Privacy Policy

Last updated: March 25, 2026 · Version 2026-03-25

AKAXA Limited (“AKAXA,” “we,” “us,” or “our”) is the data controller for personal information processed through the AKAXA platform (“Service”). Our registered office is in Hong Kong Special Administrative Region (“Hong Kong SAR”).

1. Information We Collect

We collect the following categories of personal information:

• Account data: name, email address, company name, job title, user type (PE/VC/Startup), region
• Authentication data: password hash, login timestamps, verification tokens
• Usage data: analysis requests, feature usage, API calls, IP address, browser type
• Uploaded documents: financial statements, pitch decks, and other documents you choose to upload for analysis
• Payment data: billing information processed by Stripe (Tier 5 subscribers)
• Consent records: timestamps and version of Terms of Service and Privacy Policy accepted

2. Legal Basis for Processing (GDPR — EU/EEA Users)

Pursuant to GDPR Articles 13 and 14, we process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): account creation, service delivery, billing
• Legitimate interest (Art. 6(1)(f)): security, fraud prevention, platform improvement
• Legal obligation (Art. 6(1)(c)): compliance with applicable laws
• Consent (Art. 6(1)(a)): marketing communications (where applicable)

Data Protection Officer: privacy@akaxa.io

3. How We Use Your Information

• Providing and operating the AI-powered due diligence Service
• Sending transactional emails (verification, password reset, analysis completion)
• Account and subscription management
• Security monitoring and fraud prevention
• Platform analytics and product improvement
• Legal compliance and dispute resolution

4. Third-Party Data Sharing

We share data with the following sub-processors to operate the Service:

• Anthropic (Claude API): AI analysis processing — search queries, document excerpts (no PII)
• Perplexity AI: web research enrichment — search queries (no PII)
• Cloudflare: CDN, WAF, R2 object storage — server infrastructure
• Railway: application hosting — servers located in the United States
• Resend: transactional email delivery
• Sentry: error logging and monitoring — anonymized stack traces
• Stripe: payment processing (Tier 5 subscribers)

We do not sell personal information to third parties.

5. International Data Transfers

We transfer personal data to service providers in the United States and other countries. For EU/EEA users, transfers are protected by Standard Contractual Clauses (SCCs) Module 2 (controller to processor) as adopted by the European Commission.

6. Your Rights

EU/EEA Users (GDPR)

• Access (Art. 15): request a copy of your personal data
• Rectification (Art. 16): correct inaccurate data
• Erasure (Art. 17): request deletion of your data
• Portability (Art. 20): receive your data in a machine-readable format
• Object (Art. 21): object to processing based on legitimate interest
• Restrict (Art. 18): restrict processing in certain circumstances
• Lodge a complaint with your national supervisory authority

California Users (CCPA/CPRA)

• Right to know what personal information is collected
• Right to delete personal information
• Right to correct inaccurate information
• Right to opt-out of sale or sharing of personal information

AKAXA does not sell personal information. Do Not Sell or Share My Personal Information

Korean Users (PIPA)

We collect the following personal information:

• 수집 항목: 이름, 이메일, 회사명, 직책, 사용자 유형
• 수집 목적: 서비스 제공, 계정 관리, 분석 서비스
• 보관 기간: 계정 유지 기간 + 탈퇴 후 30일
• 국외 이전: 서버 소재지 미국 (Railway), AI 서비스 미국 (Anthropic, Perplexity)

불만 신고: 개인정보보호위원회(PIPC) · www.pipc.go.kr

Hong Kong Users (PDPO)

• Data Access Request (DAR): request access to your data
• Data Correction Request (DCR): request correction of inaccurate data
• Lodge a complaint with the Privacy Commissioner for Personal Data (PCPD): www.pcpd.org.hk

7. Data Security

We implement industry-standard security measures including encryption at rest (AES-256) and in transit (TLS 1.3), API key encryption using Fernet, access controls, and regular security reviews. No method of transmission over the internet is 100% secure.

8. Data Retention

We retain your personal data for the duration of your account, plus 30 days after account deletion (to allow for data export). Analysis results may be retained in anonymized form for platform improvement. Uploaded documents are deleted upon your request.

9. Cookies

We use essential cookies for authentication and security. We do not use advertising or tracking cookies. You can decline non-essential cookies via our cookie banner.

10. Children

The Service is not directed at children under 18. We do not knowingly collect personal information from minors.

11. Changes to This Policy

We will notify you of material changes by email and by posting a notice in the Service at least 30 days before the effective date.

12. Contact

AKAXA Limited · Hong Kong SAR
Privacy enquiries: privacy@akaxa.io
Data Protection Officer: privacy@akaxa.io