Privacy Policy
How we collect, use, and protect your information.
Effective: February 16, 2026 · Updated: February 21, 2026 · Version 2.0
Scope: This policy covers freezealert.app (the web application and API) and axiron.group (the company website). Both are operated by Axiron, Corp., a Delaware C Corporation. References to "Site" below apply to both domains unless otherwise noted.
Axiron, Corp. ("Company," "we," "us," or "our") operates FreezeAlert — a B2B SaaS early-warning platform for payment provider risk monitoring (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access freezealert.app or axiron.group (collectively, the "Site") or use the Service. By accessing the Site or using the Service, you agree to this Privacy Policy and our Terms of Service.
Definitions
| Term | Definition |
|---|---|
| "Site" | freezealert.app (product) and axiron.group (company website) operated by Axiron, Corp. |
| "Service" | FreezeAlert risk monitoring, alerting, scoring, and workflow automation platform |
| "You" / "User" / "Customer" | Any individual or legal entity accessing or using the Site or Service |
| "Personal Information" | Any information that identifies or could reasonably identify a natural person |
| "Non-Personal Information" | Aggregated, anonymized, or otherwise non-identifying data |
| "Controller" | The entity that determines the purposes and means of processing Personal Information |
| "Processor" | The entity that processes Personal Information on behalf of a Controller |
| "Sub-processor" | A third party engaged by Axiron to assist in processing Personal Information |
| "PSP" | Payment Service Provider (e.g., Stripe, Braintree, PayPal) |
| "SPI" | Sensitive Personal Information as defined under applicable law |
| "DPA" | Data Processing Addendum |
| "EEA" | European Economic Area |
I. Our Role: Controller and Processor
FreezeAlert operates in two distinct capacities depending on the context of data processing:
When Axiron is a Data Controller: We determine the purposes and means of processing when we handle your account registration data, billing information, marketing communications, product analytics, and customer support records. In this capacity, we are the Controller of your Personal Information.
When Axiron is a Data Processor: When you connect your PSP accounts (e.g., Stripe) and we process transaction metadata, account signals, and risk indicators on your behalf to provide the Service, we act as a Processor of that data. You, as our Customer, remain the Controller of your end-user and business data.
Data Processing Addendum (DPA): For customers who require a DPA (e.g., to comply with GDPR Article 28), we provide one upon request. Contact [email protected] to request a signed DPA. Our DPA incorporates Standard Contractual Clauses (SCCs) and our current Subprocessor List.
II. Information We Collect
1. Information Collected Automatically via Technology
When you visit the Site or use the Service, we automatically collect:
- Browser type, version, and device/operating system information
- IP address and approximate geographic location (country/region level)
- Pages visited, time spent, referring URLs, and navigation paths
- Session identifiers and interaction events (clicks, feature engagement)
- Performance diagnostics and application error logs
- Cookie identifiers and consent preferences (see Section III)
2. Information You Provide
To register for and use the Service, you provide Personal Information including:
- Full name and business email address
- Company name, role/title, and team size
- Billing information — processed by Paddle.com Market Limited ("Paddle"), our Merchant of Record, under their own PCI-DSS compliance; we do not store raw payment card data
- PSP credentials or restricted-scope API keys you voluntarily connect to our platform (see Section V for how these are handled)
- Alert preferences and notification channel configurations (Telegram, Slack, Discord, email, SMS, webhook endpoints)
- Support communications, feedback, and survey responses
3. Information from Third-Party Integrations
When you authorize a PSP connection (e.g., Stripe), we receive:
- Transaction volume and frequency metadata
- Account status and restriction signals
- Risk indicators returned by the PSP's API within the scope of your authorization
We do not access, store, or process end-customer payment card numbers, CVVs, or full bank account details.
4. Sensitive Personal Information (SPI)
We do not intentionally collect SPI categories such as racial or ethnic origin, religious beliefs, health data, biometric data, or government ID numbers. If any SPI is incidentally submitted via support communications or free-text fields, we delete it upon discovery. PSP API credentials are treated as sensitive and subject to the enhanced security controls described in Section V.
5. Children's Privacy
The Site and Service are directed exclusively to business users aged 18 and older. We do not knowingly collect Personal Information from individuals under 18. If we discover that a minor has provided Personal Information, we will delete it promptly and terminate any associated account.
