 days of request

Authorised agents (California): Deletion requests are accepted via authorised agent with written authorisation. Identity is verified directly with you before fulfilling the request.

Deletion requests do not affect data we are legally required to retain - for example, records needed for tax, AML, or active legal proceedings.

09 Exemptions

When retention is extended

Data may be retained beyond the standard retention periods where:

Required by applicable law (tax, AML, regulatory investigation, or court order)
Subject to an active litigation hold
Needed to resolve an ongoing regulatory complaint or dispute

All exemptions are documented on a case-by-case basis with a named owner and review date. Extended retention is the exception, not the rule.

10 US law compliance

Laws this policy addresses

Law	Key obligation met
CCPA/CPRA (California)	Data minimisation; deletion on request; SPI limitations; 5-year audit evidence retention; CPRA rights request records
Colorado CPA	Deletion right; appeal process within 45 days
Connecticut CTDPA	Deletion right; correction right; appeal process
Virginia VCDPA	Deletion right; correction right; appeal process
Utah UCPA	Deletion right; opt-out of data sale (not applicable - A2B2 does not sell data)
COPPA	No data collected from under-13s; immediate deletion if detected

This policy is reviewed annually and whenever there is a material change to applicable law, data infrastructure, or platform scope. Related policies: Privacy Policy - Security Policy.

11 Contact

Reach us

Privacy & deletion requests

Security

security@a2b2.ai

Legal

Policy 07

AI Transparency & Data Use

Last updated: June 2026

The core commitment: A2B2 never uses your queries or portfolio data to train AI models. AI outputs are informational only - nothing constitutes investment advice. Every output passes through a pre-delivery compliance check before you see it.

01 About this notice

What this notice covers

This document combines A2B2's AI Transparency Notice and AI Data Use Policy. It explains how AI is used on the platform, which AI systems process your data, the known limitations of those systems, and your rights in relation to AI-generated outputs.

This notice applies to all A2B2 tiers and both launch markets (US and Hong Kong). It should be read alongside the Privacy Policy and Terms of Use.

For questions about how credits work with AI features, see FAQ - Credits.

02 How our AI works

The two-step interrogation

A2B2 uses a structured two-step interrogation approach that distinguishes it from a single-model AI assistant:

Step 1: Examine what you bring

When you submit a query, document, or content to the platform, A2B2 first interrogates the input itself - assessing source credibility, logical soundness, analytical completeness, and internal consistency. This step surfaces weaknesses or gaps in the information before any model response is generated.

Step 2: Examine the models

A2B2 then routes your query to multiple frontier AI models simultaneously and cross-examines their responses. Where models converge, that consensus is highlighted. Where they diverge, the divergence is surfaced transparently - you see both the agreement and the disagreement, not a blended answer that conceals uncertainty.

You decide. A2B2 delivers a validated synthesis of multiple model responses. It does not form a proprietary investment view. The language frame is always that of an aggregator: "sources suggest," "consensus across models indicates," "views are divided." If an output looks like a personal recommendation, use the Flag button immediately.

03 AI systems in use

Where AI operates on the platform

Pillar	AI role	Notes
RESEARCH	Multi-model ensemble - simultaneous querying of multiple frontier LLMs; consensus and divergence surfaced	Core intelligence engine. Credits consumed per research session. See FAQ - Credits for detail.
CONNECT	AI-assisted interview structure for expert content; compliance pre-check on expert submissions before publication	AI assists structuring; human expert provides views. Content is from verified contributors.
OWN	Portfolio visualisation with AI analysis layer - pattern identification and contextualisation across holdings	Analysis is informational only. No buy/sell recommendations generated. Read-only aggregation.
Platform-wide	Pre-delivery compliance check on all AI outputs before display	Automated filter. Outputs flagged as potentially constituting investment recommendations are suppressed pending human review.

04 What AI can and cannot do

Capabilities & hard limits

AI can	AI cannot and will not
Synthesise and summarise publicly available information and research	Provide personalised investment advice or recommendations
Cross-examine multiple model perspectives and surface consensus or divergence	Assess your personal financial situation, risk tolerance, or suitability
Pressure-test arguments, identify logical gaps, and assess source credibility	Execute trades, move funds, or instruct any financial institution
Structure and contextualise your portfolio data for display purposes	Guarantee the accuracy or completeness of any output
Assist in organising research, comparing sources, and structuring analysis	Replace a licensed financial professional's advice

05 Known limitations

What AI gets wrong

Transparency about limitations is a core A2B2 principle. The following limitations apply to all AI systems on the platform:

Hallucination: AI models can generate plausible-sounding but incorrect information, including fabricated citations, statistics, or entity names. Always verify material facts independently.
Knowledge cutoffs: Frontier models have training data cutoffs. Recent events, regulatory changes, and market developments may not be reflected. Check in-app for the current knowledge date of each model.
Consensus bias: When multiple models agree, that consensus may reflect shared training data rather than objective truth. Agreement does not equal accuracy.
Jurisdiction gaps: AI models may have uneven coverage of non-US regulatory environments, including Hong Kong. Local legal and regulatory analysis should always be verified with a qualified local professional.
No real-time data by default: AI outputs are not connected to live market data unless explicitly stated in-app. Price-sensitive queries require independent verification with current sources.
Context window limits: Very long documents may be truncated or summarised with loss of nuance. For complex documents, review the AI's treatment of each section rather than only the final synthesis.

