Privacy Policy
Axiad Identity Risk Report
1. Introduction
Axiad IDS, Inc. ("Axiad," "we," "us," or "our") provides the Identity Risk Report (the "Tool" or "Service"), a web-based application that generates AI-powered identity risk assessments for organizations based on externally visible signals including credential exposure, email security posture, and certificate transparency data.
This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Tool. By accessing or using the Tool, you agree to this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
Work Email Address: When you request a report, you provide your work email address. We use this to send you a secure, time-limited magic link to access your report.
- Email addresses are used only for magic link delivery and report attribution
- We do not add your email to marketing lists unless you separately opt in
- Free email providers (Gmail, Yahoo, etc.) and disposable email services are blocked
Domain Names: The domain extracted from your work email (or specified by an internal link) is used to generate the identity risk report. Domain names are cached for up to 24 hours to improve performance.
2.2 Information Collected Automatically
When you use the Tool, we automatically collect the following information:
Technical Information:
- IP Address: Your Internet Protocol (IP) address, which may reveal your general geographic location
- Browser Information: Browser type and version, operating system, device type
- Usage Data: Pages viewed, features used, date and time of access
- Referrer URL: The website you came from before visiting our Tool
Report Data:
- Domains assessed and report results (risk grades, findings, financial impact estimates)
- Credential exposure data retrieved from third-party intelligence sources
- DNS security posture (DMARC, SPF, DKIM, MX, TLS configuration)
- Certificate transparency and subdomain discovery data
2.3 Analytics and Tracking Technologies
We use PostHog (product analytics) and Google Analytics (website analytics) to understand how the Tool is used.
When you first visit the Tool, a consent banner appears at the bottom of your screen. No client-side analytics tracking occurs until you click "Accept."
- If you click "Accept": Client-side analytics tracking begins immediately
- If you click "Decline": Client-side analytics are disabled and no tracking cookies are stored
- Your choice is saved in your browser's localStorage and remembered for future visits
- You can change your choice at any time (see Section 9.4)
Client-Side Analytics (ONLY if you click "Accept"):
- Page views and navigation paths
- Button clicks and interactions (email submission, report download, CTA clicks)
- Report generation events and outcomes
- Session duration and engagement metrics
Server-Side Analytics (collected for all users, regardless of consent):
- Your IP address (for rate limiting, abuse prevention, and operational security)
- Domains assessed and report generation metrics
- Error categories and system performance data
- Rate limiting events
Why these don't require consent: Server-side analytics are essential for preventing abuse, ensuring service availability, detecting security threats, and monitoring system performance. Legal basis: Legitimate interests (GDPR Article 6(1)(f)).
Where Data is Stored: PostHog is based in the United States (AWS). Google Analytics data is processed by Google LLC in the United States.
PostHog's Privacy Policy: posthog.com/privacy
Google's Privacy Policy: policies.google.com/privacy
3. How We Use Your Information
To Provide the Service
- Send magic link emails and verify authentication tokens
- Generate identity risk reports for your organization's domain
- Cache reports to improve performance for subsequent requests
- Rate limit excessive requests to ensure fair access
To Improve the Service
- Analyze usage patterns and identify popular features
- Identify and fix bugs and performance issues
- Measure report generation success rates and accuracy
- Optimize user experience across devices
To Ensure Security
- Detect and prevent abuse (injection attacks, enumeration)
- Monitor for unusual activity patterns
- Enforce rate limits and block malicious actors
- Investigate security incidents
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
| Processing Activity | Legal Basis | Consent Required? |
|---|---|---|
| Sending magic link emails and generating reports | Contract (GDPR Article 6(1)(b)) | No (service provision) |
| Client-side analytics (page views, clicks, events) | Consent (GDPR Article 6(1)(a)) | Yes — must click "Accept" |
| Server-side operational analytics (IP logging, error tracking) | Legitimate Interests (GDPR Article 6(1)(f)) | No (legitimate interest) |
| Compliance with legal obligations | Legal Obligation (GDPR Article 6(1)(c)) | No (legal requirement) |
6. International Data Transfers
Data Transfer to the United States
The Tool is operated from the United States. Your information is processed and stored on servers located in the United States. Our analytics providers (PostHog, Google) are also based in the United States.
