Privacy Policy
Effective: April 29, 2026
1. Introduction and scope
This Privacy Policy explains how Axolotl Army (“Axolotl Army”, “we”, “us”, “our”) collects, uses, shares, and protects personal data when you use the Axolotl Army Portal at https://portal.axolotlarmy.net, our marketing site at https://www.axolotlarmy.net, or any related product, API, integration, or communication (together, the “Service”).
The Service is an AI video generation, social distribution, and lead generation platform aimed at small businesses and creators. We operate from the United States and accept customers from the European Economic Area (EEA), the United Kingdom, Switzerland, and globally.
This policy covers people who sign up for an account, team members invited to a customer's account, prospective customers who contact us, and visitors to our public pages. It does not cover end-users of our customers' own websites or marketing campaigns; for those people, our customer is the data controller and we act as a processor.
2. What data we collect
The table below lists every category of personal data we hold, why we hold it, how long we keep it, and the lawful basis we rely on under the GDPR. We do not collect more than we need to run the Service.
| Category | What it includes | Retention | Lawful basis (GDPR) |
|---|---|---|---|
| Account data | Email address, display name, hashed password (never plaintext), portal role, login timestamps. | Kept for the life of the account. When your last active subscription cancels you enter a 30-day grace period; if you do not re-subscribe, content is hard-deleted by an automated daily sweep and the account row is left as a tombstone with PII nulled. You can also submit a deletion request from Settings → Privacy & Data to remove the data sooner. | Performance of the contract (GDPR Art. 6(1)(b)). |
| Billing data | Stripe customer ID, subscription tier, invoice history, payment status. We do not store full card numbers — Stripe holds them under PCI-DSS. | Seven (7) years after final invoice (US tax / SOX retention). Retained even after account deletion to satisfy the legal-hold exception. | Performance of the contract and legal obligation (GDPR Art. 6(1)(b) and (c)). |
| Generated and uploaded content | Prompts you write, videos you generate, images you upload, social captions, brand profile, lead lists, contact records, outbound emails sent through connected mailboxes. | Kept while the account is active. When your last active subscription cancels, content remains on the account for a 30-day grace period (so re-subscribing within that window restores access). If you do not re-subscribe, content is hard-deleted by the automated daily sweep at the end of the grace period. | Performance of the contract (GDPR Art. 6(1)(b)). |
| Operational logs | Request logs, error reports, audit trails (who did what when), rate-limit counters, security events. | Retained per the configuration of our log aggregator (Vercel) and error monitor (native error reporter / Sentry); typical retention is 30–90 days. AuditLog rows recording security-sensitive actions are retained for the life of the account. | Legitimate interest in security and reliability (GDPR Art. 6(1)(f)). |
| Google Workspace data (when connected) | OAuth refresh tokens (encrypted at rest with AES-256-GCM), calendar events you create through the portal, outreach email metadata, Drive folder IDs. | Until you disconnect the Google account or delete the related portal record. Token revocation is immediate; mirrored events on Google's side stay there until you delete them. | Consent (GDPR Art. 6(1)(a)) granted via Google's OAuth consent screen. |
We do not knowingly collect special categories of data (race, religion, political opinions, biometric data, health, sexual orientation) or children's data. If you submit such data through prompts or uploads, you represent that you have a lawful basis to do so.
3. How we use your data
We use personal data only for these purposes:
- Operate the Service. Authenticate you, render the portal, generate video and audio you request, deliver leads and outreach, sync calendars and mailboxes you connect.
- Process payments. Stripe handles card data under PCI-DSS; we receive the customer ID, last-4, brand, and transaction metadata. We never see or store full card numbers.
- Provide support. Reply to email, investigate bug reports, ship security and reliability fixes.
- Protect the Service and our users. Detect abuse, prevent fraud, rate-limit, retain audit trails, respond to security incidents.
- Improve the product. Aggregate, de-identified usage metrics to understand which features matter and to debug regressions.
