Privacy Policy

1. Introduction

Axot (the "Service") is operated by Ewalk, Inc. ("we", "our", "us"). This policy explains how we collect, use, store, and share your data when you use the Service.

2. Data we collect

2-1. Account information

• Email address (used for Magic Link authentication)

2-2. AI conversation data (core)

• AI conversations you capture (Gemini, Claude, ChatGPT, etc.)
• Prompts you sent (your questions)

2-3. Forge data (your own knowledge)

• Short notes you write in your own words about what you learned from a conversation
• Forge data is your own authored content and treated as your work

2-4. Axiom data (future feature)

• A context profile auto-generated from your accumulated Forge entries
• Includes topic distribution and thinking-style tendencies
• Axiom is shared externally only when you explicitly copy it as a context prompt or fetch it via the MCP tool get_axiom

2-5. Usage logs

• AI API usage logs (retained up to 7 days for token quota enforcement)
• Daily aggregates by provider and feature
• Dashboard access logs (for service improvement)

3. How we use your data

Anonymized data (B2B Insights, future)

We may, in the future, sell anonymized and aggregated "interest trend data" to B2B customers. This use is opt-out by default (Settings → Data usage).

4. Sharing with third parties

We do not share your data with third parties except in the following cases:

• AI processing pipeline: Google Gemini API (for Forge assistance, Axiom generation, MCP responses)
• Infrastructure: AWS (ECS / Aurora Serverless v2 / S3 / SES / CloudFront)
• Payments: Stripe (Pro / Expert plan billing)
• Legal requirements: when required to disclose by law

5. Storage and security

• Storage region: AWS us-east-1 (N. Virginia)
• Encryption: in transit (TLS 1.2+) and at rest (AWS default encryption)
• Access control: Magic Link authentication for users; API key authentication for MCP endpoints

6. Your rights

Axot is built on a Privacy by Design principle.

• Export: download all your data in JSON / CSV from Settings → Export
• Deletion (right to be forgotten): delete your account and all associated data from Settings → Delete Account. Backups are purged within 30 days.
• Correction: edit your Axiom directly from the dashboard if it contains errors
• Opt-out (B2B Insights): opt out of anonymized analytics from Settings → Data usage

7. GDPR / CCPA / APPI

GDPR (EU)

• Legal basis: contractual necessity (Art. 6(1)(b))
• Data processors: Google LLC (Gemini API), AWS, Stripe
• EU-to-US transfers governed by Standard Contractual Clauses (SCC)
• Data Processing Agreements (DPA) in place with all processors
• 72-hour breach notification: we will notify the relevant supervisory authority within 72 hours of a confirmed data breach

CCPA (California)

California residents may request disclosure, deletion, and opt-out of sale of their personal information. "Sale of data" (B2B Insights) is opt-out by default.

APPI (Japan)

We obtain prior consent before providing personal information to third parties and have filed as a personal information handling business operator where required.

8. Cookies and tracking

• We use Django session cookies for session management.
• We do not use third-party tracking scripts (e.g., Google Analytics) in Phase 1.
• If we add them later, we will request consent via a cookie banner.

9. Bounce and complaint handling

We use Amazon SES to send email. When a bounce or complaint occurs, we automatically suppress further delivery to that address via an SES → SNS → Webhook flow.

10. Changes to this policy

Material changes will be announced via email to your registered address and on this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

• Email: privacy@axot.ai (coming soon)
• Languages: English, Japanese