← All posts 20 min read

Privacy Policy — AxonFlow

AxonFlow is a source-available runtime control layer for production AI systems.

Privacy Policy

Last updated: May 9, 2026

This policy applies to AxonFlow Plugin Pro, the AxonFlow telemetry heartbeat, the Community SaaS endpoint, and the AxonFlow marketing and documentation websites.

Overview

AxonFlow is a self-hosted platform. Your data stays on your infrastructure. We do not operate a cloud service for primary use, and we do not have access to your data, policies, audit logs, or LLM traffic when you self-host.

We do operate one optional hosted endpoint, try.getaxonflow.com (Community SaaS), offered in two tiers: a Free tier (no payment, 3-day audit retention, 200 events/day) and Plugin Pro ($9.99 for 90 days of service, 30-day retention, 1,000 events/day). Both tiers are suitable for individual use within their documented per-tier limits, but neither is designed for regulated industries (HIPAA, financial services, government), real user data of third parties processed without their consent, or any context requiring contractual SLOs, security certifications, or data residency. For those use cases we recommend, in order of increasing capability and commitment: self-host AxonFlow Community Edition, self-host with an Evaluation License for piloting on real users on the open core, or AxonFlow Enterprise for regulated industries (see Community SaaS below for the full breakdown, including the Plugin Pro commitments).

Data Controller and EU Representative

AxonFlow Inc., a Delaware C-Corporation with registered office at 131 Continental Dr, Suite 305, Newark, Delaware 19713, USA, is the data controller for personal data processed in connection with AxonFlow Plugin Pro and the try.getaxonflow.com endpoint. For data-protection inquiries: [email protected].

Under GDPR Article 27, AxonFlow Inc. has designated AxonFlow B.V. (Selde Rust 23, 1181 MJ Amstelveen, The Netherlands; KvK 99762870) as its representative within the European Union. EU residents may contact the representative directly at [email protected] regarding their rights under EU data-protection law.

Legal Basis for Processing (GDPR Article 6)

  • Telemetry heartbeat (anonymous version pings): legitimate interest under Article 6(1)(f) for product improvement and security monitoring.
  • Plugin Pro purchase processing (Stripe data flow, license issuance, refund handling): performance of contract under Article 6(1)(b).
  • Tax-record retention (typically 7 years): compliance with legal obligation under Article 6(1)(c).
  • Email delivery via Resend: performance of contract under Article 6(1)(b).
  • Community SaaS registration (cs_<uuid>, bcrypt cred, hashed IP): performance of contract under Article 6(1)(b) for service operation; legitimate interest under Article 6(1)(f) for abuse prevention.
  • Community SaaS usage analytics (aggregated request-header metadata, audit-log roll-ups, plan-data and workflow-state aggregates derived from operational data we already lawfully process under the Community SaaS registration bullet above): legitimate interest under Article 6(1)(f) for product improvement, capacity planning, and platform health monitoring. Aggregated to non-identifying form where feasible; rows that retain a tenant identifier are subject to the same right-to-deletion process as other tenant-scoped data.
  • Website analytics (Google Analytics, Scarf): legitimate interest under Article 6(1)(f) for traffic analysis (pseudonymous, no profiling).

Your Rights Under EU GDPR

  • Right of access (Article 15) — request a copy of personal data we hold about you
  • Right to rectification (Article 16) — correct inaccurate data
  • Right to erasure / "right to be forgotten" (Article 17) — subject to tax-retention exception under Article 17(3)(b)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing based on legitimate interest (Article 21)
  • Right to lodge a complaint with a supervisory authority — you may contact the supervisory authority of your home EU member state, or the Dutch Autoriteit Persoonsgegevens via our EU representative

To exercise any of these rights, email [email protected] or, for EU residents, [email protected]. Include the email you used at checkout, your tenant identifier (cs_<uuid>), or your Stripe order ID. We respond within 30 days per Article 12(3).