- Send transactional and account communications. Welcome, security, billing, and onboarding email. You can opt out of non-essential email at any time.
We never sell your personal data and we never use it for advertising. We do not run third-party tracking pixels or advertising cookies on the portal.
AI inference providers. Inference is performed by third-party providers under their default API terms (the providers' published policies generally exclude API traffic from training). We have not separately negotiated zero-retention contracts. See /legal/subprocessors for each provider and the link to their policy.
4. Google API Services — Limited Use Disclosure
When you connect a Google account to the Service we request specific OAuth scopes. The disclosure below is the exact wording required by Google's API Services User Data Policy:
Axolotl Army's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for serving ads, transfer it to third parties for purposes other than providing or improving user-facing features that are prominent in our application's user interface, allow humans to read it (except with your explicit permission, for security and legal compliance, or to comply with applicable law), or use it for any purpose unrelated to delivering the features the user signed up for.
Which Google scopes we use, and why
- openid, email, profile — sign you in with Google and read your email address and display name so we can create or match your portal account.
- https://www.googleapis.com/auth/gmail.send — send outreach email through your own Gmail account when you enable Lead Finder. We do not read your inbox; we only send messages you compose (or ask the assistant to compose) and record delivery metadata. The scope is requested only when you connect a mailbox for outreach.
- https://www.googleapis.com/auth/calendar.events — write and update events on the calendar you choose so the portal can schedule posts, sync booking links, and surface conflicts. We only touch events you create through the portal.
- https://www.googleapis.com/auth/calendar.readonly — read free/busy information so booking links offer real availability. Used only when you turn on calendar sync.
- https://www.googleapis.com/auth/drive.file — upload generated video, image, and audio assets to a folder you select. We only see files you create or open through the portal; we cannot list or read the rest of your Drive.
Human review of Google user data
We do not let humans read your Google user data, except (a) with your explicit permission (for example, when you ask support to reproduce a bug), (b) for security investigations limited to what is strictly necessary, or (c) to comply with applicable law or valid legal process. Engineering access is gated by single sign-on, scoped to job role, and every read is logged.
You can disconnect your Google account at any time from the Portal (Settings → Connected accounts), or revoke access directly at myaccount.google.com/permissions. When you disconnect a Google or Microsoft account, we delete the stored OAuth refresh token immediately and stop calling those APIs on your behalf.
5. Sub-processors
We use the third-party sub-processors below to deliver the Service. Each one is contractually bound to confidentiality, security, and (for EEA/UK transfers) Standard Contractual Clauses or an equivalent adequacy mechanism. We update this list when vendors change; Enterprise customers receive 30 days' notice of material additions.
| Vendor | Purpose | Location | Data categories | Privacy policy |
|---|---|---|---|---|
| Neon | Managed PostgreSQL hosting (primary database). | United States (AWS us-east region). | Account data, Billing metadata, Generated content metadata, Audit logs | Link |
| Vercel | Application hosting, edge runtime, and CDN. | United States and global edge network. | Request logs, IP addresses, Account session cookies | Link |
| Cloudflare (R2 + Workers) | Object storage for generated media and uploaded assets. | United States and global edge network. | Generated videos, Uploaded images, Generated audio | Link |
| Stripe | Payment processing, subscription billing, invoicing. | United States, Ireland. | Name, Billing email, Card last-4 / brand, Transaction history | Link |
| Resend | Transactional email delivery (account, billing, security notifications). | United States. | Recipient email, Email content, Delivery logs | Link |
| Anthropic | Large-language-model inference for AXY, Axo, and content generation features (Claude API). | United States. | Prompts you submit, Content you ask the assistants to draft, Brand profile context | Link |
| OpenAI | Fallback text-to-speech for AXY voice and slideshow narration when ElevenLabs is unavailable. | United States. | Text to be spoken (no audio retention beyond synthesis) | Link |
| ElevenLabs | Primary text-to-speech provider for AXY chat voice and slideshow narration. | United States, United Kingdom. | Text to be spoken, Voice ID selection | Link |
