Email & Newsletter Policy
Last Updated: May 20, 2026
1. Scope & Purpose
This policy explains in detail how Axion Algo ("we", "our", "us") collects, uses, tracks and protects the e-mail addresses of all users aged 18 or older who interact with our website (axion-algo.com), SaaS platform, indicators, or community channels. It complements our Terms & Conditions and Privacy Policy and is drafted to satisfy the requirements of:
- EU / UK GDPR and ePrivacy Directive (Art. 13) / PECR
- United States CAN-SPAM Act (15 USC § 7701 et seq.)
- Canada CASL (S.C. 2010, c. 23)
- California CCPA/CPRA
- Australia Spam Act 2003 and Privacy Act 1988
- Japan Act on Regulation of Transmission of Specified Electronic Mail (“Tokutei Denshi Mail Hōu”)
- Brazil Marco Civil da Internet (Law 12.965/14) and LGPD (Law 13.709/18) marketing provisions
- South Korea Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”) and PIPA
- Singapore PDPA 2012 and Do Not Call Provisions
- India Digital Personal Data Protection Act 2023 (DPDPA)
Where laws conflict, we follow the strictest rule applicable to the recipient. If you are under 18, you must not subscribe to, or interact with, any Axion Algo mailing list. This policy is binding on all Axion Algo personnel, contractors, processors and sub-processors (including our Email Service Provider) and forms part of our broader information-governance framework.
2. How We Obtain Your E-mail
- Automatic opt-in at registration or checkout – When you create an Axion Algo account, join a wait-list, or complete a purchase, you are automatically enrolled to receive service notifications and our newsletter. A notice beside every submit button explains this and links to this policy.
- Double opt-in (EU/UK/Canada/Japan/Korea/Brazil) – If your billing address or IP is in the EEA, UK, Canada, Japan, South Korea, or Brazil, you must confirm via the link in a verification e-mail before we send any marketing messages. The confirmation token is single-use, expires in 72 hours and is logged with timestamp, IP and User-Agent for proof-of-consent purposes.
- Support correspondence – If you write to our contact form, we reply to the address you used. This implicit consent extends only to the support ticket itself and any closely-related follow-up.
- Affiliate referrals – When an affiliate partner shares our product with you and you sign up via their referral link, your e-mail is collected by us directly (not by the affiliate) under the same opt-in rules above.
- Community/Discord SSO – If you connect a Discord account, we receive the verified e-mail tied to that identity solely to provision your seat on the relevant private channel.
We do not knowingly collect addresses from minors. If you believe a minor has subscribed, contact us and we will delete the data within 72 hours and place a hash of the address on a suppression list to prevent accidental re-subscription.
2.1 E-mail Address Verification at Signup
To protect deliverability and to detect typos or malicious submissions we run two real-time checks on every address presented at signup:
- MX record check – we resolve the DNS MX (Mail Exchanger) record of the domain to confirm it can receive mail. An address with no MX (or a malformed local part per RFC 5321/5322) is rejected.
- Disposable / throwaway domain blocklist – we query a Kickbox-class or NeverBounce-class disposable-email blocklist (continuously updated) and reject signups from known ephemeral providers (e.g., 10minutemail, mailinator, guerrillamail, tempmail derivatives). Legitimate privacy-preserving relays (Apple Hide My Email, Firefox Relay, DuckDuckGo Email Protection) are allowed.
Where double opt-in is required (see Section 2 above), the signup is treated as pending until the verification link is clicked, and the account cannot perform billable actions until that step is completed.
3. What We Send — List Segmentation
We maintain strictly segregated mailing lists so that consent and suppression decisions on one list do not affect the others (and vice-versa where the law permits). Each list has its own purpose, legal basis, retention and opt-out behaviour.
- Transactional – activations, invoices, failed-payment alerts, password resets, two-factor codes, magic links, refund confirmations, dispute responses. Sent automatically and on a strictly per-event basis. Mandatory while your account is active; cannot be opted out of without closing the account. Legal basis: contractual necessity.
- System / security – data-breach notifications, suspicious-login alerts, policy changes, mandatory legal notices. Mandatory; cannot be opted out of.
- Marketing newsletter – weekly or fortnightly digest of market commentary, indicator tips, educational content, promotional offers. Strictly opt-in (express consent in EU/UK/CA/JP/KR/BR; opt-in-presumed-from-purchase elsewhere, subject to soft opt-in rules).
- Product updates – new indicator releases, breaking changes, deprecations. Opt-out by default for paying customers (legitimate interest); fully opt-in for free / lapsed users.
- Affiliate communications – payout reports, referral statistics, programme news. Sent only to enrolled affiliates; separate suppression list from the marketing list.
- Surveys & research – product-development surveys, NPS, customer interviews. Always opt-in; never tied to any other list.
Subjects and "From" lines always identify Axion Algo and the nature of the message. Promotional messages are visually and textually distinct from transactional messages so a recipient can tell at a glance which is which.
