AxiomTrak – Privacy Policy

Effective date: 14 January 2026

Version: 1.0

Data Controller: RRS MB (company registration No. 306360136)

Registered address: V. Nagevičiaus g. 3, 08237 Vilnius, Lithuania

Contact e‑mail: privacy@axiomtrak.com

Data Protection Officer (DPO): privacy@axiomtrak.com

AxiomTrak (the “Platform”, “Service”, “we”, “us”, “our”) is a Vilnius‑based compliance‑automation solution.

This Privacy Policy explains how we collect, use, store, share, and protect personal data in accordance with the EU General Data Protection Regulation (GDPR), the EU AI Act, the Brazilian LGPD, the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and any other applicable law.

1. Definitions

Term Definition (plain English)
Personal DataAny information relating to an identified or identifiable natural person (e.g., name, email, IP address, AI‑model metadata).
ProcessingAny operation performed on personal data, whether or not automated (collection, storage, use, disclosure, erasure, etc.).
ControllerThe natural or legal person that determines the purposes and means of processing. Here, RRS MB.
ProcessorA natural or legal person that processes personal data on behalf of the controller.
Sub‑processorA processor engaged by another processor.
Data SubjectThe individual whose personal data is processed.
Legitimate InterestA lawful basis where the controller’s interest does not override the data subject’s rights.
ConsentFreely given, specific, informed, and unambiguous indication of wishes.
Data BreachA breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
Automated Decision‑MakingProcessing that produces legal or similarly significant effects without human involvement.
ProfilingAny form of automated processing of personal data to evaluate personal aspects.
EU‑U.S. Data Privacy Framework (DPF)The EU‑U.S. mechanism that allows lawful transfers of personal data to the United States.
Standard Contractual Clauses (SCCs)Model contract clauses approved by the European Commission for international transfers.

Legal frameworks referenced: GDPR (EU/EEA/UK/CH), EU AI Act, LGPD (Brazil), CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah).

2. Roles

Role Entity Relationship Location
Controller RRS MB Determines purposes & means Vilnius, Lithuania
Primary Processor Amazon Web Services (AWS) – Stockholm region Hosts the platform, stores logs & backups EU (Sweden)
Other Processors None at present (future processors will be added to the Sub‑processor Register)

3. What Data We Collect

Category Examples Source
User Account Data Name, business e‑mail, company name, job title, user‑chosen password (hashed) Registration / account‑management forms
Technical Compliance Data AI‑model metadata (model name, version, parameters), uploaded documentation drafts, compliance‑scan results, technical logs API uploads, platform UI
Metadata & Usage Logs IP address, device type, browser, timestamps, error logs, feature‑usage events Automatic collection
Cookies & Tracking Session ID, preference cookie, security cookie Browser
AI‑Training Data Never used for training without explicit, separate consent. User‑uploaded data is solely used to generate compliance documentation for that user.
Communications Support tickets, chat transcripts (if any) Support portal (optional)

4. Legal Basis & Purpose

Processing Activity Legal Basis (GDPR Art. 6) Justification
Account creation & management (b) Performance of a contract Required to provide the service.
Compliance‑scan & documentation generation (b) Performance of a contract Core service.
Continuous policy‑update delivery (b) Performance of a contract Service improvement.
Storage of logs for security & fraud prevention (c) Legal obligation (e.g., anti‑money‑laundering) Statutory requirement.
Sending security alerts & service notices (b) Performance of a contract Contractual communication.
Responding to lawful requests (law enforcement) (c) Legal obligation Legal compliance.
Legitimate‑interest analytics (e.g., performance metrics) (f) Legitimate interests Platform optimisation, provided it does not override user rights (see LIA).
Optional marketing communications (if user opts‑in) (a) Consent Explicit opt‑in required.

Legal‑Basis Matrix (see Section 5 table).

Specific Purposes

  • Provision of Automated Compliance Documentation – generate, store, and deliver compliance reports for each AI model.
  • Continuous Dynamic Policy Updates – push regulatory changes to the user dashboard; require manual “User Acceptance” before integration.
  • Compliance with the EU AI Act & other sectoral regulations – maintain records, audit trails, and evidence of compliance.
  • Security & Fraud Prevention – detect abnormal activity, protect accounts, and safeguard platform integrity.
  • Service Improvement & Product Development – analyse aggregated, anonymised usage statistics to enhance features (no personal data used for AI‑training without consent).
  • Legal & Regulatory Obligations – retain records for tax, accounting, and possible litigation (up to six years).
  • Customer Support – answer queries, troubleshoot issues, and provide technical assistance.
  • Communications – send service‑related announcements, security alerts, and, where consented, marketing material.