| Kie.ai | Veo 3 video generation (8-second portrait clips with native audio). | United States. | Generation prompts, Generated video output | Link |
| Runway ML | Gen-4.5 video generation (multi-clip stories up to 60 seconds). | United States. | Generation prompts, Reference images you upload, Generated video output | Link |
| Deepgram | Speech-to-text for auto-captions on generated and uploaded video. | United States. | Audio you submit for transcription, Resulting transcripts | Link |
| Google (Workspace APIs) | OAuth login, Google Calendar bidirectional sync, Gmail send (outreach), Drive upload (assets), Google Maps geocoding (Lead Finder). | United States, European Union (per Google's regional data centers). | Account email + display name, Calendar events you create on the portal (when sync is enabled), Outreach emails sent through your connected mailbox, Free/busy availability for booking links, Place lookups for Lead Finder (no end-user data leaves your client account) | Link |
| Microsoft (Graph) | Outlook calendar read sync (free/busy lookup) when an Outlook account is connected. | United States, European Union (per Microsoft's regional data centers). | Calendar event subjects, start/end, attendees, busy/free status | Link |
| Blotato | Cross-posting helper for Threads + Instagram (other platforms publish via direct platform APIs). | United States. | Social post text + media, Linked social account identifiers | Link |
| Upstash | Rate-limit counters and ephemeral session/cache state. | United States, European Union. | Hashed account identifiers, Counter values | Link |
| Sentry (optional) | Error tracking and exception aggregation. Native error monitor is preferred; Sentry runs alongside. | United States, European Union. | Stack traces, Hashed user IDs, Request URLs (sanitized) | Link |
| Cloudinary | Legacy media-asset CDN used as a fallback path during the Phase 71 migration to native Cloudflare R2 storage. New uploads go to R2; Cloudinary still hosts some historical assets and is consulted when an R2 fetch fails. | United States, European Union. | Generated and uploaded media (images, video frames) | Link |
| Creatomate | Server-side video rendering fallback. New rendering jobs prefer the native Remotion-based renderer; Creatomate is the documented fallback when the native worker is unavailable. | United States, European Union. | Source video clips, Render templates, Rendered output | Link |
6. International data transfers
Axolotl Army is based in the United States and most of our sub-processors operate in the United States. When personal data of people in the EEA, UK, or Switzerland is transferred to the United States or another third country, we rely on:
- EEA → US (and other third countries): the European Commission's Standard Contractual Clauses (Module 2 / Module 3, Implementing Decision (EU) 2021/914 of 4 June 2021), executed with each sub-processor.
- UK → third countries: the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner's Office, layered on top of the EU SCCs.
- Switzerland: the Swiss Federal Data Protection Act (revFADP) read together with the SCCs, with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the competent authority.
We perform transfer impact assessments before onboarding any new sub-processor and apply supplementary technical measures (encryption in transit, encryption at rest, key separation) to mitigate residual risk.
7. Your rights
Depending on where you live, you have one or more of the rights below. We will respond within 30 days of receiving a verifiable request and without charge unless your request is repetitive or manifestly unfounded. Email privacy@axolotlarmy.net to exercise any right.
EEA, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — ask us to delete your data, subject to legal retention duties.
- Portability — receive your data in a structured, commonly-used, machine-readable format.
- Restriction — limit how we process your data while a dispute is resolved.
- Objection — object to processing based on legitimate interest, including profiling.
- Withdraw consent — where we rely on consent (for example, Google Workspace OAuth), withdraw it at any time without affecting prior processing.
- Automated decision-making — we do not subject you to decisions that produce legal effects based solely on automated processing. AI-generated suggestions in the portal are advisory and you remain in control.
- Lodge a complaint — with your supervisory authority (for example, the ICO in the UK, the CNIL in France, the Datenschutzbehörde in Austria, or the FDPIC in Switzerland).
California (CCPA / CPRA)
California residents have the rights to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing, and to limit our use of sensitive personal information. You will not be denied service or charged a different price for exercising these rights.
