Privacy Policy
Last updated: March 8, 2026
1. Introduction
AxSentinel ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. AxSentinel is designed as a local-first security tool—your files, code, and messages are scanned entirely on your device and are never transmitted to our servers.
2. Data We Do NOT Collect
This is the most important section of our privacy policy. AxSentinel never collects:
- The content of your files, source code, messages, or prompts
- The actual PII or secrets detected by the scanner (names, SSNs, API keys, etc.)
- The text you type into AI chat interfaces
- The responses you receive from AI providers
- Screenshots, clipboard contents, or keystrokes
All scanning is performed locally by the scanner binary or browser extension running on your device. Detected content never leaves your machine.
3. Data We Collect
We collect the minimum data necessary to operate the Service:
3.1 Account Information
When you create an account, we collect your organization name, work email address, and a hashed password. We never store your password in plaintext.
3.2 Detection Metadata (Telemetry)
When telemetry is enabled, the scanner reports metadata only to your organization's dashboard:
- Detection type (e.g., "SECRET", "PII") and subtype (e.g., "AWS_KEY", "EMAIL")
- Count of detections per type
- Source (proxy, CLI, daemon)
- Timestamp
- AI provider, IDE, and model (auto-detected from HTTP traffic in proxy mode)
This data never includes the actual detected content. For example, we record "1 AWS_KEY detected via Cursor"—never the key itself. You can disable telemetry entirely with --no-telemetry.
3.3 Billing Information
Payment processing is handled entirely by Paddle, our Merchant of Record. We do not store credit card numbers, bank account details, or other payment credentials. Paddle provides us with transaction IDs and subscription status only. See Paddle's Privacy Policy for details on their data handling.
3.4 Usage Analytics
We may collect basic usage analytics for the web dashboard (pages visited, feature usage) using privacy-respecting tools. We do not use third-party advertising trackers.
4. How We Use Your Data
- Account information: to authenticate you and manage your subscription
- Detection metadata: to populate your compliance dashboard and generate audit reports
- Billing data: to process payments and manage subscriptions through Paddle
- Usage analytics: to improve the Service and fix bugs
We do not sell, rent, or share your data with third parties for advertising purposes.
5. Data Storage and Security
- Account and telemetry data is stored in AWS DynamoDB with encryption at rest
- Compliance reports are stored in S3 with Object Lock (immutable, 7-year retention)
- All data in transit is encrypted via TLS 1.2+
- Client tokens are write-only credentials—they can submit detection events but cannot read any data
- Passwords are hashed using bcrypt with appropriate work factors
6. Data Retention
- Detection events: configurable TTL per organization (default: 90 days)
- Compliance reports: 7 years (immutable storage, required for audit compliance)
- Account data: retained while your account is active, deleted within 30 days of account deletion
- Billing records: retained as required by applicable tax and financial regulations
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Export: Request your data in a portable format
- Objection: Object to certain processing of your data
- Opt-out: Disable telemetry entirely using --no-telemetry
To exercise any of these rights, contact us at privacy@ax-sentinel.com. We will respond within 30 days.
8. Cookies
The AxSentinel dashboard uses essential cookies for authentication (session tokens). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. Third-Party Services
We use the following third-party services:
- Paddle: Payment processing and subscription management (Merchant of Record)
- AWS: Infrastructure hosting (DynamoDB, S3, Lambda, API Gateway)
- Vercel: Web dashboard hosting
Each provider operates under their own privacy policy. We select providers that meet high security and privacy standards.
10. Children's Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
11. International Data Transfers
Your data may be processed in jurisdictions outside your country of residence, including the United States (where our AWS infrastructure is located). We ensure appropriate safeguards are in place for any international transfers in compliance with applicable data protection laws.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service with at least 30 days' notice. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact
For privacy-related questions or requests, contact us at privacy@ax-sentinel.com.