Privacy Policy
Last Updated: May 20, 2026
Introduction:
AXION ALGO ("AXION ALGO", "we", "us", or "our") is a SaaS platform (www.axion-algo.com) that provides access to AI-powered indicators on TradingView and an educational trading community via Discord and Telegram. Please note: AXION ALGO is not a legally registered business entity, but we are committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what information we collect, how we use and safeguard it, and your rights regarding your data.
Our services are intended for adults 18 years of age or older, and we do not knowingly collect information from anyone under 18. By using AXION ALGO, you agree to the collection and use of your information as described in this Policy. If you do not agree with any part of this Policy, please discontinue use of our services.
1. Information We Collect
We collect both personal information that you provide to us directly and data collected automatically as you use our services:
- Account and Contact Information: When you register or subscribe to AXION ALGO, we collect information such as your name and email address for account setup and communication. We also collect your TradingView username (to grant you access to our private TradingView indicators) and your Discord username and Telegram handle (to verify your identity and provide access to our members-only community channels). You may also provide us with other identifiers or contact details when communicating with us (for example, if you contact support). We do not collect sensitive personal details like government IDs or financial account numbers beyond what is described for payments.
- Payment and Transaction Data: All subscription payments are processed through our third-party payment processor, Stripe. AXION ALGO itself does not collect or store your full credit card details. When you make a purchase, Stripe will collect and process your payment information (e.g., card number, billing address) on our behalf. We receive from Stripe certain transactional details needed to manage your subscription – for example, your payment status, subscription plan, billing name/email, and confirmation of payment. This data allows us to activate your AXION ALGO membership and keep track of your subscription. (Refund Policy: AXION ALGO offers a one-time courtesy refund on your first month subscription fee if you meet our eligibility conditions (for example, if you are a first-time subscriber and request cancellation within the specified trial period). Beyond this initial courtesy refund, all sales are final and we do not offer refunds for subsequent subscription renewals or charges. This means that after your first-month refund (if utilized), any ongoing monthly fees are non-refundable. We disclose this refund policy here for transparency, though it may be further detailed in our terms of service.)
- Usage Data (Analytics and Cookies): Like most online services, we automatically collect certain data about your device and how you interact with our website. This usage data may include your IP address, browser type, device identifiers, pages visited, clicks and scrolling information, and timestamps of your visits. We use cookies and similar tracking technologies to facilitate this data collection. In particular, AXION ALGO utilizes analytics tools including Google Analytics, PostHog, and the Meta (Facebook) Pixel to gather information about user behavior and preferences on our site. These tools set cookies or use other identifiers to collect data on page views, features used, and engagement with our content, which helps us analyze how our website and service are performing and where improvements or optimizations are needed. We also use cookies for essential functions like keeping you logged in (session cookies for authentication) and preventing fraudulent use of the site. The Meta/Facebook Pixel and Google Analytics cookies may track your visits and actions on our site in order to measure the effectiveness of our marketing campaigns and advertisements (for example, if we run ads on Meta platforms, the Pixel helps us understand ad conversions and audience behavior). Cookie Choices: By using our site, you consent to the placement of these cookies as described. You can always adjust your browser settings to refuse or delete cookies, but be aware that some core features (like login sessions) may not function properly without them. We do not use cookies for any invasive profiling; their use is limited to the purposes stated (analytics, site functionality, and marketing performance tracking). For more details on how these third-party analytics services handle data, you can refer to their respective privacy policies (e.g., Google's and Meta's privacy notices).
2. How We Use Your Data
We use the collected information for the following purposes, in accordance with applicable law:
- Providing and Improving the Service: We process your personal data to deliver the services you signed up for – for example, using your TradingView username to grant you access to our AI-powered indicator on the TradingView platform, and using your Discord/Telegram username to authorize your entry into our private community channels. We also use your data to maintain your account, authenticate you upon login, and provide customer support. Additionally, usage and analytics data are used to understand platform performance and user behavior, which helps us troubleshoot issues, improve our features, and enhance your overall user experience. This may include analyzing how users interact with our website or indicators so we can refine our offerings and fix any problems.
- Communications: We may use your email address and/or messaging handles to send you service-related announcements and respond to your inquiries. For example, we will email you to confirm your subscription or payment, to send invoices or receipts, and to notify you of important updates or changes to our service. These transactional or administrative communications are necessary to operate the service. With your consent, we may also send occasional promotional or educational communications – such as newsletters, product updates, or special offers – but you have the option to unsubscribe from marketing emails at any time. (Opting out of marketing messages will not affect your receipt of essential account or billing notices.)
- Payments and Account Management: We use information from Stripe (such as your subscription status and payment confirmations) to manage your subscription access. This includes enabling or disabling features based on your subscription tier, and handling billing cycles. If you qualify for the one-time first-month refund, we will use your transaction data to process that refund via Stripe. Aside from this courtesy instance, our system will treat all subsequent charges as final. We keep a record of your subscription and payment history (e.g., active or canceled status, renewal dates) for accounting and customer service purposes.
- Analytics and Marketing: As noted, we analyze usage data (through Google Analytics, PostHog, etc.) to gain insights into user engagement and to measure the effectiveness of our site content and marketing campaigns. This information helps us tailor our services and marketing efforts. For example, analytics can tell us which pages or features are most popular, or how users are finding our site, which in turn informs our business decisions. We may also use aggregated analytics data to guide our advertising strategy (such as understanding conversion rates from ads). Importantly, these analytics tools provide us with statistics and trends – we do not use them to identify you individually beyond what is necessary for service provision. We do not sell any analytics data or personal information to advertisers or other third parties.
- Safety, Legal, and Compliance: We may process and retain personal data as needed to comply with applicable laws, regulations, and legal obligations. For instance, we could use or disclose information if required to fulfill a lawful request by authorities or to enforce our agreements and policies (such as investigating potential violations, fraud, or security issues). If we are ever involved in a legal dispute or government inquiry, we might need to preserve and review relevant data. Additionally, should there be changes in our organizational structure (for example, a potential business transfer or partnership in the future), personal data could be one of the transferred assets; however, if that occurs, we will ensure the recipient respects your privacy rights in line with this Policy and applicable law.
Outside of these rare circumstances, we do not share, sell, or rent your personal data to any third party for their own marketing or advertising purposes.
3. How We Disclose or Share Information
AXION ALGO may share your information with selected third parties only for the purposes described above, and always under appropriate safeguards:
- Service Providers: We rely on trusted third-party companies to support our platform's operations. These providers process data only on our behalf and under our instructions (as "data processors"). Key service partners include: Supabase (our cloud database and authentication provider where your account data is stored), Stripe (subscription billing and payment processing), PostHog and Google Analytics (analytics platforms), Meta/Facebook Ads (for advertising/analytics via Pixel), and communication platforms like Discord and Telegram (for community interaction). Each of these providers may receive the personal data necessary for their function – for example, Stripe will process payment details, and Supabase will host your account info. We ensure that all such partners are bound by privacy and security obligations. They are not permitted to use your data for anything outside the scope of providing services to AXION ALGO. Some of these third parties operate servers in other countries (including the United States), so your data may be transferred or stored internationally (see Section 6, International Data Transfers, below).
- Discord and Telegram: If you join our Discord server or Telegram group as part of the AXION ALGO community, your use of those platforms is also governed by the respective platform's privacy policy and terms. We may have access to your username or profile information on those services in order to verify your membership and administer our community (for example, to assign you subscriber roles on Discord). We do not collect additional personal information from your Discord or Telegram accounts beyond your chosen username or ID. Keep in mind that anything you voluntarily share within our Discord/Telegram channels (e.g., messages or content) is visible to other community members; you should only share information you are comfortable disclosing. We are not responsible for the privacy practices of Discord, Telegram, or other third-party platforms, but we will not disclose your personal data to the public or to any other users without your consent.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government demand). We may also disclose personal data if we believe in good faith that such action is necessary to comply with legal obligations; to protect and defend our rights or property; to prevent or investigate possible wrongdoing (such as fraud or security breaches); or to protect the personal safety of our users or the public.
- Business Transfers: Since AXION ALGO is not a registered corporation, a formal business transfer (merger, acquisition, sale of assets) is not anticipated at this time. However, if in the future the ownership or structure of AXION ALGO (or its assets) changes – for example, if we partner with another entity or form a company – user information may be transferred to the new owner/partner as part of that arrangement. Should such a transfer occur, we will provide notice and ensure your personal data remains subject to the protections of this Privacy Policy. You would have the opportunity to discontinue using the service if you do not agree with the new handling of your data.
No Selling of Personal Data: To reiterate, we do not sell your personal data to third parties under any circumstances. We also do not share your information with third parties for their independent marketing use. AXION ALGO's use of your data is limited to the purposes in this Policy, and any third-party processing is solely to help deliver or improve our own services as explained above.
4. Legal Bases for Data Processing
For individuals located in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws (e.g., GDPR), we must disclose the legal grounds on which we process personal information. AXION ALGO processes personal data on the following bases:
- Contractual Necessity: Much of our data processing is justified by the need to fulfill our contract with you. When you subscribe to AXION ALGO or otherwise use our services, we must process certain personal data to provide what you have requested. This includes using your email for account creation, using your TradingView/Discord credentials to grant service access, and processing payments via Stripe. We cannot deliver the service without this information. In GDPR terms, this is processing that is necessary for the performance of a contract with you.
- Consent: In cases where we are not strictly required to collect or use data for contractual or legal reasons, we rely on your consent. For example, we seek your consent to use non-essential cookies and analytics tools (like Google Analytics and Meta Pixel) which help us analyze performance and market our services. Similarly, if we send you marketing emails or if you participate in any optional surveys or promotions, we do so based on your consent. You are free to withdraw your consent at any time – for instance, you can disable analytics cookies via your browser or opt out of marketing communications – without affecting your core use of the service. (Do note that if you withdraw consent for certain cookies, some site functionality might be limited, as described in Section 1.) Using our website with cookies enabled, or not opting out, will be considered consent for the relevant data processing. We will also request your consent wherever required by applicable law.
- Legitimate Interests: We may process some data under the lawful basis of legitimate interests. This means we have a legitimate (business or security) reason to use the data in ways that are expected and do not override your privacy rights. For example, improving our product, diagnosing technical issues, preventing fraud, or understanding how users engage with our platform are activities we pursue to make AXION ALGO better and more secure – these can be considered our legitimate interests. When we rely on this basis, we ensure that such processing is not invasive and is proportionate. You have the right to object to processing based on legitimate interests (see Section 7 on Your Rights). If you do object, we will review that request and cease the processing in question unless we have a compelling legitimate ground to continue or it is needed for legal reasons.
