This Privacy Policy explains how rolln, Inc. ("rolln", "we", "us", or "our") collects, uses, discloses, and otherwise processes Personal Data about people who create and administer accounts for the Axel webhook-ingestion service ("Axel" or the "Service"), people permitted to use the Service on a Customer's behalf, and people who visit our websites.
In this Policy, "you" and "your" generally refer to the individual whose Personal Data we process in the contexts described above — for example, a person who signs up for an account (an account holder), a workspace member ("Authorized User"), or a visitor to axelapp.ai. Where a business or organization subscribes to the Service, that organization is the "Customer", and capitalized terms not defined here have the meaning given to them in our Terms of Service / Master Subscription Agreement.
1. Who We Are and How to Contact Us
The data controller responsible for the Personal Data described in this Policy is:
rolln, Inc., a Delaware (USA) corporation and operator of the Axel service.
Mailing address for privacy and legal notices: rolln, Inc., Delaware, United States (for our current postal address, contact legal@axelapp.ai)
You can reach our privacy team at privacy@axelapp.ai for any question about this Policy or to exercise the rights described in Section 11.
| Purpose | Contact |
|---|---|
| Privacy questions / data-subject requests | privacy@axelapp.ai |
| Legal notices | legal@axelapp.ai |
| Security and vulnerability reports | security@axelapp.ai |
| Abuse reports | abuse@axelapp.ai |
| General / founders | founders@axelapp.ai |
2. Scope of This Policy — The Controller / Processor Distinction
This is important. Axel is a multi-tenant platform that ingests, queues, transforms, and delivers webhook data on behalf of our Customers. Two very different categories of personal data flow through our business, and they are governed by different rules:
- Personal Data that we control (this Policy). This Policy applies to Personal Data for which rolln is the controller — meaning we decide why and how it is processed. This includes information about account holders, Authorized Users (workspace members), billing contacts, people who contact our support or security teams, and visitors to our websites. Section 3 lists exactly what we collect.
- Customer Data that we process on a Customer's behalf (NOT this Policy). Axel also receives, stores, routes, and delivers Customer Data — the webhook payloads, configurations, and event data that a Customer sends to or receives from the Service. That Customer Data may itself contain personal data about the Customer's own End Users (for example, payment events, identity changes, or access grants). With respect to that data, the Customer is the controller (or business) and rolln acts only as a processor (or service provider), processing it under the Customer's instructions.
This Privacy Policy does not govern, and you should not rely on it for, the personal data of End Users contained in Customer Data. Our processing of that data is governed by the Terms of Service / Master Subscription Agreement and the Data Processing Addendum. If you are an End User and want to understand how your personal data is handled, please contact the Customer (the business) that sends your data through Axel — they are the controller, and they are the appropriate party to honor your data-subject requests. If you contact us directly about End-User data, we will, where appropriate, refer or forward your request to the relevant Customer.
3. Personal Data We Collect
We collect the following categories of Personal Data in our capacity as controller:
3.1 Account and Profile Data
When you sign up for or are invited to a Workspace, we collect your name, your work email address, and a hashed and salted password (we never store your password in plaintext). We also store basic profile and authentication metadata, such as your role within a Workspace and your account status.
3.2 Workspace and Configuration Data
We collect information about the Workspace (tenant) you create or belong to — for example, the Workspace name, the members and their roles, invitations you send, and configuration choices you make. This information identifies which organization you are associated with and your permissions within it.
3.3 Billing and Contact Data
Paid subscriptions are billed through Stripe, Inc. We collect the billing contact details associated with your account and subscription tier. Payment is processed by Stripe; Stripe holds your payment method (e.g., card) details, and rolln does not store full payment card numbers. We receive from Stripe limited billing metadata such as subscription status, the last four digits or card brand for display, invoices, and payment outcomes. Enterprise or complimentary accounts may be billed offline using contact details you provide.
