Privacy Policy
Last updated: May 5, 2026
0. About This Policy
Staxio ("we", "us") is the data controller for personal data processed in connection with our website and creator-asset submission and review platform (the "Service"). Staxio is operated from Greece, in the European Union. This policy explains what we collect, why, how we protect it, and what rights you have.
Roles. When a Studio (organization) uses Staxio to collect submissions from Creators, Staxio acts as a processor for that Studio with respect to the submission contents — the Studio is the controller of the data its Creators submit. For account-level data (your name, email, billing info, login activity) and for our website analytics, Staxio is the controller.
1. Information We Collect
We collect the following categories of personal data:
- Account data: name, email address, password (hashed), profile picture, organization name and slug, plan, role.
- Billing data: a Stripe customer and subscription identifier, the plan you're on, and the workspace it belongs to. Under Stripe Managed Payments, Stripe acts as the merchant of record and collects card numbers, billing address, country, and any tax IDs (e.g. VAT number) directly from you at checkout — Staxio never sees or stores raw card data and only receives the identifiers needed to associate a transaction with your workspace. Stripe is the independent data controller for that payment-related personal information; their handling of it is governed by the Stripe Privacy Policy.
- Workspace content: forms you create, submissions you receive, comments, files uploaded by Creators, library assets, project metadata, integration settings.
- Creator submission data: data submitted to a Studio through a public form — name, email, files, and any custom fields the Studio defines. This data is collected on behalf of the Studio that owns the form.
- Usage and device data: IP address, browser type and version, operating system, pages viewed, feature interactions, request timestamps. Collected through Vercel Analytics, which reports this data to us in aggregated form without identifying individual visitors.
- Diagnostic data: error reports and stack traces collected by Sentry to help us identify and fix bugs.
- Cookies and similar technologies: see Section 12.
2. How We Use Your Information
We use your information to:
- provide, maintain, and secure the Service;
- create and manage your account, authenticate you, and keep your workspace data isolated;
- process submissions, reviews, comments, and integrations;
- manage subscriptions, reflect their status in your workspace, and apply plan limits. Payment capture, tax calculation, invoicing, and receipts are handled by Stripe under Stripe Managed Payments (see Section 5);
- send transactional emails (account verification, submission updates, billing receipts, deadline reminders, daily digests, system alerts);
- monitor performance and reliability, detect and prevent fraud or abuse;
- improve the Service through analytics on how features are used;
- comply with legal obligations and respond to lawful requests.
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.
3. Legal Basis for Processing (GDPR Article 6)
Where the GDPR or equivalent law applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — for processing strictly necessary to provide the Service to you, including account creation, billing, submission handling, and customer support.
- Legitimate interests (Art. 6(1)(f)) — for security monitoring, abuse prevention, error diagnostics, internal analytics, and improving the Service. We weigh these interests against your rights and freedoms before relying on them.
- Consent (Art. 6(1)(a)) — for any optional processing where consent is required, including any future marketing communications. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — for retaining tax records, responding to lawful requests from authorities, and similar.
4. Data Storage and Security
Your data is stored on Supabase (PostgreSQL with row-level security) and Supabase Storage (private buckets for submission files and library assets; a public-readable bucket for profile avatars only). All data is encrypted in transit with TLS 1.2+ and at rest. We restrict access to production data to a small number of authorized personnel, log administrative actions, and apply the principle of least privilege.
Security measures include: row-level security enforced in the database, role-based access control for team workspaces, signed URLs with short expiry for file downloads, HMAC signing of outbound webhooks so that receivers can verify their origin and integrity, rate limiting on authentication and submission endpoints, and continuous error monitoring through Sentry.
No system is perfectly secure. If you discover a vulnerability, please report it to security@staxio.io.
5. Sub-Processors
We engage the following sub-processors to deliver the Service. Each has its own privacy policy and security measures:
- Supabase — database, authentication, file storage.
- Stripe — payment processing, billing, tax calculation, invoicing, fraud prevention, and dispute handling. Under Stripe Managed Payments, Stripe is the merchant of record for transactions on the Service and an independent data controller for payment-related personal information collected at checkout (card details, billing address, tax IDs, transaction history). For that data, Stripe is not acting as our processor — its terms govern. Stripe also acts as our processor for the limited subscription metadata we send to maintain billing state; the Stripe Data Processing Agreement is auto-incorporated into our Stripe relationship and governs that processing.