Data Minimisation Principles

  • Review Cycle – Every 12 months we audit each data field against the purpose list. Unused fields are removed.
  • Deletion on Request – Data subjects may request erasure of any data that is no longer necessary for the original purpose.
  • Purpose‑Specific Storage – Data collected for a specific purpose is stored in a dedicated database schema that is not reused for unrelated processing.

5. How We Collect Data

Method What is Collected How it is Collected
Web Forms Account data, consent flags Secure HTTPS POST
API Uploads AI‑model metadata, documentation drafts Authenticated API calls (OAuth 2.0)
Cookies Session ID, preference settings Browser storage (first‑party)
Automatic Logs IP, device, timestamps, error details Server‑side logging (TLS‑encrypted)
Support Portal (optional) Ticket content, chat logs Secure web interface (user‑initiated)

All transmissions use TLS 1.2 or higher.

6. Cookies & Tracking Technologies

Cookie Name Purpose Type Duration Provider Consent Required?
session_id Maintain logged‑in session Strictly necessary Session AxiomTrak (first‑party) No
pref_lang Store UI language preference Functional 1 year AxiomTrak (first‑party) No
csrf_token CSRF protection Strictly necessary Session AxiomTrak (first‑party) No
analytics_id Not used – placeholder for future analytics (currently disabled)
marketing_opt Record user’s opt‑in for marketing e‑mails Consent Until withdrawal AxiomTrak (first‑party) Yes
  • Consent Management – A banner appears on first visit, describing the strictly necessary cookies.
  • Users can open the “Cookie Settings” panel to enable/disable the optional marketing_opt cookie.
  • Consent choices are stored in a consent‑receipt log (date, scope, method).

7. Processors & Sub-processors

Provider Service Data Categories Processed Location of Processing Contractual Safeguards
Amazon Web Services (AWS) – Stockholm Cloud hosting, object storage, backup, logging All platform data (account data, compliance data, logs, backups) EU (Sweden) Data Processing Agreement (DPA) incorporating SCCs & EU‑U.S. DPF where applicable
None – Analytics
None – Communication

Future sub‑processors will be added to the Sub‑processor Register (Section 11).

  • Due Diligence – Before onboarding, each sub‑processor signs a GDPR‑compliant DPA and provides evidence of adequate security (ISO 27001, SOC 2, etc.).
  • DPAs – All DPAs contain clauses on: purpose limitation, data security, breach notification within 72 hours, audit rights, prohibition of onward transfers without our consent.
  • Register – The current register is shown below; it is published on our website and updated promptly when new sub‑processors are added.

Sub‑processor Register

Sub‑processor Service Country DPA Status
AWS (Stockholm) Hosting & storage Sweden (EU) Signed (effective 14 Jan 2026)

8. International Data Transfers

Transfer Mechanism When Used Safeguards
EU‑U.S. Data Privacy Framework (DPF) Transfers to AWS US‑based services (e.g., S3 cross‑region replication) Certification, annual compliance review
Standard Contractual Clauses (SCCs) Any future non‑EU sub‑processor Model SCCs + supplemental technical measures
Adequacy Decision Transfers to countries with EU adequacy (e.g., UK, Norway) No additional measures required
Supplemental Safeguards High‑risk transfers (e.g., to US where DPF not applicable) Encryption (AES‑256) + pseudonymisation + contractual clauses

Cross‑Border Transfer Impact Assessment Checklist

  1. Identify destination country & legal regime.
  2. Verify adequacy or DPF certification.
  3. If none, apply SCCs + supplemental safeguards (encryption, limited access).
  4. Document residual risk (Low/Medium/High).
  5. Obtain DPO sign‑off before transfer.

9. Data Retention

Data Category Retention Period Legal Basis Deletion Method
Account data (name, email, company, job title) Until account termination + 1 year Contractual & legal obligation Secure erase (cryptographic deletion)
Compliance documentation & AI‑model metadata Duration of subscription + 6 years (legal defence) Contractual & legal obligation Secure erase; backups shredded after retention
Technical logs & access logs 12 months (operational) + 6 years (security) Legal obligation (e‑discovery) Log rotation; encrypted archival; final deletion via secure wipe
Cookies (session, preferences) Session / 1 year (as per table) Legitimate interest / consent Browser‑side expiration; server‑side purge
Consent records 3 years after withdrawal Contractual & legitimate interest Encrypted archive, then deletion
Backup copies 6 years Legal defence Encrypted, then secure destruction

All deletions are performed using industry‑standard cryptographic erasure and verification logs.

