Privacy Policy

Last updated: May 12, 2026 · Effective: May 12, 2026 · Governing law: State of Arizona, United States

Summary for developers: We collect account data, API usage logs, and security signals (IP, device fingerprints). We do not sell your data. We do not use your data to train AI models. You can request deletion at any time. EU/UK users have full GDPR rights. California residents have full CCPA rights.

1. Who We Are

Coaxiom LLC ("Coaxiom," "we," "us," or "our") is a limited liability company registered in the State of Arizona, United States. We operate the website coaxiom.io, the Coaxiom Price Intelligence API, and the Coaxiom Exchange (collectively, the "Services").

Data Controller: Coaxiom LLC
Privacy contact: [email protected]
Legal/DPO inquiries: [email protected]

We do not currently have a formal EU/UK data protection officer designation (we do not meet the mandatory DPO threshold), but all data protection inquiries are handled by our legal team within the timelines required by applicable law.

2. Data We Collect

2.1 Account and Identity Data

2.2 Seller / KYC Verification Data (Exchange only)

Sellers listing compute capacity on the Coaxiom Exchange must complete identity verification. We collect, or our verification partners collect on our behalf:

This data is collected under a legal obligation (AML/sanctions compliance) and is handled under heightened security controls. It is not used for marketing purposes.

2.3 Usage and API Data

2.4 Security and Fraud Prevention Data

2.5 Payment Data

We do not store raw payment card data. All payment processing is handled by Stripe, Inc. We store your Stripe customer ID and subscription status. For Exchange sellers, Stripe Connect handles payout data including bank account routing information.

2.6 Communications Data

2.7 Data We Do Not Collect

We do not collect or process the content of your AI model requests or outputs. Coaxiom is a price intelligence and marketplace platform; we do not operate inference infrastructure. Your actual prompts, model responses, and application data never pass through our systems.

3. How We Use Your Data

PurposeData usedLegal basis (GDPR)
Providing the Services Account data, API key, tier/subscription Contract performance (Art. 6(1)(b))
Billing and payment processing Email, Stripe customer ID, subscription data Contract performance (Art. 6(1)(b))
Security and fraud prevention IP address, device fingerprint, network signals, account links Legitimate interests (Art. 6(1)(f)) — protecting our platform and users
Sanctions and AML compliance (Exchange) KYC/KYB identity data, OFAC screening results Legal obligation (Art. 6(1)(c))
NCMEC mandatory reporting Account data, usage logs Legal obligation (Art. 6(1)(c)) — 18 U.S.C. § 2258A
Analytics and product improvement Usage logs, API call patterns (aggregated, not sold) Legitimate interests (Art. 6(1)(f)) — improving service quality
Newsletter and product updates Email address, subscription preference Consent (Art. 6(1)(a)) — you can opt out at any time
Responding to legal requests Any relevant account or usage data Legal obligation (Art. 6(1)(c))

We do not use your data to train machine learning or AI models. We do not sell your personal data to third parties. We do not use your data for advertising profiling.

4. Data Retention

Data categoryRetention periodReason
Account and authentication data Duration of account + 90 days after deletion request Service continuity; grace period for accidental deletion
API usage logs 90 days (free/developer) · 1 year (team/enterprise) Billing disputes, rate-limit enforcement
Security logs (IP, fingerprint) 180 days Fraud investigation; pattern detection
KYC / seller verification data 5 years from last transaction, or as required by law AML compliance, legal hold obligations
Payment records 7 years Tax and accounting requirements (IRC § 6001)
NCMEC reports (if any) Permanent (required by law) 18 U.S.C. § 2258A
Newsletter subscription data Until you unsubscribe + 30 days Unsubscribe list maintenance
Support communications 3 years Dispute resolution reference

When a retention period expires, data is either deleted or irreversibly anonymized (aggregated into statistics with no individual linkability).

5. Third-Party Subprocessors

We share your data with the following subprocessors as necessary to deliver the Services. All subprocessors are bound by data processing agreements (DPAs) consistent with GDPR Article 28.