What We Collect

AxonFlow emits an anonymous telemetry heartbeat at most once per environment every seven days when the platform, an SDK, or any of our plugins is in active use. The heartbeat is enabled by default and the payload includes:

  • Platform version
  • SDK or plugin version and language/runtime
  • Deployment mode (production or sandbox for SDKs; production, development, or community-saas for plugins)
  • Endpoint classification, one of localhost, private_network, remote, community-saas, or unknown (the SDK derives this from the configured AxonFlow URL; the URL itself is never sent or hashed)
  • Some heartbeat emitters also include the AxonFlow-issued license tier the binary is operating under (Community, Evaluation, Professional, Enterprise, EnterprisePlus, or unknown) — the same value AxonFlow itself assigned at issuance — and a coarse environment class describing where the binary runs (lambda, ecs_fargate, ecs_ec2, kubernetes, container, bare_metal, or unknown). Both are categorical only — no host names, no instance metadata, no customer-secret data.
  • An anonymous, randomly-generated instance_id, used to deduplicate pings from the same install across heartbeats
  • Country and cloud provider, derived from the source IP at receipt time
  • A SHA-256 hash of the source IP, used to deduplicate pings from the same source. We do not store the raw IP.

No prompts, API keys, policy content, audit data, or LLM traffic is transmitted.

Operational logs and operational stores

Standard internet-facing service operational logs — including API Gateway access logs and CloudWatch logs for the heartbeat ingestion service, and ALB access logs for try.getaxonflow.com — retain source IP for up to 90 days (specific retention varies by service) for service operation, security monitoring, and debugging.

The community-SaaS per-request operational ledger (an internal service-side store separate from the heartbeat analytics dataset) also retains source IP at rest for up to 30 days, bounded by the dataset's per-row TTL. This store backs rate-limit decisions, abuse detection, debugging of the hosted service, and the construction of the cross-surface aggregates described under "Synthetic and bridge events" below (those aggregates resolve each tenant's source IPs to company / country / ASN via the same enrichment path described under our third-party providers).

Where this policy says raw IP is not stored, that statement refers to the specific analytics or registration dataset being described, not to operational logs or to the operational ledger described above.

Emitter classes

Each heartbeat or synthetic ping carries a telemetry_type field that classifies which kind of binary or service produced it. The schema accepts four values; the AXONFLOW_TELEMETRY=off opt-out controls the first three classes whenever they emit.

telemetry_type What emits this Controlled by AXONFLOW_TELEMETRY=off?
sdk A language SDK on machine startup, at most once per machine every seven days. Live today. Yes
plugin An IDE or agent plugin (OpenClaw, Claude Code, Cursor, Codex), at most once per machine every seven days. Live today. Yes
platform An AxonFlow agent or orchestrator binary on first start (self-hosted deployments only). Schema accepted; binary emit-side rolling out in a future release. Yes (when emit ships)
synthetic An AxonFlow-operated server-side bridge — derived from operational data already inherent to running the hosted service, not from a user-controlled binary No (operational, not heartbeat — see Synthetic and bridge events below)

How to Opt Out

Set AXONFLOW_TELEMETRY=off to disable the heartbeat described above. This is the canonical, AxonFlow-specific opt-out and will continue to be supported.

Scope of AXONFLOW_TELEMETRY=off

AXONFLOW_TELEMETRY=off disables the anonymous SDK/plugin heartbeat described in the section above. It is honored mechanically on every deployment shape, but its actual privacy reach depends on which deployment you're on.

Self-hosted and in-VPC deployments. The heartbeat is the only data the SDK or plugin sends to AxonFlow. Setting =off means we receive nothing from your environment. The opt-out is a complete privacy lever for SDK and plugin telemetry on these deployments.

Community SaaS (try.getaxonflow.com). The hosted endpoint is, by definition, a service that AxonFlow runs on shared infrastructure on behalf of users. Beyond the heartbeat, the platform also processes operational data as part of running the service: registrations (tenant identifier, bcrypt-hashed credential, hashed source IP, optional recovery email), audit logs and policy enforcement records emitted by your governed tool calls, workflow state and plan data for any multi-agent plans you run through the hosted endpoint, and request-header metadata that we use as the basis for aggregated usage analytics (deployment mode, SDK/plugin identifiers and versions, endpoint classification, hashed source IP, geographic and corporate-network distribution derived from IP-to-organization enrichment, request-frequency and rate-limit roll-ups). This operational data flow is inherent to using a hosted service and is not controlled by AXONFLOW_TELEMETRY=off; it is governed by this policy under the legal bases stated above (specifically the Community SaaS registration bullet for the operational data and the Community SaaS usage analytics bullet for analytics derived from it) and the data lifecycle described in the Community SaaS section below.

