This Privacy Policy explains how Axidus LLC (“Axidus”, “we”, “us”) collects, uses, shares, and safeguards information when you use axidus.io and any product or service we offer (together, the “Services”). It also explains your rights and choices regarding that information.
If you do not agree with this Policy, please do not use the Services.
1. Who we are
Axidus LLC is a software company registered in the State of New Jersey, United States. We build creative utilities for designers, developers, and game developers. You can reach us at legal@axidus.io.
2. Information we collect
Information you provide
- Account information. When you create an Axidus account, we collect your email address, a hashed password, and an optional display name.
- Content you create. Hexcalibur and other Axidus apps store the art, packs, palettes, and project files you make. On free tiers this stays in your browser. If you subscribe to a plan with cloud sync (such as Hexcalibur Pro), your packs are uploaded to our cloud file storage (Supabase) so they are backed up and available across your devices. Our staff can access synced content as needed to operate, back up, secure, and support the Services. We never sell it, and we do not use it to train machine-learning models.
- Communications. If you contact support, respond to a survey, or sign up for our launch list, we keep your message and any details you choose to share. When you submit an in-app bug report, you can choose to include technical diagnostics - your browser and device information (such as browser version, screen size, and graphics hardware) and basic context about the project you are working on (such as canvas size and layer count) - to help us reproduce and fix the issue. No artwork or file contents are included, and you can opt out of attaching these details before sending.
Information collected automatically
- Authentication and session data. Cookies set by Supabase (our auth provider) keep you signed in. These are essential to operating the Services.
- Theme preference. A small `localStorage` value records your light or dark mode choice. It never leaves your browser.
- Usage and device information. We use Google Analytics 4 to collect anonymized usage data including pages viewed, referring URL, approximate location (country and region), browser type, and device class. GA4 does not store your IP address, we have not enabled Google Signals or advertising features, and we do not allow GA data to be used for advertising.
- Server logs. Our hosting provider (Vercel) records standard request logs (IP address, user agent, timestamp, path) for short periods, used for security and debugging.
- Security and abuse prevention. To protect sign-in, sign-up, and password-reset endpoints from credential-stuffing and email-flooding, we process your IP address through our rate-limiting provider (Upstash) as short-lived counters. These expire automatically and are not used to build a profile of you. Our contact form is additionally protected by Cloudflare Turnstile, a privacy-friendly bot check that does not set tracking cookies.
- Error and performance monitoring. When something breaks, our monitoring provider (Sentry) records diagnostic context - stack traces, the URL, and browser / device type - so we can fix it. We disable personal-data capture and session replay, so these reports do not include your IP address or the contents of forms you fill in.
Information from third parties
- Sign-in with Google. If you choose to sign in with Google, Google shares your email address, name, and profile picture with us (through our auth provider Supabase) to create or access your account. Your use of Google sign-in is also subject to Google's privacy policy.
- Billing information. When you purchase a subscription, our payment processor Polar (Polar.sh) collects and processes your payment details. Polar shares back with us a customer identifier, your billing email, subscription status, plan, currency, amount, and renewal or cancellation events. We never see, store, or have access to your full card number, CVC, or bank credentials.
3. How we use information
We use the information described above to:
- Provide, operate, and maintain the Services
- Authenticate you and protect your account
- Process payments and manage subscriptions through Polar
- Send transactional emails (sign-up confirmation, password reset, billing receipts) via our email delivery provider Resend
- Respond to your support requests and inquiries
- Understand how the Services are used so we can improve them
- Detect, prevent, and respond to fraud, abuse, and security incidents
- Comply with legal obligations
We do not sell your personal information. We do not use your information to train machine-learning models. We do not show third-party advertising on the Services.
4. Legal bases (EEA / UK users)
If you are in the European Economic Area or the United Kingdom, we process your information under one or more of these legal bases:
- Performance of a contract (operating your account, providing paid features)
- Legitimate interests (improving the product, securing the Services, communicating with users), provided those interests are not overridden by your rights
- Consent (where required, such as for non-essential analytics cookies)
- Compliance with legal obligations
You can withdraw consent at any time without affecting the lawfulness of prior processing.
