Privacy Policy
This Privacy Policy explains how Layer Zero Studios ("Layer Zero",
"we", "us") collects, uses, stores, and shares personal information when you
use the AXIS Business Operating System ("AXIS", "the Service") through
dashboard.layerzerostudios.com or related properties.
This document is written to comply with the South African **Protection of
Personal Information Act, 2013 (POPIA)** and the EU **General Data Protection
Regulation (GDPR)** where applicable. **Lawyer review required before
publication.**
1. Who we are
- Operator: Layer Zero Studios
- Data controller: Layer Zero Studios — privacy@layerzerostudios.com
- General contact: hello@layerzerostudios.com
- Site: layerzerostudios.com
Layer Zero Studios is the data controller for personal information processed
through AXIS and is the single point of contact for all privacy and
data-subject-rights queries. For EU customers, the privacy contact above
serves the Data Protection Officer-equivalent role under GDPR Art. 37;
Layer Zero has not formally designated a DPO as processing scale does not
yet require one (GDPR Art. 37(1) thresholds).
2. Personal information we collect
2.1. From you directly
When you sign up for AXIS we collect:
- Your name and email address (account identity)
- Your business name, business type / industry, and country (onboarding intake)
- Your authenticator-app secret if you enable two-factor (stored encrypted)
- Free-text answers to onboarding questions (used to build your business brain)
- Billing details (handled and stored by Polar.sh, not by us)
2.2. Automatically as you use AXIS
- IP address, browser user-agent, and request timestamps (for rate limiting and abuse prevention)
- A request log of which AXIS handlers ran on your behalf and at what cost
- Receipts for every external action AXIS executed on your behalf (provider, status, proof URL)
2.3. From third parties you connect
When you connect Slack, Google, Xero, BTCPay Server, Brevo, or another
integration to AXIS, we receive and store **only what the integration is
authorised to share**, scoped to the operations you opted in to. Examples:
- Slack: team ID, channel list, bot user ID, OAuth refresh token. We do
not read your private messages.
- Google Calendar: events you create or read via AXIS. We do not read
your full calendar history.
- Xero / BTCPay: invoices, bank balances, contact records — only those
needed to compute snapshots and chases.
- Email (IMAP): subject, sender, body, and bank-balance fields parsed
from emails sent to your monitored mailbox.
OAuth refresh tokens are stored in a Supabase Vault entry encrypted with
AES-256, namespaced as `client_{your_client_id}_{provider}`. They are never
written to logs.
2.4. From your customers
If you use AXIS to send communications to your own customers (campaigns,
invoice chases), we process their email address, name, opens, clicks, and
delivery state on your behalf. **You are the responsible party (POPIA) /
data controller (GDPR) for that data; we are the operator / processor.** Our
Data Processing Agreement (DPA) sets out the terms.
3. Why we collect it (lawful basis)
| Purpose | POPIA basis (s11) | GDPR basis (Art. 6) |
|---|---|---|
| Operate AXIS as you have asked us to | Performance of contract | Performance of contract |
| Bill you and prevent fraud | Legitimate interest | Legitimate interest / contract |
| Comply with tax + accounting law (SARS, etc.) | Legal obligation | Legal obligation |
| Send service emails (security, billing) | Performance of contract | Performance of contract |
| Send marketing emails | Consent (you can opt out) | Consent |
| Improve AXIS at the platform level | Legitimate interest, anonymised | Legitimate interest |
We do not sell your personal information. We do not use your data to train
foundation models.
4. AI processing — important
AXIS calls third-party AI providers (Anthropic, Google Gemini, DeepSeek)
on your behalf. When it does:
- The exact text we send is only what is needed for that handler —
e.g. the subject + body of an email when categorising your inbox.
- We send through paid API contracts that prohibit the provider from training
on your data.
- We never send **OAuth tokens, secrets, billing data, or customer payment
details** to a provider.
If any of those guarantees break we will tell you within 72 hours per
POPIA s22 and GDPR Art. 33.
5. Where it lives + who else sees it (sub-processors)
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (Postgres + Vault) | Primary data store + secrets vault | EU (Ireland), US control plane |
| Hostinger | Application server (production VPS) | EU (France) |
| Anthropic | Claude AI calls — primary AI provider | US |
| DeepSeek | AI calls (cost-optimised, sanitised prompts only) | China — see s6 |
| Google (Gemini, Calendar, Workspace if connected) | AI calls + customer-connected integrations | US/Global |
| Brevo (Sendinblue) | Transactional + marketing email + open/click telemetry | EU (France) |
| Polar.sh | Subscription billing + payments | US |
| BetterStack | Uptime monitoring + incident alerting | EU |
| Cloudflare | DNS + DDoS protection + signup-form captcha (Turnstile) | Global |
| Cal.com | Booking and scheduling (when customer integrates) | US |
| Slack | Operator-internal notifications + customer-connected workspaces | US |
We update this list before adding a new sub-processor. If you object,
you may terminate within 30 days.