3.4 Usage, Device, and Log Data
When you use the Service or visit our websites, we automatically collect technical and usage data, including your IP address, browser/user-agent string, device and operating-system information, timestamps, pages and features accessed, referring URLs, and diagnostic events. We also maintain an append-only audit log of privileged actions in your Workspace — such as Workspace creation, member invitations, role changes, and source/destination configuration changes — which records the acting user and the time of the action.
3.5 Support and Other Communications
When you contact us (e.g., via founders@axelapp.ai, security@axelapp.ai, privacy@axelapp.ai, or abuse@axelapp.ai), we collect the contents of your message and any information you choose to provide, so we can respond and keep a record of the request.
3.6 Cookies and Similar Technologies
We use a small number of cookies and similar technologies, primarily an essential session cookie to keep you signed in and to secure your session, and a non-essential product-analytics cookie and associated device storage set via PostHog to understand how Authorized Users use the dashboard so we can improve it. Once you sign in, PostHog associates dashboard activity with your Authorized User account (email, name) and your Workspace. Where the law requires it (notably under the EU ePrivacy Directive / GDPR and the UK PECR), the analytics cookie is set only with your prior, informed consent. See Section 12 and our Cookie Policy for details.
We do not intentionally collect special categories of personal data (such as health, biometric, or political-opinion data) about account holders, Authorized Users, or visitors as part of operating the Service.
4. How We Use Personal Data
We use the Personal Data described above for the following purposes:
- Provide and operate the Service — to create and maintain your account and Workspace, authenticate you, enforce tenant isolation and access controls, and make the Service's features available to you.
- Authenticate and secure access — to validate sign-ins, protect against unauthorized access, and maintain the integrity of your Workspace.
- Billing and subscription management — to process payments through Stripe, manage your subscription tier and renewals, issue invoices, and prevent payment fraud.
- Transactional email — to send service messages such as password resets, member invitations, and important account or security notifications, delivered through Resend.
- Product and service communications — to send you administrative notices, changes to our terms or policies, and (where permitted) information about features and updates. You can opt out of non-essential product communications at any time; we will still send essential transactional and service messages.
- Monitoring, debugging, and reliability — to detect, diagnose, and fix errors and performance issues, including through error monitoring with Sentry, which may incidentally capture request metadata.
- Product analytics and improvement — to understand how Authorized Users interact with the dashboard so we can measure feature usage and improve the product, using PostHog. Once you sign in, PostHog associates dashboard activity with your Authorized User account (email, name) and your Workspace. We use PostHog only as a first-party product-analytics tool for our own product improvement; we do not use it for cross-context behavioral advertising. Where the law requires consent for the associated analytics cookie and device storage (see Sections 3.6, 10, and the Cookie Policy), this processing occurs only after you give prior consent.
- Security, fraud, and abuse prevention — to maintain audit logs, investigate suspected misuse or violations of our Acceptable Use Policy, apply rate limits, and protect rolln, our Customers, and others.
- Legal and compliance — to comply with applicable laws, respond to lawful requests and legal process, enforce our agreements, and establish, exercise, or defend legal claims.
- Business operations and improvement — to understand how the Service is used in aggregate, maintain records, and improve and develop the Service.
We do not use Customer Data (the contents of webhook payloads our Customers send through the Service) to develop or improve the Service, except in aggregated and de-identified form that does not identify any Customer or End User, and only as permitted by the Data Processing Addendum. Product improvement otherwise relies on controller Personal Data and on aggregated, de-identified usage information.
We do not use account-holder or visitor Personal Data to make decisions that produce legal or similarly significant effects about you through solely automated processing.