- Legal Obligation: On occasion, we may need to process personal data to comply with a legal obligation, such as retaining transaction records for tax/audit purposes or responding to law enforcement requests. In such cases, the law itself provides the basis for processing.
We will normally identify the appropriate legal basis for each processing activity at the time of data collection or when we use the data. If you have questions about the specific basis applicable to your personal data, feel free to contact us.
5. Data Retention and Security
Retention Period
We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. In practice, this means we keep your account data while your subscription or account is active. If you cancel your subscription or request deletion of your account, we will delete or anonymize your personal data associated with your account, typically within 30 days of such cancellation or request, barring any legal requirement to retain it longer. For example, we might retain certain payment records if needed for financial reporting or legal compliance. Usage data collected for analytics may be retained in aggregate form (without personal identifiers) after account deletion to help us with long-term business analysis, but this data will no longer be linked to you personally. We periodically review the data we hold and erase or anonymize personal data that is no longer needed.
Security Measures
We take the security of your data seriously and implement commercially reasonable measures to protect it from unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (SSL/TLS), secure network and server configuration, and access controls. For instance, our website uses HTTPS encryption to secure data transfer, and our database (hosted on Supabase) is protected with authentication and row-level security rules to ensure that each user can only access their own data. We also restrict access to personal data to only those team members and service providers who need it to operate or improve the service, and all such persons are subject to confidentiality obligations. Additionally, we monitor for potential vulnerabilities and attacks, and we utilize tools (like PostHog and others) to log errors or unusual activities for security review.
Please note: no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. You share and use our services at your own risk, but rest assured we are continuously working to maintain and improve security. If we ever experience a data breach affecting your personal information, we will notify you and the appropriate authorities as required by law.
6. International Data Transfers
AXION ALGO operates primarily online, and the tools and infrastructure we use may be located in multiple countries. In particular, our servers and service providers are likely located in the United States and other jurisdictions outside of your own country. This means that your personal data may be transferred to, stored, or processed in a country different from where you reside. For example, user account and analytics data are stored on Supabase and PostHog servers which (as of this Policy's date) reside in the U.S., and payment information is processed through Stripe's U.S. infrastructure. By using AXION ALGO, you acknowledge that your information may be transferred to and processed in other countries, including the United States.
When we transfer personal data internationally, we take steps to ensure appropriate safeguards are in place to protect your information. For instance, for users in the EEA/UK, if personal data is exported to a country not deemed to have "adequate" data protection by the EU, we will rely on approved mechanisms such as the European Commission's Standard Contractual Clauses (SCCs) or other legally recognized transfer frameworks to ensure your data remains protected. Our third-party processors, like Stripe and Supabase, also commit to such safeguards and comply with applicable data protection laws in transferring data. Despite differences in local laws, we will uphold the privacy protections outlined in this Policy for your data, wherever it is processed.
Please be aware that when your data is in another jurisdiction, it may be accessible to courts, law enforcement, and national security authorities of that jurisdiction under its laws. However, our agreements with service providers limit how and when they can access and use your data, and we will strive to ensure any access requests are handled in accordance with applicable data laws.
7. Your Data Rights and Choices
We respect your rights to control your personal data. Depending on your location and the applicable laws, you may have some or all of the following rights regarding your personal information:
- Right of Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it. We will provide this in a commonly used electronic format.
- Right to Rectification: If any of your information is inaccurate or incomplete, you have the right to ask us to correct or update it. You can also update certain information directly by logging into your AXION ALGO account (if such functionality is available).
- Right to Erasure: You can request that we delete your personal data, for example if it is no longer necessary for the purpose it was collected, or if you withdraw consent (in cases where consent is the legal basis). We will honor valid deletion requests and erase your data, provided we do not have a legal obligation to retain it. Once deleted, your data (including your AXION ALGO account credentials) will be permanently removed from our active systems. (Note: Some residual information might remain in backups for a short period, but we will also purge backups within a reasonable time frame where feasible.)
- Right to Restrict Processing: You have the right to ask us to limit the processing of your data in certain circumstances – for instance, if you contest the accuracy of the data or object to our processing, we will restrict processing while your request is being reviewed.
- Right to Data Portability: For data you provided to us, you have the right to request that we transfer that data to another provider (or to you) in a structured, commonly used and machine-readable format, where technically feasible. This applies to personal data processed by us by automated means, based on your consent or a contract.
- Right to Object: You have the right to object to our processing of your personal information when we do so under a legitimate interest basis or for direct marketing. If you lodge an objection, we will consider it and stop or adjust processing unless we have compelling legitimate grounds that outweigh your rights or the processing is needed for legal claims. In the case of direct marketing (e.g., marketing emails), your objection is absolute – meaning we will stop using your data for that purpose as soon as possible.
- Right to Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing done before your withdrawal. For example, you can unsubscribe from our marketing emails via the "unsubscribe" link provided, or adjust your browser settings to withdraw consent for analytics cookies.
- Right not to be subject to Automated Decisions: AXION ALGO does not make any legally significant decisions about you using purely automated means (with no human involvement). If that ever changes, you would have the right to request human review of an automated decision.
To exercise any of these rights, please contact us at our contact form with your request. We may need to verify your identity before fulfilling certain requests (for your security, we will likely ask you to provide information that confirms you are the account holder). We will respond to your request within a reasonable timeframe and in accordance with applicable law. Please note that these rights are not absolute – certain laws may exempt or not apply to specific data or contexts. If we cannot fulfill your request in whole or in part, we will explain the reason (e.g., if we are prohibited by law or if we cannot verify your identity).
GDPR and International Rights: If you are in the EEA, UK, Switzerland or other regions with similar laws, you also have the right to lodge a complaint with a Data Protection Authority (DPA) or supervisory authority in your country if you believe we have infringed your privacy rights. We encourage you to contact us first, so we can address your concerns directly.
For California residents: under the California Consumer Privacy Act (CCPA) and similar regulations, you have rights to know about our data practices and to request deletion or opt-out of certain data sharing. We affirm that we do not sell personal information (as defined by CCPA), so the opt-out right is not applicable. We also will not discriminate against you for exercising any privacy rights. California residents may contact us to exercise access or deletion rights as described above. Residents of other jurisdictions will have similar rights to the extent provided by applicable laws, and we will endeavor to honor all legitimate requests regarding personal data regardless of your location.
8. Cookies and Tracking Technologies
(See also Section 1, "Usage Data," for an overview of how we use cookies and analytics.) We want to reiterate our use of cookies and your choices in a dedicated section for clarity. Cookies are small text files stored on your device by websites you visit. AXION ALGO uses both essential cookies and analytics cookies on our site:
- Essential Cookies: These are necessary for the website's core functionality. For example, we use cookies to remember your login session so you don't have to re-enter your credentials on every page. Essential cookies also help with security (e.g., to prevent cross-site request forgery or to keep you logged out after you explicitly log off). Because these cookies are necessary for the service to work, you cannot opt-out of them if you wish to use the site (though you can always block cookies entirely in your browser, but some features of our service may then not function). These cookies do not collect your personal details for marketing, but simply contain technical identifiers.
- Analytics and Advertising Cookies: These cookies collect information about how visitors use our site, which pages are popular, and how users interact with our content or ads. AXION ALGO uses first-party analytics cookies via PostHog and Google Analytics, which allow us to gather usage statistics (e.g., page response times, user navigation paths, errors) for internal analysis. We also use third-party cookies such as the Meta Pixel, which connects website activity to Meta's advertising platform, helping us measure ad conversions and create audiences for our ads. The data collected through these cookies may include things like your TradingView referral (if you came from our indicator link), how long you spend on certain pages, and which features you click on. This information is used only to improve our product and marketing effectiveness; we do not use it to identify you by name, and we do not allow third-party advertisers to plant their own tracking beyond the tools we've disclosed. For instance, PostHog is a product analytics tool that sets first-party cookies for event tracking (page views, button clicks, etc.), and Google Analytics uses cookies to track aggregate site usage and help us understand user demographics and interests (Google may provide us with anonymized demographic data if available). Meta Pixel cookies track visits and actions for the purpose of analyzing the success of ads on Facebook/Instagram and enabling us to reach interested users.
Your Choices for Cookies: When you first visit our site, we may prompt you with a cookie notice (if required by law) to inform you of our use of cookies. By continuing to use the site, you are consenting to the placement of cookies as described. However, you have the ability to manage cookies via your browser settings at any time. Most web browsers allow you to refuse new cookies, delete existing cookies, or notify you when new cookies are set. Please consult your browser's help documentation for instructions on how to do this. Additionally, for certain advertising cookies like those from Google or Meta, you can opt-out directly: for example, Google provides a browser add-on to opt-out of Google Analytics tracking, and you can adjust your ad preferences in your Facebook account settings for the Meta Pixel. Keep in mind that disabling all cookies might impact your user experience – for example, if cookies are disabled, our site may not remember your login, and some analytics features will not function (making it harder for us to improve our service). We do not currently respond to "Do Not Track" signals, in part because there is no unified standard for such signals; we instead provide the options above for you to control cookie tracking.
For more details on our use of cookies and tracking, or to change your preferences, you may contact us anytime at our contact form. We aim to be transparent about what data we collect and how it's used, so please reach out if you have any questions or concerns about our use of cookies or any other tracking technology.
9. State-Specific U.S. Privacy Rights
In addition to the CCPA/CPRA rights described in Section 7, residents of the U.S. states listed below have specific statutory privacy rights. We honour them to the extent applicable. To exercise any of these rights, email our contact form with the subject line “Privacy Rights Request – [State]”.
- California (CCPA/CPRA): Right to know, access, delete, correct, opt-out of sale or sharing for cross-context behavioural advertising, and limit the use of sensitive personal information. California residents may also request a list of categories of personal information disclosed to third parties for their direct-marketing purposes during the previous calendar year under the “Shine the Light” law (California Civil Code §1798.83); we do not currently disclose personal information to third parties for their direct-marketing purposes.
