Privacy Policy
This page reflects the Axora policy suite updated on 30 March 2026. For questions, contact support@axorastack.com or privacy@axorastack.com where applicable.
This PRIVACY POLICY (the “Policy”) describes how Axora, a technology/API brand owned by Axora Payments LLC, Delaware, USA (“Axora”, “we”, “us”, “our”), collects, processes, shares, and protects personal data in the course of providing technology and API infrastructure for financial services. Axora operates as an internal data processor and technology provider across multiple jurisdictions, including the EU, UK, US, and Canada, supporting licensed financial entities and partners.
We are committed to safeguarding the privacy of all data subjects whose personal data is processed by us, including corporate customers, their authorized signers, vendors, prospective clients, and employees/contractors (where applicable) (collectively referred to as “Users”, “Data Subjects”, “you”, your”). Our privacy framework is aligned with GDPR, UK-GDPR, PIPEDA, and CCPA obligations. Where Axora processes data for AML/KYC, transaction monitoring, or fraud-prevention purposes, it does so as a processor on behalf of regulated entities (including Codepulse Innovations Sp. z o.o.) under Article 28 GDPR.
Scope And Applicability
This Policy applies to personal data collected and processed by Axora in relation to the provision of B2B financial infrastructure and API services.
As Axora does not onboard retail customers directly, this Policy focuses on data processed for clients, their representatives, vendors, partners, and staff.
Axora does not intentionally collect consumer data or data relating to minors. All personal data processed by Axora relates to individuals acting in a professional or business capacity.
Personal Data Collected
We Collect The Following Personal Data
Identity/KYC Data - Name, government-issued IDs, proof of address (PoA), proof of beneficial ownership (PoB), and company registration documents. Axora does not intentionally collect any consumer or minor data. All information processed relates to business users, partners, or vendor staff acting in a professional capacity.
Corporate Customer Data - KYB documents, Ultimate Beneficial Owner (UBO) information, authorized signers/signatory details, and sanctions screening results.
Transaction Metadata - Details related to transactions, digital wallet addresses, transaction risk scores.
Contact Details - Email address, phone numbers, business address, communications and support logs.
Usage Logs - API/device logs, limited metadata, and vendor user access data.
Special Category Data - Liveness/biometric templates, only processed by our KYC provider. We do not store raw biometric data.
Data Sources And Collection Channels
We Collect Personal Data Via
Web platforms and onboarding forms, which are filled on behalf of licensed entities.
API integrations facilitated through Axora middleware.
Third-party KYC provider SDKs and verification flows.
Email, support channels, and partner referrals.
Direct provision by clients and their authorized representatives in the course of business.
Purpose And Legal Basis For Processing
We Process Personal Data To
Deliver and manage API and technology services for our clients
Support licensed financial entities with KYC/AML orchestration and compliance operations
Maintain communications with clients, vendors, and partners
Implement transaction monitoring and ensure business security
Comply with applicable legal obligations (AML, sanctions, financial recordkeeping)
Respond to authorized data subject requests and maintain operational oversight
Our Legal Bases Include
Performance of a contract — where processing is necessary to deliver the Services under an agreement with you or your organization;
Compliance with a legal obligation — where processing is required by applicable law, including AML, sanctions, and financial reporting obligations;
Legitimate interests — where processing is necessary for the legitimate interests of Axora or its clients, provided such interests are not overridden by your rights and freedoms. Our legitimate interests include operating and improving our platform, ensuring security and fraud prevention, and maintaining business continuity; and
Consent — where explicitly obtained, including for processing of special category data such as biometric data.
Automated Decision-Making And Profiling
Axora's technology infrastructure facilitates automated transaction monitoring and risk-scoring on behalf of its regulated controller clients. Such processes may produce automated outputs that inform compliance decisions (including transaction flagging or account restriction) made by the relevant licensed entity.
Where such automated processing has legal or similarly significant effects on individuals, the relevant controller (not Axora) is responsible for ensuring compliance with Article 22 GDPR and equivalent provisions, including providing appropriate human review mechanisms. If you are an individual affected by such a decision, please contact the relevant controller or contact us at privacy@axorastack.com and we will direct your query accordingly.
Rights Of Data Subjects
The Data Subjects covered by GDPR, UK-GDPR, and other laws have the following rights regarding their personal data:
Right to access information about processing
Right to rectification for incorrect or incomplete data
Right to erasure (“right to be forgotten”), subject to legal requirements
Right to restrict or object to processing
Right to data portability (where applicable)
Right to withdraw consent at any time (if processing is based on consent)
To exercise any of these rights, please contact privacy@axorastack.com. We will acknowledge your request within five (5) business days and respond within thirty (30) days, subject to identity verification and any applicable legal exceptions. Where Axora acts as a processor, requests will be routed to the relevant controller for handling in accordance with the applicable Data Processing Agreement.