06 Human oversight

Where humans are in the loop

A2B2 maintains human oversight at multiple points in the AI pipeline:

Pre-delivery compliance check: All AI outputs pass through an automated compliance filter before reaching you. Outputs flagged as potentially constituting personalised investment recommendations are suppressed and escalated to human review before delivery or deletion.
Expert content review: All CONNECT content from verified contributors undergoes a human compliance review before publication, in addition to automated checks.
AI output complaint review: All complaints about AI outputs are escalated to human review as a matter of policy. See Complaints Policy for SLAs.
Model assessment: AI providers are assessed annually, and their data processing agreements are reviewed to confirm training-use prohibitions remain in place.

Requesting human review

If you receive an output that you believe is incorrect, harmful, or constitutes a recommendation, you can:

Use the [Flag this output] button within the platform to trigger immediate review
Email support@a2b2.ai with the output text, your query context, and why you believe it was wrong or harmful

07 AI models used

Which models power the platform

A2B2 uses multiple third-party frontier large language model (LLM) providers via API. The active model mix is shown in-app within the RESEARCH interface and may change as we evaluate performance, safety, and cost. The canonical sub-processor list as of publication is:

Group 1 - Cleared for personal and financial data processing:

Provider	Organisation	DPA in place	Data retention position
OpenAI (GPT series)	OpenAI Inc., USA	Yes	Training prohibition confirmed. ZDR configuration applied where supported by provider API - see vendor register.
Claude (Anthropic)	Anthropic PBC, USA	Yes	Training prohibition confirmed. ZDR configuration applied where supported by provider API - see vendor register.
Gemini	Google LLC, USA	Yes	Training prohibition confirmed. ZDR configuration applied where supported by provider API - see vendor register.

Group 2 - Non-personal, non-financial use only (pending legal clearance):

Provider	Organisation	DPA status	Use restriction
DeepSeek	DeepSeek, China	Under review	Not cleared for personal or financial data in production. Use restricted to non-personal contexts pending legal review and confirmation in the vendor register.
Qwen	Alibaba Cloud, China	Under review	Not cleared for personal or financial data in production. Use restricted to non-personal contexts pending legal review and confirmation in the vendor register.
Kimi	Moonshot AI, China	Under review	Not cleared for personal or financial data in production. Use restricted to non-personal contexts pending legal review and confirmation in the vendor register.

Vendor register: The AI Provider Vendor Register is the authoritative source of truth for each provider's DPA status, training prohibition, and ZDR configuration. It is maintained internally and updated as provider agreements change. Enterprise clients and qualified reviewers may request a copy under NDA at security@a2b2.ai.

Three-tier AI data position - we distinguish between three levels, and only represent what is confirmed for each provider:

Training prohibition - the provider is contractually prohibited from using your data to train or improve its general models. This is our baseline requirement for all production providers.
Limited provider retention - where permitted under the applicable DPA, a provider may retain prompts, outputs, or related metadata for a limited period for abuse monitoring, security, compliance, or operational purposes. This does not permit training use where a training prohibition applies.
True Zero Data Retention (ZDR) - data is deleted immediately after the AI response and is not retained by the provider at all. This requires a separate provider approval, enterprise configuration, or signed amendment - and is confirmed in the vendor register before we represent it publicly.

Pre-publication review requirement: Any user-facing statement that refers to "zero data retention", "immediate deletion", "no retention", or equivalent language must be reviewed against the current vendor register before publication. Until ZDR is separately signed, configured, and confirmed for a specific provider, we use training prohibition and limited provider retention language only.

AI providers must be assessed and approved before production use with real user data. The assessment covers: data processing terms, training-use position, data retention window, subprocessor arrangements, breach notification obligations, and cross-border transfer mechanisms. Providers with unresolved data sovereignty, retention, training-use, security, or regulatory risks must not be used for production processing of personal or financial data without written approval from legal counsel or a named risk owner.

Providers are re-assessed annually. The vendor register records, for each production provider: production status, DPA or equivalent agreement, training prohibition confirmation, applicable retention window, ZDR status, and next review date.

To request the current vendor register or a DPA summary, email security@a2b2.ai.

08 AI data use

How your data flows through AI

What we do not do

We do not use your queries, documents, or portfolio data to train any AI model - ours or third-party providers'
Approved providers operate under training prohibitions; any short-term provider retention for operational or security purposes does not permit training use
We do not share your interaction data with other users
We do not use financial data from OWN to generate targeted advertising

What we can and cannot say

What A2B2 states publicly about AI providers is determined by what is confirmed in the vendor register at the time of publication:

Before a DPA is signed: we do not make definitive statements that provider protections are contractually confirmed
After a DPA with training prohibition is signed: we may state that the provider is contractually prohibited from using customer data to train its models
After ZDR is separately signed and configured: we may additionally state that the provider does not retain data after the AI response is returned

Any change that introduces a new AI provider, alters routing or fallback logic, or involves a claim of ZDR as a security control triggers a review of this policy and the vendor register before the change goes live.

Optional platform improvement

With your explicit consent, anonymised and aggregated interaction data may be used to improve A2B2's own validation architecture - not for general model training. This is an opt-in setting. You can opt out at any time via Account Settings → Privacy → Data use preferences with no effect on service quality.

