How we handle your data.
Last updated: [date]
1. Who's responsible
Axon is operated by [Gereon Viktor Seifert — Gewerbe, address]. For all privacy questions: [contact email]. See also the Impressum at /impressum.
2. What we collect
We hold the minimum data needed to run the service. Specifically:
- Account data: email, name, password (stored as a bcrypt hash, never plaintext).
- Verification timestamps: when you verified your email and when your last session was created.
- Plan data: the portfolio plans you build or import — bucket weights, example tickers, optional cash and total values.
- Profile snapshot: your onboarding answers (goal, time horizon, risk behaviour, tax residency, capital range, knowledge calibration).
- Position data: tickers, units, buy prices, current values for any positions you import or enter.
- Lesson progress: which lessons in the Learn course you've completed and your quiz scores.
- Session cookies: an httpOnly cookie with a random token, valid 30 days, used only to keep you signed in.
We do not collect: IP-based location, device fingerprints, your real-money broker credentials (we never ask), or any third-party tracking data.
3. Why we collect it (lawful basis)
- Performance of a contract (GDPR Art. 6(1)(b)): account data, plan data, position data, session cookies — without these, the service can't deliver what you signed up for.
- Consent (Art. 6(1)(a)): optional marketing emails (if any are ever sent).
- Legitimate interest (Art. 6(1)(f)): minimal security logging to detect abuse.
4. Who we share it with
Limited third parties, all processors under a data processing agreement (DPA):
- Anthropic / LangDock — synthesis and signal-engine LLM calls. Plan and position data are sent in the prompt when you request analysis. They retain prompts per their own retention policy.
- Email provider ([Resend / Postmark / SMTP host]) — for verification, magic-link, and password reset emails. They see your email address and the message contents.
- Hosting ([Vercel / Cloudflare / etc.]) — runs the application and database.
- Stripe (when paid tier launches) — payment processing. They see your payment method and email; we never see card numbers.
We never sell your data. We never share with advertisers. We never share with brokers, and there's no affiliate kickback in our recommendations.
5. How long we keep it
- Account data: until you delete your account, then immediately erased from the live database (copies in backups expire with the backup retention period below).
- Sessions: 30 days from last activity, then auto-expired.
- Verification tokens: auto-consumed; expired tokens are pruned.
- Backups: [backup retention period — depends on hosting].
- Aggregated, anonymous metrics: may be kept indefinitely (e.g. "X plans created last month" — no personal data).
6. Your rights
Under GDPR Articles 15-22, you can:
- Access (Art. 15) — request a copy of everything we hold. Download it as JSON from your account page.
- Rectify (Art. 16) — edit your profile via the onboarding redo flow or your plans directly.
- Erase (Art. 17) — delete your account immediately from /account. Cascades through every record.
- Restrict / object (Arts. 18, 21) — email us.
- Portability (Art. 20) — the JSON export is machine-readable.
- Lodge a complaint with your data protection authority (in Germany, private companies are supervised by the data protection authority of the federal state; the BfDI publishes the list of state authorities).
7. Cookies
Axon sets a single essential cookie: axon_session, used to keep you signed in. It's httpOnly (not accessible to JavaScript) and SameSite=Lax (not sent on cross-site requests, except top-level navigations such as clicking a link to Axon). No analytics, marketing, or third-party cookies.
8. International transfers
Servers are located in [EU region — TBD]. LangDock routes through EU infrastructure. If your data ever leaves the EU/EEA, we'll rely on Standard Contractual Clauses (SCCs) and update this section.
9. Children
Axon is not directed at children under 16 and we don't knowingly collect data from them. If you're a parent and believe your child has signed up, contact us and we'll delete the account.
10. Changes to this policy
We'll post material changes at least 14 days before they take effect. The "last updated" date at the top tracks the version.