Privacy Policy
This Privacy Policy explains how AXIOMA processes personal data when you visit axiomagdpr.com, request a demonstration of our platform, or contact us. It is provided to satisfy the information obligations under Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR").
Last updated: [TO BE ADDED: date].
1. Who we are (the controller)
The controller responsible for the processing described here is:
- Legal entity: [TO BE ADDED: registered company name]
- Registered address (EU establishment): [TO BE ADDED: EU establishment address]
- Company / registration number: [TO BE ADDED: company registration number]
- VAT number: [TO BE ADDED: VAT number]
- Contact: info@axiomagdpr.com
Where we determine the purposes and means of processing your personal data, we act as a controller. Where we process personal data on behalf of our customers under their instructions (for example, data within their compliance records), we act as a processor; that processing is governed by the data processing terms agreed with the relevant customer and is not the subject of this notice.
2. Data protection contact
For any question about this policy or about how we handle your personal data, contact us at info@axiomagdpr.com.
Our Data Protection Officer (where appointed under Art. 37 GDPR) can be reached at: [TO BE ADDED: DPO contact].
3. What personal data we collect
We keep data collection to the minimum needed for the purposes set out below (Art. 5(1)(c), data minimisation). Depending on how you interact with us, we process:
3.1 Website visitors
- Server log data generated automatically when you load a page: IP address, date and time of the request, the page or resource requested, HTTP status, referring URL, and browser/user-agent string. This is standard technical metadata that a web server records to operate and protect the site.
For information about cookies and similar technologies, and for any consent we ask for under the ePrivacy rules, see our Cookie Policy.
3.2 Demo requesters
- The identifying and contact details you submit so we can arrange and run a demonstration: typically your name, work email address, company name, and any message or details you choose to provide about your use case.
3.3 Email and other contacts
- The contact details and content of any message you send us by email or through a contact form: your name, email address, and the content of your enquiry.
We do not seek to collect special categories of data (Art. 9 GDPR). Please do not include sensitive personal data in messages you send us.
4. Why we process your data and our legal bases
We process personal data only where Article 6 GDPR provides a lawful basis. The table below sets out each purpose and the corresponding basis.
| Purpose | Data used | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Operating, securing and maintaining the website; detecting and preventing abuse, fraud and attacks; ensuring availability and diagnosing faults | Server log data | Legitimate interests (Art. 6(1)(f)) — our interest in network and information security and in keeping the site running. Recital 49 recognises security as a legitimate interest. |
| Responding to a demo request and preparing/running the demonstration | Demo requester details | Performance of a contract or steps taken at your request prior to entering into a contract (Art. 6(1)(b)). |
| Answering general enquiries and correspondence | Contact details and message content | Legitimate interests (Art. 6(1)(f)) — our interest in responding to people who contact us; or, where you initiate a pre-contractual exchange, Art. 6(1)(b). |
| Sending marketing or product updates by email, where applicable | Email address and name | Your consent (Art. 6(1)(a)), which you may withdraw at any time without affecting prior processing. |
| Complying with our own legal obligations and establishing, exercising or defending legal claims | The relevant data above | Legal obligation (Art. 6(1)(c)) and/or legitimate interests (Art. 6(1)(f)). |
Where we rely on legitimate interests, we have carried out a balancing exercise to confirm that those interests are not overridden by your interests or fundamental rights. You can object to such processing at any time (see Section 8).
5. Recipients and processors
We do not sell personal data. We disclose it only to:
- Service providers acting as processors who help us run the site and our business — for example EU-hosted cloud infrastructure and IT services. They process personal data only on our documented instructions under a written data processing agreement that meets Article 28 GDPR.
- Professional advisers (such as legal or accounting advisers) where necessary.
- Public authorities or courts where we are required to disclose data by law, or to establish, exercise or defend legal claims.
We do not name individual sub-processors in this notice; a current list of processors used for a given service is available on request at info@axiomagdpr.com.
6. International transfers
Our default position is EU data residency: the personal data described in this notice is hosted on infrastructure located within the European Union / European Economic Area, and we do not transfer it to a third country.
If a specific sub-processor ever required a transfer of personal data outside the EEA, we would only permit it where a valid transfer mechanism under Chapter V GDPR (Arts. 44–49) is in place — in particular an adequacy decision under Art. 45, or the European Commission's Standard Contractual Clauses under Art. 46(2)(c) together with any supplementary measures shown to be necessary by a transfer impact assessment. You can ask us for a copy of the relevant safeguards at info@axiomagdpr.com.
7. How long we keep your data (retention)
We keep personal data only for as long as necessary for the purpose for which it was collected, and in line with the storage-limitation principle (Art. 5(1)(e)):
- Server logs: retained for a short period for security and diagnostics, then deleted or aggregated into non-identifying statistics. [TO BE ADDED: server log retention period]
- Demo requests: retained for the duration of the pre-contractual exchange and any resulting relationship, then deleted or archived. [TO BE ADDED: demo enquiry retention period]
- General correspondence: retained for as long as needed to handle the matter and any follow-up. [TO BE ADDED: correspondence retention period]
- Marketing consent records: retained until you withdraw consent or unsubscribe, plus a period needed to evidence that the processing was lawful.
Where data is needed to comply with a legal obligation or to defend legal claims, we retain it for the applicable limitation period.
8. Your rights
Subject to the conditions in the GDPR, you have the following rights in relation to your personal data:
- Access — to obtain confirmation of whether we process your data and a copy of it (Art. 15).
- Rectification — to have inaccurate data corrected and incomplete data completed (Art. 16).
- Erasure — to have your data deleted in the circumstances set out in the GDPR (Art. 17).
- Restriction — to restrict our processing in certain cases (Art. 18).
- Data portability — to receive data you provided to us, in a structured, commonly used, machine-readable format, where processing is based on consent or contract and carried out by automated means (Art. 20).
- Objection — to object, on grounds relating to your particular situation, to processing based on legitimate interests, and to object at any time to processing for direct marketing (Art. 21).
- Automated decisions — not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22). We do not take such decisions about visitors, demo requesters or email contacts.
- Withdraw consent — where we rely on consent, to withdraw it at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).
To exercise any of these rights, use our data-subject request process or email info@axiomagdpr.com. We respond within one month of receiving a request, extendable by two further months where necessary given the complexity and number of requests (Art. 12(3)). Exercising your rights is free of charge unless a request is manifestly unfounded or excessive (Art. 12(5)).
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, taking into account the state of the art and the risk to individuals (Art. 32). These measures include encryption in transit, access controls on a least-privilege basis, logging and monitoring, and EU data residency. No system can be guaranteed perfectly secure, but we work to keep our safeguards aligned with the risk.
If a personal data breach occurs, we will assess it and, where required, notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it (Art. 33), and inform affected individuals where the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
10. Complaints to a supervisory authority
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement (Art. 77). We would, however, appreciate the chance to address your concern first — please contact us at info@axiomagdpr.com.
Our lead supervisory authority is: [TO BE ADDED: competent supervisory authority].
11. Changes to this policy
We may update this Privacy Policy to reflect changes in our processing, our services, or the law. When we make material changes, we will update the "Last updated" date above and, where appropriate, take additional steps to inform you. Please review this page periodically.