III. Cookies and Tracking Technologies
Cookie Classification
We use cookies and similar tracking technologies on the Site. The following table describes each category, its purpose, and its default retention period:
| Category | Purpose | Examples | Retention | Consent Required? |
|---|---|---|---|---|
| Strictly Necessary | Authentication, session management, security (CSRF), load balancing | Session token, CSRF token | Session | No — essential to Site function |
| Functional | Remember preferences (language, timezone, notification settings) | Preference cookies | 12 months | No — enhances usability |
| Analytics | Measure usage, diagnose errors, understand feature adoption (aggregated, not sold) | PostHog, Sentry session ID | 24 months | Yes — opt-in (EEA/UK) |
| Marketing | Track campaign attribution, measure ad performance | UTM cookies, referral tokens | 90 days | Yes — opt-in (EEA/UK) |
Cookie Consent (EEA / UK)
If you access the Site from the EEA or UK, we obtain your explicit opt-in consent before setting analytics or marketing cookies, in compliance with the ePrivacy Directive and UK PECR. A cookie consent banner is displayed on first visit, offering granular controls by category. You may update your preferences at any time via Cookie Preferences in the Site footer.
Do Not Track / Global Privacy Control (GPC)
We recognize and respect Global Privacy Control (GPC) signals as a valid opt-out of data sharing for cross-context behavioral advertising, in compliance with CCPA/CPRA for California residents. If your browser sends a GPC signal, we will treat it as a request to opt out of any data "sharing" as defined under CPRA. We do not currently alter our practices based on generic "Do Not Track" (DNT) browser signals, as no universal DNT standard exists; however, we honor GPC as described above.
IV. How We Use Your Information
Purpose and Legal Basis Table (GDPR Art. 13/14)
| Purpose | Data Used | Legal Basis (GDPR) | CCPA Business Purpose |
|---|---|---|---|
| Service delivery — risk monitoring, alerting, scoring, workflows | Account data, PSP signals, API keys | Contract performance (Art. 6(1)(b)) | Performing services |
| Account creation and management | Name, email, company, billing | Contract performance (Art. 6(1)(b)) | Performing services |
| Billing and payment processing | Email, billing info (via Paddle) | Contract performance (Art. 6(1)(b)) | Performing services |
| Transactional alerts and system notifications | Email, Slack/Telegram/webhook config | Contract performance (Art. 6(1)(b)) | Performing services |
| Product analytics — activation, retention, feature adoption | Usage events, session data | Legitimate interests (Art. 6(1)(f)) | Internal research / improving services |
| Security, fraud prevention, abuse detection | IP, session identifiers, logs | Legitimate interests (Art. 6(1)(f)) | Security |
| Legal compliance | Any relevant data | Legal obligation (Art. 6(1)(c)) | Legal obligation |
| Customer support | Name, email, communications | Contract performance + Legitimate interests | Performing services |
| Marketing communications | Email, usage signals | Consent (Art. 6(1)(a)) | Marketing — opt-in only |
| Business analytics and service improvement | Aggregated, anonymized data | Legitimate interests (Art. 6(1)(f)) | Internal research |
We do not sell, rent, or trade Personal Information to third parties for their independent marketing purposes.
V. PSP Credentials and API Key Security
Because FreezeAlert handles PSP API keys and credentials on your behalf, we apply enhanced controls beyond our standard security baseline:
- Encryption at rest: All API keys and credentials are encrypted at rest using AES-256 with key management via a dedicated secrets manager (e.g., AWS Secrets Manager or equivalent). Plaintext credentials are never written to logs or databases.
- Encryption in transit: All credential transmission occurs over TLS 1.3.
- Access control (RBAC): API keys are accessible only to the specific service processes that require them. No human employee has access to plaintext credentials in production without a documented, auditable break-glass procedure.
- Minimal scope: We request and store only the minimum-privilege API key scopes needed to retrieve risk signals (read-only where supported by the PSP).
- OAuth: Where the PSP supports OAuth 2.0 authorization flows (e.g., Stripe Connect), we prefer OAuth over raw API key storage.
- Rotation: We recommend and support periodic key rotation. If you revoke or rotate a key, you can update it in your FreezeAlert account settings immediately.
- Audit logs: All programmatic accesses to credential stores are logged and retained for 90 days.
Security Contact: To report a security vulnerability or concern, contact [email protected]. We acknowledge reports within 48 hours and aim to provide a remediation timeline within 5 business days. We follow a responsible disclosure model and will not take legal action against good-faith security researchers.
VI. How We Share Information
We share Personal Information only as described below. We maintain a current Subprocessor List at freezealert.app/legal/subprocessors.
Sub-processors
| Vendor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | DNS, DDoS protection, edge security, CDN | USA / Global |
| Sentry (Functional Software) | Error monitoring and diagnostics | USA |
| Resend, Inc. | Transactional email delivery | USA |
We will provide 30 days' advance notice of any material addition or replacement of sub-processors via email and the Subprocessor List page. You may object to a new sub-processor by contacting [email protected].
