Data Processing & Cookie Policy

Maximum Transparency. Maximum Legal Compliance.

Version: 1.0.0
Last Updated: October 4, 2025

Introduction & Compliance

Axiom AI Ltd. ("Axiom," "we," "us," or "our") collects and processes personal data to the maximum extent legally permitted under applicable privacy laws, including:

  • GDPR (EU General Data Protection Regulation) - Art. 6 legal bases
  • CCPA/CPRA (California Consumer Privacy Act)
  • UK DPA (Data Protection Act 2018)
  • SEC Regulation S-P (Privacy of Consumer Financial Information)
  • FINRA Cyber Security and Data Protection requirements

Our Collection Philosophy: We collect data necessary for platform functionality, analytics, compliance, operational improvement, business intelligence, and—where you have consented—marketing communications. We maximize data utility within legal boundaries to provide you with the best possible service while respecting your privacy rights.

Legal Bases for Processing (GDPR Art. 6)

  • Consent: Marketing emails, non-essential cookies, optional features
  • Contract Performance: Account creation, service delivery, support
  • Legal Obligation: Compliance, audit, regulatory reporting
  • Legitimate Interests: Analytics, fraud prevention, platform improvement, business operations (balanced against your rights)

Types of Data Collected

We collect the following categories of data to the maximum extent permitted by law:

Account & Identity Information

Required

Examples:

  • Email address (required)
  • Full name
  • Organization name
  • Job title/role
  • Phone number (optional)
  • Professional credentials
  • Assets under management (AUM) range
  • Investment experience level
  • Intended use case
  • Referral source
Legal Basis:
Contract performance, consent
Retention:
Duration of account + 30 days (or longer per regulatory requirements)

Device & Technical Information

Optional

Examples:

  • IP address (masked: xxx.xxx.xxx.xxx)
  • Approximate geolocation (city, region, country—NOT precise GPS)
  • Browser type and version
  • Operating system
  • Device type (mobile/tablet/desktop)
  • Screen resolution
  • Language preferences
  • Time zone
  • User agent string
  • Referrer URL
  • Network/ISP information
Legal Basis:
Legitimate interests (security, analytics, fraud prevention)
Retention:
90 days active, 12 months archive

Site Usage & Behavioral Data

Optional

Examples:

  • Pages visited and navigation paths
  • Session start/end timestamps
  • Time spent on each page
  • Click/scroll/hover events
  • Features used and interaction patterns
  • Search queries within platform
  • Form submissions and field interactions
  • Error messages and logs
  • Performance metrics (page load times, API latency)
  • A/B test assignments
Legal Basis:
Legitimate interests (product improvement, UX optimization)
Retention:
90 days active, 12 months aggregate

Marketing & Campaign Data

Optional

Examples:

  • UTM parameters (source, medium, campaign, content)
  • Campaign click-through and conversion events
  • Email open/click rates
  • Newsletter subscription status
  • Marketing consent preferences
  • Ad platform identifiers (hashed)
  • Referral codes
Legal Basis:
Consent (for marketing), legitimate interests (for attribution)
Retention:
18 months (or until consent withdrawn)

Communication Records

Optional

Examples:

  • Support ticket content
  • Live chat transcripts
  • Email correspondence
  • Phone call records (if applicable)
  • Feedback and survey responses
  • User research session notes
Legal Basis:
Contract performance, legitimate interests (support quality)
Retention:
3 years from last interaction

Consent & Preference Records

Required

Examples:

  • Cookie consent choices
  • Terms of Service acceptance
  • Privacy Policy acceptance
  • Marketing opt-in/opt-out status
  • Communication channel preferences
  • Data subject rights requests (access, deletion, etc.)
  • Audit trail of all preference changes
Legal Basis:
Legal obligation, legitimate interests (compliance audit)
Retention:
7 years (regulatory requirement)

Financial & Transaction Data

Optional

Examples:

  • Subscription tier and billing cycle
  • Payment method type (NOT full card numbers)
  • Billing address
  • Transaction history and invoices
  • Discount/promo code usage
  • (Note: Full payment card data processed by PCI-DSS compliant third parties only)
Legal Basis:
Contract performance, legal obligation (tax, accounting)
Retention:
7 years (tax/accounting requirement)

Security & Fraud Prevention Data

Optional

Examples:

  • Login attempts (successful/failed)
  • Authentication events (MFA, SSO)
  • Session security tokens (hashed)
  • Rate limit counters
  • Bot detection scores
  • Anomaly detection alerts
  • Suspicious activity logs
  • IP reputation data
Legal Basis:
Legitimate interests (security, fraud prevention), legal obligation
Retention:
12 months active, 7 years audit archive