AxonFlow's usage-analytics architecture ingests records from multiple sources: the SDK / plugin / platform anonymous heartbeat described above, server-side observations of community-SaaS request patterns, and synthetic aggregates emitted by AxonFlow-operated server-side bridges. Each row carries a stream-of-origin classifier so the ingestion source of any individual record is explicit and auditable in any data-subject-access-request response. The wire-boundary validator rejects any user-controlled binary that tries to set a non-heartbeat stream classifier with HTTP 400 before storage write — a misbehaving client cannot inject a row tagged as operationally-derived. Analytics queries reference the stream classifier to differentiate heartbeat-derived data from operationally-derived data as appropriate. Components of this architecture are rolling out incrementally through 2026; the cross-surface analytics path joining community-SaaS observations to the heartbeat store is the active rollout phase. See Synthetic and bridge events below for the operationally-derived ingestion path.

If you need no-data-leaves-network guarantees, self-host AxonFlow Community Edition. The community-saas-operational data flow does not exist on self-hosted deployments because there is no hosted service running between your SDK and the platform — the platform runs on your infrastructure.

GDPR Article 17 deletion coverage. A right-to-deletion request submitted under the process described in the Community SaaS section below covers tenant-scoped operational data (registrations, audit records, policy enforcement records, workflow state, plan data, plugin-license rows). Aggregated usage-analytics rows are treated as tenant-scoped operational data while a tenant identifier is still associated with the analytics record; once analytics rows have been aggregated to the point that they no longer carry a tenant identifier and cannot be re-linked to one through other rows we hold, they are out-of-scope for deletion as anonymized statistics. Transaction records (Stripe payment metadata, refund records) follow their own retention rules under tax and dispute law, as described elsewhere in this policy.

DO_NOT_TRACK is no longer honored as an opt-out for AxonFlow telemetry. We previously accepted DO_NOT_TRACK=1 as an alias, but DNT is commonly inherited from host tools and developer environments — host CLIs like Codex and Claude Code inject it unconditionally for hook subprocesses — which makes it unreliable as an expression of user intent. The canonical and only opt-out is AXONFLOW_TELEMETRY=off.

Synthetic and bridge events

Synthetic telemetry events represent server-derived adoption signals — for example, a weekly aggregate of community-SaaS tenant activity emitted by an AxonFlow-operated bridge. These are not user telemetry: they are derived from operational data already processed inherent to running the hosted service. The AXONFLOW_TELEMETRY=off opt-out controls heartbeat (SDK, plugin, platform) emissions only and does not affect synthetic events, because synthetic events do not originate from a user-controlled binary.

Synthetic events are tagged with an operationally-derived stream classifier server-side and are persisted alongside heartbeat rows in the unified usage-analytics store, distinguished by the stream classifier described above. AxonFlow-operated bridges send them via a separate, AWS-IAM-authenticated ingestion endpoint that is not reachable from a user-controlled binary — so even a misconfigured client cannot inject a row tagged as synthetic. Operational data flows on Community SaaS, including the data sources synthetic aggregates are derived from, are governed by the Community SaaS section of this policy.

Plugins

The AxonFlow plugins for Claude Code, Cursor, Codex, and OpenClaw all emit the same anonymous heartbeat described above, at most once per environment every seven days. The heartbeat fires from the plugin's normal entry points (the OpenClaw plugin checks at registration; the Claude Code, Cursor, and Codex plugins check at hook invocation) and is gated by a stamp file in the user's cache directory so a hot session still produces at most one ping per seven days. All four plugins respect the AXONFLOW_TELEMETRY=off opt-out for the heartbeat path; the deployment-shape scope described in How to Opt Out applies equally to plugins.