Legal Requirements
We may disclose Personal Information if required by law, court order, subpoena, or regulatory authority, or if we have a good-faith belief that disclosure is necessary to: (a) comply with a legal obligation; (b) protect the rights, property, or safety of Axiron, Corp., our customers, or the public; or (c) detect or prevent fraud.
Business Transfers
In the event of a merger, acquisition, financing, or asset sale, Personal Information may be transferred as part of the transaction. We will provide notice via email and on the Site at least 30 days before any such transfer, and will describe any choices available to you.
Aggregated and De-identified Data
We may share aggregated, de-identified data (e.g., industry-level PSP restriction trends) that cannot reasonably be used to identify any individual, with partners or publicly for research and marketing purposes.
VII. How We Protect Your Information
We maintain an information security program that includes:
- Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls (RBAC) with least-privilege enforcement
- Secure credential storage with secrets management (no plaintext credentials in code or logs)
- Automated dependency vulnerability scanning and patching
- Regular internal security reviews
- Incident response plan with defined roles, escalation paths, and communication timelines
- Data breach notification: in the event of a breach affecting your Personal Information, we will notify affected users within 72 hours of discovery (as required under GDPR) or as required by applicable law, and no later than 30 days in all cases
No method of transmission or storage is 100% secure. You are responsible for protecting your account credentials. Report suspected unauthorized access immediately to [email protected].
VIII. Automated Decision-Making and Risk Scoring
FreezeAlert's core feature is a risk scoring engine that analyzes PSP signals and produces a risk score and early-warning alerts for your account.
- Nature of processing: Risk scoring is performed algorithmically using rule-based heuristics and statistical signal analysis applied to PSP account metadata you have connected.
- Output is informational: Risk scores and alerts are provided to you as informational outputs to support your own business decisions. FreezeAlert does not make automated decisions that produce legal or similarly significant effects on your business or on your end-customers. You retain full decision-making authority over how to act on any alert or score.
- No profiling of end-customers: We process signals at the account/merchant level. We do not profile or score your end-customers.
- Human in the loop: All significant product scoring logic changes are reviewed by human engineers before deployment. There is no fully autonomous AI system making binding determinations.
- Right to explanation: If you have questions about why a particular score or alert was generated, you may contact [email protected] and we will provide a plain-language explanation of the primary contributing signals.
IX. Your Rights and Choices
We honor the following rights for all users regardless of jurisdiction, to the extent operationally feasible. Requests may be submitted to [email protected].
| Right | Description | Response Time |
|---|---|---|
| Access | Receive a copy of Personal Information we hold about you | 30 days |
| Rectification | Correct inaccurate or incomplete information | 30 days |
| Erasure | Request deletion of your Personal Information (subject to legal retention) | 30 days |
| Portability | Receive your data in a structured, machine-readable format (JSON/CSV) | 30 days |
| Restriction | Request that we limit processing of your data | 30 days |
| Objection | Object to processing based on legitimate interests | 30 days |
| Withdraw Consent | Withdraw consent at any time (does not affect prior lawful processing) | Immediate |
| Opt-Out of Marketing | Unsubscribe via any email footer or by contacting us | Immediate |
| Cookie Controls | Update preferences via Cookie Preferences in the Site footer | Immediate |
We may need to verify your identity before processing a request. We will not discriminate against you for exercising any of these rights.
Account Deletion: To close your account and request deletion of your Personal Information, navigate to Account Settings → Delete Account, or contact [email protected]. Upon closure, we will delete or anonymize your Personal Information within 30 days, except where retention is required by law (see Section X).
X. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account profile data | Active subscription + 12 months post-closure | Contract, legitimate interests |
| Billing and transaction records | 7 years from transaction date | Legal obligation (financial regulations) |
| Risk signal and alert logs | Per-plan setting (default: 24 months); configurable in settings | Contract |
| PSP API credentials | Deleted within 7 days of account closure or revocation | Security best practice |
| Support communications | 3 years from last interaction | Legitimate interests |
| Security and access logs | 90 days | Security operations |
| Marketing consent records | Duration of consent + 3 years | Legal obligation (ePrivacy, CCPA) |
| Anonymized analytics data | Indefinite | Legitimate interests (no personal data) |
| Backup copies | Purged within 90 days following live data deletion | Security / technical operations |
XI. International Data Transfers
Axiron, Corp. is incorporated in Delaware, USA. Our primary infrastructure resides in the United States. When we transfer Personal Information from the EEA, UK, or Switzerland to the USA or other third countries, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We execute the EU Commission's approved SCCs (2021) with applicable sub-processors and, where required, customers.