3.1 Transactional vs. Marketing — Strict Bifurcation
Transactional messages (receipts, password resets, security alerts, billing confirmations, subpoena responses, data-portability deliveries) are sent regardless of any marketing opt-out, because their delivery is required to perform the contract or to comply with the law. Each transactional message is generated by a deterministic event in the platform (e.g., a Stripe webhook, an auth event, a refund settlement), is short, action-oriented, contains no promotional cross-sell beyond a thin footer (if any), and is sent from a separate authenticated sub-domain (txn.axion-algo.com) so its reputation cannot be contaminated by marketing volume. Marketing messages by contrast are sent from marketing.axion-algo.com and use a different DKIM selector, a different IP pool, and different content templates. This bifurcation is fundamental to deliverability and to legal compliance.
4. How to Unsubscribe or Change Preferences
Every non-transactional e-mail includes a clearly visible Unsubscribe or Manage Preferences link that works with one click and with no additional information required. In addition every such e-mail carries the List-Unsubscribe and List-Unsubscribe-Post headers described in Section 18 below, so any modern e-mail client (Gmail, Yahoo, Apple Mail, Outlook) can offer a one-tap unsubscribe button at the top of the message.
You may also send a plain-language request ("unsubscribe", "stop e-mails", "opt out", etc.) to our contact form from the same address we hold, or via your dashboard's Email Preferences tab.
We process all opt-outs as quickly as possible and never later than:
- ten US business days (CAN-SPAM § 7704(a)(4)(A)),
- ten business days (CASL s. 11(3)),
- 72 hours, in practice, for most jurisdictions, and
- 30 days at the outside (GDPR Art. 21(3)).
Under CAN-SPAM we honour the opt-out for no less than 30 days following the date of the unsubscribe request (and in practice we honour it indefinitely unless you affirmatively re-subscribe through a fresh double opt-in). Opting out stops marketing mail but does not affect essential service communications. To stop those you must close your account.
4.1 Subscriber Preference Granularity
From the in-app Email Preferences centre you can tune your subscriptions along two axes:
- Frequency: daily digest, weekly digest, monthly digest, quarterly recap, or transactional-only.
- Categories: product releases, educational content, promotional offers, community announcements, beta invitations, research surveys.
Changes take effect on the next scheduled send (typically within minutes; always within 24 hours). A confirmation e-mail is sent to the address on file so that any unauthorised preference change is immediately visible.
5. Delivery & Data Processing Partners
We send mail through Resend (Resend, Inc., resend.com), our primary Email Service Provider (“ESP”) for both transactional and marketing traffic. Resend stores and processes your address on infrastructure located in the United States solely under our instructions and is bound by a signed Data Processing Agreement incorporating Standard Contractual Clauses (Module 2 / Module 3 as applicable) for any transfers of EU/UK personal data. Sub-processors used by Resend (e.g., AWS for compute and storage) are listed in their public sub-processor register and we are notified of changes.
We maintain contingency contracts with Amazon SES and Postmark as backup ESPs (placeholder — specific provider may change). Failover is automatic for transactional traffic if Resend reports an outage of more than 15 minutes; marketing traffic is queued and resumed when the primary recovers. Both backup providers are bound by equivalent DPAs and SCCs.
No other third party receives your address for independent use. If we replace Resend or change backup providers, we will update this policy and (for marketing subscribers) notify you by e-mail at least 30 days in advance.
6. Tracking, Analytics & Pixel Disclosure
Our HTML e-mails may contain:
- a 1 × 1 transparent pixel (the “open pixel”) that records an "open" event when images load in your mail client;
- redirect links of the form
https://click.axion-algo.com/…that count clicks in aggregate before forwarding you to the destination URL with no delay; and - UTM parameters appended to outbound links so we can attribute downstream conversions in our product analytics.
We use these metrics only to improve content and deliverability and to identify inactive subscribers for sunset processing (Section 15). They are never used to make automated decisions that have legal or similarly significant effects on you (GDPR Art. 22). You can avoid tracking by:
- disabling remote images in your mail client,
- using a privacy-relay address (Apple Hide My Email, Firefox Relay) that strips pixels in transit,
- emailing our contact form and asking us to flag your address as “no-pixel” (we honour these requests within 5 business days), or
- unsubscribing from marketing messages.
Transactional security mail may still include minimal system tracking (delivery receipt, bounce telemetry) for anti-fraud purposes; pixels are not used in transactional mail.
7. Legal Grounds for Processing
- Contractual necessity – we must use your address to deliver the service you requested (GDPR Art. 6(1)(b)).
- Consent – for newsletters, tutorials, and promotions (GDPR Art. 6(1)(a); ePrivacy Art. 13; CASL s. 6; LGPD Art. 7-I; PDPA s. 13). You may withdraw consent at any time and withdrawal is as easy as opt-in.
- Legitimate interests – to secure our platform, prevent fraud, perform deliverability analytics, and understand aggregate engagement, provided those interests do not override your rights (GDPR Art. 6(1)(f)).
- Legal obligation – to retain billing records or respond to lawful requests (GDPR Art. 6(1)(c)).
