Privacy Policy

Last updated: April 12, 2026 · Version 2026-04-12

AKAXA Limited (“AKAXA,” “we,” “us,” or “our”) is the data controller for personal information processed through the AKAXA platform (“Services”). We are headquartered in Hong Kong SAR. This Privacy Policy complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws globally.

Data Protection Officer: dpo@akaxa.io
Privacy Contact: privacy@akaxa.io

1. Information We Collect

• Account data: name, email address, phone number, company name, job title, company size
• Authentication data: password (encrypted), SSO provider details, login timestamps
• Company & analysis data: financial data, industry information, competitive landscape, M&A history, and other data uploaded for analysis
• Usage data: IP address, browser type, pages visited, features used, session duration, error logs
• Payment data: billing information processed by Stripe
• Communication data: support messages, survey responses, feedback

2. Legal Basis for Processing (GDPR)

• Contractual necessity (Art. 6(1)(b)): account creation, service delivery, billing
• Legitimate interest (Art. 6(1)(f)): security, fraud prevention, platform improvement
• Legal obligation (Art. 6(1)(c)): compliance with applicable laws
• Consent (Art. 6(1)(a)): marketing communications

3. How We Use Your Information

• Providing and operating the AI-powered analysis Services
• Account authentication, administration, and customer support
• Generating Analysis Reports and insights via AI systems
• Security monitoring, fraud prevention, and abuse detection
• Platform analytics and optimization using aggregated, de-identified data
• Legal compliance and dispute resolution

AI Data Processing & Zero Data Retention

AI partners (including Anthropic) process data through enterprise-grade APIs with contractual Zero Data Retention (ZDR) obligations. Customer data is not stored or used for AI model training by sub-processors after the processing session ends. AKAXA does not use Customer data to train, fine-tune, or improve machine learning models without explicit written consent.

4. Third-Party Data Sharing

We share data with the following sub-processors to operate the Services:

• Anthropic (Claude API): AI analysis processing (USA) — Zero Data Retention policy
• Perplexity AI: web research enrichment (USA) — search queries only
• Cloudflare: CDN, WAF, R2 object storage (USA/EU)
• Railway: application hosting (USA)
• Resend: transactional email delivery (USA)
• Sentry: error monitoring — anonymized stack traces
• Stripe: payment processing

We do not sell or share personal information for targeted advertising. All sub-processors have signed Data Processing Agreements requiring equivalent security measures. Changes to sub-processors are notified with 30 days' notice.

5. International Data Transfers

EU to Hong Kong SAR transfers: Transfers from the EU/EEA to AKAXA in Hong Kong SAR are protected by Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission, as required by GDPR Article 46.

Hong Kong SAR to US transfers: For secondary transfers to US-based sub-processors, we rely on Standard Contractual Clauses (SCCs Module 3: Processor to Processor) as adopted by the European Commission.

6. Automated Decision-Making (GDPR Art. 22)

AKAXA's AI-powered analysis provides decision support tools only. We do not engage in automated decision-making that produces legal effects or similarly significant effects on data subjects. All Analysis Reports are advisory in nature and require review by qualified human professionals. Each Customer's data is processed in a logically isolated environment.

7. Your Rights

EU/EEA Users (GDPR)

• Access (Art. 15): request a copy of your personal data
• Rectification (Art. 16): correct inaccurate data
• Erasure (Art. 17): request deletion of your data
• Portability (Art. 20): receive your data in a machine-readable format (CSV, JSON)
• Object (Art. 21): object to processing based on legitimate interest
• Restrict (Art. 18): restrict processing in certain circumstances
• Withdraw consent at any time without affecting prior processing
• Lodge a complaint with your national supervisory authority

California Users (CCPA/CPRA)

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to correct inaccurate information
• Right to opt-out of sale or sharing (AKAXA does not sell data)
• Right to non-discrimination for exercising privacy rights

Do Not Sell or Share My Personal Information

Korean Users (PIPA)

For users located in the Republic of Korea, AKAXA complies with the Personal Information Protection Act (PIPA):

• 수집 항목: 이름, 이메일, 회사명, 직책, 사용자 유형
• 수집 목적: 서비스 제공, 계정 관리, AI 분석 서비스
• 보관 기간: 계정 유지 기간 + 탈퇴 후 30일
• 파기 절차: 전자적 파일은 복구 불가능한 방법으로 삭제 (PIPA 제21조)
• 국외 이전: 서버 소재지 홍콩 (Hong Kong SAR), AI 서비스 미국 (Anthropic, Perplexity)

불만 신고: 개인정보보호위원회(PIPC) · www.pipc.go.kr

8. Data Security

We implement industry-standard security measures including encryption at rest (AES-256) and in transit (TLS 1.2+), Fernet symmetric encryption for sensitive fields, role-based access controls (RBAC), multi-factor authentication for admin access, real-time monitoring, and audit logging. Breach notification is provided within 72 hours of confirmation.

9. Data Retention

• Account data: duration of subscription + 1 year
• User Data: subscription + 30 days (export) + 90 days (backup)
• Usage logs: 90 days (operational); 12 months (aggregated analytics)
• Payment records: 7 years (tax/accounting compliance)
• Support communications: 3 years after final interaction

After retention expires, electronic files are destroyed using methods that render recovery impossible (cryptographic erasure), in compliance with Korea PIPA Article 21.

10. Cookies

We use essential cookies for authentication and security. We do not use advertising or tracking cookies. You can decline non-essential cookies via our cookie banner.

11. Children

The Services are not directed at individuals under 18. We do not knowingly collect personal information from minors.

12. Changes to This Policy

Material changes that reduce privacy protections require 30 days' notice by email and in-app notification, with a right to terminate without penalty. Continued use constitutes acceptance of the updated policy.

13. Contact

AKAXA Limited · Hong Kong SAR
Privacy enquiries: privacy@akaxa.io
Data Protection Officer: dpo@akaxa.io
Response Time: 5 business days