Privacy Policy & Data Protection

Your privacy, rights, and data security are core to everything we build.

Version: 2.0.0
Last Updated: October 3, 2025
Effective Date: October 3, 2025

Introduction & Scope

Welcome to Axiom AI's Privacy Policy. This policy describes how Axiom AI Ltd. ("Axiom," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with our institutional-grade AI trading analytics platform (the "Platform" or "Services").

Our Commitment: We are committed to transparency, user control, and compliance with global privacy standards. This policy applies to all users worldwide and reflects our adherence to:

  • GDPR (General Data Protection Regulation) - European Union
  • CCPA/CPRA (California Consumer Privacy Act) - United States
  • UK DPA (Data Protection Act 2018) - United Kingdom
  • SOC 2 / ISO 27001 - Security and privacy frameworks
  • SEC/FINRA - Financial industry cyber security requirements

This policy covers personal data collected through our website, platform, and related services. By using Axiom, you acknowledge and agree to the practices described in this policy.

Key Principle: We collect only what's necessary, use it fairly, protect it rigorously, and respect your rights at all times.

Data We Collect

We collect personal information necessary to provide, secure, and improve our Services. The categories of data we collect include:

A. Information You Provide Directly

  • Account Information: Email address, full name, organization name, role/title, professional credentials
  • Waitlist Applications: Email, name, organization, AUM range, intended use case, referral source
  • Contact Inquiries: Name, email, subject, message content
  • Payment Information: Processed securely by third-party payment processors (we do not store full credit card numbers)

B. Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, interaction patterns
  • Device Information: Browser type, operating system, device type (mobile/desktop/tablet), screen resolution
  • Network Information: Masked IP address (last octet removed: xxx.xxx.xxx.xxx), approximate geolocation (city/country), ISP
  • Session Data: Session ID (random UUID), visit timestamps, referrer URL
  • Performance Metrics: Page load times, API response times, error logs

C. Cookies and Tracking Technologies

We use cookies and similar technologies for authentication, security, analytics, and user preferences. See the Cookies & Web Tracking section for details.

What We DON'T Collect:
  • Full, unmasked IP addresses (always masked before storage)
  • Sensitive personal data (health, biometric, financial account details)
  • Keystroke logging or mouse movement tracking
  • Cross-site tracking for advertising purposes
  • Children's data (see Children's Privacy section)

How We Use Your Data

We use your personal information for the following lawful purposes:

1. Service Provision & Operations

  • Create and manage your account
  • Provide access to the Platform and its features
  • Process waitlist applications and onboarding
  • Authenticate users and manage sessions
  • Respond to support requests and inquiries

2. Platform Improvement & Analytics

  • Analyze usage patterns to improve user experience
  • Monitor platform performance and identify technical issues
  • Train AI models using de-identified, aggregated data only
  • Conduct A/B testing and feature experimentation

3. Security & Fraud Prevention

  • Detect and prevent unauthorized access
  • Identify and mitigate security threats
  • Prevent fraud, abuse, and policy violations
  • Maintain audit logs for compliance and investigations

4. Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to lawful requests from authorities
  • Enforce our Terms of Service
  • Protect our rights, property, and safety

5. Marketing & Communications (With Consent)

  • Send product updates and feature announcements (opt-in only)
  • Share educational content and market insights (opt-in only)
  • Conduct user research and surveys (with explicit consent)

AI Model Training: When we use data for AI model improvement, it is always de-identified, aggregated, and stripped of personally identifiable information. We never train models on individual user data or identifiable trading patterns.

Data Sharing & Disclosure

We Do NOT Sell Your Data: Axiom has never sold, and will never sell, your personal information to third parties for monetary or other valuable consideration.

We share personal information only in the following limited circumstances:

A. Service Providers & Processors

We engage trusted third-party service providers to perform functions on our behalf. These providers have access to personal information only as needed to perform their functions and are contractually obligated to protect your data.

  • Cloud Infrastructure: Supabase (database hosting, EU/US data centers)
  • Email Services: Transactional email providers (waitlist confirmations, notifications)
  • Geolocation Services: ip-api.com, ipdata.co (IP-to-location lookup, ephemeral processing)
  • Analytics: Self-hosted analytics (no third-party analytics services)
  • Payment Processors: Stripe or similar (PCI-DSS compliant)

All service providers are vetted, sign Data Processing Agreements (DPAs), and meet our security and privacy standards.

B. Legal Requirements & Protection

We may disclose personal information if required by law or in good faith belief that such action is necessary to:

  • Comply with legal obligations (subpoenas, court orders)
  • Respond to lawful requests from government authorities
  • Protect and defend our rights or property
  • Prevent fraud, security threats, or illegal activity
  • Protect the personal safety of users or the public

C. Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the successor entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

D. With Your Consent

We may share your information for other purposes with your explicit consent or at your direction.

No Sharing with:
  • Advertisers or ad networks
  • Data brokers or aggregators
  • Unaffiliated third parties for their marketing
  • Social media platforms (except for explicit integrations you authorize)

Cookies & Web Tracking

We use cookies and similar tracking technologies to enhance your experience, provide security, and analyze platform usage.

A. Types of Cookies We Use

  • Session Cookies (Required): Authentication and session management. Duration: Session (deleted when browser closes)
  • axiom_session_id (Optional): Unique session identifier for analytics. Duration: 30 days
  • CSRF Token (Required): Cross-site request forgery protection. Duration: Session
  • User Preferences (Optional): Remember your settings (theme, language). Duration: 1 year

B. Third-Party Cookies

We minimize third-party cookies. Currently, we use:

  • Supabase: Database authentication and session management
  • Payment Processors: Secure payment processing (only on checkout pages)

C. Your Cookie Choices

You have several options to control cookies:

  • Browser Settings: Most browsers allow you to block or delete cookies
  • Do Not Track (DNT): We respect DNT signals and will not track users who enable it
  • Cookie Banner: Manage preferences through our cookie consent banner (if applicable in your jurisdiction)

Note: Disabling essential cookies may impair platform functionality.

D. Analytics & Performance

We collect analytics data to understand usage patterns and improve the Platform. This includes:

  • Page views and navigation paths
  • Feature usage and interaction patterns
  • Performance metrics (load times, errors)
  • Geographic distribution (city/country level only)
  • Device and browser types

All analytics data is stored in our own infrastructure—we do not use Google Analytics or similar third-party services.

Privacy-First Analytics: Our analytics system automatically masks IP addresses, respects DNT headers, and never tracks users across sites.

Your Rights & Choices

We respect your privacy rights under GDPR, CCPA, UK DPA, and other applicable laws. You have the following rights regarding your personal information:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure: Request deletion of your personal data ("Right to be Forgotten")
  • Right to Restrict: Limit how we process your personal data
  • Right to Object: Object to processing based on legitimate interests or for marketing
  • Right to Portability: Receive your data in a machine-readable format (CSV/JSON)
  • Right to Opt-Out: Unsubscribe from marketing emails at any time
  • Right to Lodge Complaint: File a complaint with your local data protection authority

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Response Time: Within 30 days (GDPR) or 45 days (CCPA)

When contacting us, please include:

  • Your full name and email address
  • The specific right you wish to exercise
  • Any relevant details (e.g., session ID for deletion requests)
  • Proof of identity (to prevent unauthorized access)

CCPA-Specific Rights (California Residents)

If you are a California resident, you have additional rights under CCPA:

  • Right to Know: Request disclosure of personal information collected, used, and shared in the past 12 months
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out of Sale: We do NOT sell personal information, so no opt-out is necessary
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Data Protection Authorities

If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority:

Data Security Practices

We implement industry-leading security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction.

A. Technical Safeguards

  • Encryption at Rest: AES-256 encryption for all data stored in databases
  • Encryption in Transit: TLS 1.3 for all data transmitted over networks
  • Access Controls: Role-based access control (RBAC) with principle of least privilege
  • Multi-Factor Authentication: MFA required for all administrative accounts
  • Secure Development: Code reviews, security testing, and vulnerability scanning
  • Intrusion Detection: Real-time monitoring and alerting for suspicious activity

B. Organizational Safeguards

  • Employee Training: Mandatory security and privacy training for all staff
  • Background Checks: Pre-employment screening for roles with data access
  • Confidentiality Agreements: All employees sign NDAs and data protection agreements
  • Incident Response: Documented procedures for breach detection and response
  • Regular Audits: Internal and external security audits

C. Compliance & Certifications

  • SOC 2 Type II: Security, availability, and confidentiality controls (in progress)
  • ISO 27001: Information security management system (roadmap)
  • GDPR Compliance: Full compliance with EU data protection requirements
  • PCI DSS: Payment card security via certified processors

D. Breach Notification

In the unlikely event of a data breach that affects your personal information:

  • We will notify affected users within 72 hours of discovery (GDPR requirement)
  • Notification will include: nature of breach, data affected, potential consequences, mitigation steps
  • We will report to relevant supervisory authorities as required by law
  • We maintain cyber insurance and incident response partnerships

Audit Logs: We maintain comprehensive audit logs of all access to personal data. These logs are tamper-proof, encrypted, and retained for 7 years for compliance and forensic purposes.

Data Retention

We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes.

Retention Periods by Data Type

  • Waitlist Applications: Active 24 months from last interaction; Archive 2 years in cold storage; Deletion permanently deleted after archive period
  • User Accounts (Active): Active for the duration of the account + 30 days; Archive N/A; Deletion 30 days after account closure
  • Analytics & Logs: Active 90 days in hot storage; Archive 12 months in cold storage; Deletion permanently deleted after archive
  • Email Communications: Active 18 months from last email; Archive N/A; Deletion after 18 months
  • Session Data: Active 30 minutes (active) / 24 hours (inactive); Archive N/A; Deletion auto-deleted
  • Support Tickets: Active 3 years from resolution; Archive N/A; Deletion after 3 years
  • Financial Records: Active 7 years (legal requirement); Archive N/A; Deletion after 7 years

Aggregated & De-Identified Data

Data that has been fully anonymized and aggregated (cannot be linked back to individuals) may be retained indefinitely for:

  • Platform analytics and performance monitoring
  • AI model training and improvement
  • Market research and trend analysis
  • Academic and industry publications

Early Deletion Requests

You may request early deletion of your data at any time by contacting privacy@axiom-ai.online. We will comply within 30 days, except where retention is required by law.

Backup Retention: Data in backups is retained for disaster recovery purposes and will be overwritten within 90 days. If you request deletion, your data will be removed from active systems immediately and from backups within 90 days.

International Data Transfers

Axiom operates globally and may transfer, store, and process your personal information in countries other than your own. We ensure appropriate safeguards are in place for all international transfers.

A. Data Storage Locations

  • Primary: European Union (Supabase EU data centers)
  • Secondary: United States (Supabase US data centers)
  • Backup: Encrypted backups stored in multiple regions

B. Legal Mechanisms for Transfers

When transferring data from the EU/UK to other countries, we rely on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contracts with data processors
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Binding Corporate Rules: Internal policies ensuring GDPR-level protection globally
  • Data Protection Agreements (DPAs): Contracts requiring GDPR compliance from all processors

C. EU-US Data Privacy Framework

For transfers to the United States, we comply with applicable frameworks and ensure our US-based processors are certified or have implemented appropriate safeguards.

D. Your Rights Regarding Transfers

If you are an EU/UK/EEA resident, you have the right to:

  • Request information about where your data is stored
  • Object to transfers if you believe adequate safeguards are not in place
  • Request a copy of the safeguards we use (e.g., SCCs)

Transparency Commitment: Upon request, we will provide a list of all countries where your data may be processed and the legal basis for each transfer. Contact privacy@axiom-ai.online for details.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational needs.

How We Notify You

  • Material Changes: We will provide 7 days advance notice via email and prominent notice on the Platform
  • Minor Changes: Updated "Last Modified" date at the top of this policy
  • Version History: Previous versions available upon request

Your Choices After Changes

If you disagree with changes to this policy:

  • You may cease using the Platform and request account deletion
  • For material changes that affect your rights, continued use constitutes acceptance
  • We will provide opt-out mechanisms where required by law

Version Control

Current Version: 2.0.0
Last Updated: October 3, 2025
Effective Date: October 3, 2025

To request a copy of previous versions, contact privacy@axiom-ai.online

Contact & Data Rights Requests

For questions about this Privacy Policy, to exercise your rights, or to report privacy concerns, please contact us:

Privacy Team
privacy@axiom-ai.online

Data rights requests, privacy inquiries

Response: 30 days (GDPR) / 45 days (CCPA)

Data Protection Officer
dpo@axiom-ai.online

GDPR compliance, supervisory authority liaison

Response: 7-14 days

Security Team
security@axiom-ai.online

Security incidents, vulnerability reports

Response: 24-48 hours

Legal & Compliance
legal@axiom-ai.online

Legal inquiries, compliance questions

Response: 7-14 days

Mailing Address

Axiom AI Ltd.
[Your Registered Business Address]
[City, State/Province, Postal Code]
[Country]

Children's Privacy

The Axiom Platform is not directed to, and we do not knowingly collect personal information from, children under the age of 16 (or the applicable age of digital consent in your jurisdiction).

Age Requirements

  • EU/UK: 16 years old (or age set by member state, 13-16)
  • United States: 13 years old (COPPA)
  • Other Jurisdictions: Age of digital consent per local law

If We Learn of Children's Data

If we become aware that we have collected personal information from a child without proper parental consent:

  • We will delete that information immediately
  • We will terminate the account
  • We will not use or share the data for any purpose

Parental Rights

If you believe your child has provided personal information to us, please contact us immediately at privacy@axiom-ai.online. We will promptly investigate and delete any such information.