- Soft opt-in for similar products (EU/UK) – we may send you marketing about products and services similar to the one you purchased (ePrivacy Directive Art. 13(2); PECR reg. 22(3)), provided we collected the address in the course of a sale and we gave you a clear, simple opportunity to opt out at the time of collection and in every subsequent message.
8. Your Rights
Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
- California residents: right to know, delete, correct; right to limit use of sensitive personal information; we do not sell personal information and we do not “share” it for cross-context behavioural advertising as defined by CPRA.
- EU/UK residents: right to lodge a complaint with a supervisory authority (e.g., Spanish AEPD, UK ICO, Irish DPC).
- Canadian residents: right to complain to the Office of the Privacy Commissioner of Canada and the CRTC.
- Brazilian residents: right to complain to the Autoridade Nacional de Proteção de Dados (ANPD).
- Indian residents: right to complain to the Data Protection Board under the DPDPA.
Submit requests to our contact form. We may ask for proof of identity (verification token bound to the e-mail on file) and will respond within statutory deadlines.
9. Security
We protect mailing-list data with TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access control for staff, mandatory 2-factor authentication on all admin consoles, monthly access reviews, and quarterly security reviews. Mailing-list exports are gated behind a separate “export” role and produce an audit log entry with reviewer, timestamp, scope and reason. Despite these measures, no online system is 100% secure; you share your address at your own risk.
10. Data Retention
- Marketing list – kept until you unsubscribe or after 24 months of inactivity, whichever comes first.
- Transactional records – retained for the life of your account and up to seven years thereafter for accounting, tax, and anti-fraud purposes.
- Suppression list – retained for 5 years after the last suppression event in plaintext, then pseudonymised (SHA-256 hash with secret salt) to prevent accidental re-add. See Section 16 (Sunset Policy).
When retention ends, we delete or anonymise the address.
11. International Transfers
Because Resend's infrastructure is hosted in the United States (primarily AWS us-east-1 and us-west-2), your address may be stored outside your country. We rely on the EU Commission's Standard Contractual Clauses (Module 2) supplemented by a Transfer Impact Assessment, the UK International Data Transfer Addendum, the Swiss FDPIC requirements, and (where applicable) the EU-US Data Privacy Framework certification of our processors. The same protections described in this policy apply regardless of where the data is physically stored.
12. Sender Authentication: SPF, DKIM, DMARC, MTA-STS, TLS-RPT, ARC
We authenticate our outgoing emails with a layered set of internet standards designed to defeat spoofing, phishing and downgrade attacks. Emails from us will always come from a verified verified email domain or a Resend-authenticated sub-domain we control (see Section 17 for the sub-domain split).
12.1 SPF (RFC 7208)
Our Sender Policy Framework record authorises Resend's sending infrastructure (include:_spf.resend.com) and our legacy/operational mail relays. The record ends in a hard fail (-all) so that any unauthorised sender is rejected outright rather than soft-failed. We periodically audit the record to avoid the 10-lookup limit.
12.2 DKIM (RFC 6376)
Each outbound message is signed with a 2048-bit RSA DKIM signature using rotating selectors. Signing keys are rotated at least every 180 days; old selectors are kept in DNS for 7 days after rotation to honour in-flight retries. Headers signed include the canonical set: From, To, Subject, Date, Message-ID, MIME-Version, Content-Type, List-Unsubscribe, List-Unsubscribe-Post.
12.3 DMARC (RFC 7489)
Our DMARC policy is currently being ramped up:
- Phase 1 (current):
p=none— monitor only. Aggregate reports (rua=) are collected and analysed for unauthorised sources. - Phase 2 (next 60 days):
p=quarantine; pct=25→pct=100as confidence grows. - Phase 3 (target):
p=rejecton all sending sub-domains. Reject is the policy required for BIMI logo display (see Section 13).
Aggregate reports are sent to our contact form. Forensic / failure reports (ruf=) are collected to our contact form where the reporting domain permits forwarding personal data (most do not, in light of GDPR). Reports are processed by an automated analyser that flags any new source IP within one hour.
12.4 MTA-STS (RFC 8461)
We publish an MTA-STS policy at https://mta-sts.axion-algo.com/.well-known/mta-sts.txt with mode enforce, requiring sending MTAs to verify our MX hostnames via valid TLS certificates and to drop the connection rather than fall back to plaintext on downgrade. We plan to apply for MTA-STS preloading once the policy has been stable for 12 months.
12.5 TLS-RPT (RFC 8460)
We publish a TLS Reporting record (_smtp._tls.axion-algo.com) so that remote MTAs can report TLS negotiation failures. Reports are reviewed weekly and any persistent failure with a recognised receiver triggers an investigation within one business day.
12.6 ARC (RFC 8617)
For messages forwarded by mailing lists or alias services (which would otherwise break SPF / DKIM alignment), we honour Authenticated Received Chain (ARC) headers preserved by intermediaries, and we seal our own ARC headers on outbound traffic when relaying through Resend so that downstream receivers can see the original authentication results. This protects subscribers who read our e-mails through forwarders, group lists, or corporate gateways.
12.7 Anti-Spoofing Stack Summary
- SPF with hard fail (
-all). - DKIM 2048-bit RSA with rotating selectors.