5. How we share information
We share information only with the third-party service providers (sub-processors) listed below, under contract to process it on our behalf, and where required by law.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database hosting, authentication, session storage, and file storage for synced packs and avatars | United States |
| Polar | Subscription billing, payment processing, merchant of record | United States / EU |
| Resend | Transactional email delivery (sign-up, password reset, receipts) | United States |
| Vercel | Web hosting, edge network, request logs | United States / global edge |
| Sentry | Error and performance monitoring (personal-data capture and session replay disabled) | United States |
| Upstash | Rate limiting for auth endpoints (transient IP-based throttling to prevent abuse) | United States |
| Cloudflare | Bot and abuse protection on the contact form (Turnstile; no tracking cookies) | Global |
| Google (Sign-in with Google) | OAuth authentication when you choose to sign in with Google | United States / global |
| Google Analytics 4 | Aggregate, anonymized website analytics | Global |
We may also share information:
- With law enforcement, regulators, or other parties when required by valid legal process
- In connection with a merger, acquisition, financing, or sale of assets, where personal information is one of the assets transferred (we will notify you of any such change)
- With your explicit consent
Polar acts as our Merchant of Record. That means Polar is the legal seller for your purchase, owns the customer relationship for tax and compliance purposes, and is a separate data controller for the billing data it collects directly. Polar's privacy policy is available at polar.sh/legal/privacy.
6. International data transfers
Most of our sub-processors are located in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States and other countries that may have different data-protection laws than your own. Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
7. Data retention
We keep your information for as long as your account is active and as long as needed to provide the Services. Specifically:
- Account data: retained until you delete your account, then permanently removed within 30 days, except where we must retain records to comply with legal obligations or resolve disputes
- Billing records: retained as required by tax and accounting law (typically 7 years)
- Server logs: typically retained 30 days
- Support communications: retained for up to 2 years from last contact
8. Your privacy rights
Subject to your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your information (the “right to be forgotten”)
- Export your information in a portable format
- Restrict or object to certain processing
- Withdraw consent where we rely on it
- Lodge a complaint with your local data-protection authority
If you are a California resident, the California Consumer Privacy Act (CCPA / CPRA) gives you specific rights, including the right to know what personal information we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing” (we do neither). We do not discriminate against you for exercising these rights.
To exercise any right, email legal@axidus.io with “Privacy request” in the subject line. We will respond within 30 days (45 for complex requests). We may need to verify your identity before acting on a request.
9. Cookies and similar technologies
We use the smallest set of cookies that lets the Services work:
- Essential cookies (set by Supabase) keep you signed in. Without these, you cannot use the authenticated parts of the site.
- Analytics cookies (Google Analytics 4). GA4 sets cookies (`_ga`, `_ga_*`) to measure aggregate, anonymized usage. We configure GA4 without IP storage and with Google Signals and advertising features disabled. If you are in a jurisdiction that requires prior consent for non-essential cookies (such as the EEA, UK, or Switzerland), GA4 does not load until you accept it on the consent banner shown on your first visit. You can change your choice at any time from the “Cookie settings” link in the site footer.
- Theme preference (`localStorage`) stores your light or dark choice client-side.
- Cookie-consent choice (`localStorage`) remembers whether you accepted or declined analytics cookies, so we do not ask again on every visit. It stays in your browser.
Most browsers let you refuse or delete cookies through their settings. Refusing essential cookies will prevent you from signing in.
10. Children
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 (or under 16 in the EEA / UK). If you believe a child has provided us information, please email legal@axidus.io and we will delete it.
11. Security
We use industry-standard safeguards: TLS in transit, encryption at rest where supported by our providers, hashed passwords, row-level security on our database, and principle-of-least-privilege access for staff. No system is perfectly secure, and we cannot guarantee absolute security. If a breach affects your information, we will notify you and the relevant authorities as required by law.
12. Third-party links
The Services may include links to third-party sites or services. This Policy does not apply to those, and we are not responsible for their practices. Review their privacy policies before sharing information.
13. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top, and for material changes we will notify you by email or by an in-product notice before the change takes effect. Continued use of the Services after changes take effect means you accept the updated Policy.
14. Contact us
Questions about this Policy or our privacy practices? Email legal@axidus.io and we will get back to you.
Axidus LLC
New Jersey, United States
Mailing address available on request.