Privacy Notice

Last updated May 20, 2026

What We Collect

• Account data you provide, such as email address and profile details.
• Authentication and security data required to operate the service.
• Rate-limit identifiers derived from IP address or email using one-way hashes.
• Optional app improvements only after explicit consent, including analytics, diagnostics, direct account analytics, and protected-workflow session replay with masking and sanitization applied.
• Consent proof records containing your selected privacy choices, policy version, consent timestamp, and a random consent ID.
• Browser consent choices are treated as stale after six calendar months and must be confirmed again.
• Rejected or undecided visitors are not tracked by PostHog.

Purposes And Legal Bases

• Provide the service and account features: contract or requested service.
• Security, abuse prevention, and operational error logging: legitimate interest.
• App improvements, including PostHog product events, client-side diagnostics, direct account analytics, and protected-workflow session replay: explicit consent that can be withdrawn.
• Rejected or undecided PostHog tracking: not performed.
• Legal compliance and rights handling: legal obligation where applicable.

Processors And Subprocessors

We use Supabase for database/authentication, Upstash for rate limiting, PostHog EU Cloud for optional app improvements and analytics, and Vercel for hosting, web analytics, and speed insights. These providers may use their own subprocessors under their data processing agreements.

Retention

Account data is retained while the account is active. Security and operational logs are retained only as long as needed for reliability, fraud prevention, debugging, and legal obligations. Optional app improvements and analytics follow the retention settings in the relevant vendor tools.

International Transfers (Cross-Border Data Transfer)

Our primary servers are hosted through secure cloud providers, including Vercel and Supabase. While browser analytics through PostHog are isolated to European Union (EU) ingestion servers, processing data through these industry-standard subprocessors may involve transferring data outside your home country, including transfers from Turkey to the EU or US. These transfers are conducted under contractual safeguards, such as Standard Contractual Clauses (SCCs) and Data Processing Agreements, or through explicit consent provided through our privacy settings where required.

Your Rights (GDPR & KVKK Article 11)

In accordance with GDPR and Article 11 of the KVKK (Law No. 6698), you hold the right to:

• Learn whether your personal data is being processed and request information if it has been.
• Learn the purpose of the processing and whether data is used in accordance with that purpose.
• Know the third parties to whom your personal data is transferred domestically or abroad.
• Request rectification if your data is incomplete or inaccurately processed.
• Request the erasure or destruction of your personal data under legal frameworks.
• Object to negative consequences arising exclusively from automated analysis of your data.
• Demand compensation for damages suffered due to unlawful processing.

To exercise these rights, you may submit your request to our data controller contact at hello@axiomforge.com using your registered email address, or via written notice to our official physical corporate address. We will respond to your requests free of charge within 30 days as mandated by KVKK.

Consent Withdrawal

Use the Privacy preferences control in the footer to reject optional app improvements at any time. Withdrawing optional consent stops future full PostHog capture and direct account identity on this device. Each saved choice creates a compliance proof record with the selected categories, policy version, timestamp, and random consent ID. Saved browser choices expire after six calendar months, and we ask you to confirm your choice again. If you reject optional consent, have not made a choice yet, or your saved choice has expired, PostHog tracking does not run.

PostHog Identity And Replay

If you enable account analytics, PostHog may receive your account identifier, email, name, username, role, account status, and identity verification status. If you enable protected-workflow replay, replay is limited to approved protected routes such as job management and country management. Authentication pages, privacy pages, user administration, PostHog administration, tokenized URLs, network bodies, network headers, sensitive form values, visible text, and element attributes are excluded or masked.