10. Security Measures

Measure Description
Transport Encryption TLS 1.2 or higher for all network traffic.
At‑Rest Encryption AES‑256 for databases, S3 objects, and backups.
Access Controls Role‑based access (RBAC); least‑privilege principle; MFA for all privileged accounts.
Physical Security AWS Stockholm data centre: biometric entry, 24/7 monitoring, fire suppression, ISO 27001 certified.
Penetration Testing External pen‑test annually; internal vulnerability scans monthly.
Monitoring & Logging SIEM collects security events; alerts routed to DPO.
Incident Response Plan Documented IRP with defined severity levels, escalation matrix, and communication templates (see Section 15).
Key Management Keys stored in Hardware Security Modules (HSMs); rotation every 12 months.
Backup & Disaster Recovery Daily encrypted backups; tested quarterly restore drills.

11. Personal Data Breach Notification

  • Detection & Containment – Security team isolates affected systems.
  • Internal Escalation – Notify DPO within 4 hours; DPO convenes Incident Response Team.
  • Risk Assessment – Determine likelihood of harm, categories of data, number of affected subjects.
  • Regulatory Notification – If risk is “high”, notify the Lithuanian Data Protection Authority (VDA) within 72 hours of becoming aware.
  • Data‑Subject Notification – If high risk, inform affected users no later than 30 days after breach discovery, using the template below.
  • Media Notification – If public interest is high, issue a press release (template provided).
  • Post‑Incident Review – Update security controls, document lessons learned, and report to senior management.

Breach‑Notification Templates (excerpt)

To the Lithuanian Data Protection Authority

Subject: Notification of Personal Data Breach – AxiomTrak (RRS MB)

Date: [Insert]

Description: On [date] a security incident resulted in unauthorized access to [categories of data].

Number of records: [approx.]

Measures taken: Immediate containment, password resets, forensic analysis.

Contact: privacy@axiomtrak.com, +370 5 123 4567

To Affected Data Subjects

Dear [Name],

We regret to inform you that on [date] a security incident exposed your personal data (email, company name).

We have contained the incident and taken steps to prevent recurrence.

We recommend you change your password and monitor your accounts. For assistance, contact privacy@axiomtrak.com.

Press Release (optional) – follows the same factual structure, adds reassurance about remedial actions.

12. Your Rights

Right How to Exercise Typical SLA
Access Submit a request to privacy@axiomtrak.com Within 30 days (extendable 2 months)
Rectification Request correction via the same channel Same SLA
Erasure (“Right to be forgotten”) Request deletion of personal data Same SLA
Restriction of Processing Ask to limit use (e.g., during dispute) Same SLA
Data Portability Receive data in JSON or CSV, encrypted Same SLA
Object to Processing Object to profiling or direct marketing Same SLA
Withdraw Consent Click “Withdraw consent” in account settings or email us Immediate effect on future processing

Verification – We will request at least two forms of identification (e.g., government ID + email confirmation) before fulfilling any request.

13. Jurisdiction-Specific Rights

Jurisdiction Rights & How to Exercise
Lithuania (VDA) Same as GDPR; supervisory authority: Valstybinė duomenų apsaugos inspekcija, 1 A Maironio g., Vilnius, Lithuania, tel. +370 5 268 5555.
Brazil (LGPD) Confirmation, access, correction, anonymisation, deletion, data portability, revocation of consent. Contact privacy@axiomtrak.com.
California (CCPA/CPRA) Right to know, delete, opt‑out of sale/sharing, non‑discrimination. Use the “Do Not Sell or Share My Personal Information” link on our website or email us.
Virginia (VCDPA) Access, correct, delete, data portability, opt‑out of targeted advertising. Same contact channel.
Colorado (CPA) Access, correct, delete, opt‑out of targeted advertising, profiling.
Connecticut (CTDPA) Access, correct, delete, opt‑out of targeted advertising, profiling.
Utah (UCPA) Access, delete, data portability, opt‑out of targeted advertising or sale.

All requests are free of charge, unless they are manifestly unfounded or excessive; in such cases we may charge a reasonable fee.