Community SaaS (try.getaxonflow.com)

Intended use. Community SaaS is the optional hosted endpoint at try.getaxonflow.com, offered in two tiers — Free (no payment, 3-day audit retention, 200 events/day) and Plugin Pro ($9.99 for 90 days of service, 30-day retention, 1,000 events/day). The endpoint is suitable for individual use within the documented per-tier limits. Neither tier is designed for regulated industries (healthcare under HIPAA, financial services, government), real user data of third parties processed without their consent, or any context that requires contractual commitments around uptime, security certifications, or data residency. For those use cases see the alternatives below.

What we commit to. For Plugin Pro purchasers, we commit to the specific items described in the Plugin Pro Terms of Service — including 30-day audit retention, 1,000 governed events per day during the active 90-day window, all read tools (audit search, decision explain, overrides), stable tenant identity with email recovery, email support with a 2-business-day response time, and a 14-day no-questions-asked refund window. For Free-tier use, we provide the limits documented on the pricing page without payment, and do not commit to a service level or incident-response timeline.

What we do not commit to. Even for paid Pro use, we do not commit to a specific uptime target, latency target, or incident-response timeline at the $9.99 / 90-day price point. We operate Community SaaS on shared infrastructure in good faith with reasonable engineering practices, but the commitments suitable for production-critical workflows (uptime SLOs, dedicated tenancy, regulatory certifications) are part of AxonFlow Enterprise, not the Community SaaS endpoint. Where applicable consumer-protection law grants you stronger statutory rights than this section, those rights are preserved and not waived.

Modification or discontinuation. We may modify, suspend, or discontinue Community SaaS with reasonable notice. If we discontinue Plugin Pro during your active 90-day window, we will refund the unused portion pro-rated to the day. Material changes that affect rights or obligations under an in-flight 90-day Pro window are governed by the change-of-Terms policy in the Plugin Pro Terms of Service.

Alternatives for workloads beyond Plugin Pro. Where your workload exceeds what Plugin Pro covers — for example because you need contractual SLOs, regulated-industry compliance, dedicated tenancy, team collaboration, or infrastructure within your own boundary — the following options are available, in order of increasing capability and commitment:

  • Self-host AxonFlow Community Edition. The recommended path for any real workload. Runs entirely on your infrastructure under the BSL 1.1 source-available license, keeps your data within your boundary, and includes the same governance engine, policy library, audit trail, and SDK surface as the hosted service.
  • Self-host AxonFlow Community Edition with an Evaluation License. For production use with real users or clients on the open core. Adds production-fit limits and license-gated features (org-wide policies, expanded audit retention, evidence export, policy simulation, HITL approval gates) on a free 90-day trial.
  • License AxonFlow Enterprise. For regulated industries that require contractual commitments. Adds production-grade governance features, regulatory-grade controls, SLOs, and the contractual commitments around uptime, support, and incident response that are typically required for regulated production deployments.

Contact [email protected] to discuss any of these paths.

What we collect at registration. When a client (SDK or plugin) registers against the endpoint, we issue an anonymous tenant identifier prefixed cs_ together with a credential. The registration record we store contains the tenant identifier, a bcrypt hash of the credential, and timestamps for creation, expiry, last-seen activity, and (where applicable) termination. We do not request or store a name, email address, organization, or other account-level identifying information at registration. The endpoint records standard HTTP request metadata customary for any internet-facing service, including a hashed form of the source IP address used for rate-limiting, abuse prevention, and aggregate product analytics (for example, weekly usage patterns, endpoint-distribution rollups, geographic and corporate-network distribution derived from IP-to-organization enrichment). We do not store the raw IP address. By using try.getaxonflow.com you accept that we observe and aggregate request patterns (endpoint, method, status, hashed IP, timing) for these purposes; the AXONFLOW_TELEMETRY=off environment variable governs the SDK and plugin heartbeat described above and does not apply to hosted-endpoint observation.

Retention of usage analytics. Individual telemetry rows are retained for up to 1 year. Aggregate statistics with no tie to an individual user (weekly rollups, k-anonymized at a minimum threshold of five distinct sources per cohort) are retained for up to 10 years for trend analysis. Aggregates that fall below the k-anonymity threshold are not written.