- DMARC with aggregate & forensic reporting; policy ramping to
p=reject. - MTA-STS in
enforcemode; preload candidate. - TLS-RPT for transport-layer feedback.
- ARC sealing on outbound; verification on inbound forwards.
- BIMI with Verified Mark Certificate (Section 13).
If you receive an email claiming to be from Axion Algo from any other address — for example a free Gmail or Outlook account — treat it as suspicious and forward it to our contact form.
Whitelisting: To ensure delivery of critical transactional emails (account confirmation, password resets, billing receipts, security alerts), add our contact form, our contact form and our contact form to your address book and mark them as “Not Spam” in your email client. Some corporate firewalls block transactional providers — if you do not receive an expected email within 10 minutes, check the Junk/Spam folder.
13. BIMI (Brand Indicators for Message Identification)
BIMI is a technical standard that allows e-mail receivers to display a verified brand logo next to authenticated messages in the recipient's inbox. Axion Algo has implemented BIMI and holds a Verified Mark Certificate (VMC) issued by a CA/B-Forum-recognised certificate authority. The VMC is bound to our DNS-published BIMI record at default._bimi.axion-algo.com and references our trademark-registered logo in SVG Tiny PS format.
Supporting clients include:
- Gmail (web, Android, iOS) — VMC required.
- Yahoo Mail and AOL Mail.
- Apple Mail on iOS 16+, iPadOS 16+, macOS Ventura+.
- Fastmail and various BIMI-aware clients.
BIMI display is contingent on DMARC enforcement at p=quarantine or p=reject with a non-trivial percentage. While we ramp DMARC enforcement (Section 12.3), logo display may be intermittent. Once we reachp=reject at pct=100, the Axion Algo logo should appear next to every authenticated message in supporting inboxes.
14. Frequency, Categories & Preferences
Approximate frequency by category, assuming you remain subscribed:
- Transactional & security: only as triggered (signup, payment, security event). Cannot be opted out of while your account is active.
- Educational newsletter: up to 2 emails per week.
- Product updates & release notes: 1 to 4 emails per month, depending on release cadence.
- Promotional offers: at most 2 emails per month on average.
- Surveys & research: infrequent and always optional.
You can fine-tune which categories you receive by clicking “Manage Preferences” at the bottom of any marketing email, by visiting the Email Preferences page in your dashboard, or by emailing us with the categories you wish to keep or stop.
15. Bounces, Inactivity, Suppression & Re-Engagement
15.1 Bounce Categories & Handling
- Hard bounce (5xx SMTP, mailbox not found, domain not resolvable) — the address is added to the suppression list immediately and we will not retry. Hard bounces protect our sender reputation and are non-negotiable for marketing volume.
- Soft bounce (4xx SMTP, full mailbox, temporary DNS failure, greylisting) — we retry with exponential backoff up to 3 attempts over 72 hours. If all retries fail the address is moved to soft-suppression and the next scheduled send is held; persistent soft bounces over a 30-day window are escalated to permanent suppression.
- Complaint / Feedback Loop (FBL) — if the recipient marks our message as spam in a participating mailbox (Gmail Postmaster, Yahoo, Outlook SNDS / JMRP, AOL), the FBL report triggers immediate suppression and an internal review of the campaign that caused it.
- Challenge / response (Boxbe, EarthLink, etc.) — we do not auto-respond to challenge messages. If a challenge is received, the address is moved to a challenge-pending state and is suppressed from further marketing sends until the recipient affirmatively whitelists us via the challenge link.
- Unsubscribe — the request is honoured immediately (within minutes; always within statutory deadlines).
15.2 Suppression List Management
We maintain a global suppression list: any unsubscribe from any list (marketing, product, surveys, affiliate) is propagated to a master suppression table within the same send cycle. By default an unsubscribe on one list suppresses the address across all non-mandatory lists, on the principle that recipients should not have to opt out from multiple lists separately. Where the recipient explicitly opts out from only one category via the Email Preferences centre, we honour that granularity and keep other category subscriptions intact.
Suppression-listed addresses are never re-added to any marketing list except via a fresh double opt-in initiated by the user themselves — for example, by re-subscribing through the public signup form and confirming the verification e-mail. Staff cannot manually re-add a suppressed address; the database constraint physically prevents it.
15.3 Re-Engagement Policy
Subscribers who have not opened or clicked any marketing message in the past 90 days are considered “at risk.” They receive a single, lightweight re-engagement e-mail (“Still want to hear from us?”) with a clear Yes / No call to action. Recipients who click Yes are returned to the active list. Recipients who do not respond within a further 90 days enter the sunset funnel below.
15.4 Sunset Policy
Subscribers who do not engage in any way for a continuous 6 months after the re-engagement attempt are moved to the inactive list and stop receiving marketing e-mail. Their address remains on the suppression list to prevent accidental re-subscription. After 5 years on the suppression list with no further activity, the raw address is purged and replaced with a salted SHA-256 hash; the hash is retained indefinitely to prevent re-add, but the underlying e-mail cannot be reconstructed from it.
