Draxion Privacy Policy

Effective Date: May 13, 2026  ·  Last Updated: May 13, 2026

1. Introduction

Draxion (“Draxion,” “we,” “our,” or “us”) is an enterprise AI governance platform operated by Draxion Inc. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our platform at app.draxion.io, our website at draxion.io, and our browser extension (“Draxion Monitor”).

By using our services, you agree to the practices described in this Privacy Policy. If you are using Draxion on behalf of an organization, you represent that you have the authority to bind that organization to this policy.

2. Information We Collect

2.1 Information You Provide

  • Account information: Name, work email address, organization name, job title
  • Organization information: Company name, industry, size, domain
  • Payment information: Billing address, payment method (processed by Stripe — we do not store card numbers)
  • Communications: Support requests, feedback, and correspondence with us

2.2 Information Collected Automatically — Platform

  • Usage data: Features used, pages visited within the platform, actions taken
  • Detection events: AI tool domains accessed by employees within monitored organizations
  • Device information: Browser type, operating system, IP address, device identifiers
  • Log data: Server logs, error reports, performance data
  • Cookies and similar technologies: Session tokens, authentication cookies, preference data

2.3 Information Collected — Chrome Extension

The Draxion Monitor Chrome extension collects the following data on behalf of the deploying organization:

  • AI tool domain visits: URLs of known AI tool platforms visited (e.g., chat.openai.com, claude.ai). Only visits to a predefined list of approximately 50 known AI tool domains are recorded. Full browsing history is never collected.
  • Employee identity: Name and work email address from the active Draxion session
  • Device name: Hostname of the employee’s device as reported by the browser
  • Timestamps: Date and time of AI tool visits
  • Data volume indicators: Approximate byte count of data transmitted to AI tools (not content)
  • DLP signals: Whether submitted text matched sensitive data patterns (pattern categories only, not the actual text)

The extension does NOT collect:

  • Full browsing history outside AI tool domains
  • Content of AI tool prompts or conversations
  • Passwords or authentication credentials
  • Personal communications (emails, messages)
  • Financial information
  • Precise location data

2.4 Information from Third Parties

  • Identity providers: If your organization uses SSO (Okta, Azure AD, Google Workspace), we receive basic profile information upon authentication
  • Payment processors: Stripe provides transaction confirmation data

3. How We Use Your Information

We use collected information to:

  • Provide the platform: Deliver AI governance monitoring, risk scoring, compliance reports, and all platform features
  • Process detections: Analyze AI tool usage events and generate risk assessments
  • Send alerts and notifications: Email and Slack notifications for policy violations and compliance events
  • Improve our services: Analyze usage patterns to improve platform performance and features
  • Provide customer support: Respond to inquiries and resolve technical issues
  • Ensure security: Detect and prevent unauthorized access, fraud, and abuse
  • Comply with legal obligations: Meet applicable legal requirements and respond to lawful requests
  • Billing and administration: Process payments and manage subscriptions

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases:

  • Contract performance: Processing necessary to deliver our services under our Terms of Service
  • Legitimate interests: Security monitoring, fraud prevention, service improvement — where our interests do not override your rights
  • Legal obligation: Compliance with applicable laws and regulations
  • Consent: Where you have explicitly consented, such as for marketing communications

5. Data Sharing and Disclosure

5.1 Within Your Organization

Detection and governance data collected by the extension is shared with authorized administrators of your organization’s Draxion account. Employees whose AI usage is monitored should be notified by their employer per applicable employment law.

5.2 Service Providers

We share data with trusted service providers who assist in operating our platform:

Provider | Purpose | Data Shared
Supabase | Database hosting | All platform data
Vercel | Application hosting | Usage logs
Clerk | Authentication | Email, name
Stripe | Payment processing | Billing info
Anthropic | AI analysis features | Anonymized content
Resend | Email delivery | Email address
Sentry | Error monitoring | Error logs

All service providers are contractually bound to process data only as instructed and to maintain appropriate security standards.

5.3 Legal Requirements

We may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of Draxion, our users, or others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify affected users prior to data transfer.

5.5 We Do Not Sell Data

We do not sell, rent, or trade personal information to third parties for their marketing purposes.

6. Data Retention

Data Type | Retention Period
Account data | Duration of account + 30 days
Detection events | 30–365 days (org-configurable)
Audit logs | 1–7 years (org-configurable)
Payment records | 7 years (legal requirement)
Support tickets | 3 years
Extension cache | 24 hours locally

Organizations can configure retention periods within the platform up to the maximum stated above.

7. Data Security

We implement industry-standard security measures:

  • Encryption in transit: TLS 1.3 for all data transmission
  • Encryption at rest: AES-256 for database storage
  • Access controls: Role-based access control with principle of least privilege
  • Authentication: Multi-factor authentication support via Clerk
  • Infrastructure: SOC 2-compliant hosting via Vercel and Supabase
  • Monitoring: Continuous security monitoring via Sentry

8. Your Rights

8.1 All Users

  • Access: Request a copy of personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Portability: Request your data in a machine-readable format

8.2 EEA, UK, and Switzerland (GDPR/UK GDPR)

In addition to the above:

  • Object to processing: Object to processing based on legitimate interests
  • Restrict processing: Request we limit how we use your data
  • Withdraw consent: Where processing is based on consent
  • Lodge a complaint: With your local supervisory authority

8.3 California Residents (CCPA/CPRA)

California residents have the right to:

  • Know what personal information is collected
  • Know whether personal information is sold or disclosed
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising CCPA rights

To exercise any of these rights, contact us at: privacy@draxion.io

We will respond within 30 days (45 days for complex requests with notice).

9. International Data Transfers

Draxion operates primarily in the United States. If you are located outside the United States, your data may be transferred to and processed in the United States and other countries.

For transfers from the EEA, UK, or Switzerland, we use:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all sub-processors

Enterprise customers may request region-specific data residency (EU, UK, APAC) for an additional fee.

10. Children’s Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact us immediately at privacy@draxion.io.

11. Cookie Policy

We use the following types of cookies:

Cookie Type | Purpose | Duration
Essential | Authentication, security | Session
Functional | Preferences, settings | 1 year
Analytics | Usage analytics | 2 years

You can control cookies through your browser settings. Disabling essential cookies will prevent you from using the platform.

12. Chrome Extension — Employee Notice

The Draxion Monitor extension is deployed by employers to monitor AI tool usage. If this extension has been installed on your work device by your employer:

  • Your employer has configured Draxion to monitor AI tool usage within your organization
  • Your AI tool activity on work devices may be visible to your organization’s IT and security administrators
  • This monitoring is subject to your employer’s policies and applicable employment law in your jurisdiction
  • For questions about your organization’s monitoring policy, contact your IT department

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy on this page with a new effective date
  • Sending an email notification to account administrators
  • Displaying a notice in the Draxion platform

Continued use of our services after changes constitutes acceptance of the updated policy.

14. Contact Us

Data Controller: Draxion Inc.

Privacy inquiries: privacy@draxion.io

General inquiries: hello@draxion.io

Website: https://draxion.io

© 2026 Draxion Inc. All rights reserved.