08b Monitoring architecture

How monitoring features use AI

Features such as portfolio event alerts, key-date monitoring, review-date tracking, and overnight intelligence cycles are designed so that third-party AI providers do not continuously hold or process your full financial data.

The architecture follows this pattern:

A2B2 stores structured monitoring data - portfolio snapshots, product review dates, maturity dates, watchlists, and user-authorised preferences - in A2B2's own database, not in a third-party AI system
A2B2's own rules layer monitors trigger conditions - checking for events, thresholds, and dates without involving an external AI model in ongoing background monitoring
A third-party AI provider is called only when a trigger fires - and only with the minimum context necessary to generate the user-facing explanation, alert, or next-step framing
Any AI call follows the vendor register - provider selection, DPA status, and retention position are governed by the vendor register at the point of the call

This means your financial data is not being continuously processed by or retained in third-party AI infrastructure. The AI is a generation layer called on demand - not a continuous data store.

For features under development, this architecture is the design target. If a specific feature requires a different model, it will be disclosed in the relevant feature documentation and reflected in an updated vendor register before launch.

Anonymisation process

Before any interaction data is used for platform improvement: (1) all direct identifiers are removed; (2) query text is assessed for indirect identifiers and generalised where necessary; (3) data is aggregated so individual patterns are not visible. Anonymised data is not re-identifiable.

Retention

AI interaction data (queries and outputs) is retained for 12 months from the date of interaction, then securely deleted. To request early deletion, contact privacy@a2b2.ai.

09 EU AI Act

Regulatory alignment

A2B2 launches in the US and Hong Kong at MVP. EU and UK launch is a future milestone, subject to a formal regulatory compliance gate. The EU AI Act and UK AI governance framework will be assessed as part of that gate before any launch in those markets.

In the interim, A2B2 applies the following EU AI Act principles as best practice, regardless of jurisdiction:

Transparency: Users are informed when they are interacting with AI-generated content
Human oversight: Meaningful human review is maintained at key points in the AI pipeline (see Section 6)
Accuracy and robustness: Known limitations are disclosed (see Section 5); outputs are cross-examined across multiple models to reduce single-model error
Non-discrimination: AI systems are not used to make decisions with significant legal effects on users without human review
No high-risk use cases at launch: A2B2 does not use AI for credit scoring, insurance underwriting, employment decisions, or any other category designated as high-risk under the EU AI Act

10 Reporting errors

Found a problem with an AI output?

AI output quality and safety is a priority. If you encounter an output that is incorrect, harmful, biased, or appears to constitute investment advice:

In-app: Use the [Flag this output] button on any AI-generated response. This triggers immediate human review.
By email: support@a2b2.ai - include the output text, the query you submitted, why you believe it was wrong or harmful, and its effect on you.

AI output complaints are a priority category - see our Complaints Policy for the full process and SLAs. Initial substantive response within 10 business days.

AI feedback

Privacy

Complaints

Policy 08

Financial Disclaimer & Data Sources

Last updated: June 2026

The single most important thing: Nothing on A2B2.ai constitutes investment advice, a recommendation to buy or sell any security, or personalised financial advice. A2B2 does not manage assets, execute transactions, or act as a registered investment adviser. Always consult a licensed financial professional before making investment decisions.

01 Not a financial adviser

A2B2 is a publisher

A2B2.ai is a hybrid intelligence and service platform operated by Equora AI Limited. We are not a registered investment adviser, broker-dealer, financial planner, or licensed financial institution in any jurisdiction.

US: Publisher's Exclusion

In the United States, A2B2 operates under the Publisher's Exclusion from the definition of "investment adviser" under the Investment Advisers Act of 1940, 15 U.S.C. § 80b-2(a)(11)(D). This exclusion applies to publishers of bona fide financial publications of general and regular circulation that provide general financial information rather than personalised investment advice.

A2B2 provides general financial intelligence and does not provide personalised investment advice, manage assets, or hold client funds.

Hong Kong: Broadcaster/Journalist Exemption

In Hong Kong, A2B2 operates under the broadcaster/journalist exemption in Schedule 5 of the Securities and Futures Ordinance (Cap. 571). This exemption applies to persons providing information or analysis of a general nature that does not constitute regulated investment advice.

A2B2 does not carry on a regulated activity as defined under the SFO. Nothing on the platform constitutes a solicitation, offer to buy or sell, or management of investments.

02 Intelligence, not advice

What we provide vs. what we don't

A2B2 provides	A2B2 does not provide
Multi-model AI synthesis of publicly available financial information and research	Personalised investment recommendations tailored to your circumstances
Aggregation and display of your portfolio data (read-only)	Portfolio management, rebalancing, or discretionary investment decisions
Intelligence published by verified professionals (CONNECT)	Endorsement of any view expressed by contributors
Comparison and contextualisation of market data and research	Real-time market data guaranteed to be current or complete
Tools to organise, structure, and pressure-test your own research	Suitability assessments or tax advice

Language frame

A2B2 operates in an aggregator frame. Our outputs are expressed as: "sources suggest," "consensus across models indicates," "market views are divided," "analysts note." This framing is intentional and material. If any output appears to constitute a personal recommendation, report it immediately using the [Flag this output] button.

03 No liability for investment decisions

Responsibility stays with you

A2B2 is not liable for any investment loss, missed gain, financial decision, or action taken in reliance on any content, output, data, or analysis provided by the platform.

