Privacy Policy

Last updated: March 5, 2026

1. Introduction

AXM Studio (“we,” “us,” or “our”) operates the website at ai.axmstudio.com (the “Platform”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform and Shopify development services.

By accessing or using the Platform, you agree to this Privacy Policy. If you do not agree, please do not use the Platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect the information provided by your authentication method:

  • Google OAuth: Your name, email address, and profile picture as provided by Google.
  • Email & Password: Your email address and a securely hashed password.
  • Shopify SSO: Your Shopify store domain, email address, and associated account information.

2.2 Chat & Project Information

When you interact with our AI consultant, we collect:

  • Chat messages and conversation history (used to scope your project and generate quotes).
  • Project requirements, descriptions, and any files or images you share.
  • Shopify store URLs and collaborator access codes you provide for development work.
  • Feedback and review comments on delivered work, including uploaded images and videos.

2.3 Order & Payment Information

When you approve a quote, we collect order details including service type, scope, and pricing. All payment processing is handled directly by Shopify through their secure checkout. We do not collect, store, or process credit card numbers, bank account details, or other payment credentials on our servers. We only receive confirmation of payment status from Shopify via webhooks.

2.4 Automatically Collected Information

When you visit the Platform, we automatically collect:

  • Usage data: Pages visited, features used, and interaction patterns via Vercel Analytics (privacy-focused, no cookies, GDPR-compliant).
  • Device information: Browser type, operating system, and screen resolution.
  • Log data: IP address, access times, and referring URLs.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Platform and our services.
  • Authenticate your identity and manage your account.
  • Facilitate AI-powered project scoping and quote generation.
  • Process and fulfill your development orders.
  • Communicate with you about orders, deliverables, and support (via email).
  • Send transactional emails (quotes, payment confirmations, delivery notifications, store access requests).
  • Generate AI requirement documents from chat history for our development team.
  • Detect, prevent, and address technical issues and security threats.

4. File Storage

Files you upload (reference materials, feedback attachments) and files we deliver to you (project deliverables) are stored securely using Vercel Blob storage. Files are organized by order ID and are only accessible to you and our team through authenticated endpoints.

5. How We Share Your Information

We do not sell your personal information. We share data only in these circumstances:

  • Service providers: We use third-party services to operate the Platform, including Vercel (hosting and file storage), Google (AI model and authentication), Supabase (database hosting), Resend (transactional emails), Shopify (payment processing and draft orders), and Slack (internal team notifications).
  • Internal notifications: Order-related events (new orders, payments, feedback) trigger internal Slack notifications to our development team. These include your email, order details, and project information.
  • Legal requirements: We may disclose information if required by law, legal process, or government request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred.

6. Cookies & Tracking

The Platform uses minimal cookies:

  • Authentication cookies: Session cookies managed by NextAuth.js to keep you logged in. These are strictly necessary for the Platform to function.
  • Analytics: We use Vercel Analytics, which is cookie-free and does not track individual users across sites. No third-party tracking cookies are used.

We do not use Google Analytics, Facebook Pixel, or similar third-party tracking tools.

7. Data Retention

  • Account data: Retained while your account is active. You may request deletion at any time.
  • Chat history: Retained to support ongoing projects and for reference on follow-up work.
  • Order data: Retained for business records and legal compliance (typically 7 years for financial records).
  • Uploaded files: Deliverables and reference files are retained for the duration of the project plus 90 days. You may request earlier deletion.

8. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • HTTPS encryption for all data in transit.
  • Secure password hashing (bcrypt) for credential-based accounts.
  • HMAC-SHA256 verification for Shopify webhook payloads.
  • Role-based access control for admin functions.
  • Content Security Policy headers to prevent XSS attacks.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 For All Users

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate information.
  • Deletion: Request deletion of your account and associated data.
  • Data portability: Request your data in a machine-readable format.

9.2 For EU/EEA Residents (GDPR)

In addition to the rights above, you have the right to: restrict processing of your data, object to processing based on legitimate interests, withdraw consent at any time, and lodge a complaint with a supervisory authority.

Our legal bases for processing are: contract performance (service delivery), legitimate interests (Platform improvement, security), and consent (where applicable).

9.3 For California Residents (CCPA)

You have the right to: know what personal information is collected and how it is used, request deletion of your personal information, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising your rights.

10. Children's Privacy

The Platform is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

11. Third-Party Links

The Platform may contain links to third-party websites (e.g., Shopify, Google). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated “Last updated” date. Your continued use of the Platform after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at: