Privacy Policy
Who We Are
AxioPlan (“AxioPlan”, “we”, “us”, or “our”) provides probabilistic project estimation software accessible at axioplan.io. Our platform enables engineering teams and project managers to plan projects using statistical modelling, T-shirt sizing, Gantt charts, dependency mapping, and resource capacity analysis.
We act as a data controller for personal data processed through our platform. Where we process personal data on behalf of our business customers, we act as a data processor.
Scope of This Policy
This Policy applies to:
- All visitors to axioplan.io
- Registered users of the free tier and Pro subscription
- Members of teams invited to AxioPlan by an account owner
- Individuals whose information is entered into the platform by a registered user (e.g., team roster entries)
This Policy does not apply to third-party websites or services that may be linked from our platform. We encourage you to review the privacy policies of any third-party services you use.
Personal Data We Collect
3.1 Account and Identity Data
When you create an account or sign in, we collect:
- Full name and email address
- Google OAuth authentication token
- Account preferences and notification settings
3.2 Project and Work Data
To deliver our service, we store the project information you enter, including:
- Project names and target deadlines
- Task and epic data: titles, descriptions, start dates, durations, progress, and status
- Task dependencies and sequencing
- T-shirt size estimates and confidence levels (low, medium, or high)
- Team member entries: names, roles, and billing rates
Delivery timelines, cost estimates, and allocation outputs are calculated in real time and are not stored separately in our database.
3.3 Billing and Payment Data
For Pro subscribers, billing is handled by our third-party payment processor (Stripe). We do not store full payment card numbers on our servers. We retain:
- Subscription tier and status
- Billing email address and country
- Invoice history and transaction references
3.4 Usage and Technical Data
We automatically collect technical and usage data when you use our service. Some of this data is collected directly by our infrastructure provider (Vercel) and analytics tools (Vercel Analytics and Google Tag Manager) and may include:
- Approximate geographic location (country/city level)
- Browser type and operating system
- Pages visited and session duration
- Referral source (how you arrived at axioplan.io)
We also log product usage events such as project creation, features used, and export actions to understand how the service is being used. These events are associated with your user account, not your device. We do not independently collect raw IP addresses or device identifiers beyond what is captured by our infrastructure and analytics providers.
3.5 Communications Data
When you contact us via email or a support channel, we retain your name and email address, the contents of your message and any attachments, and our responses and the history of the correspondence.
How We Use Your Personal Data
We use the personal data described above for the following purposes:
| Purpose | Examples | Legal Basis (GDPR) |
|---|---|---|
| Service delivery | Creating accounts, running estimation models, generating Gantt charts | Contract performance (Art. 6(1)(b)) |
| Account management | Login, password reset, subscription management, team invitations | Contract performance (Art. 6(1)(b)) |
| Billing & payments | Processing subscriptions, issuing invoices, managing renewals | Contract performance (Art. 6(1)(b)) |
| Customer support | Responding to enquiries, resolving technical issues | Legitimate interests (Art. 6(1)(f)) |
| Service improvement | Analysing usage patterns, fixing bugs, developing new features | Legitimate interests (Art. 6(1)(f)) |
| Security & fraud prevention | Detecting abuse, preventing unauthorised access, rate limiting | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Responding to lawful requests, maintaining financial records | Legal obligation (Art. 6(1)(c)) |
| Marketing communications | Product updates and newsletters (opt-in only) | Consent (Art. 6(1)(a)) |
Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
5.1 Service Providers (Data Processors)
- Cloud Infrastructure - Hosting and database services (e.g., AWS, Vercel, or equivalent)
- Payment Processing - Stripe (card data processed under PCI-DSS compliance)
- Email Delivery - Transactional email providers (e.g., Postmark, Resend, or equivalent)
- Analytics - Aggregated usage analytics tools (configured with IP anonymisation)
- Error Monitoring - Application performance tools (e.g., Sentry)
5.2 Business Transfers
If AxioPlan undergoes a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5.3 Legal Requirements
We may disclose your information where required to do so by law, court order, or regulatory authority - or where we believe in good faith that disclosure is necessary to protect our legal rights, prevent fraud, or protect the safety of users.
International Data Transfers
AxioPlan is operated from Lithuania (European Economic Area). Some of our service providers process data outside the EEA, including in the United States. Where this occurs, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding corporate rules or equivalent mechanisms
You may request a copy of the relevant transfer mechanisms by contacting privacy@axioplan.io.