5. Legal Bases for Processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR (and the UK GDPR) for each purpose:
| Purpose | Legal Basis |
|---|---|
| Creating/maintaining your account and Workspace; authenticating you; providing the Service | Performance of a contract (Art. 6(1)(b)) — with you or with the Customer you act for |
| Billing, invoicing, and subscription management | Performance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting records (Art. 6(1)(c)) |
| Transactional email (password resets, invites, service notices) | Performance of a contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) in operating the Service |
| Security, audit logging, fraud and abuse prevention | Legitimate interests (Art. 6(1)(f)) in keeping the Service and our users safe and secure |
| Error monitoring, debugging, reliability, and product improvement (using controller Personal Data and aggregated, de-identified data only, never the contents of Customer Data except as permitted by the DPA) | Legitimate interests (Art. 6(1)(f)) in providing a reliable, well-functioning Service |
| Product analytics via PostHog (dashboard usage associated with the Authorized User's account and Workspace) | Consent (Art. 6(1)(a)) where the analytics cookie/device storage requires it under the ePrivacy Directive / PECR; legitimate interests (Art. 6(1)(f)) in measuring and improving the Service elsewhere, subject to opt-out |
| Non-essential product/marketing communications | Consent (Art. 6(1)(a)) where required, or legitimate interests (Art. 6(1)(f)) for B2B updates, subject to opt-out |
| Essential session cookie | Legitimate interests (Art. 6(1)(f)) / strictly necessary; consent not required |
| Responding to legal requests and complying with law | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) in defending claims |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You may object to processing based on legitimate interests, and you may withdraw consent at any time where we rely on consent (see Section 11). To request more information about our balancing assessments, contact privacy@axelapp.ai.
6. How We Share Personal Data
We do not sell your Personal Data. We share it only as described below.
6.1 Sub-processors and Service Providers
We use a small set of trusted Sub-processors to provide the Service. They process Personal Data on our behalf, under contract, only for the purposes we specify. Our current Sub-processors include Cloudflare (edge ingest, object storage, queues), Render (application compute, control database, analytics/log database), Vercel (hosting for our dashboard and marketing site), Stripe (billing and payments), Resend (transactional email), Sentry (error and performance monitoring), and PostHog (PostHog Inc., US — product analytics for the customer dashboard).
The current, authoritative list — with each provider's role and the categories of data involved — is maintained on our Sub-processors page.
6.2 Legal, Safety, and Compliance Disclosures
We may disclose Personal Data if we believe in good faith that doing so is reasonably necessary to: (a) comply with applicable law, regulation, legal process, or a lawful governmental request; (b) enforce our Terms of Service and Acceptable Use Policy; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of rolln, our Customers, our users, or the public.
6.3 Business Transfers
If rolln is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, Personal Data may be transferred as part of that transaction. We will use commercially reasonable efforts to ensure the recipient continues to treat your Personal Data in a manner consistent with this Policy, or provides notice of any material change, subject to applicable law. We will notify you of any transfer that materially affects your Personal Data where required by law.
6.4 No Sale; No "Sharing" for Cross-Context Behavioral Advertising
We do not sell your Personal Data, and we do not "share" it for cross-context behavioral (targeted) advertising, as those terms are defined under the California Consumer Privacy Act, as amended by the CPRA, or comparable U.S. state privacy laws. We have not done so in the preceding twelve (12) months.
7. International Data Transfers
All processing of Personal Data described in this Policy currently takes place in the United States. If you access the Service from outside the United States, your Personal Data will be transferred to, stored in, and processed in the United States and potentially other countries where our Sub-processors operate.
Where we transfer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, we rely on appropriate safeguards, which may include the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum / Swiss addendum (as applicable), and/or the EU-U.S. Data Privacy Framework (together with its UK Extension and the Swiss-U.S. framework) where a Sub-processor is certified — together with supplementary technical and organizational measures. You may request information about the relevant safeguards by contacting privacy@axelapp.ai. We rely on the Standard Contractual Clauses (and the UK International Data Transfer Addendum and Swiss adaptations, as applicable) for transfers of Personal Data from the EEA, UK, and Switzerland.
8. Data Retention
We retain Personal Data for as long as it is needed for the purposes described in this Policy, and then delete or de-identify it, unless a longer retention period is required or permitted by law.
- Account and profile data is retained for the life of your account. After your account or Workspace is closed, we retain associated Personal Data for a limited wind-down period of 30 days to allow for reactivation and dispute resolution and to meet legal obligations, after which it is deleted or de-identified.