14. Automated Decision-Making

The Platform does not perform automated decision‑making that produces legal or similarly significant effects. If a future feature introduces such processing, we will:

  1. Provide a clear description of the logic involved.
  2. Explain the significance and expected consequences.
  3. Offer the data subject the right to obtain human intervention, express their point of view, and contest the decision.

15. Legitimate Interest Assessment (LIA)

Step Description
Purpose Explain the legitimate interest (e.g., platform optimisation).
Necessity Test Show why processing is needed for that interest.
Balancing Test Identify the data subject’s interests, rights, and freedoms; assess impact.
Outcome Record “Result: Legitimate interest overrides” or “Result: Processing not permitted”.
Mitigation Measures List safeguards (pseudonymisation, limited retention, opt‑out).
DPO Sign‑off Name, date, signature.

Current legitimate‑interest processing (aggregated usage analytics) has been assessed and approved (see Appendix A).

16. Data Protection Impact Assessment (DPIA)

When required – Processing that is likely to result in a high risk to the rights and freedoms of data subjects (e.g., large‑scale profiling, processing of special categories).

Procedure

  1. Identify the processing activity.
  2. Describe the nature, scope, context, and purposes.
  3. Assess necessity and proportionality.
  4. Evaluate risks to data subjects.
  5. Identify measures to mitigate risks.
  6. Document the DPIA and obtain DPO approval.

DPIA Register (excerpt)

Project Date Risk Rating (Low/Med/High) Mitigations Review Cycle
AI‑model compliance scan (v1.0) 01‑Mar‑2025 Medium Pseudonymisation of model identifiers, limited retention Annual
New “Policy‑Push” notification engine 15‑Jun‑2025 High End‑to‑end encryption, explicit user acceptance, audit logs Bi‑annual

All DPIAs are stored securely and made available to the supervisory authority upon request.

17. Record of Processing Activities (ROPA)

Activity ID Description Data Categories Legal Basis Retention Recipients / Transfers Transfer Mechanism DPIA Ref. LIA Ref.
A‑001 User registration & account management Account data, credentials (b) Contract 1 yr after termination Internal (support team)
A‑002 Compliance‑scan upload & analysis Technical compliance data, logs (b) Contract Subscription + 6 yr AWS (hosting) SCCs + DPF DPIA‑01
A‑003 Continuous policy‑update push Policy metadata, user acceptance flag (b) Contract Subscription + 1 yr Internal LIA‑01
A‑004 Security monitoring & fraud detection IP, device, usage logs (c) Legal obligation 12 mo + 6 yr AWS (log analytics) SCCs DPIA‑02
A‑005 Optional marketing e‑mail (opt‑in) Account data, marketing consent (a) Consent Until withdrawal Mail service (none – internal)

The full ROPA is published on our corporate intranet for internal audit purposes.

18. Training & Governance

  • Frequency – Mandatory privacy & security training annually for all staff; additional onboarding training for new hires.
  • Content – GDPR fundamentals, data‑handling procedures, incident‑response, phishing awareness.
  • Record‑keeping – Training logs stored for 5 years; each employee’s completion certificate is retained in HR files.

Governance Bodies

  • Data Protection Officer (DPO): Monitor compliance, advise on DPIAs, handle DSARs, liaise with authorities.
  • Data Governance Committee (senior management): Approve privacy policies, oversee risk assessments, allocate resources.
  • Internal Audit Team: Conduct quarterly privacy audits, report findings to the Committee.
  • External Auditor: Perform an annual independent audit of GDPR compliance; results published in the Transparency Report.

19. Consent Management

  • Obtaining Consent – Clear opt‑in checkbox (unchecked by default) for any processing that relies on consent (e.g., marketing).
  • Recording Consent – Consent receipt stored with: user ID, date, scope (e.g., marketing), method (checkbox), and IP address.
  • Revoking Consent – Users can withdraw at any time via the “My Settings” page; the system automatically disables the relevant processing and logs the revocation.
  • Do Not Sell or Share My Personal Information – Visible link in the website footer; clicking opens a simple form that records the opt‑out and immediately disables any data‑sale/sharing logic.
  • Marketing Opt‑Out – Toggle in account settings; disables the marketing_opt cookie and removes the user from all promotional mailing lists.
  • Profiling / Targeted Advertising Opt‑Out – Same toggle; ensures no profiling is performed for advertising purposes.

All opt‑outs are respected without delay and logged for audit.

