Privacy Policy

Effective date: 22 March 2026

APEX Automata ("Company", "we", "us", "our") is committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive 2002/58/EC, and all applicable data protection laws within the European Economic Area ("EEA").

This Privacy Policy explains how we collect, use, store, and share personal data when you visit our website, use our platform-as-a-service ("Platform"), or otherwise interact with us.

1. Data Controller

The data controller for the processing activities described in this Privacy Policy is:

APEX Automata
Email: privacy@apex-automata.com
Website: apex-automata.com

2. Our Dual Role — Controller and Processor

As Data Controller: We act as data controller when we collect and process personal data for our own purposes, such as managing your account, processing payments, communicating with you, operating our website, and improving our services. This Privacy Policy governs these processing activities.

As Data Processor: When our Customers use the Platform to process personal data of their own end users, employees, or other data subjects, we act as a data processor on behalf of the Customer (the data controller). In this capacity, we process personal data solely in accordance with the Customer's documented instructions and the applicable Data Processing Agreement (DPA). If you are an end user of a Customer's solution deployed on our Platform, please contact the Customer directly regarding their privacy practices.

3. Personal Data We Collect

3.1. Data you provide directly:

  • Account registration data: name, email address, company name, job title, phone number, billing address.
  • Payment data: payment method details (processed by our payment processor; we do not store full payment card numbers).
  • Communications: content of emails, contact form submissions, support requests, and any other communications with us.
  • Profile data: preferences, settings, and configuration choices within the Platform.

3.2. Data collected automatically:

  • Usage data: pages visited, features used, actions taken within the Platform, session duration, click patterns, scroll depth, and interaction data.
  • Device and technical data: IP address, browser type and version, operating system, device type, screen resolution, language preferences, referring URL, and unique device identifiers.
  • Log data: server logs including access times, error logs, and API call metadata.
  • Cookie and tracking data: information collected through cookies, pixels, web beacons, and similar technologies as described in our Cookie Policy.
  • Location data: approximate geographic location derived from IP address.

3.3. Data from third parties:

  • Authentication providers: data received when you sign in using Microsoft Entra ID or other identity providers (name, email, organizational affiliation).
  • Analytics and advertising partners: aggregated and individual-level data about your interactions with our marketing materials and advertising campaigns.
  • Publicly available sources: business contact information from public registries, company websites, and professional networking platforms.

4. Purposes and Legal Bases for Processing

We process personal data for the following purposes and legal bases under Article 6(1) GDPR:

  • Performance of contract (Art. 6(1)(b)): account creation and management, provision of the Platform, processing payments, providing customer support, workspace provisioning, and service communications.
  • Legitimate interests (Art. 6(1)(f)): improving and optimizing the Platform and website, analytics and usage analysis, preventing fraud and ensuring security, direct marketing to existing customers (with opt-out), enforcing our Terms of Service, and protecting our legal rights.
  • Consent (Art. 6(1)(a)): marketing communications to prospective customers, placement of non-essential cookies and tracking technologies, processing for advertising and remarketing purposes, and any other processing for which we have obtained your explicit consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Art. 6(1)(c)): compliance with tax, accounting, and financial regulations, responding to lawful requests from public authorities, and retention of data as required by applicable law.

5. Data Sharing and Recipients

We may share personal data with the following categories of recipients:

  • Infrastructure providers: cloud hosting providers (Microsoft Azure) for Platform operation, with all data processed within the EEA.
  • AI model providers: third-party AI model providers (e.g., OpenAI, Anthropic, Google) solely to process Customer-initiated requests. By default, these providers are contractually prohibited from using Customer Data for model training. Customers may explicitly opt in to model fine-tuning or training on their data through a Platform setting or written consent.
  • Payment processors: for processing subscription payments.
  • Analytics and marketing tools: providers of analytics, advertising, session recording, and marketing automation services, as described in our Cookie Policy.
  • Professional advisors: lawyers, accountants, auditors, and insurers where necessary.
  • Law enforcement and regulators: where required by applicable law, regulation, or legal process.
  • Corporate transactions: in connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations.

We do not sell personal data.

6. International Transfers

6.1. Customer Data is processed and stored exclusively within the EEA. Our primary infrastructure is hosted on Microsoft Azure in EU data centers.

6.2. Certain third-party service providers (analytics, marketing, AI model providers) may process limited personal data outside the EEA. Where such transfers occur, we ensure appropriate safeguards are in place, including: (a) European Commission adequacy decisions; (b) Standard Contractual Clauses (SCCs) approved by the European Commission; (c) binding corporate rules of the recipient; (d) other lawful transfer mechanisms under Chapter V GDPR.

6.3. You may request information about the specific safeguards applied to any international transfer by contacting us at privacy@apex-automata.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law:

  • Account data: retained for the duration of the Customer relationship and for 30 days after account termination (to enable data export), after which it is securely deleted.
  • Customer Data (processor role): retained in accordance with the Customer's instructions and the applicable DPA. Deleted within 30 days of termination unless the Customer requests earlier deletion.
  • Billing and transaction data: retained for the period required by applicable tax and accounting regulations (typically 10 years).
  • Marketing data: retained until you withdraw consent or opt out.
  • Log and analytics data: retained for up to 26 months.
  • Cookie data: retained in accordance with the retention periods specified in our Cookie Policy.

8. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): request that we restrict processing of your personal data in certain circumstances.
  • Right to data portability (Art. 20): receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3)): withdraw consent at any time for processing based on consent.
  • Right to lodge a complaint: file a complaint with a supervisory authority in the EEA member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise your rights, contact us at privacy@apex-automata.com. We will respond within 30 days in accordance with Article 12(3) GDPR.

9. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including: encryption in transit (TLS 1.2+) and at rest, multi-tenant workspace isolation with strict access controls, regular security assessments and penetration testing, access logging and audit trails, employee access controls on a need-to-know basis, and incident response procedures.

10. Data Protection Officer

For questions about data protection or to exercise your rights, contact our data protection team at privacy@apex-automata.com.

11. Children's Privacy

The Platform is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you at least 30 days before they take effect, via email or in-Platform notification. The "Effective date" at the top of this policy indicates when it was last updated.

13. Contact Us

For any questions or concerns about this Privacy Policy or our data practices, contact us at:

APEX Automata
Email: privacy@apex-automata.com
Website: apex-automata.com