Do Not Sell or Share My Personal Information. We do not sell or share personal information for cross-context behavioral advertising. The 'Do Not Sell or Share My Personal Information' link in our footer is provided as required by California law.
We use sensitive personal information (account credentials, OAuth tokens for connected accounts) only to provide the Service you requested. We do not infer characteristics from this data.
We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months and have no plans to do so. We do not sell personal information of consumers under 16. The CCPA categories of information we collect map to the data categories in section 2; the business purposes map to section 3.
Other US states (Virginia, Colorado, Connecticut, Utah, Texas)
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA) have rights similar to the California rights above, including the right to access, delete, correct (where provided by state law), obtain a portable copy, and opt out of targeted advertising and certain types of profiling. Texas and other 2024+ regimes are covered as they take effect.
To exercise any of the rights in this section, email privacy@axolotlarmy.net. You may also designate an authorized agent to act on your behalf; we may ask the agent for written authorization and may verify your identity directly. If we deny a request, you have the right to appeal — reply to our decision and we will review.
8. Children's privacy
The Service is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has given us personal data, contact privacy@axolotlarmy.net and we will delete the data and close the account promptly.
9. Security
We protect personal data with administrative, technical, and physical safeguards proportionate to the risk:
- Encryption in transit. TLS 1.2 or higher for every connection between your browser, the portal, and our sub-processors.
- Encryption at rest. OAuth refresh tokens for connected Google and Microsoft accounts are encrypted with AES-256-GCM before they hit the database; the encryption key is held outside the database and rotated. Database-at-rest encryption is provided by Neon.
- Access controls. Role-based access for engineering (OWNER, ADMIN, MEMBER), single sign-on, and per-action audit logs. Multi-factor authentication on production-engineering access at our cloud providers (Vercel, Neon, Cloudflare, Stripe) is enforced through those providers' own 2FA controls. Customer-facing 2FA on the Portal application is on our roadmap; until then we mitigate credential-stuffing with a 5-failure / 15-minute login-attempt lockout per email address (see lib/loginAttempts.ts) and require email verification at signup.
- Vendor due diligence. We require SOC 2 Type II, ISO 27001, or equivalent attestations from sub-processors that handle significant personal data, where commercially available.
- Incident response. We will notify affected customers and, where required, supervisory authorities within the timelines required by law — within seventy-two (72) hours of confirmation for GDPR notifications (Article 33). Report suspected vulnerabilities to security@axolotlarmy.net.
10. Retention
Retention periods per category are listed in section 2. In summary:
- Account data — life of the account plus 30 days.
- Billing records — 7 years after final invoice (US tax and SOX).
- Generated and uploaded content — while the account is active; deleted within 30 days of closure.
- Operational logs — 90 days for verbose logs; permanent for security audit trails.
- Google Workspace data — until you disconnect or delete the related portal record.
Where law requires longer retention (for example, defending a legal claim, anti-money-laundering checks, or a litigation hold) we keep the minimum data needed for the minimum period needed.
11. Changes to this policy
We may update this Privacy Policy when laws, vendors, or product features change. The “Effective” date at the top of this page reflects the most recent revision. For material changes that affect your rights or the categories of data we collect we will email every account at least 30 days before the change takes effect, so you have time to review and, if you wish, close your account before the new terms apply.
12. How to contact us
Privacy questions, DSARs, or complaints: privacy@axolotlarmy.net.
General support: support@axolotlarmy.net.
Postal address (service of legal process):
Axolotl Army
Attn: Legal
[Street address — fill in via env or update this constant]
[City, State, ZIP, Country]
13. EU/UK representative
We do not currently maintain an Article 27 representative in the European Union or United Kingdom. Until one is appointed, EEA and UK data subjects may exercise every GDPR/UK GDPR right by contacting us directly at privacy@axolotlarmy.net. We will respond in English; let us know in your message if you need a response in another EU/UK official language and we will arrange translation.