Privacy Policy — Axis

Axis is a multi-tenant operations platform for virtual assistant service businesses. Workspaces are created by paying customers (“Workspace Owners”) who invite their team members to collaborate inside the Workspace.

• For Customer Data inside a Workspace (such as client records, tasks, hiring requests, weekly reports, attendance, time entries, and uploaded files), the Workspace Owner is the data controller and Operator is the data processor. If you are an Authorized User and have questions about how a Workspace handles your data, please contact your Workspace Owner directly.
• For account-level data (such as the email and name you use to log in, billing details for paying Customers, security logs, and product analytics about how features are used), Operator acts as a data controller.

This Privacy Policy explains both roles. Where Operator acts as a processor, we process Customer Data only under the documented instructions of the Workspace Owner.

We use personal data to:

• Provide, operate, and maintain the Service.
• Authenticate users and secure accounts.
• Process payments and manage Subscriptions.
• Send transactional emails (account verification, password reset, billing receipts, security alerts).
• Provide customer support.
• Detect, prevent, and respond to abuse, fraud, and security incidents.
• Improve the Service through aggregated, non-identifying analytics.
• Comply with legal obligations.

We do not sell personal data, and we do not use Customer Data to serve advertising.

Where the GDPR applies, we rely on the following legal bases:

• Contract — to provide the Service to Workspace Owners and Authorized Users.
• Legitimate interests — to secure the Service, prevent abuse, and improve features in ways that do not override your rights.
• Consent — for any optional processing that requires it. You can withdraw consent at any time.
• Legal obligation — to comply with applicable law, such as tax and accounting requirements.

We share personal data with the following subprocessors only as needed to operate the Service:

A current list of subprocessors is maintained at [SUBPROCESSORS PAGE URL]. We will provide notice of new subprocessors via [NOTIFICATION CHANNEL — e.g., email to Workspace Owners or an updates page] before they begin processing personal data, so that Workspace Owners have a reasonable opportunity to object.

We may also share personal data:

• With your Workspace Owner and other Authorized Users, in accordance with the access permissions configured in your Workspace.
• With our professional advisors (lawyers, accountants, auditors) under confidentiality obligations.
• In connection with a corporate transaction (merger, acquisition, financing, or sale of assets), in which case we will require the recipient to honor this Privacy Policy.
• When required by law, court order, or to protect rights, safety, and property.

Personal data may be transferred to and processed in countries other than the country where you are located, including the United States. Where we transfer personal data out of the EEA, UK, or other regions with similar requirements, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

• Workspace data is retained for as long as the Workspace exists. When a Workspace Owner deletes a Workspace, the Workspace data is removed from active systems immediately and from encrypted backups within 30 days.
• Account information for Authorized Users is retained while the account is active. If you no longer belong to any Workspace, you may request deletion of your account by contacting [PRIVACY EMAIL].
• Request and security logs are retained for 30 days.
• Billing records are retained for the period required by applicable tax and accounting law (typically 7 years).
• Support correspondence is retained for as long as reasonably necessary to provide ongoing support and resolve disputes.

We use industry-standard security measures, including:

• Encryption in transit (TLS).
• Password hashing using Auth.js v5.
• Role-based access controls and tenant isolation.
• Audit logging for sensitive actions.
• Regular security review of our infrastructure and dependencies.

While we work hard to protect personal data, no system is completely secure, and we cannot guarantee absolute security. If we become aware of a personal data breach affecting your data, we will notify the affected Workspace Owner without undue delay, in accordance with applicable law.

Axis uses a single session cookie required to keep you signed in. We do not use third-party tracking cookies, advertising pixels, or cross-site analytics. Because the session cookie is strictly necessary to provide the Service, no consent banner is required in most jurisdictions.

You can clear or block cookies through your browser settings, but doing so will prevent you from signing in to the Service.

Axis is intended for use by businesses and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact [PRIVACY EMAIL] and we will take steps to delete it.

Certain features in Axis send prompts and the relevant Workspace context to Anthropic's Claude API to generate AI outputs.

• Per Anthropic's commercial API terms, inputs and outputs are not used to train Anthropic's foundation models.
• Anthropic acts as a sub-processor of Operator with respect to AI feature processing.
• The data sent to Anthropic is limited to what is necessary to fulfill the prompt — typically the prompt itself and a contextual subset of Workspace data relevant to the request.
• Anthropic may retain prompt and output data for a limited period for abuse-prevention and operational purposes, in accordance with its own published policies.

If you do not wish to use AI features, you may avoid invoking them. Workspace Owners may also disable AI features at the Workspace level in [SETTINGS LOCATION].

We may update this Privacy Policy from time to time. If we make a material change, we will provide notice via email to Workspace Owners or by posting a notice in the Service. The “Last updated” date at the top of this Policy reflects the latest revision.

For privacy questions, requests, or complaints, contact us at:

• Privacy contact: [PRIVACY EMAIL]
• General support: [SUPPORT EMAIL]
• Operator: [COMPANY NAME], [COMPANY ADDRESS], [COUNTRY OF REGISTRATION]

If you are in the EEA or UK and we do not resolve your concern, you have the right to lodge a complaint with your local data protection authority.