16. Phishing & Impersonation Defense
We will never ask you by email for your password, your TradingView password, your full credit-card number, your two-factor codes, the seed phrase to a crypto wallet, or any API keys to a broker or exchange. If you receive any message that asks for these, it is a phishing attempt — do not reply, do not click links, and report it to our contact form. We will never include unexpected attachments. Always check the sender domain before clicking any link in an email purporting to be from us. Our official sender domains are axion-algo.com and the sub-domains listed in Section 17 below; anything else — including look-alike domains such as axion-alg0.com, axion-algo.io, axion-algos.com or axionalgo.com — is not us.
17. IP & Domain Reputation Management
Deliverability rests on the long-term reputation of the IP addresses and the sending domains we use. We protect that reputation with the following operational practices:
17.1 Sub-Domain Segmentation
txn.axion-algo.com— transactional traffic only (receipts, password resets, magic links). Highest priority warm-up and lowest tolerance for spam complaints.marketing.axion-algo.com— newsletter, promotions, product updates. Separated from transactional so that any reputation hit on marketing volume does not affect delivery of receipts.mail.axion-algo.com— general operational mail (support replies, person-to-person correspondence from staff mailboxes).bounce.axion-algo.com— envelope-from (Return-Path) domain used for VERP-style bounce processing.
17.2 IP Warm-Up
Any newly-assigned sending IP undergoes a 4–6 week warm-up in which volume is ramped gradually (typically 50, 100, 500, 1 000, 5 000, 10 000, 50 000 messages per day) and engagement is monitored at each step. If the open rate falls below 15% or the complaint rate rises above 0.05% at any step, the ramp is paused and root-caused before resuming.
17.3 ESP Throttling
We honour per-receiver throttling guidance published by major mailbox providers (Gmail Postmaster Tools, Yahoo Sender Hub, Microsoft SNDS) and rely on Resend's built-in queue management to spread sends over an acceptable cadence. We do not send blast campaigns at peak local hours; large sends are time-zoned and spread over the recipient's morning window.
17.4 Reputation Monitoring
We continuously monitor:
- Google Postmaster Tools (IP and domain reputation).
- Microsoft SNDS and JMRP feedback.
- Public blocklists (Spamhaus, SURBL, URIBL, Barracuda, Sorbs).
- Mail-Tester scores on canonical campaign templates.
- DMARC aggregate reports for unauthorised sources.
Any negative signal triggers a documented incident-response playbook with target resolution times.
18. List-Unsubscribe Headers — RFC 8058 One-Click
In line with the Gmail and Yahoo bulk-sender requirements that took effect in February 2024 (and ramped through 2024–2025), every marketing message we send carries:
List-Unsubscribe: </contact>, <https://axion-algo.com/u/…>— the dual-format header (mailto + https) that RFC 2369 and RFC 8058 require so that the recipient's mail client can offer an inbox-native unsubscribe button.List-Unsubscribe-Post: List-Unsubscribe=One-Click— the RFC 8058 trigger that lets the receiver submit the unsubscribe via a single HTTP POST without any confirmation page, click-through or login. We honour the POST as a final unsubscribe instruction with no further user interaction required.
These headers are present on every send above 1 message per recipient per day and are mandatory for any sender shipping more than 5 000 messages per day to Gmail or Yahoo — a threshold we cross on a regular basis. We comply with the headers regardless of volume, on every marketing send, as a matter of policy.
19. Spam Complaint Rate — Targets & Corrective Action
Per the Gmail and Yahoo 2024 bulk-sender requirements, we target a spam complaint rate of below 0.10% at all times, measured over a rolling 7-day window in Google Postmaster Tools. Internally we treat 0.30% as a hard ceiling that must never be reached on any single send.
- If the rolling rate exceeds 0.10%, the campaign owner is notified within one hour and a root-cause review is scheduled.
- If a single send exceeds 0.20%, the campaign is paused mid-flight, the segment is investigated, and any remaining queue is suspended pending review.
- If we approach 0.30%, all marketing sends are paused company-wide and a deliverability incident is opened.
Corrective actions include list pruning, segment narrowing, content review, frequency reduction, re-warm of the affected IP/domain, and (if necessary) a temporary switch to the backup ESP.
20. Templates & Accessibility
Axion Algo's e-mail templates follow WCAG 2.1 Level AA where the constraints of the HTML-e-mail medium allow it. Specifically:
- All images carry meaningful
alttext or are marked as decorative (alt=""). - Text and background colours meet a contrast ratio of at least 4.5 : 1 for body text and 3 : 1 for large text.
- Heading semantics (
<h1>,<h2>) are preserved so that screen readers can navigate the message. - Tabular data uses proper
<table>markup withscopeattributes on headers. - Every HTML message carries a
text/plainalternate generated from the same source content; recipients reading via screen readers or low-bandwidth devices receive the plain-text version cleanly. - Links use descriptive anchor text (no “click here” anti-pattern); the destination domain is announced for users who hover or use assistive technology.
