Privacy Policy
Last updated: May 28, 2026
1. Introduction
Axiomatic Financial, Inc. (“Axiomatic,” “we,” “our,” or “us”) operates the Axiomatic platform at axiomatic.financial and app.axiomatic.financial (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service. It should be read together with our Terms of Service.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and authentication credentials. If you purchase prepaid credits or other paid offerings, we collect billing information through our payment processor, Stripe.
Financial Data
You may upload or enter financial data including transactions, journal entries, account balances, and related information. This data is encrypted at rest using AES-256-GCM with entity-specific data encryption keys.
Luca and AI inputs
When you use Luca or other AI-assisted features, we process the prompts you submit, conversation content, optional file attachments you provide for analysis, and limited contextual data from the Service needed to respond (for example, identifiers and metadata required to run tools within your permissions). Saved chat threads may be stored in your tenant environment like other application data.
Usage Data
We automatically collect information about how you interact with the Service, including transaction counts, proof generation events, API call volume, AI assistant usage for metering and billing, and aggregated feature usage. We use this data to operate the Service, enforce limits, invoice or debit credits, and understand reliability and adoption—we do not use this activity to train machine learning models on the content of your financial records or Luca conversations (see Section 4).
Technical Data
We collect standard technical information such as IP address, browser type, device information, and access timestamps for security and operational purposes.
We also use cookies and similar technologies for site operation and, where permitted, analytics. See our Cookie Policy for details and consent options.
Sales inquiries and contact form
When you submit our contact form or book a call about onboarding, we collect the information you provide — including your name, work email, company name and website, role, industry, company size, annual revenue band, entity count, current accounting and tooling stack, timeline, and any free-text message — and use it to qualify and respond to your inquiry. Personal fields (name, email, message) are encrypted at rest in our internal systems. We also record standard request metadata (IP address, user-agent, referrer, and UTM parameters) to attribute the lead and prevent abuse.
Sales-relevant submissions are loaded into our internal CRM — the same Axiomatic instance customers use — so our team can follow up. If you check the “send me product updates” box, your email is also added to our Resend marketing audience; every email contains a one-click unsubscribe link, and you can opt out at any time. We never sell or share contact-form data with third parties for their own marketing.
You can request deletion of any contact-form submission by emailing privacy@axiomatic.financial.
3. How We Use Your Information
- To provide, maintain, and secure the Service
- To process transactions, meter usage, and manage billing and credits
- To operate Luca and other AI features you invoke, including sending necessary inputs to model providers solely to generate responses for your session
- To generate zero-knowledge proofs over your financial data when you use those features
- To send service-related communications
- To detect and prevent fraud, abuse, or security incidents
- To comply with legal obligations
4. Luca, AI, and model providers
No training on your data for our models. We do not use your personal information, financial data, or Luca conversations to train generalized machine learning models for our own products.
Third-party inference. We use commercial AI model providers (for example, large language model APIs) to power natural-language features. Those providers receive prompts and related context needed to produce a response. Their processing is governed by our agreements with them and their published policies. We configure available business-appropriate settings where the provider offers them.
For a current list of key subprocessors relevant to hosting and AI inference, contact privacy@axiomatic.financial. The same commitments in this Section are reflected in substance in our Terms of Service regarding Luca.
5. Zero-Knowledge Proofs and Privacy
A core feature of Axiomatic is the generation of zero-knowledge proofs (ZK proofs) over your financial data. ZK proofs allow you to demonstrate the correctness of financial statements without revealing the underlying transaction data. When you share a proof with a third party, they can verify the mathematical correctness of your statements without accessing your raw financial data.
ZK proofs are generated on our infrastructure. Your financial data is encrypted at rest and only decrypted in memory during proof computation. We do not share your raw financial data with any third party unless you explicitly authorize it through the bilateral counterparty protocol.
6. Data Encryption
All financial data is encrypted using AES-256-GCM with unique data encryption keys (DEKs) per entity. DEKs are themselves encrypted with key-encryption keys (KEKs) derived from a master key. Data is encrypted at rest and in transit (TLS 1.3).
7. Connected third-party services
The Service can connect to external systems you authorize — for example accounting software, bank feeds, email, and payment providers. You choose whether to connect each integration and which entity it applies to. This section describes how we handle data when you enable those connections.
Authorization and storage
When you connect a third-party service, we store OAuth access and refresh tokens (or equivalent API credentials), connection metadata such as company or account identifiers, and configuration you set in the Service. Credentials are encrypted at rest in your tenant environment using the same entity-specific encryption described in Section 6. We use tokens only to perform actions you request — such as importing a chart of accounts, syncing transactions, or sending email on your behalf.
You can disconnect an integration from the connection screen for that service — for example Settings → Email or Ads → Ad accounts for Google connections, or Settings → Integrations for other connectors. When you disconnect, we stop using that connection for new sync operations. Revoke access in the third-party service as well when their product provides that control.
Gmail (Google)
If you connect Gmail, an authorized user of your organization completes Google's OAuth consent flow for the Axiomatic application. We receive and store an OAuth access token, refresh token, and granted scope list so the Service can call the Gmail API on your behalf for the features you enable.
Depending on the scopes you approve and the features you use, we may:
- Read your inbox (gmail.readonly) — sync inbound messages into the Service's email inbox for classification, proposed receipt extraction, and task suggestions you review before posting to your ledger.
