Privacy Policy

We collect the minimum data we need to operate, secure, and improve the Service:

• Account data: name, email, password hash, workspace, role, and avatar.
• Billing data: company name, billing address, VAT ID, and the last four digits of your card. Full card numbers are processed by Stripe — we never see or store them.
• Customer content: leads, contacts, messages, notes, and any other data you submit to the Service. You retain ownership of this content at all times.
• Product telemetry: pages visited, features used, errors encountered, and device metadata (browser, OS, IP). Used solely to operate and improve the Service.
• Support communications: emails, chats, and tickets you send us.

We process your data for the following purposes:

• Provide, maintain, and secure the Service.
• Authenticate you, process payments, and prevent fraud or abuse.
• Respond to your support requests and send service-related notices.
• Improve the product, fix bugs, and prioritize features (always in aggregated, de-identified form for analytics).
• Send product updates or marketing communications — only with a clear unsubscribe link, and never to your own customers.

We do not sell your personal data, and we do not use customer content to train AI models.

We use a small number of strictly necessary cookies (for login and security), analytics cookies (to understand feature usage in aggregate), and — with your consent — marketing cookies on our public marketing pages. You can review and manage all categories at any time from our Cookie Policy.

We share data only with vetted subprocessors who help us operate the Service, including:

• Cloud infrastructure (AWS, Cloudflare) — hosting and content delivery.
• Payment processing (Stripe) — billing and subscription management.
• Email and SMS delivery (Postmark, Twilio) — transactional and customer messaging.
• Customer support tooling (Linear, Slack) — handling tickets and product feedback.

Every subprocessor is bound by a data processing agreement that meets or exceeds GDPR requirements. A current list is available on request.

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We enforce least-privilege access internally, require SSO and hardware keys for all employees, run continuous vulnerability scanning, and undergo annual third-party penetration testing. We will notify affected customers of any confirmed personal-data breach within 72 hours of discovery.

Depending on your location, you may have the right to:

• Access, correct, or delete the personal data we hold about you.
• Export your data in a portable format.
• Object to or restrict certain processing activities.
• Withdraw consent at any time where processing relies on it.
• Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email privacy@awenox.com. We respond within 30 days.

For users in the EEA, UK, and Switzerland, Awenox acts as the data controller for account data and as a data processor for customer content. Cross-border transfers are governed by the European Commission's Standard Contractual Clauses (2021) and, where applicable, the UK Addendum and the Swiss FDPIC equivalent. EU customers can opt to host their workspace in our Frankfurt region from Settings → Workspace.

We retain account and customer content for as long as your workspace is active. After cancellation, content is retained for 30 days (for restoration) and then permanently deleted within a further 60 days, except where we are legally required to keep certain records (e.g. tax invoices, for 7 years).

Awenox is not intended for individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us immediately and we will delete it.

If we make material changes, we will notify you at least 30 days before they take effect via email and an in-app banner. Continued use of the Service after the effective date constitutes acceptance of the updated policy.