By using A2B2, you acknowledge that:

You are making your own independent investment decisions
You will not rely solely on platform outputs for investment decisions without independent verification
You will consult a licensed financial professional where appropriate
You understand that AI outputs may be incorrect, incomplete, or outdated

For the full limitation of liability, see Section 10 of the Terms of Use.

04 Market data & past performance

Data quality & what past data tells you

Market data may be delayed. Unless explicitly labelled as real-time, market data displayed on A2B2 may be delayed by up to 15-20 minutes or longer, depending on the data provider and asset class. See the in-app data source labels for the delay applicable to each data point.

Past performance is not indicative of future results. Historical data, backtests, and past performance figures displayed on A2B2 are provided for informational context only. They do not predict or guarantee future performance of any security, fund, or market.

Verify before acting. Material information should be independently verified with primary sources - company filings, exchange data, regulatory disclosures - before being acted upon.

Professional advice. Consult a licensed financial adviser, accountant, or tax professional before making any investment, tax, or financial planning decision.

05 Jurisdiction notes

Where A2B2 operates

A2B2 is designed and tested for users in the United States and Hong Kong at MVP launch. These are the only jurisdictions where A2B2 has assessed regulatory requirements at this time.

Users in other jurisdictions: Access to A2B2 from jurisdictions outside the US and Hong Kong is at the user's own risk. A2B2 makes no representation that the platform is appropriate or compliant for use in other jurisdictions. Nothing on the platform is directed at or intended for users in the European Union, United Kingdom, or any other jurisdiction not listed above.

As A2B2 expands to additional markets, jurisdiction-specific disclaimers will be added to this page. UK and EU launch is subject to a formal regulatory compliance gate.

06 Data source & accuracy

Where our data comes from

A2B2 draws on multiple data sources across the platform. The table below summarises source categories and their general refresh approach. Current refresh cadences for live data are displayed in-app alongside each data point.

Source category	Description	Refresh
Market data vendors	Licensed third-party providers of equities, fixed income, FX, and fund data	See in-app for current cadences; may include delays
User portfolio data (OWN)	Data retrieved via Plaid from your connected financial institutions	On-demand retrieval; reflects institution's data at time of fetch
CONNECT content	Intelligence published by verified professional contributors	Published on contribution; human-reviewed before publication
RESEARCH outputs	AI-synthesised responses from multiple frontier models	Generated at query time; subject to model knowledge cutoffs
Public sources	Publicly available regulatory filings, news, company disclosures referenced by AI models	Subject to model training data cutoffs; may not reflect recent events

A2B2 does not guarantee the accuracy, completeness, or timeliness of any data on the platform. Market data is sourced from third-party vendors and may contain errors. AI outputs may contain factual inaccuracies. Always verify material data with primary sources.

07 Error reporting

Found an inaccuracy?

We take data quality seriously. If you identify an error in market data, an AI output, or any content on the platform:

In-app: Use the [Flag this output] or [Report an issue] button on any content or data point
By email: privacy@a2b2.ai - include the specific data point, expected value, and source

We investigate data quality reports and escalate to data providers where appropriate. We will acknowledge reports within 3 business days.

08 Third-party data terms

Restrictions on data use

Market data and other third-party data displayed on A2B2 is provided under licences that restrict how it may be used. By using the platform, you agree that you will not:

Redistribute or resell market data obtained via A2B2 to any third party
Use market data for automated trading systems or systematic strategies without obtaining appropriate licences directly from data providers
Scrape or harvest data from A2B2 for commercial purposes
Use data in ways that violate the terms of the underlying data licences

A2B2 is not liable for any breach of third-party data terms arising from a user's use of data beyond the scope of their subscription. For data licensing enquiries, contact legal@a2b2.ai.

Legal

Data quality

08 Expert network

CIO verification, compensation & conflicts

Verification. Before any expert publishes or responds to questions on CONNECT, we check professional credentials against applicable registries (including FINRA BrokerCheck, SEC IAPD, and the SFC Public Register), confirm institutional affiliation, and review for regulatory actions or material compliance events. Credentials are verified at onboarding; we may re-verify or remove expert status at any time.

Compensation. Experts are not paid by A2B2 for contributing content or responding to questions. Any arrangement involving compensation or material benefit from A2B2 to an expert will be disclosed on that expert's profile and on any content they publish.

Conflicts of interest. Experts must disclose financial interests in instruments they discuss, paid or commercial relationships with issuers or distributors, and affiliations that may represent a conflict. All CONNECT content passes A2B2's pre-publication compliance review. Content that appears to constitute undisclosed promotion is rejected before it reaches users.

When you receive a response from a verified CIO on A2B2, you can see their verified identity, credentials, and any disclosed affiliations on their profile. You are receiving an informed professional view, not regulated financial advice.

Policy 09

Complaints Policy & Accessibility

Last updated: June 2026

We want to know if something went wrong. Complaints are taken seriously at A2B2. AI output complaints are a priority category and are always escalated to human review.

