Privacy Policy

Introduction

THEAX LTD (Company No. 11980590), trading as Axel Up (axel.trade) and A.X.E.L Portal (portal.axel.trade), is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal information when you visit our website or use our services.

We are based at 3 Crompton Street, Bury, United Kingdom, BL9 0AD and operate in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Protection Contact

For all data protection matters, you can contact us at:

• Email: [email protected]
• General inquiries: [email protected]
• Post: Data Protection, THEAX LTD, 3 Crompton Street, Bury, BL9 0AD

Information We Collect

Information You Provide

When you use the project estimator, contact form, or engage our services, we may collect:

• Name and contact details (email address, phone number)
• Company name (if applicable)
• Project details and requirements you share
• Communications between us

Information Collected Automatically

When you visit our website, we may automatically collect:

• IP address and approximate location
• Browser type and device information
• Pages visited and time spent on site
• Referring website

A.X.E.L Portal Data

When you use A.X.E.L Portal services, we collect and process:

• Business data: Leads, quotes, invoices, expenses, timesheets
• Team data: User accounts, roles, permissions, activity logs
• Customer data: Contact details, project information, communication records
• Financial data: Payment information, transaction records, billing details
• Media files: Receipt images stored securely in Cloudflare R2
• Voice recordings: Temporarily processed for speech-to-text, then deleted
• Usage analytics: Feature usage, performance metrics, anonymized behavior patterns

HMRC and CIS Data

If you connect your HMRC Government Gateway account through A.X.E.L Portal, we access and process the following data via the HMRC CIS Deductions API:

• CIS deduction records: Gross amounts paid, materials costs, deduction amounts, and net payments for each tax period
• Contractor details: Contractor names and employer references associated with your CIS deductions
• Subcontractor verification: CIS registration status and deduction rates for subcontractors you verify through HMRC

How we handle HMRC data:

• HMRC data is accessed only when you explicitly initiate a sync or verification action
• We use OAuth 2.0 — we never see or store your Government Gateway login credentials
• Access tokens are encrypted at rest and automatically refreshed; refresh tokens are single-use
• HMRC data is stored in the same encrypted database (Cloudflare D1) as your other business data, scoped to your account
• We submit fraud prevention headers to HMRC as required by law, including your IP address, device information, and browser details
• You can disconnect your HMRC connection at any time from Settings, which revokes our access

Legal basis: We process HMRC data on the basis of contract performance (providing the CIS management features you requested) and legal obligation (CIS record-keeping requirements under the Income Tax Act).

Retention: CIS deduction records are retained for 7 years from the end of the relevant tax year, in line with HMRC record-keeping requirements. HMRC access tokens are deleted when you disconnect.

How We Use Your Information

We use your information to:

• Respond to your enquiries and provide project estimates
• Deliver the services you have engaged
• Send project updates and relevant communications
• Improve our website and services
• Comply with legal obligations

Legal Basis for Processing

We process your data based on:

• Consent: When you submit a contact form or estimator request
• Contract: To fulfil services you have engaged
• Legitimate interests: To improve our services and website
• Legal obligation: For tax and business records

Detailed Lawful Basis

Automated Decision-Making

A.X.E.L Portal uses automated systems and AI to assist with business processes. These include:

AI Lead Scoring

• Automatically evaluates and ranks leads based on conversion likelihood
• Uses factors like response time, project size, and communication patterns
• Helps prioritize follow-up efforts for better business outcomes
• You can review and override all AI scoring decisions

AI Quote Generation

• Suggests quote amounts based on project descriptions and historical data
• Considers industry standards, project complexity, and your pricing patterns
• All AI-generated quotes require human review and approval before sending

Expense Categorization

• Automatically categorizes business expenses from receipt images
• Uses OCR and AI to identify expense types and amounts
• Categorization can be reviewed and corrected at any time

Your Rights: You have the right to request human review of any automated decision and to challenge or override AI recommendations. See our AI Supplementary Terms for more details.

WhatsApp Messaging

We use the WhatsApp Business Platform (provided by Meta Platforms, Inc.) to communicate with customers. When you message us on WhatsApp:

• Your phone number, name, and profile information (as set in your WhatsApp account) are received
• Message content you send (text, images, documents) is processed to respond to your enquiry
• Messages may be handled by automated systems to provide faster responses

WhatsApp messages are processed on the basis of legitimate interest (responding to your enquiry) or consent (when you initiate contact). Messages are retained for up to 2 years from last contact for service continuity, then deleted.

Meta processes WhatsApp data in accordance with their own Privacy Policy. We do not use your WhatsApp data for marketing unless you explicitly opt in.

Data Sharing and Sub-Processors

We do not sell your personal information. We may share data with trusted third-party processors:

• Payment processing: Stripe for billing and subscription management
• Cloud infrastructure: Cloudflare for hosting, CDN, and database services
• AI processing: OpenAI for AI features, ElevenLabs for voice synthesis
• Email services: Resend for transactional emails and notifications
• Analytics: Google Analytics for website usage insights (anonymized)
• Messaging platforms: WhatsApp (Meta Platforms, Inc.) for business communications
• HMRC: HM Revenue & Customs for CIS deduction submissions and verification (when you connect your Government Gateway account)
• Legal requirements: If required by law or court order

For a complete list of sub-processors, their purposes, and data protection measures, see our Sub-Processor List.

International Data Transfers

Some of our sub-processors are located outside the UK and EU. When personal data is transferred internationally, we ensure appropriate safeguards:

Transfer Mechanisms

• Standard Contractual Clauses: Approved by UK and EU authorities for transfers to third countries
• Adequacy decisions: Where the UK has determined adequate data protection exists
• Additional safeguards: Technical measures like encryption, access controls, and audit requirements

Key Transfer Locations

• United States: OpenAI (AI processing), Resend (email), Google (analytics), Meta (WhatsApp)
• Global: Cloudflare (with data residency controls where available)

Data Retention

We retain personal information only as long as necessary for the purposes outlined in this policy. Our detailed retention schedule:

Your Rights

Under UK GDPR, you have the right to:

• Access: Request copies of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data (subject to legal obligations)
• Restriction: Limit how we process your data
• Object: Object to processing based on legitimate interests
• Data portability: Receive your data in structured, machine-readable format
• Withdraw consent: For processing based on consent
• Lodge complaints: With the Information Commissioner's Office (ICO)

Data Portability and Export

A.X.E.L Portal users can export their data in standard formats:

• CSV format: Leads, quotes, invoices, expenses, timesheets
• JSON format: Complete data export including metadata
• PDF reports: Formatted business reports and summaries
• Receipt images: Downloadable via secure links

Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

Data Breach Notification

In the event of a personal data breach:

• Authority notification: We will notify the ICO within 72 hours where required
• Individual notification: We will inform affected individuals without undue delay if the breach poses high risk
• Mitigation measures: We will take immediate steps to contain and remedy any breach
• Transparency: We may publish general information about significant incidents

Security

We implement appropriate technical and organisational measures to protect your data. However, no internet transmission is 100% secure, and we cannot guarantee absolute security.

Changes to This Policy

We may update this policy from time to time. Significant changes will be noted on this page with an updated revision date.