Privacy Policy

Last updated: October 8, 2025

Your Privacy Matters: This policy explains how we collect, use, and protect your personal information in compliance with GDPR and UK data protection laws.

1. Introduction and Scope

This Privacy Policy ("Policy") describes how AffixIO ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our API connector and compliance verification services (the "Service").

We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other applicable data protection laws. This Policy applies to all users of our Service, including website visitors, registered users, and subscribers.

By using our Service, you consent to the collection and use of your information in accordance with this Policy. If you do not agree with any part of this Policy, please do not use our Service.

2. Information We Collect

2.1 Personal Information You Provide

When you create an account or use our Service, we collect:

  • Account Information: Username, email address, and encrypted password
  • Profile Information: Any additional information you choose to provide in your profile
  • Communication Data: Messages, support tickets, and feedback you send to us
  • Subscription Information: Billing details, payment preferences, and subscription history

2.2 API and Service Data

When you use our API connector service, we process:

  • API Requests: URLs, headers, and payloads (all encrypted with JWT and Bitcoin-style SHA256 hashing)
  • Response Data: API responses and status codes (temporarily processed and immediately deleted)
  • Configuration Data: API keys, endpoints, and connector settings (encrypted at rest)
  • Compliance Data: Verification results, audit logs, and compliance reports

2.3 Technical and Usage Information

We automatically collect technical information to provide and improve our Service:

  • Device Information: IP addresses, browser type, operating system, and device identifiers
  • Usage Analytics: Pages visited, features used, session duration, and performance metrics
  • Log Data: Server logs, error reports, and system performance data
  • Security Data: Login attempts, suspicious activities, and security events

2.4 Cookies and Similar Technologies

We use essential cookies and similar technologies for:

  • Authentication: Maintaining your login session and security
  • Security: Preventing fraud, detecting suspicious activities, and protecting against attacks
  • Functionality: Remembering your preferences and providing personalized features
  • Performance: Monitoring service performance and optimizing user experience

3. How We Use Your Information

3.1 Service Provision

We use your information to:

  • Provide, maintain, and improve our API connector and compliance services
  • Process your API requests and generate compliance reports
  • Authenticate your identity and secure your account
  • Provide customer support and respond to your inquiries
  • Send important service notifications and updates

3.2 Billing and Payment Processing

For subscription management, we:

  • Process payments through our secure payment processor (Stripe)
  • Manage your subscription and billing information
  • Generate invoices and maintain financial records
  • Handle payment disputes and refund requests (where applicable)

3.3 Compliance and Legal Obligations

We process your data to comply with:

  • Online Safety Act requirements for digital identity verification
  • GDPR and UK Data Protection Act obligations
  • DWP (Department for Work and Pensions) compliance requirements
  • Legal and regulatory requirements in the UK and EU
  • Court orders, legal processes, and law enforcement requests

3.4 Service Improvement and Analytics

We analyze aggregated, anonymized data to:

  • Improve our service performance and reliability
  • Develop new features and enhance existing functionality
  • Monitor service usage patterns and optimize resource allocation
  • Conduct security research and threat analysis

4. Data Security and Protection

Our Security Commitment

We implement industry-leading security measures to protect your data, including end-to-end encryption, regular security audits, and compliance with international security standards.

4.1 Encryption and Cryptographic Protection

We employ multiple layers of encryption:

  • JWT Encryption: All PII data is encrypted using JSON Web Tokens with Bitcoin-style SHA256 hashing
  • Transport Encryption: All data transmission is protected with TLS 1.3 and HTTPS
  • Storage Encryption: Data at rest is encrypted using AES-256 encryption
  • API Key Protection: API keys are encrypted using advanced cryptographic protocols

4.2 Infrastructure Security

Our security infrastructure includes:

  • Secure data centers with 24/7 physical security monitoring
  • Network segmentation and firewalls to prevent unauthorized access
  • Regular security audits and penetration testing by third-party experts
  • Compliance with ISO 27001, SOC 2 Type II, and other industry standards
  • Automated threat detection and incident response systems

4.3 Access Controls and Monitoring

We maintain strict access controls:

  • Role-based access controls following the principle of least privilege
  • Multi-factor authentication for all administrative access
  • Comprehensive audit logging of all data access and modifications
  • Regular access reviews and permission audits
  • Employee background checks and security training

5. Data Sharing and Third-Party Services

Our Commitment to Your Privacy

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We only share your data as described in this Policy.