01 How to complain

Raising a complaint

Complaints can be submitted through any of the following channels:

In-app: Help → Contact Us → Make a Complaint
By email: support@a2b2.ai

What to include

To help us investigate promptly, please include:

Your name and account email address
A description of what went wrong and when it happened
The outcome you are seeking

For AI output complaints, please also include:

The specific output text you are concerned about
The query context (what you asked)
Why you believe the output was wrong or harmful
Its effect on you

02 Our process

What happens next

Stage	Timeline
Acknowledgement	Within 3 business days
Substantive response	Within 28 calendar days
Complex complaints	Interim update provided; resolved within 56 calendar days

Our acknowledgement will confirm receipt of your complaint, give you a reference number, and tell you who is handling it. Our substantive response will address the substance of your complaint and tell you what action, if any, we are taking.

All complaints are treated confidentially. Only personnel involved in investigating your complaint will have access to the details.

03 AI output complaints

Complaints about AI outputs

AI output complaints are a priority category at A2B2. If you believe a platform output was incorrect, harmful, biased, or constituted investment advice, your complaint will be:

Escalated to human review as a matter of policy
Assessed for whether the compliance pre-check should have caught the output
Used to improve our AI compliance controls where appropriate

Priority SLA: Initial substantive response to AI output complaints within 10 business days - faster than the standard 28-day timeline.

You can also flag outputs in real time using the [Flag this output] button within the platform. This triggers an immediate human review queue separate from the formal complaints process.

For more on how AI outputs are generated and the compliance checks in place, see the AI Transparency & Data Use Policy.

04 If you're not satisfied

Escalation routes

If you are not satisfied with our response to your complaint, you have the right to escalate to external bodies:

Hong Kong

Privacy complaints: Office of the Privacy Commissioner for Personal Data (PCPD) - pcpd.org.hk
Consumer complaints: Consumer Council - consumer.org.hk

United States

Privacy (California): California Privacy Protection Agency (CPPA) - cppa.ca.gov
Privacy (federal): Federal Trade Commission - ftc.gov
State AG: Your state Attorney General's consumer protection division

05 Record keeping

How long we keep records

All complaints and related investigation records are retained for 5 years from the date of the complaint, in accordance with our Privacy Policy and data retention schedule.

Records are maintained to enable us to: track complaint trends and improve the platform; demonstrate compliance with our complaints obligations; support any regulatory investigations or legal proceedings.

Complaints

AI output issues

Legal

06 Accessibility statement

Our accessibility commitment

A2B2 is committed to making its platform accessible to as many people as possible, including those with disabilities. We aim to meet or exceed the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standard across all A2B2 interfaces.

Scope

This statement applies to:

a2b2.ai - main marketing and information site
luma.a2b2.ai - platform application

Target standard

We target WCAG 2.1 Level AA compliance across all interfaces. This includes:

Sufficient colour contrast for text and UI components
Keyboard navigability throughout the application
Screen reader compatibility (ARIA labels and semantic HTML)
Resizable text without loss of content or functionality
Accessible form controls and error messages

Accessibility audit

A formal accessibility audit is planned before or immediately after warm launch. Findings will be published in an updated version of this statement. In the interim, accessibility issues can be reported to support@a2b2.ai.

Legal frameworks

US: Americans with Disabilities Act (ADA); Section 508 of the Rehabilitation Act
Hong Kong: Disability Discrimination Ordinance (Cap. 487); Equal Opportunities Commission guidance on digital accessibility

Contact for accessibility issues

If you encounter any accessibility barrier on any A2B2 interface, please contact us:

Email: support@a2b2.ai
In-app: Help → Contact Us → Accessibility issue

We will acknowledge accessibility reports within 3 business days and aim to resolve or provide a workaround within 28 days of acknowledgement.

Assistive technology note: If you use assistive technology and are experiencing difficulty with any part of A2B2.ai or luma.a2b2.ai, please contact support@a2b2.ai. We will work with you directly to ensure you can access the information or service you need.

Policy 10

Cookie & Tracking Policy

Last updated: June 2026

No marketing cookies at launch. A2B2 does not use marketing or advertising cookies at launch. This policy will be updated when our cookie inventory is fully audited and our consent management platform is live.

01 What cookies are

How cookies work

Cookies are small text files stored on your device when you visit a website or use a web application. They allow the site to remember information about your visit - such as whether you are logged in, your preferences, and how you use the service.

Cookies can be set by the website itself (first-party) or by third-party services embedded in the website (third-party). They can be session cookies (deleted when you close your browser) or persistent cookies (stored for a set period).

A2B2 uses cookies on both a2b2.ai and luma.a2b2.ai. This policy explains what types of cookies we use and how you can control them.

02 Cookie types

What we use & why

Category	Purpose	Retention	Can be disabled?
Essential	Authentication (login session), security tokens, CSRF protection, session management. Required for the platform to function.	Session or until logout	No - required for service
Functional	User interface preferences (theme, layout, notification settings). Remembers choices you have made.	Up to 12 months	Yes - via Privacy Settings
Analytics	Usage patterns, feature engagement, error frequency. Used to understand and improve the platform. Third-party analytics provider in use.	Up to 24 months	Yes - via cookie banner or Privacy Settings
Marketing	Not in use at launch.	N/A	N/A

Analytics: We use a third-party analytics provider to understand how the platform is used. Analytics data is aggregated and pseudonymous. The specific provider and their data processing terms are detailed in our sub-processor list, available at privacy@a2b2.ai. Analytics cookies are not set when Do Not Track is active.

