Privacy Policy

Legal

Last updated: March 2026 · Effective date: March 2026

The short version: Axis collects only what is necessary to provide the service. We do not sell your data, share it with advertisers, or use it to train AI models. Your organisation's data is yours. You can request deletion at any time.

1. Who we are

Axis is a resource planning platform for professional services firms, operated by Axis HQ Pty Ltd (Australia) and/or Axis HQ Ltd (United Kingdom), collectively referred to in this policy as "Axis", "we", "us", or "our".

This policy applies to all users of the Axis platform at axishq.app and any associated applications or services.

2. Our role — controller and processor

Axis acts in two distinct capacities depending on whose data is being processed:

Data controller — for data collected directly from individuals who create accounts with Axis (names, email addresses, login activity, billing details). Axis determines the purpose and means of processing this data and is directly responsible for it under GDPR and the Australian Privacy Act.

Data processor — for personal data that a subscribing organisation (the Customer) enters into Axis about their own staff, such as names, roles, skills, leave records, and allocation history. In this capacity, Axis processes data on the Customer's instructions. The Customer is the data controller for their staff data and is responsible for: having a lawful basis to process it (typically legitimate interests as an employer), informing their staff that the data is held in Axis, and handling data subject requests from their staff in the first instance.

This distinction matters in practice. If a staff member whose data appears in Axis (but who has no Axis login) wishes to exercise their rights — access, erasure, rectification — the correct first step is to contact their employer (the Customer), who can action the request directly within the platform. If an individual contacts Axis directly, we will acknowledge the request, identify the relevant Customer, and work with them to fulfil it. We will not ignore direct requests on the basis that the individual's employer is the data controller.

For Enterprise customers, a full Data Processing Agreement (DPA) is available on request at hello@axishq.app. The DPA governs Axis's obligations as a processor of Customer staff data and includes the standard contractual clauses required for international data transfers.

3. What data we collect and why

2.1 Account and organisation data

When you sign up for Axis, we collect:

Your name and email address (for authentication and account management)
Your organisation's name and domain
Billing information including payment method details (processed and stored by Stripe — we do not store card numbers)
Your selected data residency region (UK, EU, US, or AU)

Lawful basis (GDPR): Performance of a contract (Article 6(1)(b)). Australian Privacy Act: Collection is necessary for the primary purpose of providing the service.

2.2 People and resource planning data

The core function of Axis requires you to enter data about the people in your organisation, including:

Staff names, job grades or levels, working hours, and team membership
Project names, client names, and allocation data (days planned per person per period)
Skills and practice area tags you assign to staff members
Leave records
Pipeline and tender information

This data is entered by your organisation's administrators and users. Axis processes it solely to provide the resource planning features you have subscribed to.

Lawful basis (GDPR): Performance of a contract (Article 6(1)(b)) for organisational data; legitimate interests (Article 6(1)(f)) for individual staff data, balanced against staff members' privacy interests. We recommend that subscribing organisations inform their staff that their name, role, and allocation data will be held in Axis.

2.3 Usage and technical data

We collect limited technical data to operate and improve the service:

Log data including IP addresses, browser type, pages visited, and timestamps
Session and authentication tokens (managed via Clerk)
Error reports and performance monitoring data
Aggregate usage statistics (feature usage counts, session lengths)

Lawful basis (GDPR): Legitimate interests (Article 6(1)(f)) — necessary for security, debugging, and service improvement. Australian Privacy Act: Collected for the secondary purpose of service improvement, which users would reasonably expect.

2.4 Ask (AI feature) data

When you use the Ask feature, your question and relevant context from your organisation's data (people, allocations, pipeline information) is sent to Anthropic's API to generate a response. We log:

Token counts, latency, and estimated cost (for billing and abuse prevention)
A one-way hash of the question text (for rate limiting) — not the question itself

We do not log question text or response content. Anthropic's data processing is governed by their Privacy Policy. Anthropic does not use API inputs to train their models.

Lawful basis (GDPR): Performance of a contract (Article 6(1)(b)). Organisations can disable the Ask feature entirely from their configuration settings if they prefer not to send any data to Anthropic.