SubprocessorPurposeData sharedLocation
Supabase, Inc. Database, authentication, and real-time infrastructure Account data, API logs, KYC data United States (AWS us-east-1)
Stripe, Inc. Payment processing, subscriptions, Stripe Connect payouts Email, billing address, payment data United States / Global
Stripe Identity Seller KYC — photo ID and liveness verification ID document images, selfie images (Exchange sellers only) United States
Resend, Inc. Transactional email delivery (welcome, alerts, magic links) Email address, email content United States
IPQualityScore LLC IP risk scoring, VPN/Tor/proxy detection IP address (at signup and transaction time) United States
Netlify, Inc. Hosting, serverless function execution, CDN IP address, request logs (standard web server logs) United States
Cloudflare, Inc. DNS, CDN, DDoS protection IP address, request metadata (not payload) United States / Global edge
Confluent, Inc. Event streaming for real-time price data pipeline Price events (no personal data) United States

We do not use advertising networks, data brokers, or behavioral tracking platforms.

6. International Data Transfers

Coaxiom is headquartered in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is transferred to and processed in the United States.

We rely on the following transfer mechanisms to legitimize cross-border transfers:

You may request a copy of our transfer mechanisms by contacting [email protected].

7. Data Sovereignty and Residency

By default, all account and usage data is stored in the United States (AWS us-east-1 via Supabase). We do not currently offer EU-only or regional data residency configurations for standard plans.

Enterprise plans may request dedicated data residency in supported AWS or GCP regions (EU-West, APAC). Contact [email protected] to discuss residency requirements before signing up.

Exchange seller KYC data is subject to US legal jurisdiction regardless of the seller's location, due to our OFAC screening obligations under US law. If this is incompatible with your local data residency requirements, you may not be eligible to participate in the Exchange.

8. Your Rights

Access Request a copy of all personal data we hold about you.
Rectification Correct inaccurate or incomplete personal data.
Erasure ("Right to be Forgotten") Request deletion of your account and personal data, subject to retention obligations.
Data Portability Receive your data in a structured, machine-readable format (JSON/CSV).
Restriction of Processing Ask us to limit how we process your data while a dispute is pending.
Objection Object to processing based on legitimate interests, including profiling.
Withdraw Consent Withdraw newsletter consent at any time via the unsubscribe link in any email.
Lodge a Complaint File a complaint with your local data protection authority (EEA/UK users).

To exercise any of these rights, email [email protected]. We respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before actioning a request.

Note on KYC/AML data: Erasure requests for seller identity verification data may be partially denied where we have legal obligations to retain that data (e.g., OFAC compliance records). We will inform you of any retention that overrides your erasure request.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (as amended by CPRA):

To submit a CCPA request, email [email protected] with subject line "CCPA Request." We do not honor Global Privacy Control (GPC) signals at this time as we do not sell data.

Categories of Personal Information Collected (CCPA Disclosure)

CategoryExamplesCollected?Sold?
IdentifiersEmail, IP address, device fingerprint, API keyYesNo
Personal recordsName, government ID (Exchange sellers only)Yes (Exchange)No
Protected characteristicsAge, national origin (for KYC compliance)Limited (Exchange)No
Commercial informationSubscription tier, purchase historyYesNo
Internet/network activityAPI logs, browsing activity on coaxiom.ioYesNo
Geolocation dataCountry/region from IP (not GPS)YesNo
Sensitive: government ID numberEIN, SSN equivalent (Exchange business sellers)Yes (Exchange)No
InferencesRisk score, fraud flagYes (internal only)No

10. Cookies and Tracking

We use the following technologies on coaxiom.io:

We do not use cross-site tracking cookies, third-party ad networks, or retargeting pixels beyond the above.

11. Security

We implement the following security measures to protect your personal data:

In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR where feasible; California residents notified without unreasonable delay).

12. Children's Privacy

Our Services are directed at businesses and developers and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact [email protected] immediately and we will delete it promptly.

13. Links to Third-Party Services

Our Services contain links to AI provider pricing pages, documentation, and external resources. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes — including changes to data retention periods, new subprocessors, or changes to your rights — will be communicated by email to your registered address at least 14 days before taking effect. Continued use of the Services after the effective date constitutes acceptance.

We maintain a changelog of material changes to this policy. Prior versions are available upon request at [email protected].

15. Contact

For privacy requests, data subject rights, and general inquiries:

Coaxiom LLC