21. Co-Marketing & Partner Emails
Occasionally we may run a co-marketing campaign with a partner (e.g., a broker, a TradingView educator, a prop firm). Any co-marketed email will (a) be sent from our infrastructure, (b) clearly state the partner's identity, and (c) honour the same unsubscribe mechanism. We do not share your email address with the partner unless you affirmatively click through and provide your email on the partner's landing page, in which case the partner's privacy policy applies to that interaction.
22. CAN-SPAM Act (15 USC § 7701) — Detailed Compliance
The CAN-SPAM Act of 2003 governs commercial electronic mail directed to recipients in the United States. Axion Algo complies with all seven principal obligations:
- Accurate “From”, “To”, “Reply-To” and routing information. Headers must accurately identify the person or business that initiated the message. Our “From” line always shows “Axion Algo” and our authenticated sub-domain; our “Reply-To” points to a monitored mailbox; our routing information (Received, Return-Path, DKIM) accurately reflects the sending path.
- Non-deceptive subject lines. Subject lines accurately reflect the message's contents. We do not use subject lines that imply a personal relationship, an urgent security event, a billing problem or a regulatory notice unless the body of the message genuinely concerns that topic.
- Identification as an advertisement (where applicable). Where a message is primarily commercial (an “ARC commercial designation,” per FTC guidance), we identify it as an advertisement in the body. For messages that contain both commercial and transactional content, we treat the message as commercial if the primary purpose is commercial under the FTC's “primary purpose” analysis (16 CFR 316.3).
- Valid physical postal address. Every commercial message contains a valid, working physical postal address for Axion Algo (placeholder — the operating entity's registered address as published in our company information page). A post office box registered with the USPS or an equivalent commercial mail receiving agency registered with the relevant authority is permitted by the FTC and may be used where appropriate.
- Functioning unsubscribe link processed within 10 business days. Every commercial message contains a clear and conspicuous unsubscribe mechanism. We honour the opt-out within 10 business days (the statutory maximum; internally we target within minutes). The unsubscribe mechanism remains operational for at least 30 days after the message was sent.
- Honour opt-outs for at least 30 days. Once a recipient unsubscribes, we will not send commercial mail to that address for at least 30 days; in practice we treat the unsubscribe as permanent until the recipient affirmatively re-subscribes through a fresh double opt-in.
- No selling or transferring opt-out addresses. Addresses that have opted out are never sold, leased, exchanged or transferred to any third party for purposes other than legal compliance with CAN-SPAM itself (e.g., a vendor that helps us process suppression at scale).
Commercial vs. transactional vs. relational content. CAN-SPAM distinguishes three message types:
- Commercial — primary purpose is to advertise or promote a commercial product or service. Full CAN-SPAM obligations apply.
- Transactional or relationship — primary purpose is to facilitate, complete or confirm a commercial transaction the recipient has already agreed to (e.g., receipts, password resets, warranty information, account-balance changes). Only the header-accuracy and routing-information rules apply; the unsubscribe rules and physical-address rule do not.
- Dual-purpose — if a message has both purposes, we apply the FTC's primary-purpose test and default to treating the message as commercial whenever there is any doubt.
Criminal penalties. CAN-SPAM imposes criminal penalties (and the FTC may impose civil penalties of up to US$53,088 per violation as of 2024 adjustments) for harvesting e-mail addresses from web sites without permission, for dictionary attacks against domains, for relay or retransmission through other computers without authorisation, and for materially falsified header information. We do not engage in any of these practices and we will report any third party that uses our brand to do so.
23. CASL (Canada Anti-Spam Legislation) — Detailed
Canada's Anti-Spam Legislation (S.C. 2010, c. 23) is among the strictest e-mail marketing regimes in the world. For recipients in Canada we apply the following:
- Express consent (opt-in) required. We do not send Commercial Electronic Messages (CEMs) to Canadian recipients without their express consent. Consent is captured at signup via an unticked checkbox describing the categories of message the recipient agrees to receive, with a clear identification of Axion Algo as the requesting party and a link to this policy. Records of consent (timestamp, IP, form version) are retained for the longer of (a) the duration of the relationship plus three years or (b) any statutory minimum.
- Implied consent — existing business relationship. Where we have an existing business relationship with a Canadian recipient (e.g., a purchase, a written contract or an enquiry handled in the previous 2 years), CASL permits implied consent for that window.
- Implied consent — existing non-business relationship. Similar implied consent applies to existing non-business relationships (e.g., a donation or volunteer relationship) for a 2-year window.
- Conspicuously published business address. A person or organisation that has conspicuously published a business e-mail address (with no statement that they do not wish to receive unsolicited CEMs) provides implied consent for CEMs relevant to their business role.
- Sender identification. Every CEM clearly identifies Axion Algo, our mailing address, and at least one of our telephone number, e-mail address, or web address (CASL s. 6 and Electronic Commerce Protection Regulations).
- Unsubscribe within 10 business days. The CEM must include a functional, no-cost, plain-language unsubscribe mechanism that works for at least 60 days after the message is sent and that is given effect within 10 business days. We target same-day processing.
- Transitional period. The transitional implied-consent period for pre-2014 contacts ended on 1 July 2017. We do not rely on it for any current sends.