How Data Is Processed & Used

We process your data for the following purposes, maximizing utility within legal boundaries:

1. Platform Functionality & Service Delivery

Legal Basis: Contract Performance

Core operational purposes necessary to provide the Axiom platform

  • Create and manage your account
  • Authenticate users and manage sessions
  • Process waitlist applications
  • Provide AI analytics and signals
  • Generate reports and dashboards
  • Facilitate broker integrations (read-only API)
  • Handle support requests
  • Process payments and billing

2. Analytics & Product Improvement

Legal Basis: Legitimate Interests

Understanding how users interact with our platform to improve UX, performance, and features

  • Analyze usage patterns and feature adoption
  • Conduct A/B testing and experimentation
  • Measure page performance and identify bottlenecks
  • Track conversion funnels and user journeys
  • Identify pain points and usability issues
  • Prioritize product roadmap based on usage data
  • Monitor platform health and reliability

3. AI Model Training & Improvement

Legal Basis: Legitimate Interests

Enhancing our AI models using aggregated, de-identified data

  • Train AI models on AGGREGATED, DE-IDENTIFIED data only
  • Improve signal accuracy and prediction models
  • Develop new features and analytics capabilities
  • Benchmark model performance
  • Research market patterns and trends
  • (Note: Individual user data is NEVER used for training without de-identification)

4. Security, Fraud Prevention & Abuse Detection

Legal Basis: Legitimate Interests + Legal Obligation

Protecting our platform, users, and business from threats

  • Detect and prevent unauthorized access
  • Identify bot traffic and automated abuse
  • Monitor for suspicious activity and fraud
  • Enforce rate limits and usage policies
  • Respond to security incidents
  • Maintain audit logs for compliance
  • Conduct security assessments

5. Legal Compliance & Regulatory Reporting

Legal Basis: Legal Obligation

Meeting our obligations under applicable laws and regulations

  • Maintain records for audit and regulatory inspection
  • Respond to lawful requests from authorities
  • Enforce Terms of Service
  • Conduct internal compliance reviews
  • Prepare regulatory filings (if required)
  • Preserve data for litigation holds

6. Marketing & Business Development (With Consent)

Legal Basis: Consent

Communicating with users who have opted in to marketing

  • Send product updates and feature announcements
  • Share educational content and market insights
  • Invite to webinars and events
  • Conduct user research and surveys
  • Personalize marketing content based on behavior
  • Measure campaign effectiveness
  • (Note: You can opt out at any time)

7. Business Intelligence & Strategic Planning

Legal Basis: Legitimate Interests

Understanding our business performance to make informed decisions

  • Aggregate user demographics and firmographics
  • Analyze market trends and opportunities
  • Forecast growth and resource needs
  • Evaluate partnership opportunities
  • Benchmark against competitors
  • Support investor relations and reporting

Automated Decision Making: Axiom does NOT use automated decision-making that produces legal or similarly significant effects (GDPR Art. 22). Any AI-driven features (e.g., signal recommendations) are informational only and always subject to human review and user discretion.

Data Combination & Linkage

We may combine data from multiple sources to create a more complete picture:

  • Link account data with usage behavior for personalization
  • Combine device/session data for fraud detection
  • Merge marketing data with conversion events for attribution
  • Aggregate all data types for business intelligence

We NEVER sell or disclose linked data to advertisers or data brokers.

Data Sharing & Parent Company Processing

PARENT COMPANY DISCLOSURE:

All data collected by Axiom AI is processed by Axiom AI Ltd., located in the United States, as our data controller and/or processor under applicable law. Axiom AI Ltd. has access to all categories of data described in this policy for the purposes outlined above.

Legal Basis for Cross-Border Transfer: Standard Contractual Clauses (EU Commission approved), adequacy decisions, and/or your explicit consent where required.

Third-Party Processors & Service Providers

We share data with the following categories of processors, all bound by Data Processing Agreements (DPAs) and contractual privacy obligations:

Cloud Infrastructure

Providers:
  • Supabase (database hosting)
  • Vercel/Netlify (web hosting)
  • AWS/GCP (backup storage)
Data Shared: All categories (encrypted at rest and in transit)
Location: EU, US (with SCCs)
Purpose: Platform hosting and operation

Analytics & Performance Monitoring

Providers:
  • Self-hosted analytics
  • Error tracking services (e.g., Sentry)
  • Performance monitoring (e.g., Datadog)
Data Shared: Usage data, device/technical info, error logs
Location: EU, US
Purpose: Site analytics and performance optimization

