Privacy Policy

Axzura ("we", "our", or "us") operates axzura.io, a GRC and compliance platform for software teams. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

By using Axzura, you agree to the collection and use of information in accordance with this policy.

Account Information:

• •Name and email address
• •Company name (optional)
• •Password (hashed, never stored in plain text)

Usage Data:

• •Compliance scan results and scores
• •Findings and remediation history
• •Integration connection status
• •Feature usage and activity logs

Integration Data (when connected):

• •GitHub: repository metadata, file structure, CI/CD config — we never store your source code permanently
• •AWS: resource configurations, IAM policies, CloudTrail events — read-only by default
• •OAuth tokens are encrypted at rest using AES-256

Technical Data:

• •IP address and browser type
• •Pages visited and time spent
• •Error logs and performance data

• •To provide, operate, and improve the Axzura platform
• •To run compliance scans and generate reports
• •To send transactional emails (scan results, critical alerts)
• •To process payments via Lemon Squeezy
• •To respond to support requests
• •To comply with legal obligations
• •To detect and prevent fraud or abuse

• •Data is stored on Supabase, hosted on AWS infrastructure
• •All data is encrypted in transit using TLS 1.3
• •All data is encrypted at rest using AES-256
• •OAuth tokens are encrypted before storage
• •We conduct regular security reviews
• •Access to production data is strictly limited

If you are located in the European Union, you have the following rights regarding your personal data:

• •Right to access — request a copy of your data
• •Right to rectification — correct inaccurate data
• •Right to erasure — request deletion of your data
• •Right to portability — receive your data in a portable format
• •Right to object — object to certain processing activities
• •Right to restrict processing — limit how we use your data

To exercise any of these rights, contact us at privacy@axzura.io

• •Account data: retained while your account is active
• •Scan results: retained for 12 months
• •Audit logs: retained for 24 months
• •Deleted accounts: all data removed within 30 days
• •You can request immediate deletion by contacting us

We use the following third-party services to operate Axzura:

• •Supabase — database and authentication (AWS-hosted)
• •Lemon Squeezy — payment processing (we never store card details)
• •OpenAI — AI-powered compliance analysis (your data is not used for model training)
• •GitHub — optional integration for repository scanning
• •AWS — optional integration for cloud infrastructure scanning

• •We use essential cookies only — required for authentication and security
• •We do not use advertising or tracking cookies
• •We do not sell your data to advertisers
• •You can disable cookies in your browser, but this may affect functionality

Axzura is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice on our website at least 30 days before the change takes effect.

For privacy-related questions or to exercise your rights, contact us at: