Privacy Policy
Effective Date: February 26, 2026
Last Updated: March 20, 2026
1. Introduction
Welcome to Axolect. Axolect is a collaborative infinite-canvas workspace for financial research - combining live market data with spatial collaboration tools for traders, investment teams, and research communities.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our waitlist website, use our platform at axolect.com (the "Service"), or interact with us in any way. It applies to all users worldwide, including those protected under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Digital Personal Data Protection Act, 2023 (India) and related rules, and other applicable privacy laws.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.
2. Information We Collect
2.1 Information You Provide Directly
Note: During the waitlist phase, we only collect Waitlist Information. The remaining data types apply once full platform access is granted. We do not knowingly collect personal data from children in jurisdictions where additional safeguards are required (including users under 18 in India) unless we have implemented a compliant consent flow.
| Data Category | Examples | Purpose |
|---|---|---|
| Waitlist Information | Email address | Early access notifications, product updates |
| Account Information | Email address, password (hashed) | Account creation, authentication, login |
| Profile Information | Display name, handle (@username), avatar URL, bio | Public profile display, community identity |
| Workspace Content | Canvases, cards, zones, threads, connections, tags, notes | Core product functionality |
| Comments & Discussions | Comment text, replies, votes (upvotes/downvotes) | Discussion features, karma system |
| Communications | Support requests, feedback, emails you send us | Customer support, product improvement |
2.2 Information Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Usage Data | Pages viewed, features used, canvas interactions | Product analytics, performance optimization |
| Device & Browser Data | Browser type, operating system, screen resolution | Compatibility, responsive design |
| Log Data | IP address, access timestamps, referring URLs, error logs | Security, debugging, abuse prevention |
| Real-Time Data | Cursor positions, presence indicators | Live collaboration features |
| Performance Metrics | Page load times, interaction latency | Speed optimization (Vercel Speed Insights) |
2.3 Information from Third-Party Sources
We do not purchase data from third-party brokers. However, we receive limited information from:
- Authentication providers (e.g., Google, via Supabase Auth) - if you choose social login, we receive your name, email, and profile picture from the provider.
- Financial data APIs - we fetch publicly available market data (cryptocurrency prices, stock quotes) to display on your canvases. This data is about markets, not about you.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service - manage waitlist queue, create your account, sync your canvases, enable real-time collaboration.
- Personalize your experience - display your profile, karma score, and rank within workspaces.
- Communicate with you - send waitlist updates, product announcements, security alerts, and transactional emails. We will never send unsolicited marketing without your consent.
- Ensure security and prevent abuse - rate limiting, idempotency checks, input validation, and XSS sanitization.
- Monitor and improve the Service - analyze usage patterns, diagnose errors (via Sentry), measure performance (via Vercel Analytics).
- Enforce our Terms - detect violations of our Terms & Conditions.
- Comply with legal obligations - respond to lawful requests from authorities, enforce our legal rights.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contractual necessity: Account management, canvas data, collaboration features.
- Legitimate interest: Analytics, security monitoring, error tracking, service improvement.
- Consent: Waitlist signup, optional marketing communications, non-essential cookies.
- Legal obligation: Compliance with applicable laws, responding to data requests.
You may withdraw consent at any time by contacting us at privacy@axolect.com. Withdrawal does not affect the lawfulness of prior processing.
5. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share data only in the following specific circumstances:
5.1 Service Providers (Sub-Processors)
We use the following third-party services:
- Supabase: Database, authentication, real-time sync (AWS hosted).
- Vercel: Hosting, edge functions, analytics (Global CDN).
- Upstash: Redis caching, rate limiting (Serverless).
- Sentry: Error monitoring, performance tracking.
- CoinGecko API & Alpaca Markets: Cryptocurrency and stock market data handling.
All sub-processors are bound by data processing agreements (DPAs) requiring them to protect your data.
5.2 Other Users
When using collaborative features, certain information (like your handle, comments, and cursor position) is visible to other workspace participants. Content on public canvases is visible to anyone with the link.
5.3 Legal Requirements & Business Transfers
We may disclose information if required by law or to protect user safety. In the event of a merger, acquisition, or asset sale, your information may be transferred with advance notice.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Waitlist emails | Until you unsubscribe, your account is created, or the waitlist concludes |
| Account & profile data | Until you delete your account, plus 30 days for backups |
| Workspace content | Until deleted by the canvas owner, or upon account deletion |
| Server logs & analytics | 90 days (rolling) |
| Error tracking data (Sentry) | 90 days |
After the retention period, data is permanently deleted or irreversibly anonymized.
7. Data Security
We implement industry-standard security measures:
- Encryption in transit (HTTPS/TLS) and at rest (Supabase/AWS).
- Authentication via secure JWT tokens; passwords hashed.
- Row-Level Security (RLS) ensuring users only access authorized data.
- Protections against SSRF, XSS, and abuse through strict rate limiting and sanitization.
Note: No method of electronic transmission is 100% secure. We cannot guarantee absolute security.