- Virginia (VCDPA): Right to access, correct, delete, data portability, opt-out of targeted advertising, sale, and profiling that produces legal or similarly significant effects. Right to appeal a denial of a privacy request — submit appeals to the same support address with the subject line “VCDPA Appeal”.
- Colorado (CPA): Right to access, correct, delete, data portability, opt-out of targeted advertising/sale/profiling. Right to appeal denials.
- Connecticut (CTDPA): Same suite of rights as Colorado, plus right to appeal.
- Utah (UCPA): Right to access, delete, data portability, opt-out of targeted advertising and sale. No appeal right under UCPA itself, but we voluntarily offer one.
- Texas (TDPSA): Right to access, correct, delete, data portability, opt-out of targeted advertising/sale/profiling and right to appeal.
- Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Tennessee, Indiana, Kentucky & Rhode Island: If you reside in one of these states and their state privacy law is in effect for the request type, we will honour the equivalent of the rights listed above (access, deletion, correction, opt-out, portability, appeal). If you are unsure whether your state law applies, contact us and we will let you know.
Global Privacy Control (GPC): Where required by law, we treat a GPC browser signal as a valid opt-out request for sale and targeted advertising. You do not need to submit a separate request if we receive a GPC signal from your browser.
Authorised agent: Residents of California and other states allowing it may designate an authorised agent to submit requests on their behalf. We will require (a) a signed written authorisation from the consumer, or a copy of a valid power of attorney, and (b) verification of the consumer's identity directly with us before fulfilling the request.
Sensitive personal information: We do not collect sensitive personal information as defined by U.S. state privacy laws (e.g., government IDs, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, immigration status, mental or physical health diagnoses). The only data that may be considered sensitive is the last four digits of a payment card, retained for fraud-prevention and billing-support purposes; we do not use such data for any other purpose.
10. International Privacy Frameworks
Brazil (LGPD): If you are in Brazil, you have the rights set out in Law No. 13,709/2018 (LGPD), including confirmation of processing, access, correction, anonymisation, blocking or elimination of unnecessary data, portability, deletion, information about third parties with whom we shared data, information about the possibility of refusing consent, and revocation of consent. To exercise these rights, contact our contact form. Our legal basis for processing under LGPD typically corresponds to contractual necessity, consent, legitimate interest or compliance with legal obligations.
Canada (PIPEDA & CASL): If you are in Canada, you have rights under PIPEDA to access and correct your personal information and to withdraw consent (subject to legal or contractual restrictions). Marketing communications follow the Canadian Anti-Spam Legislation (CASL) — see our Email Policy for opt-in and unsubscribe details. You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe your rights have been violated.
United Kingdom (UK GDPR & DPA 2018): UK residents have the same rights as EEA residents under GDPR; complaints may be filed with the Information Commissioner's Office (ICO) at ico.org.uk.
Switzerland (revFADP): Swiss residents have rights equivalent to GDPR under the revised Federal Act on Data Protection; complaints may be filed with the Federal Data Protection and Information Commissioner (FDPIC).
Australia (Privacy Act 1988): Australian users have the right to access and correct personal information and to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Japan (APPI), South Korea (PIPA), Singapore (PDPA), New Zealand (Privacy Act 2020): If you are a resident of these jurisdictions, we will respond to lawful requests under your applicable data-protection law and apply the same access, deletion and correction procedures described in this Policy.
Adequacy and Standard Contractual Clauses: Where we transfer personal data from the EEA, UK or Switzerland to a country not deemed adequate by the European Commission (or the UK or Swiss equivalent), we rely on the 2021 EU Standard Contractual Clauses (with the UK Addendum or Swiss Annex where applicable), supplemented with technical and organisational measures appropriate to the category of data and the recipient.
11. Children's Data & Age Restrictions
The Service is intended exclusively for adults aged 18 years or older. We do not knowingly collect personal information from anyone under 18. We comply with the U.S. Children's Online Privacy Protection Act (COPPA) by not directing the Service at children under 13. If you are a parent or guardian and you become aware that your child has provided us with personal information, please contact us at our contact form and we will delete the information promptly. If we discover that we have collected personal information from a person under 18 without verification of parental consent (where required), we will take steps to remove that information from our servers.
12. Sub-Processors & Data Recipients
We engage carefully vetted sub-processors to deliver the Service. Each sub-processor is contractually obligated to use personal data only on our documented instructions, maintain appropriate technical and organisational security measures, and assist us in meeting our data-protection obligations. As of the “Last Updated” date, our key sub-processors are:
- Supabase Inc. (USA) — managed PostgreSQL database & authentication.
- Stripe, Inc. (USA) — payment processing and fraud prevention.
- Hetzner Online GmbH (Germany) — server hosting for some application workloads.
- Cloudflare, Inc. (USA) — content delivery network, DDoS protection and DNS.
- PostHog Inc. (USA / UK) — product analytics.
- Google LLC (USA) — Google Analytics (web analytics) and Workspace (internal email).
- Meta Platforms, Inc. (USA) — Meta Pixel for ad measurement (only when you accept marketing cookies).
- TikTok Pte. Ltd. (Singapore / USA) — TikTok Pixel for ad measurement (only when you accept marketing cookies).
- Sentry, Inc. (USA) — error monitoring; payloads may incidentally include IP addresses or stack traces.
- Anthropic, PBC and/or OpenAI, L.L.C. (USA) — large-language-model APIs used solely for internal tooling and not for processing personally identifiable user data.
- Discord, Inc. and Telegram FZ-LLC — community channels; their privacy policies govern your use of their platforms.
- TradingView, Inc. (USA) — invite-only indicator delivery. We share your TradingView username so they can grant access; we do not share other personal data.
- Mailchimp / Intuit, Inc. (USA) — email marketing and transactional newsletters.
- Inbucket / SMTP relay providers — transactional email delivery.
Up-to-date sub-processor information is available on request. We will provide reasonable advance notice (where required by applicable law or executed Data Processing Agreements) before adding a new sub-processor that materially affects the processing of EU/UK personal data.
13. Data Retention Schedule
We retain personal data only for as long as necessary for the purpose for which it was collected, except where a longer period is required by law. The table below summarises our typical retention practices.
- Account profile (name, email, TradingView username): life of the account + 30 days after deletion request.
- Subscription & billing records (invoices, last 4 digits of card, billing country): 7 years for tax and accounting compliance.
- Support ticket history: up to 3 years from last contact.
- Server logs (IP, user-agent, route, timestamps): 90 days, then aggregated or deleted.
- Analytics events (PostHog / GA aggregated): up to 26 months at the event level, indefinitely in aggregate.
- Marketing list: until unsubscribe or 24 months of inactivity.
- Affiliate tracking data: 60 days for attribution + 7 years for payout records (tax).
- Backups: 35 days encrypted backups, then purged.
- Security incident logs: 1 year minimum, or longer where required.
Once retention ends, we either delete the data or irreversibly anonymise it.
14. Automated Decision-Making & Profiling
We do not subject you to decisions based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR. We use automated tools for fraud detection, rate-limiting, security and basic personalisation of marketing content, but final decisions on enforcement actions (e.g., suspending accounts) involve human review. If we ever introduce Article-22 automated decision-making, we will update this Policy and inform affected users.
15. Data Breach Notification
We follow industry-standard incident-response procedures: detect, contain, investigate, remediate and notify. If we determine that a personal-data breach has occurred and is likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33 and analogous laws.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, with a clear description of the nature of the breach, the likely consequences, the measures taken or proposed, and the contact point for more information.
- Comply with state-specific U.S. breach-notification laws (e.g., California Civil Code §1798.82 and equivalents) including notice to state Attorneys General where required.
16. Marketing, Profiling & Targeted Advertising
We may use a limited set of personal information (email, country, plan tier) to send marketing communications, run lookalike audiences on Meta or TikTok, and re-target you with ads about Axion Algo on third-party platforms. You can opt out at any time by (a) clicking “unsubscribe” in any marketing email, (b) declining marketing cookies in our cookie banner, (c) sending a GPC signal from your browser where applicable, or (d) emailing our contact form. We do not sell your personal data and we do not engage in profiling that produces legal effects.
17. Detailed Personal Data Categories
To provide maximum transparency, the table below describes each distinct category of personal information Axion Algo collects, together with its source, the operational purpose served by the processing, the typical retention window, with whom (if anyone) the data is shared, and the corresponding GDPR Article 6 lawful basis (and, where relevant, the Article 9 condition). This granularity is intended to satisfy Articles 13 and 14 of the GDPR/UK GDPR, Article 6 of Brazil's LGPD, and the “notice at collection” requirement of the CCPA/CPRA. Where multiple bases apply (for example, a single processing operation may be justified both as contractual necessity and as a legal obligation), we identify the primary basis we rely upon and also list the secondary, alternative basis.
17.1 Account Identity
Data items: email address, display name (if provided), salted & hashed password (bcrypt cost-12 or Supabase Auth equivalent), email-verification token, two-factor authentication seed (TOTP secret, encrypted at rest), session tokens, and account creation timestamp. Source: collected directly from you at registration, password reset or 2FA enrolment. Purpose: to create and authenticate your Axion Algo account, send security notifications, and prevent account takeover. Retention: life of the account plus 30 days after a deletion request; hashed passwords are never recoverable. Shared with: Supabase (auth provider), Cloudflare (TLS termination), Sentry (only on crash, never in plaintext). GDPR Art. 6 basis: Art. 6(1)(b) — necessary for the performance of the contract for the Service. We never use Account Identity data for marketing without separately obtained consent under Art. 6(1)(a).
17.2 Billing Information
Data items: Stripe customer ID, Stripe subscription ID, last four digits of payment card, card brand, card expiry month/year, billing postal code/country, currency, and a Stripe-issued payment-method fingerprint. Source: Stripe, Inc., which acts as an independent controller for the underlying card data and as a processor for the metadata we receive. Axion Algo does not see or store full PAN, CVV, or magnetic-stripe data. Purpose: to charge subscription fees, present an “ending in **** 4242” reference on receipts, and process refunds. Retention: seven (7) years following the last invoice, consistent with IRS, HMRC, Agencia Tributaria, and ATO record-keeping rules. Shared with: Stripe and our accountants. GDPR Art. 6 basis: Art. 6(1)(b) for billing and Art. 6(1)(c) for tax retention. Where Stripe acts as an independent controller (fraud prevention, regulatory reporting), Stripe's own privacy policy applies in addition.