Communication & Support

Providers:
  • Email service (transactional email provider)
  • Support ticketing system
  • Live chat platform (if applicable)
Data Shared: Email, name, support inquiries, communication history
Location: US (with SCCs)
Purpose: Customer communication and support

Payment Processing

Providers:
  • Stripe (PCI-DSS Level 1)
  • PayPal (if applicable)
Data Shared: Billing info, transaction data (NOT full card numbers)
Location: US, EU
Purpose: Payment processing and billing

Security & Fraud Prevention

Providers:
  • Bot detection services
  • IP reputation databases
  • Security monitoring tools
Data Shared: IP addresses, device fingerprints, login attempts
Location: US, EU
Purpose: Security and fraud prevention

Marketing & Attribution (With Consent)

Providers:
  • Email marketing platform (e.g., SendGrid)
  • UTM tracking
  • Campaign analytics
Data Shared: Email, marketing preferences, campaign interactions
Location: US
Purpose: Marketing communications and attribution

Geolocation Services

Providers:
  • ip-api.com
  • ipdata.co
  • GeoJS
Data Shared: IP addresses (ephemeral processing only)
Location: Various
Purpose: Approximate geolocation for analytics and security

Compliance & Legal

Providers:
  • Audit firms
  • Legal counsel
  • Regulatory authorities (when required)
Data Shared: As necessary for compliance, audit, or legal matters
Location: Various
Purpose: Compliance, audit, and legal obligations

Data Disclosure to Authorities

We may disclose data to government authorities or law enforcement when:

  • Required by law (subpoena, court order, regulatory request)
  • Necessary to protect our rights, property, or safety
  • Necessary to prevent fraud, abuse, or illegal activity
  • Necessary to protect user safety or public safety

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the successor entity. We will provide notice and obtain consent if required by law.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to the maximum extent permitted by law. You can manage your cookie preferences at any time.

Cookie Management: You can control cookies through our cookie banner (if shown), your browser settings, or by contacting us at privacy@axiom-ai.online. Note: Disabling essential cookies may impair platform functionality.

Cookie Categories

Essential (Strictly Necessary)

Required (cannot opt out)

axiom_session
Provider: Axiom AI (First-Party)
Expiry: Session (deleted on browser close)
Purpose: Authentication and session management
Data Collected: Session ID (random UUID)

csrf_token
Provider: Axiom AI (First-Party)
Expiry: Session
Purpose: Cross-site request forgery protection
Data Collected: Random token

sb-*
Provider: Supabase (Third-Party)
Expiry: Session or 7 days
Purpose: Database authentication
Data Collected: Auth tokens (encrypted)

Analytics & Performance

Optional (can opt out)

axiom_analytics_id
Provider: Axiom AI (First-Party)
Expiry: 2 years
Purpose: Track unique visitors and sessions
Data Collected: Random visitor ID, pages visited, timestamps

axiom_session_id
Provider: Axiom AI (First-Party)
Expiry: 30 days
Purpose: Session tracking for analytics
Data Collected: Session start/end, page views

Functional & Preferences

Optional (can opt out)

axiom_preferences
Provider: Axiom AI (First-Party)
Expiry: 1 year
Purpose: Remember your settings (theme, language)
Data Collected: User preferences (JSON)

cookie_consent
Provider: Axiom AI (First-Party)
Expiry: 1 year
Purpose: Remember your cookie preferences
Data Collected: Consent choices

Marketing & Attribution (With Consent)

Optional (can opt out)

utm_*
Provider: Axiom AI (First-Party)
Expiry: 90 days
Purpose: Track campaign source and attribution
Data Collected: UTM parameters (source, medium, campaign)

referral_code
Provider: Axiom AI (First-Party)
Expiry: 90 days
Purpose: Track referral partners
Data Collected: Referral code

Other Tracking Technologies

  • Local Storage: Browser storage for user preferences and cached data (never shared with third parties)
  • Session Storage: Temporary storage cleared on browser close
  • Pixels & Beacons: Small images for email tracking (only with consent for marketing emails)
  • Device Fingerprinting: Limited use for fraud prevention only (not for tracking or advertising)

Do Not Track (DNT) & Global Privacy Control (GPC)

We respect Do Not Track (DNT) and Global Privacy Control (GPC) browser signals where required by law. When enabled:

  • We will NOT set non-essential cookies
  • We will NOT track your activity for marketing purposes
  • Analytics will be minimized or anonymized

How to Manage Cookies

Option 1: Cookie Banner (if displayed in your jurisdiction)

  • Click "Cookie Settings" in the banner
  • Toggle categories on/off
  • Save your preferences

Option 2: Browser Settings

  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Settings → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Cookies and site permissions

Option 3: Contact Us

Email privacy@axiom-ai.online to opt out of specific cookie categories.