- Resend — transactional email delivery.
- Upstash — Redis for rate limiting and caching.
- Vercel — application hosting, edge delivery, anonymous analytics.
- Sentry — error monitoring and stack-trace collection.
We may engage additional sub-processors as the Service evolves. We will notify customers of material changes via email or in-app notification with a reasonable opportunity to object. If you require a Data Processing Agreement (DPA) for your compliance program, contact privacy@staxio.io.
6. International Data Transfers
Several of our sub-processors operate infrastructure outside the European Economic Area (EEA), primarily in the United States. When personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures consistent with the Schrems II decision, so that the data receives an adequate level of protection. For the payment data it controls (see Section 5), Stripe relies on its own transfer mechanisms, described in the Stripe Privacy Policy.
You can request a copy of the relevant transfer mechanism by emailing privacy@staxio.io.
7. Data Retention
We retain your data for as long as your account is active. Once you cancel or ask us to delete it, the following retention periods apply:
- Workspace cancellation: 30 days after access ends, your workspace is permanently deleted. During those 30 days the workspace is read-only — you can still export data or reactivate. You can also trigger immediate deletion from the Danger Zone in your workspace settings.
- Per-user deletion requests (GDPR Article 17): we soft-delete account data immediately and permanently purge it after 90 days. This window allows recovery from accidental requests and accommodates any legal holds.
- Billing records: retained as long as required by Greek and EU tax law (currently 5 years from the end of the relevant fiscal year).
- Backups and operational logs: short-lived encrypted backups are retained on a rolling basis (typically 30 days) for disaster recovery. Operational logs are retained for up to 90 days for security and debugging purposes.
You can request a full data export at any time from your workspace settings (Billing → Data Export) or from the Data & Privacy section of your profile.
8. Data Breach Notification
If we become aware of a personal data breach that affects you, we will notify the competent supervisory authority within 72 hours of becoming aware of it, where required by Article 33 of the GDPR, and we will notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34). Notifications will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address it.
9. Your Rights (GDPR)
Where the GDPR or equivalent law applies, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request deletion of your data (right to erasure);
- request restriction of processing or object to processing based on legitimate interests;
- receive your data in a portable, machine-readable format (right to data portability);
- withdraw consent for any processing based on consent, at any time, without affecting prior lawful processing.
To exercise these rights, use the Data & Privacy section in your profile settings or contact us at privacy@staxio.io. We will respond within one month, extendable by two further months for complex requests as permitted by Article 12(3) of the GDPR.
You also have the right to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr) or with the data protection authority in your country of residence within the EEA.
If your data was submitted to a Studio through a public submission form, that Studio is the controller for the contents of your submission. To exercise rights against the Studio (for example, to ask them to delete your submission), contact the Studio directly. We will assist on reasonable request.
Stripe Link data deletion. If you paid for Staxio through Stripe Link, you can also exercise data-deletion rights directly with Stripe. When Stripe processes such a request, it cancels any active subscription tied to that Stripe customer and deletes the payment-related data from its systems; we are notified through a webhook and immediately clear the cached Stripe identifiers on our side. This path deletes only your payment data. Your Staxio account and any workspaces you own remain, and from the moment of cancellation those workspaces enter the standard 30-day read-only window described in Section 7. To also delete your Staxio account, use the Data & Privacy section in your profile settings or email privacy@staxio.io.
10. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA): the right to know what personal information we collect and how we use it, the right to delete personal information, the right to correct inaccurate information, the right to limit the use of sensitive personal information, and the right to opt out of the "sale" or "sharing" of personal information.
We do not sell or share your personal information as those terms are defined in the CCPA. To exercise California rights, email privacy@staxio.io. We will not discriminate against you for exercising any of these rights.
11. Automated Decision-Making
Staxio does not engage in automated decision-making or profiling that produces legal or similarly significant effects on users (within the meaning of Article 22 of the GDPR). Decisions about your submissions, your account, or your subscription are made by you and by your workspace's human administrators.
13. Children's Privacy
Staxio is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to Staxio, contact privacy@staxio.io and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 30 days before they take effect, and we will update the "Last updated" date at the top of this page. Continued use of the Service after a change becomes effective constitutes acceptance.
15. Contact Us
For privacy questions or to exercise your rights, contact us at privacy@staxio.io. For security reports, use security@staxio.io. For other inquiries, use contact@staxio.io.