17.3 Subscription State
Data items: active plan tier (Starter, Pro, Elite), trial status, period start and end dates, scheduled cancellation timestamp, grandfathered-price flag, coupon code redeemed, dunning state. Source: Stripe webhooks. Purpose: to gate feature access, compute MRR/ARR, present in-app upgrade prompts, and trigger renewal-reminder emails. Retention: for the life of the subscription plus seven (7) years (statute of limitations for contract claims in most US states and EU Member States). Shared with: Stripe, our tax platform, and aggregated MRR exports to PostHog (no individual-level identifiers leave our environment except Stripe-managed metadata). GDPR Art. 6 basis: Art. 6(1)(b).
17.4 Indicator Usage Data
Data items: which presets and templates you load, alert configurations created, parameter values changed (denominated as numeric ranges, not absolute values), screen on which an action occurred, and the duration between events. Source: first-party event tracking inside the Axion Algo dashboard. Note: we do not receive your TradingView chart, ticker, or candle data — that data stays on TradingView and never crosses to our infrastructure. Purpose: to understand which features deliver value, to prioritise our product roadmap, and to diagnose usability issues. Retention: twelve (12) months at event level; thereafter aggregated. Shared with: PostHog (EU region) only. GDPR Art. 6 basis: Art. 6(1)(f) — legitimate interest in product improvement; the data is not sensitive and the processing is reasonably expected of a SaaS provider. You may opt out at any time by emailing our contact form with the subject “Opt-out: Usage Analytics”.
17.5 Technical Telemetry
Data items: truncated IP address (last octet zeroed for IPv4, last 80 bits for IPv6), user-agent string, operating-system family and version, viewport dimensions, time zone, language preference, and a partial device fingerprint (canvas + WebGL hash, no font enumeration). Source: automatic, captured by our edge layer (Cloudflare) and our application servers. Purpose: to detect credential-stuffing attacks, prevent multi-account abuse of free trials, mitigate denial-of-service traffic, and reproduce bug reports. Retention: ninety (90) days at raw level, then aggregated into anonymous counters retained twelve (12) months. Shared with: Cloudflare (WAF/CDN), Sentry (only on error). GDPR Art. 6 basis: Art. 6(1)(f) — legitimate interest in security and fraud prevention, with Recital 49 expressly recognising network and information security as a legitimate interest.
17.6 Marketing & Engagement
Data items: whether you opened a given email, which links you clicked, the timestamp of the open/click, your Resend message ID, and your unsubscribe status. Source: Resend tracking pixels and link wrappers, when you read marketing email from us. Purpose: to measure campaign performance, suppress dead addresses, and avoid e-mailing recipients who consistently do not engage. Retention: until you unsubscribe plus thirty (30) days for the suppression list. Shared with: Resend. GDPR Art. 6 basis: Art. 6(1)(a) (consent) for opt-in marketing in jurisdictions requiring consent (EEA, UK, Switzerland, Brazil) and Art. 6(1)(f) (legitimate interest in measuring our own communications) for engagement analytics. You may withdraw consent in every email or by replying STOP.
17.7 Support Communications
Data items: the content of any support ticket, e-mail thread, Discord direct message to staff, or Telegram message you send to our help account, including any attachments and the metadata accompanying them. Source: you, voluntarily. Purpose: to investigate and resolve your issue, to train new support staff using redacted excerpts, and to maintain a searchable knowledge base. Retention: three (3) years from your last contact. Shared with: our help-desk vendor (currently Resend inbound + Linear for triage) and any sub-processor specifically referenced in the issue (for example, Stripe for a refund dispute). GDPR Art. 6 basis: Art. 6(1)(b) — necessary to perform your contract for the Service (support is part of the offering).
17.8 Affiliate Data
Data items: referral codes generated and used, attribution clicks, conversion events, payouts owed, payout method (PayPal email, Wise account, bank IBAN/SWIFT for wire), and W-8/W-9/IR3 tax forms for affiliates who exceed reporting thresholds. Source: you (signup and tax form), the visitor whose click is attributed, and Stripe (conversion). Purpose: to compute commissions, pay affiliates, and comply with US Form 1099-NEC and equivalent foreign tax reporting. Retention: seven (7) years. Shared with: Stripe Connect (or alternative payout processor), tax authorities to whom we are required to report. GDPR Art. 6 basis: Art. 6(1)(b) for the affiliate contract and Art. 6(1)(c) for the tax-reporting portion.
17.9 Cookies & Trackers
Data items: per our Cookie Policy — essential session, CSRF, and load-balancing cookies plus opted-in analytics and marketing identifiers. Source: set by our browser-side code or by sub-processors. Purpose: as disclosed in Section 1 and the Cookie Policy. Retention: per the maximum lifetime documented for each cookie in the Cookie Policy. Shared with: the sub-processor that set the cookie. GDPR Art. 6 basis: Art. 6(1)(b) for strictly necessary cookies; Art. 6(1)(a) (consent under ePrivacy Directive Article 5(3)) for all non-essential cookies.
17.10 Public Profile Data
Data items: Discord username and snowflake ID, Telegram handle, optional avatar URL, and any custom public status you choose to display in our community. Source: Discord and Telegram OAuth flows that you complete to link your account. Purpose: to grant role-based access in our community, display your name in community-facing leaderboards (if you have opted in), and credit you for educational contributions you choose to publish. Retention: until you disconnect the linked account or request deletion. Shared with: Discord and Telegram (as independent controllers for their own platforms). GDPR Art. 6 basis: Art. 6(1)(a) (consent), because you actively elect to surface your identity inside the community.
18. Sensitive Personal Information
Under the California Privacy Rights Act (CPRA) §1798.140(ae), and analogous definitions in Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, Indiana, Tennessee, and Iowa, “sensitive personal information” (SPI) encompasses, among other things, the following categories:
- Government-issued identifiers such as Social Security number, driver's licence number, state-ID card number, or passport number.
- Account log-in, financial-account, debit-card, or credit-card number in combination with any required security or access code, password, or credentials allowing access to an account.
- Precise geolocation (locating you within a radius of 1,850 feet / 564 metres or smaller).
- Racial or ethnic origin, religious or philosophical beliefs, or union membership.
- The contents of mail, e-mail, and text messages, unless the business is the intended recipient of the communication.
- Genetic data.
- Processing of biometric information for the purpose of uniquely identifying a natural person.
- Personal information collected and analysed concerning a consumer's health.
- Personal information collected and analysed concerning a consumer's sex life or sexual orientation.
- Citizenship or immigration status.
Axion Algo's SPI Inventory. Axion Algo does not collect, derive, infer, or process any of the categories listed above with the following two narrowly tailored exceptions:
- Account credentials — specifically a salted-and-hashed password, an encrypted TOTP secret (where you elect to enable two-factor authentication), and the session cookies that derive from those credentials. We treat these as SPI for compliance purposes and apply heightened protection: hashes are never logged, the TOTP seed is encrypted with a key that rotates annually, and access is restricted to a documented “break-glass” runbook.
- Payment-account information — routed in its entirety to Stripe; Axion Algo retains only the last four digits and the brand, both of which are SPI under CPRA when combined with the cardholder's identity. Stripe acts as the PCI-DSS Level 1 service provider; Axion Algo's exposure is confined to a non-sensitive token.
Right to Limit Use of SPI (CPRA §1798.121). California residents may direct Axion Algo to limit the use of their SPI to that which is necessary to perform the services reasonably expected by an average consumer requesting those services. Because our only SPI is used exclusively to authenticate you and to bill you, every use already falls within the permitted “limit” defined by §1798.121(a). Nevertheless, you may submit a written request invoking the right; we will confirm receipt within 10 business days and respond on the merits within 45 days.
Special-Category Data (GDPR Article 9). The SPI listed above largely overlaps with Article 9 “special categories of personal data.” Axion Algo does not knowingly process special-category data. If a user voluntarily transmits special-category data through a support ticket (for example, by describing a medical reason for a refund request), we redact the data on intake and apply Article 9(2)(a) explicit consent as the basis for the brief period of retention required to action the request.
19. Per-Jurisdiction Expansion
19.1 European Economic Area & United Kingdom (GDPR / UK GDPR)
Axion Algo processes personal data of EEA and UK residents in accordance with Regulation (EU) 2016/679 (GDPR), the UK GDPR (as defined by the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018. Our lawful bases under Article 6(1) are:
- Art. 6(1)(a) consent — non-essential cookies, optional newsletter subscription, optional public-leaderboard inclusion.
- Art. 6(1)(b) contract — provision of the indicator, billing, support, affiliate payouts.
- Art. 6(1)(c) legal obligation — tax retention, AML/KYC for affiliate payouts above thresholds, response to lawful authority requests.
- Art. 6(1)(d) vital interests — never relied on; included for completeness.
- Art. 6(1)(e) public task — not applicable to Axion Algo.
- Art. 6(1)(f) legitimate interests — product analytics, security telemetry, anti-abuse, business intelligence; balanced via documented Legitimate Interests Assessments (LIAs) on file.
Transparency notices (Articles 13 & 14). This Policy, together with our Cookie Policy and any contextual just-in-time notices in product flows, fulfils our information duties. Where we obtain personal data indirectly (for example, an affiliate's click attribution that includes the visitor's IP address), we apply Article 14 and surface a notice on first interaction.
International transfers (Chapter V). When we transfer personal data outside the EEA or UK to a country not recognised by an adequacy decision, we rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) and, for UK transfers, the International Data Transfer Addendum issued by the ICO under s.119A of the DPA 2018. We do not currently operate Binding Corporate Rules (BCRs), as Axion Algo is too small to undergo the multi-year approval process. Adequacy decisions we rely upon include those covering Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan (private-sector), Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom (from the EU side), Uruguay, and the United States limited to DPF-certified recipients.
DPIA (Article 35). Axion Algo has performed a Data Protection Impact Assessment for the following processing operations identified as potentially high risk: (i) systematic anti-abuse fingerprinting; (ii) cross-platform identity linking between Stripe, Discord, and Telegram. The DPIA records are available to the competent supervisory authority on request.
Supervisory authority and complaints. EEA residents may complain to the supervisory authority of their habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77). UK residents may complain to the Information Commissioner's Office. We respectfully ask that you contact us first so we can address your concern directly.
