Back

Privacy Policy

Last updated: May 2026

1. What We Collect

When you create an Axos account we collect your email address, full name, IP address (for rate limiting and abuse prevention), basic usage telemetry, account preferences, portfolio data you choose to add (manual entries, connected wallet addresses, exchange API keys — encrypted at rest), and chat / research history generated through the product.

2. How We Use It

  • To deliver the Axos product and connected services
  • To send transactional and (with consent) marketing emails
  • To prevent abuse through rate limiting
  • To measure and improve the product (analytics)
  • To run AI features (chat, research, reports) you explicitly trigger
  • To meet legal obligations (tax, anti-fraud)

3. Sub-processors (Article 28 GDPR)

We share data with the following sub-processors, scoped to the purposes listed:

  • Supabase (USA / EU) — Postgres database + auth + storage
  • Vercel (USA) — hosting + serverless compute
  • Stripe (USA / IE) — payment processing + tax reporting
  • Resend (USA) — transactional email delivery
  • Cloudflare (USA) — Turnstile bot mitigation + CDN
  • Anthropic (USA) — LLM provider for AI features
  • Google AI Studio (USA) — LLM provider (Gemini) for AI features
  • OpenRouter (USA) — LLM fallback gateway
  • CoinGecko (SG) — public crypto market data
  • Nansen (SG) — on-chain analytics
  • LunarCrush (USA) — social sentiment signals
  • Coinalyze, BGeometrics, SoSoValue, CryptoRank — market & on-chain signals
  • Alchemy (USA) — blockchain RPC for wallet sync
  • Privy (USA) — embedded wallet provider (opt-in)
  • Sentry (USA) — error monitoring
  • PostHog (USA / EU) — product analytics (with consent)
  • Featurebase (USA) — user feedback platform (when used)
  • TikTok Pixel, Reddit Pixel — marketing measurement (with consent only)

We sign Data Processing Agreements (or rely on the provider's published DPA) with each sub-processor that handles identifiable personal data. None of our sub-processors sell your data.

3a. Legal Basis for Processing (GDPR Art. 6)

We process personal data under the following legal bases:

  • Contract — to deliver the Service you signed up for (account, subscription, AI features you trigger).
  • Legitimate interest — for security, rate-limiting, abuse prevention, error monitoring, and product improvement analytics.
  • Consent — for marketing emails, marketing pixels (TikTok / Reddit), and non-essential analytics (PostHog). You can withdraw consent at any time.
  • Legal obligation — for tax/invoice retention (7 years), anti-fraud, and lawful requests.

3b. International Data Transfers

Some sub-processors listed above are located outside the EU/EEA (mainly USA). Where data is transferred from the EU/EEA to a country without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as published by the European Commission, plus supplementary technical measures (encryption in transit and at rest). You can request a copy of the relevant transfer mechanism at support@axoss.io.

4. Cookies

The site sets the following cookies:

  • auth_refresh — HttpOnly refresh token (essential, login).
  • axos_logged_in — public session hint across subdomains (essential).
  • axos_consent — your cookie choices (essential).
  • __stripe_* — payment session (essential when checking out).
  • cf-turnstile — bot challenge (essential).
  • _ttp — TikTok measurement (marketing — only with consent).
  • _rdt_uuid — Reddit measurement (marketing — only with consent).
  • ph_* — PostHog product analytics (analytics — only with consent).

5. Retention

  • Chat history — 12 months from creation, then auto-deleted.
  • Analyses and research outputs — 24 months.
  • Portfolio snapshots — 36 months.
  • Transactions and invoice records — 7 years (Stripe / tax law).
  • Account-level data — kept until you delete your account.

6. Your Rights

You can access, export, correct, and delete your data at any time. Logged-in users can run an export or delete their account directly from the Settings page. EU/UK/EEA residents have rights under the GDPR (including the right to lodge a complaint with a supervisory authority); Brazilian residents have analogous rights under the LGPD.

6a. Age Requirement

You must be at least 18 years old (or the minimum age of digital consent in your jurisdiction, whichever is higher) to use Axos. We do not knowingly collect personal data from anyone under that age. If you believe we have collected data from a minor, contact support@axoss.io for immediate deletion.

6b. Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (GDPR Art. 33). If the breach poses a high risk to you specifically, we will notify you directly via email without undue delay (GDPR Art. 34). Brazilian residents will be notified in accordance with the LGPD Art. 48.

7. Landing Page Service Data (Axoss)

In addition to the Axos cryptocurrency platform, we operate a landing page design service under the "Axoss" brand. The data practices described below apply specifically to that service and supplement the sections above.

7.1 Data we collect for the landing page service

  • Business information — name and description of what is sold, used to generate the landing page content.
  • Contact email — used to deliver the preview link and any communications related to the project.
  • Google Drive folder URL (optional) — if provided by the client, used to share assets.
  • Billing information — processed by Stripe; we do not store full payment details.

7.2 How we use this data

  • Generate the requested landing page HTML and email copy.
  • Host the preview at a unique URL on axoss.pro.
  • Communicate preview links, revisions, and delivery.
  • Process payment and record completion via Stripe webhook.

7.3 Sharing

Landing page data is not sold and is shared only with the sub-processors listed in Section 3 strictly to operate the service — Stripe for payment processing, Vercel for hosting, and Supabase / Neon for the database backing the preview store.

7.4 Retention

Landing page records are kept while the preview is active. After a project is archived or the client requests deletion, we remove the row from our database within 30 days, except as required for accounting or legal compliance.

8. Contact

Questions, requests, or complaints? Reach us at:

AxosAI, Inc.
2942 North 24th Street
Phoenix, AZ 85016, United States
EIN 30-1481275
Email: support@axoss.io