Data lifecycle on Community SaaS. The following describes how the service is currently designed to operate. As with any cloud service, operational realities such as backups, replication, incident response, and migrations may cause individual outcomes to differ from this description in specific circumstances; we do not guarantee adherence to these descriptions in every operational circumstance.

  • Inactivity termination. Where a tenant has been idle for approximately three months, our routine processes are designed to mark the tenant as terminated and to remove the tenant-scoped data we hold for it (such as audit logs, policy enforcement records, workflow state, and plan data) from primary storage. Backups, replicas, and operational logs may retain copies for a period thereafter as part of normal infrastructure operation.
  • Hard cap. Approximately one year after creation, regardless of activity, the same routine processes are designed to terminate the tenant and remove the same tenant-scoped data from primary storage.
  • Tombstoned identifiers. Once an anonymous tenant identifier has been issued, our system is designed to retain a tombstone of the identifier so that it is not reissued to a new registration. We take this design seriously and exercise reasonable care to preserve it, but as with any cloud service we cannot guarantee non-reissuance in every operational circumstance (for example, in the event of a recovery from backup, a defect, or a configuration change). If we become aware of a circumstance that has caused an identifier to be reissued, we will treat it as an operational issue and address it through our normal engineering processes.

Acceptance. By using try.getaxonflow.com you acknowledge and accept the scope described in this section. For Plugin Pro you receive the commitments described in the Plugin Pro Terms of Service and on the pricing page. For everything outside those commitments — most notably uptime targets, latency targets, incident-response timelines, and regulatory certifications — you accept that they are not part of Community SaaS at this price point, and you agree that AxonFlow's liability is limited as described in the Terms of Service to the maximum extent permitted by applicable law. Where applicable consumer-protection law grants you stronger statutory rights, those rights are preserved and not waived.

Payment Processing (AxonFlow Plugin Pro)

Scope. This section applies when you purchase AxonFlow Plugin Pro — the $9.99 USD one-time payment for 90 days of Pro tier service on try.getaxonflow.com. It does not apply to free use of try.getaxonflow.com or to AxonFlow Enterprise / Self-Hosted, which have their own payment arrangements (typically invoiced via AWS Marketplace or directly under contract).

Stripe is our payment processor. AxonFlow Inc. uses Stripe Inc. (and its EU and UK affiliates as applicable) to collect, process, and settle Plugin Pro payments. When you complete checkout, you provide your payment details (card number, cardholder name, billing address, CVV) directly to Stripe via Stripe-hosted Checkout. AxonFlow does not see, receive, or store your card number, expiry, or CVV. Stripe handles those fields under PCI DSS Level 1 requirements.

What we share with Stripe at the moment of purchase. When you initiate Plugin Pro checkout we share with Stripe only:

  • The product identifier (the Plugin Pro Stripe Product) and price ($9.99 USD).
  • Your AxonFlow tenant identifier (the server-generated cs_<uuid> — not personal data; it is an opaque random identifier that lets us bind the Stripe charge to your tenant so we can issue your license token after payment).
  • The customer email address you provide at checkout (so Stripe can send you a receipt and so we can deliver the license token by email).

What Stripe collects directly from you. Stripe collects the payment method details (card or other), the cardholder name, the billing address, and any tax-relevant fields needed for Stripe Tax. Stripe's own data practices — including retention, disclosure to card networks (Visa, Mastercard, etc.), and disclosure to issuing banks — are governed by Stripe's privacy policy, available at https://stripe.com/privacy.

What we receive back from Stripe. When the charge succeeds, Stripe sends us a webhook event (checkout.session.completed) containing: the customer email, the tenant identifier we passed in, the payment intent ID, the charge amount, the currency, the timestamp, and the country of the billing address (for tax-jurisdiction purposes). We do not receive or retain the card number, the cardholder name as printed on the card, or the CVV.