Data Retention
We retain personal data for as long as necessary to provide our services and comply with legal obligations:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & identity data | Duration of account + 30 days post-deletion | Service delivery; recovery window |
| Project & work data | Duration of account + 30 days post-deletion | Service delivery |
| Billing records | 7 years from transaction | Legal/tax obligation |
| Support correspondence | 3 years from last interaction | Legitimate interests (dispute resolution) |
| Usage & technical logs | Up to 13 months | Service improvement; security monitoring |
| Marketing consent records | Until consent withdrawn + 3 years | Legal compliance (demonstrating consent) |
When we no longer need your data, we securely delete or anonymise it. You may request earlier deletion under your right to erasure (see Section 8).
Your Rights
8.1 GDPR Rights (EEA Residents)
If you are located in the European Economic Area, you have the following rights under the GDPR:
Submit a request to privacy@axioplan.io with your name, email address, and a description of the right you wish to exercise. We may need to verify your identity before acting on the request.
8.2 CCPA Rights (California Residents)
If you are a California resident, you have the following rights under the CCPA as amended by the CPRA:
- Right to Know - The categories and specific pieces of personal information we collect, use, disclose, and sell
- Right to Delete - Request deletion of your personal information, subject to certain exceptions
- Right to Correct - Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing - AxioPlan does not sell personal information or share it for cross-context behavioural advertising
- Right to Limit Sensitive PI Use - We do not use sensitive personal information beyond what is necessary to provide our service
- Right to Non-Discrimination - Exercising your rights will not result in denial of service or different pricing
To exercise CCPA rights, contact us at privacy@axioplan.io. Response time: 45 days (extendable by a further 45 days with notice).
Security
We implement technical and organisational measures proportionate to the risk associated with your data:
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted at the infrastructure level by our database provider
- We authenticate users exclusively via Google OAuth 2.0 - we do not store passwords
- Sessions are managed using short-lived, HttpOnly, secure cookies
- Access to project data is restricted to the account owner and users explicitly invited to share a project
- Access to production systems is restricted to authorised personnel
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR Articles 33 and 34.
Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our service. You can manage preferences via the cookie banner on your first visit or through your browser settings.
Children's Privacy
AxioPlan is a business tool intended for users aged 18 and over. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact privacy@axioplan.io and we will delete the information promptly.
Automated Decision-Making
AxioPlan uses statistical algorithms (Monte Carlo simulations, PERT calculations, and critical-path analysis) to generate project estimation outputs. These outputs are tools to assist human decision-makers and do not constitute automated decisions that produce legal or similarly significant effects on individuals within the meaning of GDPR Article 22.
Third-Party Links and Integrations
Our platform may contain links to third-party websites or may integrate with external services. These third parties have their own privacy policies, and we are not responsible for their data practices. We encourage you to review their policies before sharing data with them.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the “Last Updated” date at the top of this document
- Display a notice on axioplan.io for material changes
- Send an email notification to registered users for significant changes
Your continued use of AxioPlan after the effective date of any update constitutes your acceptance of the revised Policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
If you are an EEA resident and we are unable to resolve your concern, you have the right to lodge a complaint with your local supervisory authority. In Lithuania, this is the State Data Protection Inspectorate (VDAI): www.vdai.lrv.lt.
Legal Bases for Processing (GDPR Reference)
The following table summarises the legal basis relied upon for each category of processing activity, as required by GDPR Articles 13 and 14:
| Processing Activity | Data Categories | Legal Basis | GDPR Article |
|---|---|---|---|
| Account creation & login | Identity, credentials | Contract performance | Art. 6(1)(b) |
| Providing the software service | All account & project data | Contract performance | Art. 6(1)(b) |
| Billing & subscription management | Billing, identity | Contract performance | Art. 6(1)(b) |
| Customer support | Identity, communications | Legitimate interests | Art. 6(1)(f) |
| Service analytics & improvement | Usage, technical data | Legitimate interests | Art. 6(1)(f) |
| Security monitoring | Usage, technical data | Legitimate interests | Art. 6(1)(f) |
| Financial record keeping | Billing, identity | Legal obligation | Art. 6(1)(c) |
| Marketing emails (opt-in) | Identity, preferences | Consent | Art. 6(1)(a) |
| Cookie analytics (non-essential) | Cookie, technical data | Consent | Art. 6(1)(a) |