- Enforcement. CASL is enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner. Administrative monetary penalties can reach CA$1 million for individuals and CA$10 million for organisations per violation, plus statutory damages under the (currently-suspended) private right of action.
24. GDPR E-Marketing (EU) & ePrivacy Directive Art. 13
In the European Economic Area, the United Kingdom and Switzerland, e-marketing is governed by the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) as the lex generalis and the ePrivacy Directive 2002/58/EC (as amended) as the lex specialis, transposed locally (in the UK, by the Privacy and Electronic Communications Regulations 2003 / “PECR”).
- Soft opt-in for similar products. Under ePrivacy Art. 13(2) we may send marketing about our own similar products or services to a recipient who provided their e-mail in the context of a purchase, provided we gave them a clear and free opportunity to opt out at the time of collection and in every subsequent message. This soft opt-in is narrow: it does not cover entirely new product lines, partner offers, or third-party promotions.
- Explicit consent for new prospects. For any recipient who has not purchased — e.g., wait-list signups, lead-magnet downloads, webinar attendees — we require freely-given, specific, informed and unambiguous consent (GDPR Art. 4(11)). Consent is captured via an unticked checkbox with granular, separate options per processing purpose; we do not bundle marketing consent with terms-of-service acceptance.
- Transparent purpose. Every consent request identifies Axion Algo as the controller, lists the categories of message and frequency, and links to this policy and our Privacy Policy.
- Data minimisation. We collect only the e-mail address and (optionally) first name and country for segmentation. We do not require additional fields as a condition of marketing consent.
- Right to object. The recipient may object to marketing processing at any time under GDPR Art. 21(2); the objection is absolute and is processed within 72 hours, with a maximum statutory deadline of 30 days.
- PECR / UK equivalence. In the UK, PECR regulation 22 imposes the same soft-opt-in/explicit-consent regime; the Information Commissioner's Office (ICO) is the enforcement authority and may impose civil monetary penalties of up to £500 000 (under PECR) or the higher GDPR ceilings where the underlying breach also engages the UK GDPR.
25. Australian Spam Act 2003 & Privacy Act 1988
For recipients in Australia we comply with the Spam Act 2003 (Cth) and the Privacy Act 1988 (Cth) as supplemented by the Australian Privacy Principles (APPs).
- Consent. CEMs require either express consent (an affirmative act such as ticking an unticked box at signup) or inferred consent (an existing business relationship, the conspicuous publication of a work e-mail address). We default to express consent for Australian recipients.
- Identification. Each CEM clearly identifies Axion Algo as the sender and how to contact us (postal address, e-mail, web).
- Functional unsubscribe. A clear, low-cost unsubscribe is present in every CEM and is honoured within 5 business days (the statutory maximum).
- Enforcement. The Australian Communications and Media Authority (ACMA) enforces the Spam Act and may impose civil penalties of more than AU$1.65 million per day of contravention for body corporates, plus injunctions and enforceable undertakings.
26. Japan Specified Email Act (Tokutei Denshi Mail Hōu)
Japan's Act on Regulation of Transmission of Specified Electronic Mail (Act No. 26 of 2002, as amended) regulates marketing e-mail to Japanese recipients.
- Opt-in required. Since the 2008 amendment, marketing e-mail to Japanese recipients requires affirmative opt-in.
- Sender identification. Each message must clearly identify the sender's name, address, and a way to contact the sender.
- Unsubscribe. A clearly displayed unsubscribe mechanism must be present and honoured promptly.
- Record-keeping. Records of consent must be retained for at least one month after the cessation of the marketing relationship.
- Criminal penalties. Violations can result in imprisonment of up to 1 year or fines of up to ¥1 million for individuals and up to ¥30 million for legal entities. Enforcement is by the Ministry of Internal Affairs and Communications and the Consumer Affairs Agency.
27. Brazil Marco Civil & LGPD Marketing Provisions
Brazil's Marco Civil da Internet (Law 12.965/14) and the Lei Geral de Proteção de Dados (LGPD, Law 13.709/18) jointly regulate marketing e-mail to Brazilian residents.
- Opt-in basis. LGPD Art. 7-I requires consent for the processing of personal data for marketing purposes (in the absence of another legal basis).
- Consent withdrawal honoured. Under LGPD Art. 8§5, consent may be revoked at any time by simple and free procedures; we honour withdrawal within 72 hours.
- Transparency. Privacy notices must be in Portuguese (we provide localised consent flows for Brazilian IPs/billing addresses) and must explain purposes, retention, and recipient rights.
- ANPD enforcement. The Autoridade Nacional de Proteção de Dados (ANPD) supervises LGPD compliance. Administrative sanctions can reach BRL 50 million per infraction (capped at 2% of group revenue in Brazil per year).
28. South Korea Network Act & Personal Information Protection Act
For recipients in the Republic of Korea, the Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”) and the Personal Information Protection Act (“PIPA”) impose the strictest marketing-e-mail regime among the major Asia jurisdictions.
- Explicit consent. Prior, separate and explicit consent is required for any marketing e-mail to a Korean recipient.
