Privacy Policy
Last updated: 2026-05-15
This Privacy Policy describes how Apexium ("we", "us", or "Apexium") collects, uses, and shares information when you use our service at apexium.team.
Information we collect
- Account information: name, email address, company name, billing address, and payment method (held by Stripe; we do not store card numbers).
- Customer data you upload: contacts, conversations, deals, and any other records you create or import. We process this data on your behalf as a data processor.
- Usage data: API request volume, feature usage, error logs, IP addresses, and browser/device metadata used for analytics, billing, and abuse prevention.
- Communications: support tickets, in-app messages, and emails you send us.
How we use information
- To provide, operate, and maintain the Apexium service
- To process payments and prevent fraud
- To improve and develop new features
- To communicate with you about your account, support, and product updates
- To comply with legal obligations
Sub-processors (GDPR Article 30)
We share information only with sub-processors strictly necessary to operate the service:
| Sub-processor | Purpose | Jurisdiction |
|---|---|---|
| Supabase | Database hosting + auth + storage | US |
| Vercel | Web application hosting | US |
| Railway | Worker process hosting | US |
| Stripe | Payment processing | US (PCI-compliant) |
| Resend | Transactional email delivery | US |
| AWS SES | Broadcast email delivery | US |
| Twilio | SMS + voice messaging | US |
| Anthropic | AI features (Claude API) | US |
| Sentry | Error monitoring | US |
| Inngest | Async job orchestration | US |
| LiveKit | Voice agent infrastructure | US |
| Upstash | Rate limiting | US (Cloudflare edge) |
We do not sell your data. The list updates as we add or replace sub-processors; customers are notified via email 30 days before any material sub-processor change.
Customer data ownership
You retain ownership of all customer data you upload. We process it solely to provide the service and per your instructions. On account termination we delete your data within 30 days (or earlier on request — see Right to Erasure below).
Security
All data is encrypted at rest and in transit. Tenant isolation is enforced at the database level via Postgres Row Level Security + a per-tenant JWT claim that drives every policy. Independent backup channels protect against data loss. Incident response: see Terms of Service.
Your rights
You can access, export, correct, or delete your data at any time:
- Right to access (GDPR Article 15): workspace settings → Members + Account view
- Right to data portability (GDPR Article 20): admin can request a complete data export (JSON bundle, 7-day signed-URL delivery) via support
- Right to rectification (GDPR Article 16): edit your account info in workspace settings; contact support for corrections beyond self-service
- Right to erasure (GDPR Article 17): email privacy@apexium.team for immediate hard-delete; otherwise 30-day grace period applies via standard termination
- California Consumer Privacy Act (CCPA): California residents may exercise equivalent rights via the same channels; "Do Not Sell My Personal Information" link in footer (we don't sell data; the link is for compliance)
For any GDPR/CCPA/other regulatory request, email privacy@apexium.team. We respond within statutory time limits (typically 30 days for GDPR).
Cookies
Apexium uses cookies in three categories:
- Strictly necessary (always on): authentication session tokens, security enforcement (CSRF protection), referral attribution (apexium_refcookie set when visitors arrive via affiliate links), error tracking (Sentry; no PII transmitted by design — sanitized at the SDK layer).
- Analytics (opt-in via banner): anonymized usage metrics. NOT active at v1; reserved for future analytics integration with consent gating in place.
- Marketing (opt-in via banner): personalized content + ad targeting. NOT active at v1; reserved for future marketing integration with consent gating.
You can manage your cookie preferences via the footer "Manage cookie preferences" link (available on all marketing/public pages).
Data retention
- Active accounts: data retained for the duration of your subscription.
- Soft-deleted workspaces: 30-day grace period for restoration; admin-initiated via support.
- Hard-deleted workspaces: data permanently removed after grace period; audit log entries persist (with NULL tenant reference) for forensic compliance.
- Account-level deletion request: immediate hard-delete on customer request (waives 30-day grace).
- Backup retention: 30 days encrypted backup; rotated.
Changes
We'll notify customers via email at least 30 days before any material change to this policy. Continued use of the service after the effective date constitutes acceptance.
Contact
Questions: privacy@apexium.team
Note: This is a starting-point policy. Before public launch we'll have this document reviewed by counsel for compliance with applicable laws (GDPR, CCPA, etc.) and updated if needed. Tracked as D-C8 in the launch checklist.