19.2 California (CCPA / CPRA)
California residents have, in addition to the rights listed in Sections 7 and 9, the following clarifications: (a) Financial incentives. Axion Algo does not offer financial incentives, price differences, or service-level differences in exchange for personal information. (b) Sale & share opt-out. Axion Algo does not sell personal information and does not share personal information for cross-context behavioural advertising as defined by Cal. Civ. Code §1798.140(ah). (c) Global Privacy Control. When our servers detect the “Sec-GPC: 1” HTTP header or the equivalent client signal, we treat the request as a valid opt-out of sale and sharing for every device and browser session originating that signal. (d) Sensitive PI right to limit. See Section 18 above. (e) Minors. We do not have actual knowledge of selling or sharing personal information of consumers under 16 without affirmative authorisation (opt-in) from the consumer (if 13 to 16) or the consumer's parent or guardian (if under 13).
19.3 Virginia (VCDPA)
The Virginia Consumer Data Protection Act (Va. Code Ann. §59.1-575 et seq.) entered into force 1 January 2023. Virginia residents have rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, and profiling in furtherance of decisions producing legal or similarly significant effects. To invoke any right, e-mail our contact form with subject “VCDPA Request”. We respond within 45 days; appeals (subject “VCDPA Appeal”) within 60 days; the Virginia Attorney General may be contacted thereafter.
19.4 Colorado (CPA)
The Colorado Privacy Act (C.R.S. §6-1-1301 et seq.), effective 1 July 2023, grants Colorado residents the same five rights as Virginia plus the right to appeal. Universal Opt-Out Mechanisms (UOOMs) recognised by the Colorado Attorney General — currently the Global Privacy Control — are honoured at our edge layer with no separate user action required.
19.5 Connecticut (CTDPA)
The Connecticut Data Privacy Act (Conn. Gen. Stat. §42-515 et seq.) entered force 1 July 2023. CTDPA is materially similar to the CPA, plus a dedicated “consumer health data” chapter; see Section 25 below for how we handle CHD.
19.6 Utah (UCPA)
The Utah Consumer Privacy Act (Utah Code Ann. §13-61-101 et seq.) took effect 31 December 2023. UCPA grants rights of access, deletion, portability, and opt-out of targeted advertising and sale, but does not provide a statutory appeal right. We voluntarily extend an appeal process to Utah residents.
19.7 Texas (TDPSA)
The Texas Data Privacy and Security Act (Tex. Bus. & Com. Code §541) became enforceable 1 July 2024. It applies to any person who conducts business in Texas and processes or sells personal data (no revenue threshold), and grants Texans the right to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling. The Texas Attorney General has primary enforcement authority and may seek injunctive relief plus penalties of up to USD 7,500 per violation. Texans may submit requests with the subject “TDPSA Request”.
19.8 Oregon (OCPA)
The Oregon Consumer Privacy Act (ORS §646A.570 et seq.) entered force 1 July 2024 (1 July 2025 for non-profits). Oregonians have the same rights as Coloradans plus the right to obtain a list of specific third parties to whom the controller has disclosed personal data (a stronger right than most other state laws). We will provide such a list within 45 days upon request.
19.9 Montana (MCDPA)
The Montana Consumer Data Privacy Act (Mont. Code Ann. §30-14-2801 et seq.) took effect 1 October 2024. Materially aligned with Connecticut, with no cure period after 1 April 2026.
19.10 Iowa (ICDPA)
The Iowa Consumer Data Protection Act (Iowa Code Ch. 715D) entered force 1 January 2025. The ICDPA is narrower than most sister statutes: there is no correction right, no profiling-opt-out right, and a 90-day cure period applies permanently.
19.11 Delaware (DPDPA)
The Delaware Personal Data Privacy Act (Del. Code tit. 6 §12D) took effect 1 January 2025. Delaware extends the CPA-style rights and includes consumer health data within the definition of sensitive data.
19.12 New Hampshire (NHDPA)
The New Hampshire Data Privacy Act (NH RSA §507-H) became effective 1 January 2025. NHDPA follows the Connecticut model and offers a 60-day cure period through 31 December 2025.
19.13 New Jersey (NJDPA)
The New Jersey Data Privacy Act (P.L. 2023, c.266) entered force 15 January 2025. NJDPA introduces a notable financial threshold (USD 25 million or 100,000+ consumers) for applicability, broad sensitive-data definitions, and a recognition of UOOMs that we honour by default.
19.14 Minnesota (MCDPA)
The Minnesota Consumer Data Privacy Act (Minn. Stat. §325O.05) entered force 31 July 2025. Minnesota adds a unique “right to question the result of profiling”: if any solely-automated decision adversely affects you, you may request the data used, the principal reasons, and a manual reassessment. Axion Algo does not currently employ such profiling, but we have engineered our request-intake to absorb the Minnesota workflow.
19.15 Maryland (MODPA)
The Maryland Online Data Privacy Act (S.B. 541) entered force 1 October 2025. MODPA introduces the strictest data minimisation standard in the United States: personal data may only be collected to the extent “reasonably necessary and proportionate” to provide or maintain the service. Sale of sensitive data is prohibited outright.
19.16 Rhode Island (RIDPA)
The Rhode Island Data Transparency and Privacy Protection Act (R.I. Gen. Laws §6-48.1) became effective 1 January 2026. Rhode Island requires that controllers identify, in their privacy notice, all third parties to whom personal data has been sold; Axion Algo's answer is and remains “none.”
19.17 Indiana (INCDPA)
The Indiana Consumer Data Protection Act (Ind. Code §24-15) entered force 1 January 2026. INCDPA aligns substantially with Virginia. Indiana residents may submit requests with the subject “INCDPA Request”.
19.18 Tennessee (TIPA)
The Tennessee Information Protection Act (Tenn. Code Ann. §47-18-3201 et seq.) entered force 1 July 2025. Tennessee provides a safe harbour for controllers that adhere to the NIST Privacy Framework or a comparable programme; Axion Algo has aligned its written information security programme with NIST Privacy Framework v1.0 Core Functions.
19.19 Florida (FDBR)
The Florida Digital Bill of Rights (Fla. Stat. §501.701 et seq.) took effect 1 July 2024 but applies only to controllers making more than USD 1 billion in global gross revenue. Axion Algo is far below that threshold and FDBR therefore does not directly apply; however, we voluntarily extend the rights of access, deletion, correction, and opt-out to Florida residents.
19.20 Quebec (Law 25, formerly Bill 64)
Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25, introduces explicit-consent requirements, a duty to publish a privacy-incident register, mandatory privacy-by-default for social-media-style products, and a right to data portability in a structured technological format effective 22 September 2024. Quebec residents may exercise rights through our contact form with subject “Loi 25” and may complain to the Commission d'accès à l'information.
19.21 Brazil (LGPD)
See Section 10 for the core rights. Additional points: our legal bases under LGPD Article 7 most commonly relied upon are VII (execution of a contract), IX (legitimate interest), and I (consent). Where we transfer Brazilian personal data internationally, we rely on Article 33(II) standard contractual clauses approved by the ANPD or, where unavailable, Article 33(VIII) specific consent. The ANPD may be contacted at www.gov.br/anpd.
19.22 Argentina (PDPA Law 25,326)
Argentina's Personal Data Protection Act (Ley 25.326) and implementing Regulation 1558/2001 confer rights of access, rectification, suppression, and confidentiality. The regulator, the Agencia de Acceso a la Información Pública, has been notified of our processing through our local data registration filings, where applicable. The EU recognises Argentina as adequate, simplifying cross-border transfers.
19.23 Mexico (LFPDPPP)
Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) grants ARCO rights: Access, Rectification, Cancellation, and Opposition. Requests may be submitted to our contact form with subject “ARCO”, and we respond within twenty (20) business days as required by Article 32. The competent authority is the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI).
19.24 Australia (Privacy Act 1988 & Amendments)
Axion Algo complies with the thirteen Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth), as updated by the Privacy and Other Legislation Amendment Act 2024 (which introduced, among other items, a statutory tort of serious invasions of privacy and new children's online privacy code obligations). Australian residents may complain to the Office of the Australian Information Commissioner (OAIC). We comply with the Notifiable Data Breaches scheme (Part IIIC) by notifying the OAIC and affected individuals as soon as practicable after forming a reasonable belief that an eligible data breach has occurred.
19.25 South Africa (POPIA)
The Protection of Personal Information Act 4 of 2013 entered full force on 1 July 2021. POPIA grants the eight conditions for lawful processing (accountability, processing limitation, purpose specification, further-processing limitation, information quality, openness, security safeguards, and data subject participation). South African data subjects may complain to the Information Regulator. Axion Algo's information officer for POPIA purposes may be contacted by emailing our contact form with subject “POPIA Information Officer”.
19.26 Singapore (PDPA)
Singapore's Personal Data Protection Act 2012 (as amended 2020) imposes the obligations of consent, purpose limitation, notification, access & correction, accuracy, protection, retention limitation, transfer limitation, accountability, data-breach notification, and data portability. We respect the Do-Not-Call (DNC) Registry; Singaporean phone numbers added to the DNC Registry will not receive marketing calls or SMS from us. Our Data Protection Officer may be reached at the support e-mail above with subject “Singapore PDPA DPO”.
19.27 South Korea (PIPA)
The Personal Information Protection Act (Act No. 10465, as amended through 2023) requires explicit consent for the collection and use of personal information, separate consent for cross-border transfers, and a domestic representative for certain non-resident controllers. Where the threshold for appointing a domestic representative is triggered, Axion Algo will appoint such a representative and disclose contact details here. Korean data subjects may complain to the Personal Information Protection Commission (PIPC).
19.28 India (DPDPA 2023)
The Digital Personal Data Protection Act, 2023 is in the process of being operationalised through Rules. Where Axion Algo processes the personal data of Indian residents, we will comply with the DPDPA's notice, consent, and purpose-limitation requirements; appoint a Consent Manager mechanism where prescribed; and respond to data principal rights of access, correction, erasure, grievance redressal, and nomination. Children's data (under 18) requires verifiable parental consent in India, a stricter standard than COPPA's under-13 threshold; accordingly, we apply our 18+ adult-only policy to Indian users by default.
19.29 Japan (APPI)
Japan's Act on the Protection of Personal Information (Act No. 57 of 2003, last amended 2022) requires opt-in consent for cross-border transfers, except where the recipient is in a country deemed adequate (such as the EEA) or has put in place an APPI-compliant protective framework. The Personal Information Protection Commission (PPC) is the supervisory authority. We honour requests for disclosure, correction, and suspension of use under APPI Articles 28–30.