What we retain after the purchase. For each Plugin Pro purchase, AxonFlow retains:

  • Customer email (used to deliver the license token via Resend, and as one of the lookup keys for refund requests)
  • Tenant identifier (cs_<uuid>)
  • Stripe payment-intent ID and charge timestamp
  • Charge amount and currency, billing-country code (for tax records)
  • License-issuance metadata (token JTI, issued-at, expires-at, revoked-at if applicable, revocation reason)
  • Refund history (refund event ID, refund timestamp, refund reason)

This transaction record is retained for as long as required by applicable tax, accounting, and consumer-protection law (typically 7 years under Dutch and EU tax law) and for the resolution of any chargeback or dispute window. Tax retention obligations override the standard data-deletion processes described in the Community SaaS section above.

Cross-border data flows. AxonFlow Inc. is a Delaware corporation operating community-saas infrastructure within AWS regions selected for our deployment in the United States. Stripe is headquartered in the United States and operates infrastructure in multiple regions including the United States and the European Union. Personal data of EU residents that you provide to Stripe at checkout, and the webhook events Stripe sends back to AxonFlow, are transferred from the EU to the United States. Stripe is certified under the EU–US Data Privacy Framework (and the UK and Swiss extensions). AxonFlow Inc. relies on Standard Contractual Clauses for its own EU-to-US transfers of EU residents' personal data and provides the additional protections described in the "Data Controller and EU Representative" section above, including a designated GDPR Article 27 representative within the European Union.

Resend for license-token delivery. After a successful Plugin Pro charge, we send a license-delivery email containing your token via Resend. We share with Resend only the destination email address, the email subject and body (which contains the license token and your tenant identifier), and standard email-delivery metadata. Resend's privacy practices are governed by Resend's privacy policy. Email-delivery logs are retained by Resend per their policy; we can request deletion of those logs as part of a GDPR right-to-deletion request (see below).

Refunds and disputes. If you request a refund (per the Refund Policy) or your card issuer files a chargeback, the corresponding Stripe events (charge.refunded, charge.dispute.created) flow through Stripe and into our retained transaction record. We retain refund and dispute records for the same tax-and-dispute period described above.

Right to deletion (GDPR Article 17). You may request deletion of personal data we hold about you by emailing [email protected] with the email address you used at checkout, or your tenant identifier, or your Stripe order ID. We verify the request via an email round-trip to the address on file, then queue the deletion. Tenant-scoped data (registrations, audit records, telemetry, plugin-license rows) is deleted; transaction records (Stripe payment metadata, refund records) are retained as required for tax and dispute purposes, with personal-identifier fields (email, billing address) scrubbed where retention permits scrubbing under applicable law. We complete deletion within 30 days from a verified request, per GDPR Article 17(1). The internal runbook for this flow is maintained by AxonFlow engineering.

What we do not do. We do not sell your payment data, your email, or any other personal data. We do not use it for advertising, profiling, or training AI models. We do not transfer it to any third party other than Stripe (payment processing), Resend (license-token delivery), and our own infrastructure (AWS for storage and compute, within AxonFlow Inc.'s control).

Websites

Our marketing site (getaxonflow.com) and demo site (demo.getaxonflow.com) use Google Analytics to understand visitor traffic. Our marketing, demo, and documentation sites all include a Scarf tracking pixel. Website analytics is separate from the SDK and plugin telemetry described above.

Third Parties

We share data with the following third-party providers:

  • Scarf — receives SDK and plugin telemetry pings (including the source IP) forwarded from our servers, and page-view pings from our websites via a tracking pixel.
  • ipapi — receives the source IP transiently in-memory at receipt time for IP-to-country, IP-to-organization, and IP-to-ASN enrichment used in our aggregate analytics. The raw IP is never stored on our side; only the enrichment result (country, organization, ASN) is retained alongside the hashed IP.
  • Google Analytics — receives visitor traffic data from our marketing and demo sites.
  • Stripe — payment processor for AxonFlow Plugin Pro purchases. See the Payment Processing section above for details.
  • Resend — transactional email provider used to deliver Plugin Pro license tokens to buyers. See the Payment Processing section above for details.

We do not sell your data and we do not use it for advertising or profiling. See each provider's privacy policy for their own data practices.

Contact

For privacy questions: [email protected]