- Supplementary Measures: In addition to SCCs, we apply technical and organizational supplementary measures including end-to-end encryption in transit and at rest, strict access controls, and pseudonymization of analytics data where feasible.
- Transfer Risk Assessments: We conduct or obtain Transfer Impact Assessments (TIAs) for transfers to high-risk third countries where required by our legal assessment.
- UK IDTA: For transfers from the United Kingdom, we use the UK International Data Transfer Addendum (IDTA) to the EU SCCs.
If you require our SCC package or a TIA summary for your own compliance records, contact [email protected].
XII. EEA and UK Residents — GDPR / UK GDPR
In addition to the rights described in Section IX, EEA and UK residents have the right to lodge a complaint with their local supervisory authority.
EU Supervisory Authority directory: edpb.europa.eu/about-edpb/about-edpb/members_en
UK Supervisory Authority (ICO): ico.org.uk
EU / UK Representative: As of the Effective Date of this policy, Axiron, Corp. is a startup primarily serving business customers and is assessing its obligation to appoint a formal EU/UK representative under GDPR Art. 27 / UK GDPR Art. 27. If we determine that appointment is required based on the scale and nature of our EEA/UK processing, we will update this section with the representative's name and contact address and notify affected users. In the interim, EEA and UK privacy inquiries should be directed to [email protected].
XIII. California Privacy Rights (CCPA / CPRA)
California residents have the rights described in Section IX and the following additional CCPA/CPRA-specific rights.
CCPA Data Categories Table
| Category | Data Collected | Source | Business Purpose | Disclosed To | Retention |
|---|---|---|---|---|---|
| Identifiers | Name, email, IP address, account ID | You / automatically | Service delivery, security | Sub-processors (infra, email) | Per Section X |
| Commercial information | Subscription plan, billing history | You / Paddle | Billing, account management | Paddle (Merchant of Record) | 7 years |
| Internet/electronic activity | Usage events, page views, session data | Automatically | Product analytics, security | Analytics sub-processors | 24 months |
| Professional/employment info | Company name, role, team size | You | Service configuration | None | Per Section X |
| Inferences | Risk score derived from PSP signals | Derived by Service | Service delivery (informational only) | Not shared externally | 24 months |
| Sensitive PI (financial credentials) | PSP API keys (restricted scope) | You | Service delivery | Secrets manager only | Deleted on closure |
Sale or Sharing of Personal Information: We do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising as defined under CPRA. No opt-out mechanism for sale/sharing is required; however, we provide one as a best practice at freezealert.app/legal/privacy-choices.
Sensitive Personal Information: We collect PSP API credentials, which may constitute Sensitive Personal Information under CPRA. We use this data solely to provide the Service and apply the enhanced security controls described in Section V. We do not use SPI for inferring characteristics unrelated to the Service. California residents may request limitation of SPI use at [email protected].
Submitting a CCPA/CPRA Request: Contact us at [email protected] or (302) 469-1145. We will respond within 45 days (extendable by an additional 45 days with notice). We will not discriminate against you for exercising CCPA/CPRA rights.
XIV. Links to Third-Party Services
The Service integrates with and may link to third-party platforms (e.g., Stripe, Slack, Telegram, Discord). Each third party operates under its own privacy policy and data practices. We are not responsible for the privacy or security practices of third parties. We encourage you to review their privacy policies before authorizing integrations or sharing Personal Information with them.
XV. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. For material changes, we will:
- Send an email notification to the primary address on your account
- Post a prominent banner on the Site
- Provide at least 14 days' notice before the changes take effect
For non-material changes (e.g., formatting, typographical corrections, contact updates), we will update the "Last Updated" date at the top of this policy without individual notification.
Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated policy. We maintain an archive of previous policy versions at freezealert.app/legal/privacy-archive.
XVI. Contact Us
| Contact | Details |
|---|---|
| Product / Privacy Inquiries | [email protected] |
| Security Vulnerabilities | [email protected] |
| General / Support | [email protected] |
| Phone | (302) 469-1145 |
| Legal Name | Axiron, Corp. |
| Registered Agent | Legalinc Corporate Services Inc., 131 Continental Dr Suite 305, Newark, DE 19713, USA |
| Company Website | axiron.group |
| Product | freezealert.app |
© 2026 Axiron, Corp. All rights reserved. FreezeAlert is a product of Axiron, Corp., a Delaware C Corporation incorporated February 16, 2026. This Privacy Policy does not constitute legal advice. Axiron, Corp. recommends that all customers consult qualified legal counsel for jurisdiction-specific compliance advice.