19.30 Switzerland (revFADP)
The revised Federal Act on Data Protection (revFADP) entered force 1 September 2023. revFADP closely mirrors the GDPR, with notable differences: profiling requires explicit consent where it involves high risk; the right to a copy of personal data is articulated as a right of information rather than access; and Swiss-recognised SCCs are referred to in our DPAs via the “Swiss Annex”. Complaints may be filed with the Federal Data Protection and Information Commissioner (FDPIC).
19.31 China (PIPL) — Limited Applicability
Axion Algo does not actively offer the Service in the People's Republic of China, does not market in Mandarin, and does not localise pricing for CNY. The Personal Information Protection Law (PIPL) and its security-assessment framework therefore do not, in our assessment, apply to our processing. Should a resident of the PRC nevertheless access the Service, we will respect their requests for access, correction, deletion, and copy of personal data on a voluntary basis.
19.32 Thailand (PDPA)
The Personal Data Protection Act B.E. 2562 (2019) entered full force on 1 June 2022. We respect Thai data subject rights to access, correction, deletion, restriction, portability, and objection. Where consent is the lawful basis, we obtain explicit consent in a clearly distinguishable form. The Personal Data Protection Committee (PDPC) is the regulator.
20. Children's Privacy — COPPA, KOSA, SCOPE, SB 976, AB 2273
Axion Algo is not directed at children under 13 years of age and is, by terms of service, available only to users 18 and older. Notwithstanding our adults-only posture, the following statutory regimes inform our design:
- COPPA (15 U.S.C. §6501 et seq.). We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently done so, we delete the information within ten (10) business days, deactivate the account, and (where contact information for a parent is available) notify the parent.
- KOSA (Kids Online Safety Act, S.1409 / H.R.7891, pending federal enactment). Should KOSA be enacted in its current form, Axion Algo will publish an annual independent audit, implement a duty of care for users under 17, and offer parental tools. Our 18+ gate currently obviates most KOSA obligations.
- Texas SCOPE Act (HB 18, eff. 1 September 2024). The SCOPE Act applies to “digital service providers” that the operator knows or reasonably should know are used by minors. Because Axion Algo's product (TradingView indicators for adult traders) is structurally not used by minors, the SCOPE Act's registration and parental-consent requirements are not triggered for our standard offering.
- California SB 976 (Protecting Our Kids from Social Media Addiction Act, eff. 1 January 2025). SB 976 regulates “addictive feeds” for minors. Axion Algo does not operate an algorithmic feed and does not target minors, so SB 976 does not impose substantive obligations on us.
- California AB 2273 (Age-Appropriate Design Code Act). AB 2273 was largely enjoined by the Ninth Circuit in NetChoice v. Bonta (Aug 2024). We monitor the litigation and stand ready to comply with any portion that ultimately survives review.
- UK Children's Code (Age Appropriate Design Code). Although not directly applicable, we have drawn from its fifteen standards in designing privacy-by-default elements of our product.
Parental notification process. A parent or guardian who believes a child under 13 has registered for Axion Algo may e-mail our contact form with subject “COPPA Parental Request”. We will: (i) acknowledge within two (2) business days; (ii) suspend the account immediately as a precaution; (iii) verify the identification of the parent through reasonable means; (iv) delete the child's personal information within ten (10) business days of verification; and (v) confirm deletion in writing.
21. Named Sub-Processor List
Building on Section 12, this Section provides the canonical, named list of sub-processors that Axion Algo engages, the purpose of the engagement, the principal processing location, the data-protection contract in force, and a link to the sub-processor's own privacy notice.
- Supabase Inc. — managed PostgreSQL, authentication, and storage. Primary processing region: US-East (AWS us-east-1). DPA in force: Supabase Data Processing Addendum incorporating EU SCCs (modules 2 and 3) and the UK IDTA Addendum. Privacy notice: supabase.com/privacy.
- Stripe, Inc. / Stripe Payments Europe Ltd. — payment processing, tax calculation, subscription management. Processing locations: Ireland (EU primary), USA (secondary). DPA in force: Stripe Data Processing Agreement incorporating SCCs (Module 1 controller-to-controller for card data; Module 2 controller-to-processor for metadata we direct). Stripe is the PCI-DSS Level 1 controller of full card data. Privacy notice: stripe.com/privacy.
- PostHog Inc. — product analytics. Processing region: EU (eu.posthog.com). DPA in force: PostHog DPA with EU SCCs (where personnel access from outside the EU is required). Privacy notice: posthog.com/privacy.
- Functional Software, Inc. d/b/a Sentry — error and performance monitoring. Processing region: EU (sentry.io EU). DPA in force: Sentry DPA with EU SCCs. Privacy notice: sentry.io/privacy/.
- Cloudflare, Inc. — content delivery, Web Application Firewall, DNS, bot mitigation. Processing location: global edge network with regional caching. DPA in force: Cloudflare DPA incorporating SCCs and Cloudflare's Customer Data Processing Addendum. Privacy notice: cloudflare.com/privacypolicy.
- Resend, Inc. — transactional and marketing email. Processing location: USA. DPA in force: Resend DPA with EU SCCs. Privacy notice: resend.com/legal/privacy-policy.
- Discord Inc. — community channels. Discord acts as an independent controller for the data processed within its platform; Axion Algo's involvement is limited to creating role-grant requests via the Discord API. Privacy notice: discord.com/privacy.
- Hetzner Online GmbH — bare-metal and cloud hosting for selected application workloads. Processing location: Germany (Falkenstein/Nuremberg). Vercel Inc. — edge hosting for the marketing site, processing location: global edge with regional invocations. DPAs with both providers incorporate EU SCCs.
- TradingView, Inc. — the Service's indicators are technical scripts loaded inside an iframe embedded on TradingView. Axion Algo shares your TradingView username with TradingView solely to grant invite-only access; we do not share any other personal data and we do not receive your TradingView chart data. Privacy notice: tradingview.com/policies.
We maintain an internal change-management process for sub-processor onboarding: each new sub-processor must execute a written DPA before any production data is sent, the contract is reviewed by our legal counsel, and the sub-processor must sign a security questionnaire. Where required by an executed customer DPA, we will provide thirty (30) days' written notice before engaging a materially new sub-processor.
22. Data Protection Impact Assessment (DPIA)
Article 35 of the GDPR requires controllers to carry out a Data Protection Impact Assessment before commencing any processing operation likely to result in a high risk to the rights and freedoms of natural persons. Axion Algo has identified the following processing activities as requiring a DPIA, and has completed each:
- DPIA-001: Anti-abuse identity correlation. Cross-references Stripe customer fingerprints, partial browser fingerprints, and Discord IDs to detect coordinated trial abuse. Mitigations: pseudonymisation at intake, 90-day retention cap on raw vectors, manual human review prior to any account-level enforcement.
- DPIA-002: Affiliate financial onboarding. Collection of W-8/W-9 forms, IBANs, and payout history. Mitigations: hardware-key-protected access to the tax-form vault, encryption at rest with separate KMS key, retention aligned to IRS seven-year rule.
- DPIA-003: Community moderation logging. Logging of Discord message metadata when a moderation action is taken. Mitigations: data minimisation (only the offending message and its immediate context are stored), purpose limitation (used only for appeal review and pattern-of-abuse detection), retention of twelve (12) months.
Each DPIA documents the necessity and proportionality of the processing, identifies risks to data subjects, sets out the mitigations applied, and records the residual-risk decision by Axion Algo's privacy committee. DPIA records are available to supervisory authorities on request.
23. Privacy by Design & by Default (GDPR Art. 25)
Article 25 of the GDPR requires controllers to implement appropriate technical and organisational measures designed to implement data-protection principles and integrate the necessary safeguards into processing. Axion Algo operationalises Article 25 through the following commitments:
- Data minimisation. Each new feature is reviewed against a “minimum data” checklist; if a proposed field is not strictly necessary, it is removed from the design before code review.
- Pseudonymisation. Server-side analytics identifiers are randomly generated UUIDv7 values, decoupled from email address; the mapping table is segregated and access-controlled.
- Encryption at rest. Production database volumes (Supabase) are encrypted at rest using AES-256-GCM; object storage is encrypted by the storage provider; off-site backups are independently encrypted before leaving the production environment.
- Encryption in transit. All client traffic uses TLS 1.3; server-to-server links require mTLS where supported, otherwise TLS 1.2+ with strong-cipher enforcement.
- Separation of duties. Production database access is gated by a break-glass workflow logged in our ticketing system; the engineer requesting access cannot self-approve.
- Defaults set to privacy. New accounts have public-profile sharing disabled, marketing email disabled, and analytics-cookie consent unset (we render no opt-in opt-in by default in EEA/UK/CH/BR regions).
24. Cookieless Tracking Technologies
Beyond traditional HTTP cookies addressed in Section 8 and the Cookie Policy, Axion Algo's footprint includes the following technologies that may or may not require user consent depending on jurisdiction:
- Server-side analytics. Where commercially feasible we prefer first-party server-side event capture (events are emitted by our backend to PostHog using a first-party subdomain {eu.events.axion-algo.com}), which avoids browser-side tracking and reduces ad-blocker breakage. The data captured is identical to that of the client SDK, but the transport path is server-to-server.
- Browser fingerprinting. Axion Algo does not actively fingerprint visitors using techniques such as canvas-fingerprinting, audio-context fingerprinting, font enumeration, or device-sensor enumeration. The only partial fingerprint we collect (Section 17.5) is limited to a canvas + WebGL hash for anti-abuse detection, and we regard this as “partial fingerprinting” subject to legitimate-interests balancing.
- Local Storage and IndexedDB. The Service uses Local Storage to cache certain preferences (theme, last-used preset). These are not used for analytics or marketing.
- Pixel beacons. Where used (Meta Pixel, TikTok Pixel), they are gated behind explicit consent in jurisdictions requiring it. The pixels respect the same opt-out as our cookies and honour the Global Privacy Control signal.
25. Biometric Privacy — BIPA, CUBI, HB 1493
A number of jurisdictions impose strict requirements on the collection of biometric identifiers and biometric information. The most prominent are:
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14. Requires written informed consent prior to collection, a published retention schedule, destruction within three years of last interaction, and provides a private right of action with statutory damages (USD 1,000 / USD 5,000 per violation, recently clarified by the Illinois Supreme Court in Cothron v. White Castle as “per scan” rather than “per person”, though subsequent amendments may apply).