- “Advertisement” label. The subject line of every marketing e-mail must contain the prefix “(광고)” (the Korean word for “advertisement”) or the English equivalent “[AD]”, immediately followed by the subject. We automatically add this label to any marketing send that targets a Korean recipient.
- Sender identification. The body of the message must include the sender's name, contact, and a functioning opt-out mechanism.
- Opt-out mechanism. An unsubscribe option must be free of charge and honoured promptly.
- Night-time restriction. Marketing e-mail between 21:00 and 08:00 local time requires separate explicit consent. We schedule sends to Korean recipients only within the permitted window unless such separate consent has been obtained.
- Enforcement. The Korea Communications Commission (KCC) and the Personal Information Protection Commission (PIPC) enforce these requirements; penalties include fines of up to KRW 30 million per violation and criminal sanctions for serious or repeated breaches.
29. Singapore PDPA & Do-Not-Call
The Personal Data Protection Act 2012 (PDPA) and its Do Not Call (DNC) Provisions regulate marketing communications to Singapore residents.
- Consent. Marketing e-mail requires consent; the consent must be informed and may be withdrawn at any time.
- Sender identification. Every message must identify the sender and provide contact information.
- Unsubscribe. A clear, no-cost unsubscribe option must be present and honoured promptly.
- DNC Registry. The DNC provisions apply primarily to telephone marketing but extend to certain message types; we check Singapore subscribers against the relevant registers where applicable.
- Enforcement. The Personal Data Protection Commission (PDPC) enforces the PDPA. Financial penalties can reach SGD 1 million or 10% of annual turnover in Singapore (whichever is higher) for serious breaches, with a baseline of SGD 200 000 for many infractions.
30. India Digital Personal Data Protection Act 2023 (DPDPA)
India's Digital Personal Data Protection Act 2023 governs the processing of digital personal data (including e-mail) for Indian Data Principals.
- Consent basis. Marketing e-mail to Indian residents is processed on the consent basis (s. 6 DPDPA); consent must be free, specific, informed and unambiguous, and we provide a notice in clear language at the point of collection.
- Withdrawal. Data Principals may withdraw consent at any time with effect equally simple as the original opt-in.
- Data Principal rights. Indian recipients have rights of access, correction, erasure, and grievance redressal; requests are processed through our standard privacy intake.
- Data Protection Board. Enforcement is by the Data Protection Board of India. Financial penalties can reach INR 250 crore (approximately US$30 million) per breach.
31. International Transfers of E-mail Data
Our primary ESP, Resend, is hosted in the United States and therefore your e-mail address and engagement metadata may be processed there. Where the recipient is in the EEA, UK, Switzerland, Brazil, South Korea, Japan, India or any other jurisdiction with cross-border data-transfer rules, we rely on appropriate safeguards:
- EU Commission Standard Contractual Clauses (Module 2, controller-to-processor) signed with Resend, supplemented by a Transfer Impact Assessment;
- UK International Data Transfer Addendum;
- Swiss FDPIC clauses;
- ANPD-recognised contractual clauses for transfers out of Brazil;
- KCC-approved cross-border contracts for transfers out of South Korea;
- PIPC-compliant notices and consent for transfers out of Japan;
- DPDPA-compliant cross-border transfer mechanisms for Indian data principals (subject to the Central Government's restricted-jurisdictions notification, when issued).
Where any of the above is unavailable for a particular jurisdiction or where the recipient explicitly objects to cross-border processing, we will either refrain from sending marketing content or seek a local-only processing arrangement with an alternative ESP.
32. Right to Object & Withdraw
You may withdraw consent or object to marketing processing at any time and through any of the following channels, each of which has the same legal effect:
- the one-click
List-Unsubscribeheader in your inbox (Section 18); - the unsubscribe link at the foot of every marketing message;
- the Email Preferences centre in your dashboard;
- an e-mail to our contact form or our contact form; or
- (for affected jurisdictions) a request to your local supervisory authority, which we will action on receipt.
We process all such requests with no questions asked and at no cost to the recipient. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
33. Reporting Spam from Us
If you believe you have received an e-mail from us in circumstances that violate this policy or applicable law, please report it to our contact form. Include the original message with full headers if possible. We acknowledge every abuse report within 24 hours and complete an initial investigation within 48 hours, with corrective action (e.g., suppression, list audit, ESP escalation) documented in the response.
34. Policy Changes & Update Notice
We may update this document to reflect new laws or business practices. A revised version will carry a new "Last updated" date. Material changes— for example a change of ESP, a new processing purpose, a new category of marketing list, a change of legal basis, or a material change to the suppression / retention regime — will be announced by e-mail to subscribers at least 30 days before they take effect, accompanied by a site-wide banner. Minor edits (typo fixes, clarifications, formatting) are effective on posting.
35. Contact
Questions, objections, unsubscribe requests or correspondence about your e-mail data:
- General privacy and e-mail-data questions: our contact form
- Spam reports and impersonation incidents: our contact form
- General support and unsubscribe requests: our contact form
We aim to reply within three working days and always within legal time limits.