Data Sharing And Transfers
Personal Data May Be Shared With
Licensed financial entities, such as Codepulse Innovations Sp. z o.o., Poland, for regulated service delivery
Group affiliates in USA, Canada, and EU, where necessary
Third-party processors/vendors for specific functions, such as KYC, analytics, custody, banking etc.
Regulatory authorities, in compliance with applicable law
Cross-border transfers of personal data between the EEA or UK and the US, Canada, or other third countries are conducted using legally recognized transfer mechanisms, including Standard Contractual Clauses (SCCs), UK International Data Transfer Addendum, and Transfer Impact Assessments (TIAs) and Data Protection Impact Assessments (DPIAs) where required. Details of applicable transfer mechanisms are available upon request.
Third-Party Processors
Axora engages third-party service providers to deliver compliance, financial infrastructure, and operational support services.
All processors are bound by written Data Processing Agreements (DPAs) that impose strict confidentiality and security obligations. These providers have access to personal data only as necessary to perform their designated functions and are prohibited from using such data for their own purposes.
All processors maintain appropriate technical and organizational security measures and comply with applicable data protection laws. Where processors transfer data internationally, we implement Standard Contractual Clauses (SCCs), UK Addensum, or other appropriate legal mechanisms.
A detailed list of current processors is maintained and available upon request.
Security Measures
Axora employs comprehensive technical and organizational controls commensurate with the risk of the personal data handled, including:
Single sign-on (SSO) and multi-factor authentication (MFA)
Role-based access controls, least privilege principles
Encryption in transit and at rest at vendor level
IP allow-listing, where available
Audit logging and access review across SaaS environments
Incident/breach escalation, which includes immediate containment, log preservation, and preliminary assessments.
Our formal Incident Response Policies are under development.
Security And Breach Notification
Axora implements security measures aligned with standards, including encryption in transit and at rest, MFA, access control, and continuous monitoring. In the event of a personal data breach likely to result in risk to individuals, Axora will notify the controller and, if applicable, the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach.
Data Retention
Personal Data Is Retained According To Interim Schedules
KYC/KYB and AML Records — Retained for eight (8) to ten (10) years following termination of the relevant business relationship, in accordance with EU and Polish AML directives and applicable law;
Transaction Records — Retained for ten (10) years post-completion, to support audit trails, reconciliation, and regulatory reporting;
Client Contracts and Processor Agreements — Retained for the full duration of the engagement plus six (6) years, to evidence Article 28 GDPR compliance;
Incident Response and Breach Records — Retained for five (5) years post-resolution;
Communications and Support Logs — Retained for twenty-four (24) months from last interaction, subject to dispute-related exceptions;
B2B Marketing and Partner Communication Data — Retained until consent withdrawal or a maximum of twenty-four (24) months from last active engagement; and
Website and System Access Logs — Retained for twelve (12) months on a data-minimization basis.
Data subject to a legal hold, regulatory investigation, or active litigation will be preserved until the obligation has fully expired or the matter is formally closed.
Cookies And Analytics
Cookies are small files stored on your device that help us maintain security, manage sessions, and improve our services. Axora uses cookies and similar tracking technologies to enable core platform functionality, enhance user experience, and analyze usage patterns.
We deploy strictly necessary cookies (required for platform operation) and, where applicable, performance and analytics cookies (to understand how users interact with our services). We may also use functional cookies for preferences and third-party cookies for operational purposes. All third-party providers maintain appropriate data protection standards and are bound by DPAs.
You can control cookie usage through your browser settings. Disabling certain cookies may limit access to some platform features. For specific information about the cookies we use, their purpose, and duration, please contact privacy@axorastack.com.
Data Protection Officer (DPO)
Axora engages an external DPO as part of its privacy governance program.
Data subjects may contact sapna.sarda@novapayx.com. for privacy-related queries or to lodge complaints. You also have the right to contact your supervisory authority regarding data protection matters.
Policy Updates
This Policy will be reviewed and updated periodically as our operations and legal requirements evolve.
Significant changes will be communicated to you via the website or direct notifications.
Your continued use of Axora following any update to this Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically to remain informed about how we handle your personal data.
Contact Us
Email - privacy@axorastack.com