
Privacy Policy

Effective 15 May 2026 · plain-English summary above each clause; the binding terms are the clauses themselves.

This policy explains what data Apexkit collects, why we collect it, where it lives, and the rights you have over it. We're a UK-based company subject to the UK GDPR and the EU GDPR for European users.

01 Who's the data controller?

Apexkit Ltd, registered in England & Wales, is the data controller for personal data processed via Apexkit.

Reach our privacy contact at privacy@apexkit.pro.

02 What we collect

Three categories of data, each for a specific purpose:

  • Account data — email, optional name, optional avatar URL, password hash (managed by Clerk on our behalf). We use this to authenticate you and contact you about your account.
  • Billing data — Stripe customer ID, subscription state, invoice history, country + VAT ID for tax compliance. Card numbers never touch our servers; Stripe processes them directly.
  • Usage data — which tool you ran, when, how many bytes / tokens it consumed, and whether it succeeded. We use this to enforce tier limits, bill fairly, and decide which tools to invest in. We do not store the content of your inputs in this usage log.

We also drop a small number of technical cookies (see /cookies). We do not run advertising-tracking cookies on the marketing site.

03 Uploads & tool inputs

Files and text you upload to a tool are processed for the requested action, then handled according to the lifecycle below. We do not train AI models on your inputs.

  • Free tier: uploads auto-delete after 24 hours.
  • Paid tiers: uploads auto-delete after 7 days, or stay indefinitely if you tag a file as “saved.”
  • Browser-side tools (PDF Compress, PDF Merge, Image Compressor, JSON Formatter, QR Code, Regex Tester, PDF text extraction for Summarizer and Chat-with-PDF) process content entirely in your browser. The file never reaches our servers — only an anonymous usage event does.
  • Server-side AI tools (AI Summarizer, Resume Tailor, Cover Letter, Background Remover, AI Headshot, Subtitle Generator) send the relevant text or file to a model provider (OpenAI, Replicate). See “Sub-processors” below for what each provider does with the data.

04 Lawful bases (GDPR Art. 6)

We rely on different bases for different purposes:

  • Contract (Art. 6(1)(b)) — providing you the service you signed up for: account, billing, tool processing.
  • Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, product improvement via aggregate usage stats.
  • Legal obligation (Art. 6(1)(c)) — tax records, financial reporting, complying with a valid legal order.
  • Consent (Art. 6(1)(a)) — marketing emails outside of essential service messages. You can withdraw consent at any time.

05 Where data lives

Primary data residency is UK & EU:

  • App + DB: Azure Container Apps + Supabase Postgres (UK South / EU regions).
  • File uploads: Cloudflare R2 (EU region).
  • Auth: Clerk (US-based; sub-processor — see below).
  • Payments: Stripe (US/IE).
  • Transactional email: Resend (US-based; appropriate safeguards in place).
  • AI inference: OpenAI (US), Replicate (US).

Where data leaves the UK / EEA, we rely on the UK's International Data Transfer Agreement or the EU's Standard Contractual Clauses, plus the provider's own supplementary measures (encryption in transit + at rest, role-restricted access).

06 Sub-processors

We use these providers to deliver the service. Each is contractually obligated to handle data per our instructions:

  • Microsoft Azure — hosting (UK South region).
  • Supabase — Postgres database (EU region).
  • Cloudflare — R2 storage + DNS (EU).
  • Clerk — authentication.
  • Stripe — payments + tax.
  • Resend — transactional email.
  • OpenAI — GPT-4o-mini for AI text tools + Whisper for transcription. Inputs are not used to train OpenAI models (per their API terms).
  • Replicate — image models (background removal, photo restoration, AI headshot). Inputs are deleted from Replicate's servers within 1 hour of processing.
  • Upstash — Redis for rate-limit counters (EU region).
  • Sentry — error tracking (EU region). User identifiers in stack traces are pseudonymised.
  • Plausible — privacy-friendly analytics (no cookies, no personal identifiers).

07 Retention

We hold data only as long as we need it:

  • Account data: until you delete your account, plus 30 days for backup expiry.
  • Billing data: 7 years from the last invoice (UK tax retention requirements).
  • Usage events: 13 months (rolling) for analytics + tier auditing.
  • Uploads: 24h / 7d auto-delete as described under “Uploads.”
  • Audit log: 24 months for security investigations.

08 Your rights

Under UK / EU GDPR you can request: access to your data, correction, erasure (“right to be forgotten”), restriction of processing, objection to processing carried out on the legitimate-interests basis, and data portability. To exercise any of these, email privacy@apexkit.pro — we respond within one month.

You also have the right to complain to a supervisory authority. In the UK that's the Information Commissioner's Office (ICO); in the EU it's the data protection authority in your country of residence.

09 Security

We use TLS 1.3 in transit, encryption at rest for all stored data, signed + rotated secrets, time-bounded signed URLs for file access, and role-restricted production access. Webhooks are verified via cryptographic signatures (svix for Clerk, HMAC for Stripe).

If we ever experience a personal-data breach that may risk your rights, we'll notify you and the relevant supervisory authority within 72 hours, per GDPR Article 33.

10 Children's privacy

Apexkit is not directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe a child has created an account, please email privacy@apexkit.pro.

11 Changes to this policy

Material changes are notified by email and shown as a banner inside the app at least 30 days before they take effect. Minor clarifications (typos, structural edits) are made without notice; the “Effective date” at the top always reflects the current version.

Data Protection Officer queries: privacy@apexkit.pro. The UK's Information Commissioner's Office (ICO) is the supervisory authority: ico.org.uk.