03 Managing preferences

Your cookie controls

Cookie banner

On your first visit to a2b2.ai or luma.a2b2.ai, a cookie banner will allow you to accept or decline non-essential cookies. Essential cookies cannot be declined as they are necessary for the platform to function.

Privacy settings

You can update your cookie preferences at any time via the Privacy Settings link in the site footer, or within the platform at Account Settings → Privacy → Cookie preferences.

Browser controls

You can also manage cookies through your browser settings. Most browsers allow you to:

View cookies that have been set
Delete individual cookies or all cookies
Block all cookies or cookies from specific sites
Set preferences for future cookie handling

Note that blocking essential cookies will prevent you from logging in or using core platform features. Browser cookie management instructions:

Chrome: Settings → Privacy and security → Cookies and other site data
Safari: Settings → Privacy
Firefox: Settings → Privacy & Security → Cookies and Site Data

04 Do Not Track

Honouring DNT signals

A2B2 honours browser Do Not Track (DNT) signals. When DNT is active in your browser:

Analytics cookies are not set
No usage data is sent to third-party analytics providers
Essential and functional cookies required for the platform to operate are still set

DNT is a browser-level preference you can set in your browser settings. It does not affect essential session and security cookies.

05 Sub-processors

Third-party tracking services

Analytics and functional cookie services may involve third-party sub-processors. Details of the analytics provider used by A2B2, including their data processing terms and privacy policy, are maintained in our sub-processor list.

To request the current sub-processor list, contact privacy@a2b2.ai. The list will also be published directly on this page once our consent management platform is live and the cookie inventory audit is complete.

No marketing cookies at launch. This policy will be updated when the cookie inventory is audited and our consent management platform is live. The full cookie audit and consent management platform are planned for completion before or immediately after warm launch.

Cookie & privacy queries

Policy 11

Early Access NDA

Version: v1.0

Platform disclaimer: A2B2 is a hybrid intelligence and service platform. Nothing on this platform constitutes investment advice, a recommendation to buy or sell any security, or personalised financial advice. A2B2 does not manage assets, execute transactions, or act as a registered investment advisor. Always consult a licensed financial professional before making investment decisions.

01 Confidential information

What you must protect

1.1 What is Confidential Information

"Confidential Information" means all non-public information about the A2B2.ai platform that you access, observe, or receive during testing. This includes:

Platform user interface, design, features, and functionality (including unreleased features)
AI model behaviour, query responses, Consensus Cards outputs, and insight generation processes
Platform architecture, data flows, integrations, and technical infrastructure
Bugs, errors, performance issues, workarounds, and known limitations
Pricing, business model, commercial strategy, and go-to-market plans
Product roadmap, planned features, and development timelines
Content of feedback sessions, product walkthroughs, demos, and onboarding calls
Any written, verbal, or digital materials A2B2 shares with you in connection with testing

1.2 What is NOT Confidential Information

Information is not Confidential Information if you can demonstrate that it:

Is or becomes publicly available through no act or omission of yours
Was rightfully in your possession before A2B2 disclosed it to you, without any obligation of confidentiality
Was independently developed by you without reference to A2B2's Confidential Information
Was rightfully given to you by a third party without restriction on disclosure
Is required to be disclosed by law, regulation, or court order (subject to clause 6)

02 Your obligations

What you agree to

By accessing the platform, you agree to:

2.1 Reasonable careProtect all Confidential Information using the same degree of care you apply to your own most sensitive personal or financial information, and in no event less than reasonable care.

2.2 Testing use onlyUse Confidential Information solely to test the platform and provide feedback to A2B2. You may not use it for any commercial purpose, personal investment decision, or any other purpose outside this Agreement.

2.3 No disclosureDo not disclose, describe, copy, summarise, or distribute Confidential Information to any other person without A2B2's prior written consent. This includes family members, colleagues, and advisers.

2.4 No screenshots or recordingsDo not take screenshots, screen recordings, photographs, or any other visual or audio capture of the platform interface, outputs, or any A2B2 materials, without A2B2's explicit written permission for each instance.

2.5 No public discussionDo not post, publish, or discuss the platform, its features, its AI outputs, its bugs, or your testing experience on social media, forums, review sites, messaging groups, or any other public or semi-public channel until A2B2 has made a public announcement specifically about the relevant feature or product.

2.6 Permitted sharingYou may share Confidential Information with A2B2's employees and representatives when participating in authorised feedback sessions. You may not share it with any third party.

03 Feedback ownership

Who owns what you contribute

3.1 A2B2 owns your feedbackAll comments, suggestions, bug reports, ideas, feature requests, recommendations, and other feedback you provide during testing ("Feedback") shall be the sole and exclusive property of A2B2 from the moment of creation. You hereby irrevocably assign to A2B2 all right, title, and interest in and to your Feedback, including all intellectual property rights subsisting therein.

3.2 No compensationA2B2 is not obliged to act on, compensate you for, credit you for, or acknowledge your Feedback in any way.

3.3 A2B2 may use freelyA2B2 may use, reproduce, modify, adapt, and commercially exploit your Feedback for any purpose without any obligation of confidentiality to you and without any further consent required.

04 Platform conditions

What you're testing

4.1 Beta statusThe platform is a pre-commercial, early-access version. Features may be incomplete, unstable, inaccurate, or subject to change, withdrawal, or discontinuation at any time and without notice.

