Privacy Policy
Last updated: May 23, 2026
This Privacy Policy explains how Axiora ("we", "us") collects, uses, and protects personal data when you visit our website, create an account, and use our API, MCP server, SDKs, and dashboard (the "Service").
Axiora provides structured financial data about publicly listed Japanese companies, sourced from public regulatory filings (EDINET, operated by Japan's Financial Services Agency). That product data describes public companies. It is not your personal data. This policy concerns the limited personal data we process to operate the Service and your account, for which we act as the data controller.
01Information we collect
We collect the following categories of personal data:
- Account data: your email address, and your name if you provide one. If you sign in with GitHub or Google, we receive basic profile information (name, email, avatar) from that provider.
- Authentication data: credentials and session identifiers managed by our authentication provider. We never store plaintext passwords.
- API key metadata: when you create an API key we store a label, a non-secret key prefix, a hash of the key, and the associated plan tier. The full secret key is shown once at creation and is not stored in recoverable form.
- Billing data: if you subscribe to a paid plan, payments are processed by Stripe. We store your plan tier and Stripe customer and subscription identifiers; we do not store full card numbers.
- Usage data: metadata about API and dashboard requests, such as timestamps, endpoints called, the API key used, IP address, and rate-limit counters.
- Communications: the content of messages you send us, for example by email.
02How we use personal data
We use personal data to:
- Provide, operate, and maintain the Service and your account;
- Authenticate you and secure your account;
- Process payments and manage subscriptions;
- Enforce rate limits, prevent abuse, and protect the security and integrity of the Service;
- Monitor reliability and improve our products;
- Communicate with you about your account, security, and service changes; and
- Comply with legal obligations, such as tax and accounting requirements.
03Legal bases (EU/UK)
Where the EU or UK GDPR applies, we rely on the following legal bases: performance of our contract with you (to provide the Service); our legitimate interests (security, abuse prevention, and improving the Service); your consent (where required); and compliance with legal obligations.
04Cookies
We use only the cookies necessary to run the Service. These include session and authentication cookies set by our authentication provider to keep you signed in, and a NEXT_LOCALE cookie that remembers your language preference.
We do not use advertising cookies or third-party tracking or analytics cookies.
05How we share personal data
We do not sell personal data. We share personal data only with service providers (processors) who help us run the Service, and only as needed:
- Supabase: authentication and database hosting (account and API key data);
- Vercel: website and frontend hosting, including request logs;
- Google Cloud: API backend hosting (Cloud Run), including request logs;
- Stripe: payment processing for paid plans;
- GitHub and Google: only if you choose to sign in with them;
- Email delivery: transactional emails such as sign-in links, password resets, and confirmations.
06International data transfers
Axiora operates from Japan, and our service providers may process personal data in countries outside your own, including the United States and the European Union. These countries may have different data protection laws than your jurisdiction.
Where required, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, for international transfers of personal data.
07Data retention
We keep account data for as long as your account is active. After you close your account, we delete or anonymize personal data within a reasonable period, except where we must retain it to comply with legal obligations (for example, billing and tax records) or to resolve disputes and enforce our agreements.
Request and usage logs are kept for a limited period for security and reliability purposes.
08Security
We protect personal data using encryption in transit, hashing of credentials and API keys, access controls, and other technical and organizational measures. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident.
09Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your personal data;
- Export your data in a portable format;
- Object to or restrict certain processing; and
- Withdraw consent where processing is based on consent.
10Exercising your rights
These rights apply under Japan's Act on the Protection of Personal Information (APPI) and, for individuals in the EU or UK, the GDPR. To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with your local data protection authority.
11Children's privacy
The Service is intended for businesses and professional users and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
12Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice on the Service. The "last updated" date below the title shows when the policy was last revised.
13Contact
If you have questions about this Privacy Policy or how we handle personal data, contact us at [email protected]. Axiora is the data controller responsible for your personal data.