For EEA, UK, and Swiss Users:
We transfer personal data based on the following safeguards:
- Standard Contractual Clauses (SCCs): European Commission-approved clauses for transfers to countries without an adequacy decision
- EU-U.S. Data Privacy Framework: For transfers to certified U.S. organizations
- UK Extension to EU SCCs: UK International Data Transfer Agreement or UK Addendum
- Swiss-U.S. Data Privacy Framework: For transfers from Switzerland
You may request a copy of the safeguards we use by contacting us at privacy@axiad.com.
7. Data Retention
| Data Type | Retention Period | Notes |
|---|---|---|
| Report cache (by domain) | 24 hours | Automatically deleted |
| JWT authentication tokens | 24 hours (self-service) / 7 days (internal) | Stateless; expire automatically |
| Email addresses | Not stored server-side after link delivery | Embedded in JWT only |
| Analytics data (PostHog) | 90 days | Can request earlier deletion |
| Analytics data (Google Analytics) | 14 months | Google default retention |
| Application logs | 30 days | For debugging/security |
| Access logs | 90 days | For security/abuse detection |
8. Data Security
We implement reasonable and appropriate technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, and destruction.
Technical Safeguards
- Encryption in transit (TLS 1.3)
- Encryption at rest
- HMAC-SHA256 signed authentication tokens
- Rate limiting and input validation
- Content Security Policy (CSP) headers
Organizational Safeguards
- Limited access on need-to-know basis
- Confidentiality agreements
- Security training
- Incident response plan
Security Limitations: While we implement strong security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.
Data Breach Notification: In the event of a data breach, we will notify affected individuals within 72 hours of becoming aware of the breach (as required by GDPR).
To report a security vulnerability: security@axiad.com
9. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information.
9.1 Rights for EEA, UK, and Swiss Users (GDPR)
9.2 Rights for California Residents (CCPA/CPRA)
- Right to Know: Request disclosure of personal information collected
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out: We do not sell or share your personal information
- Right to Non-Discrimination: No discriminatory treatment for exercising rights
9.3 How to Exercise Your Rights
To exercise any of the rights described above, contact us at:
- Email: privacy@axiad.com
- Response Time: Within 1 month (GDPR) or 45 days (CCPA)
- No Fee: We will not charge a fee unless the request is manifestly unfounded or excessive
9.4 Managing Your Analytics Preferences
How Consent Works
When you first visit the Tool, a consent banner appears at the bottom of your screen asking you to choose:
- "Accept": Enables client-side analytics tracking (page views, clicks, interactions)
- "Decline": Disables client-side analytics tracking; no tracking cookies are stored
Your choice is binding:
- Tracking does NOT start automatically
- We only collect client-side analytics data after you explicitly click "Accept"
- Your preference is saved in your browser's localStorage
- The banner will not appear again unless you clear your browser data
To Change Your Consent Choice:
- Clear your browser's localStorage:
  - Chrome/Edge: DevTools → Application → Local Storage → Delete analytics_consent
  - Firefox: DevTools → Storage → Local Storage → Delete analytics_consent
  - Safari: DevTools → Storage → Local Storage → Delete analytics_consent
- Refresh the page: The consent banner will reappear
- Make a new choice: Click "Accept" or "Decline"
Alternative method: Clear all browsing data for this site in your browser settings.
Server-Side Analytics
Server-side operational analytics (IP addresses, domains assessed, report metrics, error logs) are collected for all users regardless of your consent choice. These are necessary for:
- Preventing abuse and denial-of-service attacks
- Ensuring service availability and performance
- Detecting and responding to security threats
- Monitoring system health and error rates
If you object to this processing, you may contact us at privacy@axiad.com. We will assess your objection under GDPR Article 21.
10. Children's Privacy
The Tool is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us at privacy@axiad.com and we will promptly delete it.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Post the revised Privacy Policy on this page
- For significant changes, display a notice on the Tool
Your continued use of the Tool after any changes indicates your acceptance of the updated Privacy Policy.
12. Contact Information
Axiad IDS, Inc.
- Privacy Inquiries: privacy@axiad.com
- Security Reports: security@axiad.com
- Website: www.axiad.com
If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority (DPA).