4. Data residency and transfers

Axis supports data residency selection for Enterprise tier organisations. Your organisation's resource planning data (people, projects, allocations) is stored in the region you select:

UK — eu-west-2 (London), Amazon Web Services
EU — eu-central-1 (Frankfurt), Amazon Web Services
US — us-east-1 (Virginia), Amazon Web Services
AU — ap-southeast-2 (Sydney), Amazon Web Services

Starter and Growth tier organisations are hosted in the UK region by default.

Authentication services are provided by Clerk, which may process data internationally. Clerk maintains appropriate safeguards including Standard Contractual Clauses for transfers from the EEA. Billing is processed by Stripe, which operates globally under appropriate data transfer mechanisms.

For UK and EEA customers: where personal data is transferred outside the UK or EEA, we rely on adequacy decisions or Standard Contractual Clauses as the legal transfer mechanism.

5. How we use your data

We use the data we collect to:

Provide, operate, and maintain the Axis platform
Process payments and manage your subscription
Send transactional emails (account confirmation, billing receipts, service notices)
Respond to support requests
Detect and prevent fraud, abuse, and security incidents
Comply with legal obligations
Improve the service using aggregate, anonymised usage data

We do not use your data to:

Sell or rent data to third parties
Display advertising
Train AI or machine learning models
Profile individual staff members for purposes beyond the resource planning service

6. Who we share data with

We share data only with the following categories of sub-processors, under contractual obligations to protect your data:

Clerk — authentication and identity management
Stripe — payment processing and subscription management
Amazon Web Services — cloud infrastructure and data storage
Neon — database hosting (operates on AWS infrastructure)
Vercel — application hosting, serverless compute, and edge delivery (Vercel operates on AWS infrastructure)
Anthropic — AI processing for the Ask feature (only when Ask is enabled and used)

We may disclose data if required by law, court order, or regulatory authority, and will notify you where legally permitted to do so.

7. Data retention

Active account data — retained for the duration of your subscription
Audit logs — retained for 24 months from creation, then automatically purged
Ask usage logs — retained for 24 months, then purged
Billing records — retained for 7 years to comply with financial record-keeping obligations (UK and AU)
Account data after cancellation — retained for 90 days after subscription ends, then permanently deleted. You may request earlier deletion.
Backups — encrypted backups are retained for 30 days, then automatically overwritten

8. Your rights

Under GDPR (UK and EU users)

You have the right to:

Access — request a copy of personal data we hold about you
Rectification — request correction of inaccurate data
Erasure — request deletion of your personal data ("right to be forgotten")
Restriction — request that we restrict processing of your data
Portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent, withdraw it at any time

UK users may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk. EU users may contact their national data protection authority.

Under the Australian Privacy Act

You have the right to access personal information we hold about you and to request correction of inaccurate information. You may lodge complaints with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

How to exercise your rights

Contact us at hello@axishq.app. We will respond within 30 days. We may need to verify your identity before processing requests.

Note: most personal data held in Axis (name, role, allocations) was entered by your organisation's administrator, not collected directly from you. For deletions or corrections, we recommend first contacting your Org Admin, who can make changes directly in the platform.

9. Security

We take security seriously. Our measures include:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls — platform operators can only access customer data with a logged, justified reason
Multi-factor authentication required for all platform operator access
Regular security reviews and penetration testing
Automatic purging of logs and old data per retention schedules

In the event of a data breach affecting your organisation, we will notify you without undue delay and within 72 hours where required by GDPR.

10. Cookies

Axis uses essential cookies only — session tokens required for authentication. We do not use advertising cookies, tracking pixels, or analytics cookies. No cookie consent banner is required as we use only strictly necessary cookies.

11. Children's data

Axis is a B2B service intended for use by professional services organisations. We do not knowingly collect data from or about individuals under the age of 18.

12. Changes to this policy

We will notify you of material changes to this policy by email and by displaying a notice in the Axis platform at least 14 days before changes take effect. The current version is always available at axishq.app/privacy.

13. Contact

For privacy-related and general enquiries: hello@axishq.app

Axis HQ · axishq.app