This Privacy Policy explains how Axiom Flux Ltd (“Axiom Flux”, “we”, “us”, “our”) collects, uses, stores and shares personal data when you use the Axiom GEO service at geo.axiomai.uk (the “Service”).
Who we are
Axiom Flux Ltd is a company registered in Scotland. For data protection enquiries we are the data controller for personal data about you and your individual users; we act as a data processor when handling personal data your organisation uploads or connects to the Service (for example Google Analytics audience data, Google Search Console query data, or customer review content from Google Business Profile).
Contact for privacy matters: privacy@axiomflux.co.uk
Data we collect
2.1 Account data (controller)
- Name, email address, hashed password
- Workspace name, slug, billing address and VAT number
- Role (owner, admin, member) and team membership
2.2 Service usage data (controller)
- Pages visited, features used, IP address, browser/device type, timestamps, error logs
- Credit consumption per action (auditable per workspace)
2.3 Customer-supplied content (processor)
- Client domains, prompts you submit, page URLs you analyse
- SEMrush exports, keyword lists, citation lists
- Logos and uploaded assets
2.4 Google API data (processor)
When you connect Google Analytics, Search Console, or Google Business Profile to a workspace, we read the following with your explicit OAuth consent:
- Google Analytics (analytics.readonly scope) — property metadata, daily traffic metrics (sessions, users, pageviews, conversions, events) for properties you select. Read-only — we never modify your GA4 properties.
- Search Console (webmasters.readonly scope) — site list, daily query/page performance (clicks, impressions, CTR, position) for sites you select. Read-only — we never modify your Search Console properties.
- Google Business Profile — public business listing data: name, address, rating, review text, photos, place_id. We do not write, reply to, or modify your GBP listings.
2.5 Payment data (processor)
Stripe processes card payments. We never store your card number, CVV or expiry. We retain Stripe payment IDs, invoice numbers and subscription status for billing reconciliation.
Limited Use of Google user data
Axiom GEO's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically we confirm:
- We use Google API data only to provide and improve user-facing features within Axiom GEO (analytics dashboards, SEO reporting, review monitoring). We do not use it for any other purpose.
- We do not transfer Google API data to third parties except as necessary to provide the Service (e.g. our hosting provider) and only to the extent disclosed in section 5 below.
- We do not use Google API data for advertising, including remarketing, personalised advertising, or interest-based advertising.
- We do not allow humans to read Google API data except (a) with the user's explicit written consent, (b) to comply with applicable law, (c) in an aggregated and anonymised form for security and performance, or (d) for narrowly-scoped support and debugging activities authorised by the user. All such access is logged.
- We do not sell Google API data under any circumstances.
- We do not use Google API data to train generative AI or large language models.
Why we use it (lawful basis)
- Contract — to deliver the Service you subscribed to (analytics dashboards, AI visibility tracking, review monitoring, billing).
- Consent — for Google OAuth connections, we rely on the explicit consent you give on Google's consent screen. You can revoke this at any time at myaccount.google.com/permissions.
- Legitimate interests — for service security, fraud prevention, analytics, and legal compliance, balanced against your privacy rights.
- Legal obligation — for tax records, accounting, and any lawful disclosure required by court order or regulator.
Sub-processors
We use the following sub-processors to deliver the Service. All are bound by data processing agreements and processing locations are within the UK or EU unless noted.
- Hetzner Online GmbH (Germany) — server hosting
- Stripe Payments UK Ltd (UK / Ireland) — payment processing
- Anthropic PBC (USA) — Claude AI engine queries
- OpenAI LLC (USA) — ChatGPT queries
- Google LLC (USA) — Gemini AI queries; OAuth-authorised access to Google Analytics and Search Console for connected workspaces
- Perplexity AI Inc (USA) — Perplexity queries
- DataForSEO (USA) — search-rank and business-listing lookups
- SerpAPI (USA) — Google AI Overview SERP data
- Sentry (USA) — error tracking (PII scrubbed)
- Resend / SMTP provider — transactional email
For US-based sub-processors we rely on Standard Contractual Clauses or the EU-US Data Privacy Framework where applicable. The current sub-processor list is also available on request to privacy@axiomflux.co.uk.
Data retention
- Account data — retained while your account is active. Deleted within 30 days of account closure (or immediately on written request, except where retention is legally required).
- Google API data (Analytics, Search Console, Business Profile) — retained for the active service period. On disconnection we delete the OAuth refresh token immediately and purge cached data within 30 days.
- AI engine query logs — kept for 12 months for trend analysis, then deleted automatically. You can request immediate deletion of any specific run.
- Billing records — kept for 6 years to comply with UK tax and accounting law.
- Backups — encrypted backups are retained for 35 days; deletion requests are honoured in active storage immediately and propagate to backups within 35 days.
Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Request erasure (“right to be forgotten”)
- Restrict or object to processing
- Data portability (export of your data)
- Withdraw consent at any time (where processing relies on consent)
- Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
To exercise any of these rights, email privacy@axiomflux.co.uk. We respond within one calendar month.
Account deletion
You can delete your account at any time from your workspace settings or by emailing privacy@axiomflux.co.uk. Deletion removes your account, all connected OAuth tokens, and associated workspace data within 30 days. Billing records required for tax and accounting purposes are retained for 6 years as noted above.
International data transfers
Some sub-processors are based outside the UK/EU (notably the AI engine providers in the USA). Where this happens, we ensure transfers are protected by Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards under UK GDPR.
Security
We protect your data with: encrypted transport (TLS 1.3), encrypted backups, password hashing (bcrypt), strict role-based access controls, network isolation between services, and incident logging. We undergo periodic security review and run automated dependency scanning.
Children's privacy
The Service is intended for businesses and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we hold data about a child, email us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or in-product notice at least 30 days in advance. The “Last updated” date at the top reflects the most recent revision.
Contact
Privacy enquiries: privacy@axiomflux.co.uk
General enquiries: hello@axiomflux.co.uk
A full Data Processing Agreement (DPA) compatible with UK GDPR is available on request before contract signature.