5.1 Service Providers and Partners

We may share your information with trusted third-party service providers who assist us in:

  • Payment Processing: Stripe (subject to their privacy policy) for secure payment processing
  • Cloud Infrastructure: AWS, Google Cloud, or similar providers for hosting and storage
  • Security Services: Security monitoring, threat detection, and incident response services
  • Analytics: Service performance monitoring and usage analytics (anonymized data only)
  • Customer Support: Help desk and customer communication tools

5.2 Legal and Regulatory Requirements

We may disclose your information when required by law or to:

  • Comply with court orders, subpoenas, or legal processes
  • Respond to law enforcement requests or government investigations
  • Protect our rights, property, or safety, or that of our users
  • Enforce our Terms of Service or other agreements
  • Prevent fraud, security threats, or illegal activities

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to the same privacy protections outlined in this Policy.

6. Your Rights Under GDPR and UK Data Protection Law

Your Data Protection Rights

Under GDPR and UK data protection law, you have comprehensive rights over your personal data. We are committed to helping you exercise these rights.

6.1 Right of Access

You have the right to request a copy of all personal data we hold about you, including:

  • Categories of personal data we process
  • Purposes of processing and legal basis
  • Recipients of your data (if any)
  • Retention periods and your rights

6.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification of your identity.

6.3 Right to Erasure ("Right to be Forgotten")

You may request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • The data has been unlawfully processed
  • Deletion is required to comply with legal obligations

6.4 Right to Restrict Processing

You can request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

6.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.

6.6 Right to Object

You can object to the processing of your personal data for direct marketing purposes or when processing is based on legitimate interests.

6.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time. This will not affect the lawfulness of processing before withdrawal.

7. Data Retention and Deletion

7.1 Retention Periods

We retain your data only as long as necessary for the purposes outlined in this Policy:

  • Account Data: Until account deletion or 3 years of inactivity
  • API Logs: 12 months for security monitoring and compliance
  • Billing Records: 7 years for tax and legal compliance (UK requirement)
  • Encrypted API Data: Deleted immediately after processing (no permanent storage)
  • Security Logs: 2 years for threat analysis and incident response
  • Support Communications: 3 years for service improvement and dispute resolution

7.2 Secure Deletion

When data is deleted, we use secure deletion methods that make recovery impossible, including:

  • Cryptographic erasure of encryption keys
  • Multiple overwrites of storage media
  • Physical destruction of storage devices when necessary
  • Verification of deletion through audit processes

8. International Data Transfers

Your data is primarily processed within the UK and EU. When transfers to third countries are necessary, we ensure adequate protection through:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs) approved by the EU
  • Binding Corporate Rules for multinational service providers
  • Certification schemes and codes of conduct

9. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information promptly.

10. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Inform affected individuals without undue delay
  • Provide clear information about the nature of the breach
  • Explain the measures taken to address the breach
  • Offer guidance on steps you can take to protect yourself

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the updated Policy on our website
  • Sending you an email notification (if you have an account)
  • Displaying a prominent notice on our Service
  • Providing at least 30 days' notice for material changes

12. Contact Information and Data Protection Officer

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: hello@affix-io.com
Website: https://www.affix-io.com
Response Time: We aim to respond to all privacy-related inquiries within 30 days as required by GDPR
Data Protection Officer: Available through hello@affix-io.com

12.1 Supervisory Authority

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the UK's Information Commissioner's Office (ICO) or your local data protection authority.

Note: This Privacy Policy was last updated on October 8, 2025. We recommend reviewing this policy periodically to stay informed about how we protect your privacy.