Privacy Policy

Privacy Policy for a2ax.ai

Effective date: 2025-10-26
Last updated: 2025-10-26

a2ax.ai (“we,” “us,” or “our”) values your privacy. This Policy explains how we collect, use, share, and retain personal information when you use our website, web app, APIs, and related services (collectively, the “Services”).

1) Information We Collect

We collect information depending on how you interact with the Services:

A. Account & Identifiers

  • Name, username, avatar, email address, country/region, language preferences.

  • Third-party login data (see §4):

    • Google OAuth: basic profile (name, email, profile photo) and OAuth access/refresh tokens (used only for session/auth; we do not store your password).

    • LinkedIn / Twitter (X) OAuth: public profile details (display name, avatar, bio, profile link, public handle/ID) and OAuth tokens to perform clearly authorized actions.

B. Billing & Payments

  • Payment details processed by Stripe (e.g., payment method tokens, card type and last 4 digits, billing address, transaction history, subscription status). We do not store full card numbers or CVV on our servers; Stripe tokenizes and hosts payment data.

C. Usage Data & Logs

  • Access timestamps, request URLs, referrers, IP address (may be anonymized/masked by GA4 or server settings), browser and device info, OS and app versions, session duration, events and conversions.

  • Google Analytics 4 (GA4) may use cookies/local storage to measure usage and performance (see §4).

D. Communications

  • Emails, in-app messages, customer support records, and form submissions.

E. Optional Business Data

  • If you enter company/project information (e.g., Stripe revenue metrics, social links, investor materials), we store and process it to provide the features you select (e.g., dashboards, reports, third-party integrations).

2) How We Use Information

  • Provide, operate, and maintain the Services (account management, authentication, authorization).

  • Generate the analytics, dashboards, and reports you request (including from your connected Stripe/GA4/social accounts).

  • Billing, subscriptions, invoicing, fraud prevention, and risk control.

  • Improve features, user experience, reliability, and security; conduct de-identified statistics and performance monitoring.

  • Communicate with you (service notices, critical updates, support, and—with your consent—marketing communications you can opt out of at any time).

  • Comply with legal obligations and enforce our agreements (including abuse detection and audits).

3) Legal Bases (GDPR, where applicable)

  • Contract performance (delivering requested Services).

  • Legitimate interests (improving and protecting the Services).

  • Consent (e.g., certain cookies/analytics, optional marketing).

  • Legal obligations (e.g., tax/accounting, lawful requests).

4) Sharing with Third Parties (Processors & Disclosures)

We do not sell your personal information. We share it only as described below:

Processors (Service Providers)

  • Stripe (payments/subscriptions): processes payments, invoices, and tokens; we receive transaction status and necessary billing data.

  • Google Analytics 4 (GA4) (product analytics/performance): collects usage statistics to improve the Services. GA4 may use cookies/local storage; we can enable IP anonymization and data-sharing controls.

  • OAuth Providers:

    • Google (login/authorization; restricted scopes comply with Google policies).

    • LinkedIn / Twitter (X) (social login/profile retrieval, only for the purposes you authorize).

Legal & Safety

  • To comply with law, enforce our terms, protect users and the public, investigate fraud/security issues, or respond to lawful requests.

Business Transfers

  • In a merger, acquisition, or asset sale, data may be transferred subject to this Policy or equivalent protection.

We sign Data Processing Agreements (DPAs) with processors and require them to process data only under our instructions and with reasonable security measures.

5) Google User Data – Limited Use Requirements

  • Google user data obtained via Google OAuth is used only to provide or improve features directly related to that data; it is not used for ads or independent profiling.

  • We do not permit human access to such data without your explicit consent, unless necessary for security, fraud/abuse investigation, or to comply with law.

  • We do not share such data with third parties except as necessary to provide/improve features, with your consent, or as required by law.

  • If you revoke authorization, we will cease access and handle any stored data under our retention/deletion rules.

6) Cookies & Similar Technologies

  • We use necessary cookies (sessions, CSRF, abuse prevention) and analytics cookies (GA4).

  • You can manage cookie preferences via your browser and any in-product controls. Disabling analytics may reduce our ability to improve features but should not affect core functionality (unless otherwise indicated).

7) Data Retention & Deletion

  • Account data: retained while your account is active; deleted or anonymized within a reasonable period after closure (typically 30–90 days) unless law requires longer retention (e.g., invoices/tax records up to 7 years).

  • Logs & analytics: retained for security, audit, and performance for a limited period (typically 6–24 months) then deleted or aggregated.

  • Stripe billing records: retained as required by law and compliance.

  • Deletion requests: see §11 and contact details in §13. For Google/LinkedIn/Twitter (X) OAuth, you can also revoke authorization in your account with those services; we will stop access and remove tokens.

8) International Data Transfers

We may process and store data globally (including the U.S. and EU). We implement appropriate safeguards for cross-border transfers (e.g., EU Standard Contractual Clauses, SCCs).

9) Security

We use reasonable technical and organizational measures (encryption, least-privilege access, audits, tokenization, segmented storage) to protect data. No Internet transmission or storage is 100% secure.

10) Children’s Privacy

The Services are intended for users aged 16+ (or the local equivalent minimum age). If we learn that we collected data from a minor without appropriate consent, we will delete it promptly.

11) Your Rights

  • Access, correct, export, and delete your personal data.

  • Withdraw consent, object to, or restrict certain processing.

  • Opt out of marketing; manage cookies/analytics.

  • If you are in California or similar jurisdictions, you may have additional rights under CCPA/CPRA (access, deletion, correction, limit “sharing/sale,” opt out of behavioral advertising, etc.).

  • Submit a request using the contact in §13. We will respond within the timeframe required by applicable law. You may also lodge a complaint with your local authority.

12) Third-Party Sites & Social Platforms

Our Services may link to third-party sites or include social plugins. Their practices are governed by their own policies. Please review those policies before use.

13) Contact Us (DPO/Privacy)

For questions, requests, or complaints about this Policy or your data, contact:
Email: [email protected]

14) How to Submit Data Requests

  • General requests: email the address in §13 with the subject “Privacy Request – Access/Deletion/Export.”

  • Google data:

    1. In your Google Account → Security → “Third-party apps with account access,” revoke a2ax.ai;

    2. Email us to request deletion; we will remove associated tokens and stored copies (if any).

  • Stripe data: invoices/receipts may be retained for statutory periods; other data follows the principle of minimal necessary retention.

15) Changes to This Policy

We may update this Policy and show the “Last updated” date prominently. For material changes, we will notify you via in-product notice or email. Continued use after changes take effect means you accept the updated Policy.