6. International transfers
If you are outside the country where your data is stored, your data may
cross borders. Specifically:
- United States: Anthropic, Google, Polar.sh. Transfers are made under
EU Standard Contractual Clauses (SCCs) where the customer is in the EU,
and the equivalent POPIA s72 protections (binding corporate rules and
contractual safeguards) where the customer is in South Africa.
- China: DeepSeek. **Layer Zero will not send personal information,
OAuth tokens, secrets, or end-customer payment data to DeepSeek.** Any
prompt routed to DeepSeek is sanitised at the platform layer before
egress. If you do not consent to any DeepSeek processing, you may
request that we disable the provider for your account; we will route
affected handlers to an alternative provider (Claude or Gemini) at no
additional cost.
If your jurisdiction does not permit transfer to a particular
sub-processor, please tell us before subscribing — we may be able to
disable that provider for your account.
7. How long we keep it
| Data | Retention |
|---|---|
| Account profile + business brain | Lifetime of the subscription + 90 days |
| OAuth tokens | Until you disconnect; deleted within 24 hours of disconnect |
| Audit + receipt logs | 7 years (tax + audit obligation) |
| Marketing engagement data | 24 months |
| Anonymised analytics | Indefinite |
After account deletion (s8), we retain only what we legally must (tax records,
audit logs) and only what we have anonymised. The 7-year retention window
runs from the year-end of the financial year in which the record was created.
8. Your rights
Under POPIA s23-25 + s71 / GDPR Art. 15-22 you have the right to:
- Access what we hold (response within 30 days, free of charge)
- Correct anything inaccurate
- Delete your account and all data tied to it (right to erasure)
- Export your data in a portable JSON format
- Object to processing, including direct marketing (POPIA s11(3))
- Object to automated decision-making that has legal or significant
effects on you (POPIA s71 / GDPR Art. 22). AXIS may make automated
recommendations (e.g. flagging an at-risk customer, suggesting a
campaign), but no automated decision is binding without operator
approval. You may request human review of any AXIS decision affecting
you by writing to privacy@layerzerostudios.com.
- Lodge a complaint with the SA Information Regulator
(inforeg@justice.gov.za, +27 12 406 4818) or your EU supervisory
authority
We expose a one-click data export from your AXIS dashboard
(Account → Privacy → Export my data) and a one-click account deletion
(Account → Danger Zone → Delete my account). Both are also available by
email to privacy@layerzerostudios.com.
9. Special categories
We do not knowingly collect:
- Health, sexual-orientation, biometric, genetic, religious, or political data
- Personal information of children under 18 / 13 (POPIA / GDPR thresholds)
If you upload such data via the meeting-notes or knowledge-base import
features, it is processed under your responsibility as the responsible
party / controller.
10. Cookies + tracking
The marketing site (layerzerostudios.com) uses only essential cookies
required for navigation. The dashboard sets a Supabase auth cookie. We do
not use Google Analytics, Facebook Pixel, or any cross-site tracker.
11. Security
- TLS 1.2+ on every endpoint, HSTS enforced (1-year max-age, includeSubDomains)
- HTTP security headers (X-Frame-Options DENY, X-Content-Type-Options nosniff,
Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy)
- Two-factor authentication (TOTP) required on the operator account
- AES-256 encryption at rest in Supabase + Vault
- Row-level security on every multi-tenant table
- Rate limiting at the API edge
- Process-level error capture with operator alerting
We aim to commission an independent security review (penetration test or
external audit) once Layer Zero reaches sustained paying-customer scale.
Our security posture is reviewed internally on each release.
We will tell you within 72 hours of becoming aware of a breach affecting your
personal information, per POPIA s22 / GDPR Art. 33.
12. Changes
We will notify you by email at least 14 days before any material change to
this policy.
13. Contact
Privacy queries: privacy@layerzerostudios.com
Data controller: Layer Zero Studios — privacy@layerzerostudios.com
General: hello@layerzerostudios.com
You may also contact:
- Information Regulator (SA) · inforeg@justice.gov.za
- EU supervisory authority · the one in your country