Privacy Policy

The data controller responsible for processing your personal data on this website is:

FANSNOW SINGLE MEMBER S.A. (trading as Kodira)
K. Kartali 64–68, 38221 Volos, Greece
Registration Number: 167050444000
VAT ID: EL801958838
Represented by its sole director, Konstantinos Bourinakis

For all privacy-related inquiries, please contact us at privacy@axilles.app.

This policy explains what personal data axilles collects, why it is processed, who it is shared with, how long it is kept, and the rights you have under the EU General Data Protection Regulation (GDPR) and Greek law.

• Account data: email address, hashed password, display name, optional avatar, OAuth provider IDs (Google, X)
• Usage data: debate questions you submit, AI model selections, agent configurations, chat history within debates, credit balance and transactions
• Billing data (only if you upgrade to a paid plan): Stripe customer ID, subscription state, payment metadata. Card details are never stored on our servers — they reside with Stripe.
• Technical data: IP address (truncated when used for analytics), user agent, error stack traces, performance metrics
• Cookies: see Section 9

• Providing the service (Art. 6(1)(b) GDPR — contract): running debates, storing your account, billing, customer support
• Security and abuse prevention (Art. 6(1)(f) GDPR — legitimate interest): rate limiting, content moderation, error tracking
• Legal compliance (Art. 6(1)(c) GDPR): tax records for billing, retention obligations
• Optional analytics (Art. 6(1)(a) GDPR — consent): only after you accept analytics cookies

We share data with the following processors, each bound by a Data Processing Agreement (DPA). Where data is transferred outside the EU/EEA, the transfer is covered by the EU Standard Contractual Clauses (SCCs) and supplementary measures where required.

• Supabase — authentication, database, file storage. Region: EU (Frankfurt).
• Vercel — hosting of the web frontend. Region: global edge network; primary contract entity: Vercel Inc., USA (SCCs in place).
• Fly.io — hosting of the API and worker processes. Region: Frankfurt.
• OpenAI — AI generation (GPT models) and content moderation. Region: USA (SCCs).
• Anthropic — AI generation (Claude models). Region: USA (SCCs).
• Google — AI generation (Gemini models). Region: global; processor: Google LLC, USA (SCCs).
• OpenRouter — gateway to additional AI providers (xAI, Meta, Microsoft, Cohere, Mistral, AI21, DeepSeek, Alibaba). Region: USA (SCCs); upstream providers operate in mixed regions.
• Perplexity — pre-debate web research. Region: USA (SCCs).
• Stripe Payments Europe Ltd. — payments processing. Region: Ireland (EU).
• Sentry — error tracking and performance monitoring. Region: EU (Germany).
• Vercel Analytics — anonymized page-view metrics. Loaded only with your consent. Region: USA (SCCs).

When you submit a question to a debate, the question text is sent to the AI providers you select. Their data retention and training policies vary — see their respective privacy notices. None of the providers above use API content to train their public models by default for our enterprise tier of usage.

Some processors are located outside the EU/EEA, primarily in the United States. We rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) plus, where appropriate, supplementary technical measures (encryption in transit and at rest). For transfers to the United States, we additionally rely on the EU–US Data Privacy Framework where the recipient is certified.

• Account and debate data: stored for as long as your account is active. After account deletion, data is removed within 30 days, except for billing records retained for 10 years under Greek tax law (Art. 6(1)(c) GDPR).
• Error logs in Sentry: 90 days, then automatic purge.
• Anonymized analytics: 25 months (Vercel default).
• Cookies: see Section 9.

Under the GDPR you have the right to:

• access your data (Art. 15)
• rectify inaccurate data (Art. 16)
• erase your data (Art. 17)
• restrict processing (Art. 18)
• data portability (Art. 20)
• object to processing (Art. 21)
• withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3))

To exercise any of these rights, email privacy@axilles.app. We respond within one month.

You also have the right to lodge a complaint with the Greek Data Protection Authority (Hellenic Data Protection Authority, www.dpa.gr) or the supervisory authority in your EU member state.

We use cookies and comparable storage in three categories:

• Essential (always active): authentication session, language preference, theme preference, CSRF protection. These cannot be disabled because the site does not function without them.
• Error monitoring (always active): Sentry sets a session storage entry to correlate errors across page loads. No advertising or tracking purposes.
• Analytics (opt-in): Vercel Analytics counts anonymized page views to help us improve the site. Loaded only after you accept the analytics category in the cookie banner.

You can change your choice at any time via the link in the footer.

We use TLS encryption for all data in transit. Passwords are hashed via Supabase's bcrypt implementation. Database access is restricted via row-level security and service-role keys are stored only in encrypted environment variables of our hosting providers. We perform regular security reviews of our codebase and dependencies.

axilles is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data, contact privacy@axilles.app and we will delete it.

We may update this policy when our processing changes. The effective date at the top reflects the most recent version. Material changes are announced in-app at least 30 days before they take effect.