- Send email (gmail.send) — send outbound messages from CRM, invoicing, and other workflows using your connected Gmail address when you choose Send.
- Update processed threads (gmail.modify) — after you process a message in our inbox UI, apply a Gmail label (for example “Axiomatic/Processed”) to that thread so triaged mail is visible in Gmail.
Synced message metadata and content needed for these features are stored in your tenant database with application-layer encryption. We use Gmail data only to provide or improve the user-facing email and CRM features described above. We do not sell Gmail data, use it for advertising or retargeting, transfer it to data brokers, use it to determine creditworthiness, or use it to train machine learning models. Our personnel do not read your Gmail content except where you explicitly request support for specific messages, where necessary for security or abuse investigation, or where required by law.
Each organization connects its own Gmail mailbox; connections are not shared across tenants. Google's collection and use of information during OAuth and within Gmail is governed by Google's Privacy Policy and the Google API Services User Data Policy. Questions about Axiomatic's handling of Gmail connection data may be sent to privacy@axiomatic.financial.
Google Ads (Google)
If you connect Google Ads, an authorized user completes Google's OAuth consent flow for the Axiomatic application. We receive and store an OAuth access token, refresh token, and related connection metadata so the Service can call the Google Ads API on your behalf.
Depending on the features you use, we may read Google Ads account, campaign, and daily performance data — including spend, clicks, impressions, and conversions — to display reporting in the Ads module and to import advertising expense into your ledger. We do not resell Google Ads data, use it for advertising or retargeting outside the Service, or use it to train machine learning models. Campaign creation and bidding remain in Google Ads; our integration is focused on sync and accounting visibility.
Imported metrics and connection credentials are stored in your tenant database with application-layer encryption. Each organization connects its own Google Ads accounts. Google's policies govern OAuth and data within Google Ads; see Google's Privacy Policy. Questions about Axiomatic's handling of Google Ads connection data may be sent to privacy@axiomatic.financial.
QuickBooks Online (Intuit)
If you connect QuickBooks Online, an authorized administrator of your QuickBooks company completes Intuit's OAuth consent flow for the Axiomatic application. We receive and store an access token, refresh token, and QuickBooks company identifier (realm ID) so the Service can call Intuit's accounting API on your behalf.
Depending on the features you use, we may read or write accounting data in QuickBooks Online, including chart of accounts, trial balance and opening balances for migration, customers, vendors, invoices, bills, payments, journal entries, and related metadata needed to map that data into your Axiomatic ledger. Imported data is stored in your tenant database with application-layer encryption. We do not sell QuickBooks data or use it to train machine learning models.
Intuit's collection and use of information during OAuth and within QuickBooks Online is governed by Intuit's Privacy Policy. Questions about Axiomatic's handling of QuickBooks connection data may be sent to privacy@axiomatic.financial.
Other integrations
Bank connectivity (for example Plaid), outbound email through Resend, card and treasury providers, and other connectors follow the same authorization and encryption pattern described above: you authorize the connection, we store encrypted credentials and sync only the data needed for the feature you enabled. Provider-specific subprocessors and scopes are disclosed in-product when you connect. For a current list, contact privacy@axiomatic.financial.
8. Data Sharing
We do not sell your personal information. We may share information with:
- Service Providers: Stripe (payments), Neon (database hosting), Vercel (application hosting), Resend (email), and AI inference providers (for example, large language model APIs used by Luca). These providers are bound by their own privacy policies and, where applicable, data processing agreements with us.
- Bilateral Counterparties: When you initiate or accept a bilateral proposal, limited transition data is shared with the specified counterparty entity as part of the protocol.
- Legal Compliance: When required by law, subpoena, or regulatory requirement.
9. Data Retention
We retain your data for as long as your account and organizations are active. When you close an organization from Admin → Data & privacy, team access ends immediately. You can export organization data for 30 days after closure. Recoverable data is cryptographically destroyed by day 30; the isolated database is removed by day 90. Some billing and audit records may be retained longer where required by law.
Luca conversation history stored in the Service follows the same retention approach as your other tenant data unless a shorter deletion period is offered in-product.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your personal information
- Export your data in a portable format
- Object to or restrict processing of your information
- Withdraw consent where processing is based on consent
Export and organization closure are available in the product under Admin → Data & privacy. Account deletion is under Settings → Profile. To exercise rights by email or through an authorized agent, contact privacy@axiomatic.financial.
We will verify your request and respond within legally required timelines. You may also designate an authorized agent where permitted by law.
11. Regional privacy notices
Depending on your jurisdiction, Axiomatic may act as a controller or processor of personal data. For U.S. state privacy laws (including CCPA/CPRA), you may request access, deletion, correction, and data portability and may opt out of certain data sharing where applicable.
For data originating outside the United States, we use contractual and technical safeguards for cross-border transfers. Contact privacy@axiomatic.financial for transfer-mechanism details relevant to your account.
12. Security
We implement industry-standard security measures including encryption at rest and in transit, role-based access controls, key rotation without downtime, and regular security reviews. No system is perfectly secure, and we cannot guarantee absolute security.
For additional controls and regulatory-risk disclosures, see Security and Compliance Disclosures.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least thirty (30) days before they take effect. Continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact
If you have questions about this Privacy Policy, contact us at privacy@axiomatic.financial.
For compliance-related escalation, contact compliance@axiomatic.financial.