User Rights & Choices

Under GDPR, CCPA, UK DPA, and other privacy laws, you have the following rights:

Right to Access

Request a copy of all data we hold about you

How: Email privacy@axiom-ai.online with subject 'Data Access Request'

Right to Rectification

Correct inaccurate or incomplete data

How: Update in account settings or email us

Right to Erasure

Delete your data ("Right to be Forgotten")

How: Email privacy@axiom-ai.online with subject 'Deletion Request'

Right to Restrict

Limit how we process your data

How: Specify restrictions in email to privacy@axiom-ai.online

Right to Object

Object to processing based on legitimate interests

How: Email privacy@axiom-ai.online with specific objections

Right to Portability

Receive your data in machine-readable format (CSV/JSON)

How: Email privacy@axiom-ai.online with subject 'Data Export'

Right to Opt-Out (Marketing)

Unsubscribe from marketing emails

How: Click 'Unsubscribe' in any email or email us

Right to Complain

Lodge complaint with supervisory authority

How: Contact your local data protection authority (e.g., ICO, CNIL)

CCPA-Specific Rights (California Residents)

  • Right to Know: Categories and specific pieces of data collected in past 12 months
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out of Sale: We do NOT sell data, so no opt-out necessary
  • Right to Non-Discrimination: We will not discriminate for exercising rights
  • Authorized Agent: You may designate an agent to make requests on your behalf

Response Times

  • GDPR: 30 days (may extend to 60 days for complex requests)
  • CCPA: 45 days (may extend to 90 days with notice)
  • UK DPA: 30 days

Identity Verification: To protect your privacy, we may ask for proof of identity before fulfilling data subject rights requests. This is a security measure to prevent unauthorized access to your data.

Data Retention Policy

We retain data for as long as necessary to fulfill the purposes outlined in this policy, comply with legal obligations, and resolve disputes.

Retention periods by data type (active retention, archive period, and total maximum):

Account Data (Active Users)
Active Retention: Duration of account
Archive Period: 30 days after closure
Total Max: Account duration + 30 days

Waitlist Applications
Active Retention: 24 months from submission
Archive Period: 2 years cold storage
Total Max: 4 years total

Usage & Analytics Data
Active Retention: 90 days
Archive Period: 12 months (aggregated)
Total Max: 15 months total

Communication Records
Active Retention: 3 years from last interaction
Archive Period: None
Total Max: 3 years

Financial/Transaction Data
Active Retention: 7 years (legal requirement)
Archive Period: None
Total Max: 7 years

Consent & Preference Records
Active Retention: 7 years (audit requirement)
Archive Period: None
Total Max: 7 years

Security & Audit Logs
Active Retention: 12 months
Archive Period: 7 years
Total Max: 8 years total

Marketing Data (With Consent)
Active Retention: 18 months or until consent withdrawn
Archive Period: None
Total Max: 18 months max

Session Data
Active Retention: 30 minutes (active) / 24 hours (inactive)
Archive Period: None
Total Max: 24 hours

Aggregated/De-identified Data
Active Retention: Indefinite (cannot be re-identified)
Archive Period: N/A
Total Max: Indefinite

Early Deletion

You may request early deletion of your data at any time by contacting privacy@axiom-ai.online. We will comply within 30 days, except where retention is required by law.

Backup Retention: Data in backups will be overwritten within 90 days. Deleted data is removed from active systems immediately but may persist in backups until the backup cycle completes.

Compliance Audits & Policy Updates

Regular Audits & Reviews

  • Quarterly: Internal compliance review of data practices
  • Semi-Annual: Privacy impact assessment (if material changes)
  • Annual: External legal counsel review
  • Ad-Hoc: When launching new features or changing practices

Policy Updates

We may update this policy from time to time. We will notify you of material changes by:

  • Email notification (to registered users)
  • Prominent banner on the website
  • Updating the "Last Updated" date at the top

Advance Notice: Material changes will have a 7-day advance notice period before taking effect.

Version History

Current Version: 1.0.0
Last Updated: October 4, 2025

To request previous versions, contact privacy@axiom-ai.online

Contact & Inquiries

For questions about this policy, data processing inquiries, or to exercise your rights:

Privacy & Data Protection

privacy@axiom-ai.online

Data rights requests, privacy inquiries, cookie management

Response: 30 days (GDPR) / 45 days (CCPA)

Data Protection Officer (DPO)

dpo@axiom-ai.online

GDPR compliance, supervisory authority liaison

Response: 7-14 days