- Texas Capture or Use of Biometric Identifier (CUBI) statute, Tex. Bus. & Com. Code §503.001. Requires informed consent and limits sale of biometric data, enforceable by the Texas Attorney General.
- Washington HB 1493 (RCW 19.375). Requires notice and consent for the enrolment of biometric identifiers in a database for a commercial purpose.
- Other states. New York City Local Law 3 of 2021, Portland Ord. 30.01.140 (banning private-sector facial recognition in public accommodations), and an increasing number of state-level proposals.
Axion Algo's biometric posture. Axion Algo does not collect biometric identifiers or biometric information, as defined in BIPA, CUBI, or HB 1493. We do not operate facial-recognition, voiceprint, retina/iris-scan, hand-geometry, or fingerprint capture. If a user inadvertently uploads biometric data via a support attachment (for example, a screenshot containing a face for an unrelated troubleshooting purpose), we delete the attachment within twenty-four (24) hours of identification and notify the user that the file was destroyed.
26. Consumer Health Data
Consumer health data is increasingly regulated as a stand-alone category, distinct from HIPAA-protected PHI. The principal regimes are:
- Washington My Health My Data Act (MHMDA), RCW 19.373. Effective 31 March 2024 for regulated entities and 30 June 2024 for small businesses. Imposes opt-in consent, geofencing prohibitions, a dedicated consumer health-data privacy policy, a separate consent for sale, and a private right of action.
- Nevada SB 370. Effective 31 March 2024. Similar scope to MHMDA but without a private right of action; enforcement by the Nevada Attorney General.
- Connecticut CTDPA — consumer-health-data chapter. Public Act 23-56 added sections targeting consumer health data with opt-in consent, prohibition of geofencing around healthcare facilities, and granular sale restrictions.
Axion Algo does not process consumer health data. Our Service measures financial-market indicators and has no connection to physical or mental health, gender-affirming care, reproductive services, biometric or genetic data, or any of the categories enumerated in MHMDA §1923.020. If a user voluntarily shares such data through a support channel, we redact the data on intake and delete the underlying message within twenty-four (24) hours, retaining only an anonymised note for audit purposes.
27. Cross-Context Behavioural Advertising
California Civil Code §1798.140(k) defines “cross-context behavioural advertising” as the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
Axion Algo does not engage in cross-context behavioural advertising. Specifically: (i) we do not place advertising tags on the Axion Algo dashboard that would allow third-party advertisers to retarget our authenticated users across the web; (ii) any pixels active on our marketing pages (Meta Pixel, TikTok Pixel) fire only when consent is given and are used for conversion measurement of campaigns whose landing page is Axion Algo's own; (iii) we do not append Axion Algo identifiers to data brokers or to ad-network cookie pools.
Global Privacy Control. Axion Algo recognises and honours the Global Privacy Control (GPC) browser signal as a valid opt-out of sale and sharing under CCPA/CPRA, CPA, CTDPA, and analogous state laws that recognise universal opt-out mechanisms. The signal is consumed at the edge layer and propagated to all relevant downstream tags within milliseconds.
28. Annual Privacy Metrics Report
Aligned with California Civil Code §1798.130(a)(5) and to promote transparency more generally, Axion Algo publishes an annual Privacy Metrics Report in the first quarter of each calendar year. The Report covers the preceding calendar year and discloses, at a minimum:
- Total number of consumer requests received, broken down by category (access, deletion, correction, opt-out of sale, opt-out of sharing, right to limit SPI, portability, appeal).
- Total number complied with in whole.
- Total number complied with in part, and the reasons.
- Total number denied, and the principal reasons.
- Median and mean number of days to substantive response.
- Aggregated geographic distribution of requests (by region where the threshold for statistical disclosure is not breached).
- Total number of personal-data incidents that crossed the internal “notifiable” threshold, even if ultimately not notified externally.
The Report is published at the Axion Algo /transparency URL and remains accessible for at least three calendar years.
29. DPO, EU Representative, and UK Representative
Data Protection Officer (DPO). Article 37 of the GDPR requires a controller to designate a DPO only where the controller is a public authority, where its core activities consist of regular and systematic large-scale monitoring of data subjects, or where its core activities consist of large-scale processing of special-category data. Axion Algo is none of the above, and accordingly is not required to designate a statutory DPO. We have nevertheless appointed an internal “Privacy Lead” who can be reached at our contact form (alias of the support address) and who functions in a manner analogous to a DPO for our customers' convenience.
EU Article 27 Representative. Article 27 of the GDPR requires a controller established outside the EU that targets data subjects in the EU to designate, in writing, a representative in the Union. A representative is being appointed and contact details will be published here: [Placeholder — to be appointed]. Until that appointment, you may correspond with our Privacy Lead at the e-mail above.
UK Article 27 Representative. The analogous UK requirement under Article 27 of the UK GDPR is fulfilled by the same appointment process, with a dedicated UK contact: [Placeholder — to be appointed].
30. Data Processing Agreement (DPA)
Axion Algo offers a written Data Processing Agreement to B2B Institutional customers (asset managers, family offices, proprietary trading firms) and to other counter-parties whose compliance teams require one. The standard Axion Algo DPA incorporates by reference:
- The European Commission's Standard Contractual Clauses (2021/914) for controller-to-processor transfers (Module 2) or processor-to-sub-processor transfers (Module 3), as applicable.
- The UK Information Commissioner's Office International Data Transfer Addendum (IDTA).
- The Swiss FADP Rider, providing equivalence for Swiss transfers.
- A sub-processor list and change-notification mechanism (see Section 21).
- Audit and assistance obligations consistent with GDPR Article 28(3)(f) & (h).
- Detailed Annexes I (description of processing), II (technical and organisational measures), and III (sub-processors).
Requests for a DPA may be sent to our contact form with the subject “DPA Request”.
31. Profiling & Automated Decision-Making
Article 22 of the GDPR (and analogous provisions in the LGPD, CCPA, CPA, CTDPA, and Quebec Law 25) confer on data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Axion Algo does not make decisions producing legal or similarly significant effects on users by solely automated means. Specifically:
- The technical signals produced by our indicators (long / short / neutral, support / resistance levels, alerts) are mathematical outputs of publicly known formulas applied to price data; they are not decisions about a user, they are information presented to a user.
- Decisions to suspend or terminate an account always involve human review. Automated heuristics may flag an account, but enforcement action is taken only after a member of our operations team has reviewed the case.
- Refund and chargeback decisions are similarly subject to human review.
- Marketing personalisation is limited to broad cohorts (plan tier, opt-in language) and does not constitute Article 22 profiling.
Should Axion Algo ever introduce solely-automated decision-making within Article 22, we will (a) update this Policy with at least 30 days' advance notice, (b) implement appropriate safeguards including a right to human intervention and a right to contest, and (c) document the operation in our Article 35 DPIA register.
32. Children Mistakenly Registered — Removal Process
Notwithstanding our 18+ age gate and Discord/Telegram verification flow, it is theoretically possible that a minor could circumvent the controls and create an Axion Algo account. Where we discover such an account, we follow this process:
- Discovery. Through routine sweep (Section 33 below), user report, parental contact, or external notification.
- Confirmation. Our operations team reviews the available evidence (date-of-birth supplied at signup, linked Discord/Telegram account metadata, support-ticket context) and concludes whether the account holder is, more likely than not, under the age of 18 (or under 13 for COPPA purposes).
- Suspension. The account is suspended immediately and any active subscription is paused; the user is notified at the email on file.
- Parental notification. If we have or can reasonably obtain parental contact information, we notify the parent or guardian and explain the next steps.
- Grace period. The parent or guardian has thirty (30) days to (a) confirm the child's age and request immediate deletion, (b) request export of personal data prior to deletion, or (c) provide verifiable proof that the account holder is in fact 18+.
- Deletion. Absent a successful (c) within the grace period, the account and all associated personal data are deleted in accordance with our retention policy and the deletion is logged.
33. Data Breach Notification — Detailed Per Jurisdiction
Our incident-response procedure is jurisdiction-aware. The table below summarises the principal timing and threshold rules that govern our external notifications.
33.1 EU and UK (GDPR / UK GDPR)
Article 33 requires notification to the competent supervisory authority within seventy-two (72) hours of becoming aware of a personal-data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 34 requires notification to affected data subjects without undue delay where the breach is likely to result in a high risk. We maintain a written notification template prepared in coordination with privacy counsel.
33.2 United States — State Breach Notification Laws
All fifty states, the District of Columbia, Puerto Rico, the US Virgin Islands, and Guam have breach-notification statutes. Notification timing varies materially:
- Alabama (Ala. Code §8-38-1). “As expeditiously as possible and without unreasonable delay” and in any event within 45 days; Attorney General notice required where more than 1,000 residents affected.
- California (Cal. Civ. Code §1798.82). In the most expedient time possible and without unreasonable delay; if more than 500 California residents are affected, a sample notice must be submitted to the Attorney General.
- New York (NY Gen. Bus. Law §899-aa, as amended by SHIELD Act). In the most expedient time possible consistent with legitimate law-enforcement needs; AG, DOS, and SP notified for breaches affecting NY residents.
- Florida (Fla. Stat. §501.171). Within thirty (30) days of determination; AG notice for breaches affecting 500+ residents.
- Illinois (815 ILCS 530). In the most expedient time possible and without unreasonable delay; AG notice for breaches affecting 500+ residents within 45 days.
- Texas (Tex. Bus. & Com. Code §521.053). Without unreasonable delay and not later than the 60th day; AG notice for breaches affecting 250+ Texas residents.
- Substitute notice. Where the cost of providing individual notice would exceed USD 250,000 or the number of persons to be notified exceeds 500,000, most state laws permit substitute notice consisting of e-mail where addresses are available, conspicuous posting on the breached entity's website, and notification to major statewide media.
33.3 Sectoral US Laws
HIPAA (45 CFR §164.400 et seq.). Not applicable. Axion Algo is neither a Covered Entity nor a Business Associate; we do not process Protected Health Information. GLBA (15 USC §6801 et seq.). Not applicable. Axion Algo is not a financial institution within the meaning of GLBA.