8. Cookies and Tracking Technologies
We use cookies for authentication (Supabase Auth sessions), basic site analytics (Vercel Analytics), and error logging (Sentry). We do not use third-party advertising cookies. We do not currently honor Do Not Track (DNT) browser signals as no industry standard for DNT compliance exists.
9. Your Privacy Rights
Regardless of your location, you may:
- Access, Correct, Delete, or Export your personal data.
9.1 Additional Rights Under GDPR (EEA, UK, Switzerland)
- Right to restriction of processing, to data portability, to object, and to lodge a complaint with your local Data Protection Authority.
9.2 Additional Rights Under CCPA/CPRA (California Residents)
- Right to know what we collect, to request deletion or correction, to opt out of sale/sharing (we do not sell data), and to non-discrimination.
- No lookback limitation applies.
9.3 Additional Rights Under India's DPDP Act
Subject to applicable law and verification requirements, users in India may request:
- Access to a summary of personal data being processed and related processing information.
- Correction, completion, updating, and erasure of personal data.
- Withdrawal of consent where processing is consent-based.
- Grievance redressal through our designated contact channels.
- Nomination of another individual to exercise applicable rights in the event of death or incapacity.
To exercise these rights, contact us at privacy@axolect.com. We will respond within legally mandated timelines. Where Indian law applies, we aim to resolve valid rights and grievance requests within the period required under applicable law (up to 90 days unless a shorter period is prescribed).
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy Decisions where applicable, supported by supplementary technical and organizational security measures to ensure your data receives strong protections regardless of jurisdiction.
For data processing subject to Indian law, we implement reasonable contractual, technical, and organizational safeguards and will comply with applicable transfer restrictions and government notifications issued under Indian data protection law.
11. India-Specific Privacy Disclosures
The following terms apply to users in India in addition to the rest of this Privacy Policy.
11.1 Children's Data (India)
Under Indian law, a child is an individual who has not completed 18 years of age. We do not knowingly process personal data of children in India without required verifiable consent from a parent or lawful guardian. If we learn that such data was processed without required consent, we will take steps to suspend processing and delete or remediate the data as required by law.
11.2 Grievance Redressal (India)
If you are in India and have a privacy grievance, you may contact our designated grievance channel at privacy@axolect.com with the subject line "India Privacy Grievance". This inbox functions as our designated India privacy grievance contact channel. You may also contact legal@axolect.com for escalation. We will acknowledge and resolve grievances within the timelines required by applicable Indian law.
11.3 Personal Data Breach Notifications
Where required under applicable law, including Indian law, if a personal data breach is likely to affect you, we will notify you in plain language with available details on: (a) the nature of the breach, (b) likely consequences, (c) steps we have taken or are taking to mitigate impact, and (d) how you can contact us for support.
11.4 Data Transfers and Government Restrictions
We may process personal data in multiple jurisdictions through our service providers. For personal data governed by Indian law, we will honor any applicable government restrictions or conditions on transfers and processing.
11.5 Consumer-Facing Disclosures for Paid Plans in India
If and when we offer paid plans to consumers in India, we will publish required consumer-facing disclosures on our website and checkout surfaces, including legal entity details, contact channels, grievance channels, and refund/cancellation information, as required by applicable law.
12. Google API Services User Data
Axolect integrates with Google Sign-In via Supabase Auth. This section explains exactly what Google Account data we access, why, and how it is handled.
12.1 Scopes Requested
We request only the following minimum OAuth 2.0 scopes:
| Scope | Purpose |
|---|---|
| openid | Verify your identity with a stable Google-issued subject identifier |
| email | Use your email address as your Axolect account identifier |
| profile | Pre-fill your display name and avatar when you create your account |
We do not request access to Google Drive, Gmail, Calendar, Contacts, Google Docs, YouTube, or any other Google service.
12.2 Data Received from Google
When you authenticate with Google Sign-In, we receive:
- Email address - stored as your unique account identifier; used for transactional emails (security alerts, waitlist updates). Never used for unsolicited marketing without your consent.
- Display name - stored as your default Axolect display name; you can update or delete it at any time.
- Profile picture URL - stored as your default avatar; you can replace or remove it at any time.
We do not receive or store your Google Account password, phone number, payment methods, or any other Google Account data.
12.3 How We Use This Data
Google Account data is used solely to:
- Create and authenticate your Axolect account.
- Pre-populate your user profile for convenience.
It is never:
- Sold, rented, or traded to third parties.
- Used for advertising, profiling, or automated decision-making.
- Shared with anyone outside our sub-processors listed in Section 5.1, who are bound by Data Processing Agreements.
12.4 Limited Use Compliance
Axolect's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use the data to provide or improve the Axolect service.
- We do not use it for any purpose unrelated to the user-facing features described above.
- We do not transfer this data to third parties except as necessary to operate the service, with appropriate confidentiality obligations, or as required by law.
13. Contact Information
For any questions about this Privacy Policy or to exercise your privacy rights, please contact us at:
- Privacy: privacy@axolect.com
- Legal: legal@axolect.com
- Security: security@axolect.com