Privacy Policy
Last updated: February 16, 2026
1. Introduction
Axiom Refract ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use the Axiom Refract enterprise code analysis platform ("the Service").
By using the Service, you consent to the data practices described in this policy.
2. Data We Collect
2.1 Account Information
When you create an account, we collect your email address, name, and authentication credentials (stored as secure hashes, never in plaintext).
2.2 Source Code
When you submit code for analysis, we temporarily store your source code for the duration of the analysis pipeline. See our Data Handling Policy for detailed information on how code is processed and retained.
2.3 Analysis Results
We store the analysis reports, health scores, and associated metadata generated from your code. These are retained as part of your account data.
2.4 Usage Data
We collect information about how you interact with the Service, including pages visited, features used, analysis jobs submitted, and error events. This data is used to improve the Service and diagnose issues.
2.5 Technical Data
We automatically collect browser type, operating system, IP address, and device information when you access the Service. IP addresses are retained for security and rate-limiting purposes.
3. How We Use Your Data
We use your data for the following purposes:
- Service Delivery: To analyze your code, generate reports, and provide analysis results.
- Account Management: To authenticate your identity and manage your subscription.
- Service Improvement: To understand usage patterns and improve the platform (using aggregated, anonymized data only).
- Security: To detect and prevent abuse, fraud, and security threats.
- Communication: To send you service-related notifications, such as analysis completion emails and account alerts.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
4. What We Do NOT Do With Your Data
- We never use your source code to train AI models or machine learning systems.
- We never sell your personal information or source code to third parties.
- We never share your source code with other users or customers.
- We never retain your source code beyond the configured retention period.
5. Data Retention
Source Code: Retained only for the duration of analysis plus your configured retention period. Default retention is 30 days after analysis completion, after which source code is permanently deleted from our storage.
Analysis Reports: Retained as long as your account is active. You may delete individual reports at any time.
Account Data: Retained as long as your account is active. Upon account deletion, all associated data is permanently removed within 30 days.
Usage and Technical Data: Retained in aggregated, anonymized form for up to 24 months for service improvement purposes.
6. Data Sharing
We share your data only in the following limited circumstances:
- Infrastructure Providers: We use cloud infrastructure services to host and operate the platform. These providers process data on our behalf under strict contractual obligations.
- Email Delivery: We use third-party email services (e.g., Resend) to send analysis completion notifications. Only your email address and notification content are shared.
- Legal Requirements: We may disclose data if required by law, legal process, or government request.
- Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction, with notice provided to you.
Payment Information
We use Stripe, Inc. as our payment processor. When you make a purchase or subscribe to a paid plan, your payment details are collected directly by Stripe through their secure hosted checkout page and are subject to Stripe's Privacy Policy.
What we receive from Stripe: Your billing name, billing address, last four digits of your card, card brand (e.g., Visa, Mastercard), and transaction amounts. This information is used for invoice records and customer support.
What we never receive or store: Your full card number, CVV/security code, bank account credentials, or any other payment instrument details. This data goes directly to Stripe and never passes through our servers.
7. Your Rights
7.1 General Rights (All Users)
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate personal data.
- Deletion: Request deletion of your account and all associated data.
- Data Export: Download your analysis reports and account data.
7.2 GDPR Rights (EU/EEA Users)
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to Restrict Processing: Request that we limit how we process your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Lodge a Complaint: File a complaint with your local data protection authority.
7.3 CCPA Rights (California Users)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect, use, and disclose.
- Right to Delete: Request deletion of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
- Right to Opt-Out: We do not sell personal information, so no opt-out is needed.
8. Cookies and Local Storage
The Service uses essential cookies and local storage for authentication session management and user preferences. We do not use third-party advertising or tracking cookies.
- Session Cookies: Required for authentication. Expire when you close your browser or after your session timeout.
- Preference Storage: Local storage for UI preferences (theme, layout). Stored locally on your device only.
9. Security
We implement industry-standard security measures to protect your data:
- Encryption at rest and in transit (TLS 1.2+).
- Per-tenant data isolation in storage.
- JWT-based authentication with token rotation.
- Rate limiting to prevent abuse.
- Audit logging for security-relevant events.
10. Contact
For privacy-related inquiries, data access requests, or to exercise your rights, contact us at privacy [at] axiomrefract.com.