Privacy Policy

Last updated: 7 April 2026

This Privacy Policy describes how SOFTASY – Digital Thrill (“we”, “us”) processes personal data when you use the AKOX AI website, dashboard, and related services (the “Service”). We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (“GDPR”) and applicable Romanian law.

1. Data controller

The controller of your personal data is SOFTASY – Digital Thrill, operating the AKOX AI brand. Contact details are published on our website and in the Service (e.g. support email). For data protection requests, use the same channel or the contact indicated in our GDPR information page.

2. Categories of personal data

Depending on how you use the Service, we may process:

• Account and identity: name, email address, authentication identifiers (including from Google OAuth if you choose it), profile details;
• Organisation and workspace: company/workspace name, role, invitations, team membership;
• Service usage and content: brand settings (e.g. colours, fonts, prompts), tasks, posts, schedules, channel connections, generated or uploaded media metadata and storage references;
• AI interactions: prompts, instructions, and outputs processed by our systems to provide generation features;
• Technical data: IP address, device/browser type, logs, timestamps, security signals;
• Billing: where applicable, billing contact, plan, payment status; payment card data is handled by our payment provider (e.g. Stripe), not stored on our servers;
• Communications: messages you send to support.

3. Purposes and legal bases (GDPR)

We process data for:

• Providing the Service — performance of a contract (Art. 6(1)(b) GDPR);
• Security, abuse prevention, and legal compliance — legitimate interests and/or legal obligation (Art. 6(1)(c) and (f));
• Analytics and product improvement — legitimate interests, where not overridden by your rights;
• Marketing — only with your consent where required (Art. 6(1)(a));
• Cookies — as described in our Cookie Policy.

4. AI processing

When you use AI features, your prompts and related context may be sent to or processed by our backend systems and, where applicable, third-party model providers configured for the Service. We implement the Service to minimise unnecessary retention of prompts. You should not submit special categories of data (e.g. health, political opinions) unless strictly necessary and lawful; avoid including third-party personal data without a valid basis.

5. Recipients and subprocessors

We use trusted infrastructure and service providers, including for example:

• Supabase — authentication, database hosting, and serverless functions (typically EU or configured regions);
• Stripe — payment processing where you subscribe to paid plans;
• Cloudflare R2 (or compatible object storage) — storage of brand assets and media you upload;
• Meta / Facebook — only when you connect your account for publishing, subject to OAuth permissions you grant;
• Email providers (e.g. for transactional or invite emails).

These providers process data on our instructions and under data processing terms. Their privacy notices apply to their own portals where relevant.

6. International transfers

Where data is transferred outside the European Economic Area, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions, as required by GDPR Chapter V.

7. Retention

We retain personal data only as long as necessary for the purposes above: for the lifetime of your account and a reasonable period thereafter for backups, legal claims, or compliance; shorter retention may apply to logs. Upon deletion of your account, we will delete or anonymise data subject to legal retention requirements.

8. Security

We implement technical and organisational measures appropriate to the risk (encryption in transit, access controls, RLS on databases where applicable). No method of transmission over the Internet is 100% secure.

9. Your rights

Under GDPR, you may have the right to access, rectify, erase, restrict processing, data portability, and object, as well as to withdraw consent where processing is consent-based. You may lodge a complaint with a supervisory authority. See our GDPR page for details.

10. Children

The Service is not directed at individuals under 16. We do not knowingly collect children’s data.

11. Changes

We may update this Privacy Policy by posting a new version and changing the “Last updated” date.

12. Contact

For privacy requests, contact us via the support or legal email shown on our website or in the Service.

This policy is provided for transparency. It does not constitute legal advice. A qualified professional can help interpret obligations for your organisation.