4.2 No warrantyThe platform is provided "as is" for testing only. We make no representations or warranties - express or implied - about accuracy, completeness, fitness for purpose, or suitability for any particular use, including any investment-related use.

4.3 AI outputs are not financial advice. All outputs generated by the A2B2.ai platform during testing - including market insights, portfolio analysis, Consensus Cards, RESEARCH outputs, EXPLORE alerts, CONNECT content, and all AI-generated content - are informational only. They do not constitute: regulated financial advice; personalised investment recommendations; a solicitation to buy, hold, or sell any financial instrument; or portfolio management. Do not make any investment decision based on platform outputs during testing.

4.4 Not a regulated adviserEquora AI Limited and Equora AI and Technologies Inc. are not a regulated financial adviser, broker-dealer, or investment manager in any jurisdiction. Platform outputs are intelligence, not advice.

4.5 Market data accuracyMarket data, portfolio valuations, and other data displayed during testing may be delayed, incomplete, or contain errors. It must not be relied upon for any financial decision.

4.6 Past performanceAny historical data displayed does not predict or guarantee future results.

05 Data during testing

How your data is used in testing

5.1 Testing activity dataDuring the testing period, we collect data about how you interact with the platform - queries submitted, features used, session duration, errors encountered, and navigation patterns. This is used solely to improve the platform.

5.2 Financial and portfolio dataIf you connect portfolio accounts, input financial holdings, or provide other personal financial data during testing, we will process it to generate platform outputs and for product development. See our Privacy Policy for full details.

5.3 AI model improvement (opt-in)Your interaction data may be used to improve our AI models in anonymised and aggregated form. You can opt out by emailing privacy@a2b2.ai. Opting out has no effect on your testing access.

5.4 Third-party AI providersWe use approved third-party AI model providers to generate platform outputs. All providers used for personal or financial data operate under data processing agreements (DPAs) that prohibit use of your data for general model training. Where permitted under the applicable DPA, a provider may retain prompts, outputs, or metadata for a limited period for abuse monitoring, security, compliance, or operational purposes - this does not permit training use. True Zero Data Retention (where data is deleted immediately after the AI response) requires a separate signed amendment and is confirmed in the vendor register before being represented to users. Until ZDR is confirmed for a specific provider, the operative position is training prohibition combined with limited operational retention. Provider status is maintained in the AI Provider Vendor Register.

06 Required disclosure

If you're legally required to disclose

If you are legally required to disclose any Confidential Information (for example, by court order, subpoena, or regulatory requirement), you must:

Give A2B2 prompt written notice as soon as reasonably practicable before disclosure, to the extent permitted by law; and
Cooperate with A2B2's reasonable efforts to seek a protective order or other appropriate relief limiting the scope of disclosure.

07 Return of materials

When testing ends

7.1When your testing access ends - or if we ask at any time - you must promptly delete or destroy all Confidential Information in your possession, including any notes, copies, summaries, or extracts.

7.2If we request written confirmation of deletion, you must provide it within five (5) business days.

08 Term & survival

How long this Agreement lasts

8.1 DurationThis Agreement begins when you first access the testing platform.

8.2 Post-testing survivalYour confidentiality obligations under clauses 2, 3, and 7 survive the end of your testing access and remain in force for two (2) years from the date your access ends.

8.3 Trade secretsObligations relating to A2B2's trade secrets - including AI model architecture, proprietary algorithms, data processing methods, and platform source code - continue for as long as that information remains a trade secret, regardless of the two-year survival period.

09 Remedies

What happens if you breach this Agreement

9.1You acknowledge that any breach of this Agreement may cause A2B2 irreparable harm for which monetary damages would be an inadequate remedy.

9.2A2B2 shall be entitled to seek injunctive relief or other equitable remedies from a court of competent jurisdiction without the need to post a bond, provide security, or prove actual damages, in addition to any other remedies available at law or in equity.

10 Governing law

Which law applies

10.1This Agreement is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region, without regard to conflict of laws principles.

10.2Each party irrevocably submits to the exclusive jurisdiction of the courts of Hong Kong SAR to hear and determine any dispute arising out of or in connection with this Agreement.

US testers: see the United States Addendum below, which modifies governing law and dispute resolution for US-resident testers.

11 General provisions

The standard terms

11.1 EligibilityYou confirm that you are 18 or older and have the legal capacity to enter into this Agreement.

11.2 Entire agreementThis Agreement constitutes the entire agreement between you and A2B2 regarding confidentiality of the testing platform and supersedes all prior oral or written agreements on the same subject matter.

11.3 AmendmentWe may update this Agreement by providing 14 days' advance written notice. Continuing to access the platform after that period counts as acceptance.

11.4 SeverabilityIf any provision of this Agreement is found invalid or unenforceable, it will be modified to the minimum extent necessary to make it enforceable, or severed if modification is not possible.

11.5 No waiverA2B2's failure or delay in enforcing any provision is not a waiver of its rights.

11.6 No employment or partnershipNothing in this Agreement creates an employment, agency, partnership, or joint venture relationship between you and A2B2.

11.7 NoticesNotices to A2B2 under this Agreement should be sent to legal@a2b2.ai. Notices to you will be sent to the email address you provided at registration.

A United States Addendum

Additional terms for US testers

Applies to US-resident testers only

A0 - Scope and precedence

This addendum applies to all Testers who are resident in, or who access the A2B2.ai testing platform from, the United States of America. In the event of any conflict between this addendum and the main Agreement, this addendum prevails for US Testers. All other provisions of the main Agreement not expressly modified by this addendum continue to apply in full.

