Summary for developers: We collect account data, API usage logs, and security signals (IP, device fingerprints). We do not sell your data. We do not use your data to train AI models. You can request deletion at any time. EU/UK users have full GDPR rights. California residents have full CCPA rights.
Coaxiom LLC ("Coaxiom," "we," "us," or "our") is a limited liability company registered in the State of Arizona, United States. We operate the website coaxiom.io, the Coaxiom Price Intelligence API, and the Coaxiom Exchange (collectively, the "Services").
Data Controller: Coaxiom LLC
Privacy contact: [email protected]
Legal/DPO inquiries: [email protected]
We do not currently have a formal EU/UK data protection officer designation (we do not meet the mandatory DPO threshold), but all data protection inquiries are handled by our legal team within the timelines required by applicable law.
Sellers listing compute capacity on the Coaxiom Exchange must complete identity verification. We collect, or our verification partners collect on our behalf:
This data is collected under a legal obligation (AML/sanctions compliance) and is handled under heightened security controls. It is not used for marketing purposes.
We do not store raw payment card data. All payment processing is handled by Stripe, Inc. We store your Stripe customer ID and subscription status. For Exchange sellers, Stripe Connect handles payout data including bank account routing information.
We do not collect or process the content of your AI model requests or outputs. Coaxiom is a price intelligence and marketplace platform; we do not operate inference infrastructure. Your actual prompts, model responses, and application data never pass through our systems.
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Providing the Services | Account data, API key, tier/subscription | Contract performance (Art. 6(1)(b)) |
| Billing and payment processing | Email, Stripe customer ID, subscription data | Contract performance (Art. 6(1)(b)) |
| Security and fraud prevention | IP address, device fingerprint, network signals, account links | Legitimate interests (Art. 6(1)(f)) — protecting our platform and users |
| Sanctions and AML compliance (Exchange) | KYC/KYB identity data, OFAC screening results | Legal obligation (Art. 6(1)(c)) |
| NCMEC mandatory reporting | Account data, usage logs | Legal obligation (Art. 6(1)(c)) — 18 U.S.C. § 2258A |
| Analytics and product improvement | Usage logs, API call patterns (aggregated, not sold) | Legitimate interests (Art. 6(1)(f)) — improving service quality |
| Newsletter and product updates | Email address, subscription preference | Consent (Art. 6(1)(a)) — you can opt out at any time |
| Responding to legal requests | Any relevant account or usage data | Legal obligation (Art. 6(1)(c)) |
We do not use your data to train machine learning or AI models. We do not sell your personal data to third parties. We do not use your data for advertising profiling.
| Data category | Retention period | Reason |
|---|---|---|
| Account and authentication data | Duration of account + 90 days after deletion request | Service continuity; grace period for accidental deletion |
| API usage logs | 90 days (free/developer) · 1 year (team/enterprise) | Billing disputes, rate-limit enforcement |
| Security logs (IP, fingerprint) | 180 days | Fraud investigation; pattern detection |
| KYC / seller verification data | 5 years from last transaction, or as required by law | AML compliance, legal hold obligations |
| Payment records | 7 years | Tax and accounting requirements (IRC § 6001) |
| NCMEC reports (if any) | Permanent (required by law) | 18 U.S.C. § 2258A |
| Newsletter subscription data | Until you unsubscribe + 30 days | Unsubscribe list maintenance |
| Support communications | 3 years | Dispute resolution reference |
When a retention period expires, data is either deleted or irreversibly anonymized (aggregated into statistics with no individual linkability).
We share your data with the following subprocessors as necessary to deliver the Services. All subprocessors are bound by data processing agreements (DPAs) consistent with GDPR Article 28.
| Subprocessor | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, and real-time infrastructure | Account data, API logs, KYC data | United States (AWS us-east-1) |
| Stripe, Inc. | Payment processing, subscriptions, Stripe Connect payouts | Email, billing address, payment data | United States / Global |
| Stripe Identity | Seller KYC — photo ID and liveness verification | ID document images, selfie images (Exchange sellers only) | United States |
| Resend, Inc. | Transactional email delivery (welcome, alerts, magic links) | Email address, email content | United States |
| IPQualityScore LLC | IP risk scoring, VPN/Tor/proxy detection | IP address (at signup and transaction time) | United States |
| Netlify, Inc. | Hosting, serverless function execution, CDN | IP address, request logs (standard web server logs) | United States |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | IP address, request metadata (not payload) | United States / Global edge |
| Confluent, Inc. | Event streaming for real-time price data pipeline | Price events (no personal data) | United States |
We do not use advertising networks, data brokers, or behavioral tracking platforms.
Coaxiom is headquartered in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data is transferred to and processed in the United States.
We rely on the following transfer mechanisms to legitimize cross-border transfers:
You may request a copy of our transfer mechanisms by contacting [email protected].
By default, all account and usage data is stored in the United States (AWS us-east-1 via Supabase). We do not currently offer EU-only or regional data residency configurations for standard plans.
Enterprise plans may request dedicated data residency in supported AWS or GCP regions (EU-West, APAC). Contact [email protected] to discuss residency requirements before signing up.
Exchange seller KYC data is subject to US legal jurisdiction regardless of the seller's location, due to our OFAC screening obligations under US law. If this is incompatible with your local data residency requirements, you may not be eligible to participate in the Exchange.
To exercise any of these rights, email [email protected]. We respond within 30 days (GDPR) or 45 days (CCPA). We may ask you to verify your identity before actioning a request.
Note on KYC/AML data: Erasure requests for seller identity verification data may be partially denied where we have legal obligations to retain that data (e.g., OFAC compliance records). We will inform you of any retention that overrides your erasure request.
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (as amended by CPRA):
To submit a CCPA request, email [email protected] with subject line "CCPA Request." We do not honor Global Privacy Control (GPC) signals at this time as we do not sell data.
| Category | Examples | Collected? | Sold? |
|---|---|---|---|
| Identifiers | Email, IP address, device fingerprint, API key | Yes | No |
| Personal records | Name, government ID (Exchange sellers only) | Yes (Exchange) | No |
| Protected characteristics | Age, national origin (for KYC compliance) | Limited (Exchange) | No |
| Commercial information | Subscription tier, purchase history | Yes | No |
| Internet/network activity | API logs, browsing activity on coaxiom.io | Yes | No |
| Geolocation data | Country/region from IP (not GPS) | Yes | No |
| Sensitive: government ID number | EIN, SSN equivalent (Exchange business sellers) | Yes (Exchange) | No |
| Inferences | Risk score, fraud flag | Yes (internal only) | No |
We use the following technologies on coaxiom.io:
We do not use cross-site tracking cookies, third-party ad networks, or retargeting pixels beyond the above.
We implement the following security measures to protect your personal data:
In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities within the timeframes required by applicable law (72 hours under GDPR where feasible; California residents are notified without unreasonable delay).
Our Services are directed at businesses and developers and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact [email protected] immediately and we will delete it promptly.
Our Services contain links to AI provider pricing pages, documentation, and external resources. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you access.
We may update this Privacy Policy periodically. Material changes — including changes to data retention periods, new subprocessors, or changes to your rights — will be communicated by email to your registered address at least 14 days before taking effect. Continued use of the Services after the effective date constitutes acceptance.
We maintain a changelog of material changes to this policy. Prior versions are available upon request at [email protected].
For privacy requests, data subject rights, and general inquiries:
Coaxiom LLC