Privacy Policy
Last updated: June 7, 2026
This Privacy Policy explains how DEBRUSK s.r.o. ("we", "us", the operator of Axively) collects, uses and protects your personal data when you use the Axively service. We comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679).
1. Data controller
The data controller for your personal data is DEBRUSK s.r.o., Marešova 643/6, Černý Most, 198 00 Praha 9, Czech Republic, ID 09999973. For privacy questions, contact us at privacy@axively.com.
2. What data we collect
Account data: email, name, organisation. We use passwordless e-mail login codes, so we do not store a password.
Scan data: URLs you submit, publicly available HTML content of scanned pages, violation reports.
Usage data: IP address (hashed), user agent, scan volume, billing events.
Payment data: processed by Polar; we never see full card numbers.
3. Legal basis
We process data on three legal bases: (a) contract performance: providing the scans and reports you requested; (b) legitimate interest: fraud prevention, rate limiting and product improvement; (c) legal obligation: tax records and accounting.
4. How long we keep data
Account data: kept for the life of your account; after closure we delete it within 90 days — only data needed to defend legal claims is kept for the 3-year limitation period.
Audit data: within 90 days after account closure, or immediately on request.
Inactive accounts: after 24 months without a sign-in we notify you and then delete or anonymize the account.
Billing and tax records: 10 years (legal obligation).
Logs: 90 days.
5. Where your data is stored
All personal data is stored in the European Union. Our application servers and the PostgreSQL database run on a single dedicated server located in the Czech Republic; we do not use a separate managed database or object-storage provider. No data leaves the EU except transient API calls to our AI provider (OpenAI or Anthropic, USA) to generate fix suggestions from the HTML snippets of the flagged elements.
6. Who we share data with
We use the following processors under GDPR Article 28 contracts: our hosting provider Huko.net (Czech Republic, application servers and PostgreSQL database), OpenAI (active) and Anthropic (standby) (USA, generating and translating accessibility fix suggestions from the HTML snippets of flagged elements), Polar (payment processing) and efik.cz (transactional e-mail delivery). We never sell your data.
7. Your rights
Under GDPR you have the right to access your data, correct inaccurate data, delete your data (right to erasure), restrict processing, receive your data in a portable form (data portability), object to processing, and lodge a complaint with your national data protection authority. To exercise these rights, email privacy@axively.com. We respond within 30 days.
8. Cookies
We use only essential cookies (authentication session, CSRF protection). We do not use advertising or tracking cookies. We do not need a cookie banner for essential-only use.
9. Security
All traffic is encrypted in transit (TLS 1.3). Passwords are never stored in plaintext. Access to production systems is limited to the operator and protected by 2FA. Incidents involving personal data are reported to the relevant DPA within 72 hours.
10. Changes
Material changes to this policy will be announced by email to account holders at least 30 days in advance. The current version is always available at this URL.
Data Protection Officer
For questions on personal data processing, incidents or supervisory authority contacts, reach our DPO at dpo@axively.com.