20. Identity Verification

  1. Identity proof – Request two of the following: government‑issued ID, recent utility bill, or a signed email from the registered address.
  2. Multi‑factor check – Send a one‑time code to the registered e‑mail or phone.
  3. Record – Log verification outcome, date, and staff member.
  4. Proceed – Only after successful verification do we fulfill the request.

21. Data Classification

Classification Definition Handling Rules
Public Information already publicly available. No restrictions.
Internal Business‑operational data, not for external release. Access limited to employees with a business need.
Confidential Personal data, compliance reports, contracts. Encrypted at rest, strict RBAC, logged access.
Restricted Sensitive personal data (if ever collected), encryption keys. Highest security, limited to senior staff, separate HSM storage.

All data are labelled in our metadata system; automated controls enforce the handling rules.

22. Data Portability

  • Formats – JSON or CSV (UTF‑8).
  • Security – Files are encrypted with AES‑256 and delivered via a secure download link that expires after 48 hours.
  • Procedure – Upon verified request, the DPO coordinates with the engineering team to extract the data and send the encrypted package.
  • Deletion – Cryptographic erasure (overwrite keys) for databases; secure wipe of backup tapes after retention expires.
  • Anonymisation for AI Training – If a user later gives explicit consent to use their data for model training, we first pseudonymise (remove identifiers) and then apply statistical anonymisation techniques. No personal data is used for training without that consent.

23. Law Enforcement & Government Requests

  1. Receipt – Log the request (date, authority, legal basis).
  2. Verification – Confirm the request is valid (court order, subpoena, etc.).
  3. Internal Approval – DPO + Legal sign‑off before any disclosure.
  4. Disclosure – Provide only the data strictly required; keep a copy of what was disclosed.
  5. Record – Maintain a register of all law‑enforcement disclosures for at least 6 years.

We publish an annual Transparency Report (available on our website) that includes:

  • Number of government requests received & complied with.
  • Number of data breaches disclosed.
  • Summary of privacy‑related complaints and resolutions.
  • Statistics on DSARs (requests received, fulfilled, average response time).

24. Contact Information & Supervisory Authorities

Authority Contact Details
Lithuanian Data Protection Authority (VDA) 1 A Maironio g., Vilnius 01128, Lithuania – Tel +370 5 268 5555 – www.ada.lt
Irish Data Protection Commission (for EU‑U.S. DPF transfers) 21 Parnell Square, Dublin 2, Ireland – Tel +353 1 402 8000 – www.dataprotection.ie
California Attorney General 130 Howard St., Sacramento 95814, USA – oag.ca.gov
Virginia Attorney General 202 North Fifth St., Richmond 23219, USA – www.oag.state.va.us
Brazilian National Data Protection Authority (ANPD) Av. Presidente Castelo Branco, 156, Brasília 70297‑900, Brazil – www.gov.br
Colorado Attorney General 1300 Grant St., Denver 80203, USA – coag.gov
Connecticut Attorney General 79 Gurley St., Hartford 06103, USA – portal.ct.gov
Utah Attorney General 350 N State St., Salt Lake City 84114, USA – attorneygeneral.utah.gov

Complaints may be filed directly with the relevant authority; we will cooperate fully.

25. Non-discrimination

We will not discriminate against any data subject for exercising their privacy rights. This includes: no denial of service, no price increase, and no reduction in the quality of the platform.

26. Disclaimer

This Privacy Policy is provided for informational purposes only and does not constitute legal advice. While we strive to comply with all applicable laws, we limit our liability to the maximum extent permitted by law.

27. Version Control

Review Date Version Reviewer Summary of Changes
14 Jan 2026 1.0 DPO (privacy@axiomtrak.com) Initial publication – full “Zero‑Uncertainty” policy.

The policy is reviewed annually or sooner if a material change to processing activities occurs. All revisions are recorded in this table.

Appendix A: LIA Record (Example)

Processing Purpose Necessity Balancing Outcome Mitigations
Aggregated usage analytics Platform optimisation Required to identify performance bottlenecks Legitimate interest overrides Pseudonymisation, opt‑out link, retention ≤12 months

See Section 19 for the full register entry.

Full templates are available in the internal incident‑response repository; excerpts are shown in Section 15.

We thank you for trusting AxiomTrak with your data. If you have any questions about this policy or wish to exercise any of your rights, please contact our Data Protection Officer at privacy@axiomtrak.com.