A1 - Governing law and dispute resolution

A1.1 Governing law: For US Testers, this Agreement is governed by the laws of the State of Delaware, without regard to conflict of laws principles. Equora AI and Technologies Inc. operates as a Delaware C-Corporation for US-facing purposes.

A1.2 Mandatory individual arbitration: Any dispute arising out of or relating to this Agreement shall be resolved by binding individual arbitration administered by JAMS in New York, New York, before a single arbitrator, under the JAMS Comprehensive Arbitration Rules and Procedures in effect at time of filing.

A1.3 Class action waiver: YOU AND A2B2 EACH WAIVE THE RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE OR COLLECTIVE ARBITRATION. All claims must be brought in your individual capacity.

A1.4 Small claims exception: Either party may bring an individual action in a court of competent small claims jurisdiction for qualifying disputes.

A1.5 Injunctive relief: Either party may seek emergency injunctive or other equitable relief from a court of competent jurisdiction solely to prevent irreparable harm pending arbitration.

A1.6 Arbitration opt-out: You may opt out of mandatory arbitration by notifying A2B2 in writing at legal@a2b2.ai within 30 days of first accepting this Agreement. Your opt-out notice must include your full name and state that you are opting out of arbitration. Opting out does not affect any other provision.

A1.7 Arbitration costs: A2B2 will pay arbitration costs for claims under $10,000 where you are the claimant, unless the arbitrator determines the claim is frivolous.

A2 - US investment regulatory disclosures

A2.1 Not registered: Equora AI Limited and A2B2.ai are NOT registered with the SEC or FINRA as investment advisers, broker-dealers, or in any other regulated capacity. A2B2 does not hold any US state-level investment adviser registration.

A2.2 Publisher's Exclusion: A2B2.ai operates as a financial information publisher, relying on the publisher's exclusion under Section 202(a)(11)(D) of the Investment Advisers Act of 1940, as interpreted in Lowe v. SEC, 472 U.S. 181 (1985). Platform outputs are general and impersonal in character. They are not tailored investment recommendations for specific individuals.

A2.3 No advisory relationship: Nothing in this Agreement creates an investment advisory, broker-customer, fiduciary, or any other regulated financial relationship between you and Equora AI and Technologies Inc.

A2.4 No FDIC or SIPC coverage: The platform does not hold, manage, or custody assets. No amounts shown on the platform are FDIC-insured or SIPC-protected.

A3 - Colorado AI Act disclosures

A3.0 Applicability: This clause applies to Colorado-resident testers. Colorado SB 24-205 (effective February 1, 2026) imposes disclosure requirements on deployers of high-risk AI systems.

A3.1 AI disclosure: The A2B2.ai platform uses artificial intelligence, including large language models, to generate wealth intelligence outputs. During testing, individual AI outputs are not reviewed by a human before delivery to you.

A3.3 Human review right: You may request that A2B2 arrange a human review of any AI-generated output you believe is inaccurate or has adversely affected you. Submit requests to legal@a2b2.ai with subject line "Colorado AI Act – Human Review Request."

A3.4 Data correction right: Contact privacy@a2b2.ai with subject "Colorado AI Act – Data Correction Request." A2B2 will respond within 45 days.

A4 - California consumer privacy rights (CPRA)

A4.0 Applicability: This clause applies to California-resident testers under the CPRA (Cal. Civ. Code §§ 1798.100 et seq.).

A4.1 Your CPRA rights: Know · Delete · Correct · Opt out of sale or sharing (A2B2 does not sell or share personal information) · Limit use of sensitive personal information (including financial data and portfolio information) · Non-discrimination for exercising rights.

A4.2 Sensitive personal information: Portfolio data and financial holdings constitute sensitive personal information under CPRA. A2B2 uses this data only for the purposes described in clause 5 - platform output generation and product development. A2B2 does not use SPI for inferring characteristics or targeted advertising.

A4.3 Exercising rights: Email privacy@a2b2.ai with subject "CPRA Rights Request – [right being requested]." A2B2 will respond within 45 days.

A5 - Electronic signatures (ESIGN / UETA)

A5.1 Legal validity: By clicking to accept this Agreement or by accessing the testing platform, you provide your electronic signature. Under the E-SIGN Act (15 U.S.C. § 7001 et seq.) and applicable state law, your electronic acceptance constitutes a legally binding signature.

A5.2 Electronic communications consent: You consent to receive this Agreement, all amendments, and all notices electronically to the email address you provided at registration.

A5.3 Record retention: A2B2 will maintain a record of your electronic acceptance, including the timestamp, IP address, and email address, for the duration of this Agreement and five years thereafter.

Acceptance

By accessing the A2B2.ai testing platform, you confirm that:

You have read and understood this Agreement in full
You are 18 or older and have legal capacity to contract
You agree to be bound by all terms of this Agreement
Platform outputs are informational only - not regulated financial advice
You have not been induced to enter this Agreement by any representation not set out herein

Public access requests are temporarily closed while we prepare the launch package. Return to A2B2 home →

Offer window Jun 15 – Sep 15, 2026 · time- and quota-limited · Founding Member Programme

Contact

Legal queries

Privacy / data