33.4 Canada (PIPEDA)
Section 10.1 of PIPEDA requires notification to the Office of the Privacy Commissioner of Canada, and to affected individuals, where a breach creates a real risk of significant harm. Notification must be given as soon as feasible after the organisation determines the breach has occurred.
33.5 Australia
Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme) requires notification to the OAIC and affected individuals as soon as practicable after the organisation forms a reasonable belief that an eligible data breach has occurred.
33.6 Brazil (LGPD)
Article 48 of the LGPD requires the controller to communicate to the ANPD and to the data subject the occurrence of a security incident that may create relevant risk or damage to the data subjects, within forty-eight (48) hours per ANPD guidance.
33.7 Other Jurisdictions
We additionally follow notification rules under the South Korean PIPA (24-hour notification to PIPC for breaches affecting more than 1,000 data subjects), Singapore PDPA (notifiable data-breach regime since February 2021), Switzerland revFADP (notification to the FDPIC as soon as possible), and Japan APPI (notification to the PPC and to affected data subjects under the 2022 amendment).
34. Sale / Disclosure for Monetary or Other Valuable Consideration — Last 12 Months
Categorical Statement. In the twelve (12) months preceding the “Last Updated” date of this Policy, Axion Algo has not sold personal information as that term is defined by the CCPA/CPRA, by Va. Code §59.1-575, by C.R.S. §6-1-1303, by Conn. Gen. Stat. §42-515, or by any other applicable US state privacy law. Axion Algo also has not shared personal information for cross-context behavioural advertising. Axion Algo does not intend to sell or share personal information in the future; should that posture ever change, this Policy will be updated with at least thirty (30) days' advance notice and an opt-out mechanism will be exposed at the {/do-not-sell-or-share} URL prior to any such sale or sharing.
Disclosures for a business purpose. While we do not sell personal information, we do disclose personal information to the sub-processors listed in Section 21 for the limited business purposes described in each entry. Such disclosures are governed by written contracts that prohibit the recipient from using the personal information for any purpose other than performing the contracted services and from retaining, using, or disclosing the personal information outside of the direct business relationship.
35. Detailed Retention Schedule
Section 13 lists summary retention windows. This Section provides the complete schedule, by category, and identifies the legal driver behind each retention period.
- Account profile (Section 17.1). Active life of the account plus a six-year tail to satisfy the longest contractual statute of limitations in jurisdictions where we have customers (e.g., 6 years under the UK Limitation Act 1980 for contract claims). Where you request deletion, the tail collapses to 30 days subject to (a) any ongoing dispute and (b) the billing-records exception below.
- Billing and tax records (Section 17.2 / 17.3). Seven (7) years from the close of the fiscal year in which the transaction occurred. Drivers: 26 USC §6501 (US), HMRC's 6-year rule (UK), Spain's Ley General Tributaria art. 66 (4-year minimum; we apply the longer 7-year window for harmonisation), Australia's ITAA 1936 §262A (5-year minimum).
- Indicator usage data (Section 17.4). Twelve (12) months at event level, then aggregated.
- Technical telemetry (Section 17.5). Ninety (90) days raw, twelve (12) months aggregated counters.
- Marketing engagement (Section 17.6). Until unsubscribe plus thirty (30) days for the suppression list.
- Support communications (Section 17.7). Three (3) years from the last contact, after which the ticket is anonymised.
- Affiliate data (Section 17.8). Seven (7) years for tax reporting; payout history retained for the same period.
- Cookies and trackers (Section 17.9). As specified in the Cookie Policy on a per-cookie basis.
- Server logs. 90 days at file level, then purged or aggregated.
- Security incident logs. Minimum one (1) year, longer where the incident is under regulatory or litigation hold.
- Backups. Thirty-five (35) days encrypted retention; deletion requests are honoured by suppressing the data in the active environment immediately and by allowing the backup-retention window to elapse naturally (rather than performing destructive operations against backups, which would compromise restorability).
36. California “Shine the Light”
California Civil Code §1798.83 (the “Shine the Light” statute) permits California residents to request, once per calendar year and free of charge, a list of the categories of personal information disclosed by a business to third parties for the third parties' own direct-marketing purposes during the immediately preceding calendar year, together with the names and addresses of those third parties.
Axion Algo has not disclosed personal information to third parties for those third parties' own direct-marketing purposes in the preceding calendar year. Accordingly, the Shine the Light response that we would issue today is: zero categories, zero recipients. California residents wishing to confirm this in writing may send a request to our contact form with subject “Shine the Light”; we will respond within thirty (30) days.
37. Sale of Business, Reorganisation, or Bankruptcy Transfer
In the event of a merger, acquisition, asset sale, reorganisation, change of control, financing transaction, insolvency, receivership, administration, liquidation, or bankruptcy involving Axion Algo or any successor business entity that holds the Axion Algo service or its assets, personal information may be transferred to the successor or acquiring party as one of the transferred assets. Such a transfer will be subject to:
- The notice and (where required) consent requirements of applicable law, including but not limited to GDPR Article 6(1)(f) balancing where the basis is legitimate interest, LGPD Article 7 considerations, and the various US state privacy laws' treatment of mergers and acquisitions.
- A binding commitment from the successor or acquirer to honour the terms of this Privacy Policy (or a successor policy that is at least as protective of personal information) with respect to the transferred personal information.
- An e-mail notification to affected users describing the transaction, the identity of the successor, and the rights available to the user, including the right to delete the account prior to the closing date.
Where the transferring party is in insolvency proceedings, applicable bankruptcy law (e.g., 11 USC §363(b)(1)(A) in the US, Insolvency Act 1986 in the UK) may impose additional protections including consumer-privacy-ombudsman review.
38. Children's Online Privacy Sweep
Notwithstanding the 18+ gate, Axion Algo conducts a quarterly review of accounts for evidence of underage users. The sweep:
- Queries linked Discord accounts for known school-affiliation indicators, “teen” or “kid” substrings, and account-creation dates inconsistent with adulthood claims.
- Reviews any support tickets containing keywords associated with minor status (“parent”, “school”, “allowance”).
- Flags accounts whose payment method is associated with a school district or with a parent-controlled prepaid product, where such information is surfaced by Stripe.
Flagged accounts are manually reviewed by a member of the operations team; where the review concludes that the user is more likely than not under 18, the Section 32 removal process is initiated.
39. PII Pseudonymisation & Encryption
We employ the following controls to protect personal information from unauthorised access or disclosure:
- Passwords. Hashed using bcrypt with a work factor of at least 12 (or the Supabase Auth default, which is currently equivalent), with a unique random salt per credential. Plaintext passwords are never logged, never stored, and never transmitted other than over TLS at the moment of submission.
- Two-factor authentication secrets. Encrypted at rest with AES-256-GCM using a key managed by the Supabase Vault.
- Personal data at rest. Database volumes are encrypted using AES-256 with provider-managed keys. Object storage is encrypted using AES-256 with provider-managed keys. Backups are independently encrypted before leaving the production environment.
- Personal data in transit. All client traffic uses TLS 1.3 with PFS-only cipher suites. Internal service-to-service traffic uses TLS 1.2+ with mutually authenticated client certificates where supported.
- Pseudonymisation. Analytics, error reporting, and internal dashboards use UUIDv7 identifiers rather than e-mail addresses or names. The mapping table is stored in a separate database schema with row-level security and access logging.
- Access control. Production database access requires hardware-key-based authentication, MFA, and a documented break-glass approval from a different team member.
40. No Sale of Personal Information — Do Not Sell or Share My Personal Information
AXION ALGO DOES NOT SELL OR SHARE YOUR PERSONAL INFORMATION. Axion Algo does not sell personal information for monetary or other valuable consideration and does not share personal information for cross-context behavioural advertising. This statement applies to every user, in every jurisdiction, at all times in the twelve months preceding the “Last Updated” date and prospectively from that date forward.
California Civil Code §1798.135 requires businesses that sell or share personal information to display, on the homepage and in the privacy policy, a “Do Not Sell or Share My Personal Information” link. Because Axion Algo neither sells nor shares personal information, we are not statutorily required to display that link; however, in the interest of transparency we maintain a /do-not-sell-or-share endpoint that reaffirms the foregoing statement and that may, in the future, host an opt-out mechanism if our practices ever change.
Equivalent “right to opt out of sale” provisions exist under the VCDPA (§59.1-577(A)(5)), CPA (§6-1-1306(1)(a)), CTDPA (§42-518(a)(5)), UCPA (§13-61-201(4)), TDPSA (§541.051(a)(5)), and most successor state statutes; the Axion Algo “no sale, no share” posture renders each of those opt-outs structurally satisfied by default.
41. Material Changes — 30-Day Email Notice
Where Axion Algo proposes to make a material change to this Privacy Policy — for example, adding a new category of personal information, introducing a new lawful basis, commencing sale or sharing for the first time, materially expanding the sub-processor list, or shortening a retention period for data we have already collected — we will provide affected users with at least thirty (30) days' advance notice by e-mail to the address on file, in addition to updating the “Last Updated” date and (where relevant) publishing a redline of the changes.
Non-material changes (typographical corrections, clarifications that do not alter substantive rights or obligations, updates to sub-processor sub-region within the same legal regime) may be made without individual notice but will still be reflected in the “Last Updated” date.
42. Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the "Last Updated" date at the top of the Policy. If the changes are significant, we may also provide a more prominent notice (such as by email notification to our subscribers or a notice on our website). We encourage you to review this Policy periodically to stay informed about how we are protecting your information.
Your continued use of AXION ALGO after any modifications to the Privacy Policy will signify your acceptance of the changes. If you do not agree with any updated terms, you should discontinue using the services and may request that we delete your personal data.
43. Contact Us & Data Protection Officer
We have appointed an internal Data Protection contact (acting as DPO for GDPR purposes where required by Article 37 GDPR). You can reach them at the support email below by including “DPO” in the subject line.
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at our contact form. This is the dedicated support email for AXION ALGO, and we will do our best to respond promptly to your inquiry.
You may also reach out to us through our community channels (Discord or Telegram) for general questions, but for privacy-specific inquiries (such as data access or deletion requests), email is preferred so we can properly authenticate and address your request. Since AXION ALGO is not a registered legal entity, email is the primary method to reach the operator(s) of the service. We are committed to resolving any issues related to your privacy and to answering any questions you may have about how your information is handled.
Thank you for reading our Privacy Policy. We value your trust in AXION ALGO and are dedicated to keeping your personal data safe and your privacy rights respected.