- Billing records are retained as required to meet tax, accounting, and audit obligations, for up to seven (7) years.
- Usage, device, and operational log data that identifies account holders, Authorized Users, or visitors is generally retained on a rolling basis for up to 24 months for security, debugging, and reliability purposes, after which it is deleted or de-identified.
- Audit-log data of privileged actions is retained long-term (currently up to approximately 10 years) to support security, compliance, and dispute resolution.
- Support communications are retained for as long as needed to address your request and maintain records of our correspondence.
Retention of Customer Data (for transparency only). Separately from the controller Personal Data above, Axel applies retention windows to Customer Data — the webhook payloads, delivery records, and event data we process as a processor on the Customer's instructions, not as a controller. These windows are not governed by this Policy; they are governed by the Data Processing Addendum and are stated here only so you understand how the Service behaves. They currently include an approximately 30-day default for raw payload records (configurable on higher tiers), an approximately 30-day window for delivery/event logs, up to 365 days for dead-letter records, and up to 90 days for replay-job records, each configurable within defined caps on the Scale tier.
Customers can also use in-dashboard data-reset and retention controls, and submit erasure requests, to shorten or remove Customer Data within the limits described in our documentation and the Data Processing Addendum.
9. Security
We implement technical and organizational measures designed to protect Personal Data, including the controls described on our security page (axelapp.ai/security). These measures include:
- Credential protection — source ingest tokens are stored as SHA-256 hashes, validated in constant time, and never logged in plaintext; account passwords are stored hashed and salted.
- Encryption in transit and at rest — TLS 1.2 or higher in transit at the edge, and encryption at rest of objects stored in our object storage (Cloudflare R2). Our PostgreSQL control database and ClickHouse analytics database are encrypted at rest.
- Tenant isolation — every database row, analytics partition, and queue message is keyed to a Workspace, and the dashboard enforces Workspace scope on every query.
- Sandboxed execution — customer-authored route filters and transforms run in isolated worker threads with strict resource and wall-clock limits and no network or filesystem access.
- Auditing and rate limiting — an append-only audit log of privileged actions, per-source rate limits, body-size and depth caps, and idempotent delivery.
These are measures we implement to reduce risk; as further described in our Terms of Service, no method of transmission or storage is perfectly secure, and we cannot guarantee a specific security outcome. If you believe your account or data has been compromised, contact security@axelapp.ai immediately.
9.1 Security Incidents
If a security incident affecting the controller Personal Data described in this Policy results in unauthorized access to, or disclosure of, that data, we will notify affected individuals and the relevant supervisory authorities or regulators where required by applicable law and without undue delay. The contents and timing of any such notice will follow the requirements of the applicable law (for example, GDPR/UK GDPR breach-notification rules and U.S. state breach-notification statutes). You can report a suspected security issue to security@axelapp.ai.
This subsection concerns Personal Data for which rolln is the controller. Our handling of security incidents that affect Customer Data — including any notification to the affected Customer — is governed by the Data Processing Addendum, under which the Customer (as controller) is responsible for notifying its own End Users and regulators.
10. Cookies and Similar Technologies
We use a minimal set of cookies, primarily an essential session cookie that keeps you signed in and protects your session. Because it is strictly necessary to provide the Service, this cookie does not require consent. We also use a non-essential product-analytics cookie and device storage via PostHog to measure dashboard usage and improve the product; where the law requires it, this analytics cookie is set only with your prior, informed consent, and you can decline or withdraw consent without affecting your ability to use the Service. For a full description of the cookies and similar technologies we use, their purposes, and how to manage them, see our Cookie Policy.
11. Your Privacy Rights
Depending on where you live, you have certain rights over your Personal Data. We honor these rights for all account holders, Authorized Users, and visitors as required by applicable law.
11.1 Rights under the GDPR and UK GDPR
If you are in the EEA, the UK, or Switzerland, you have the right to:
- Access the Personal Data we hold about you and obtain a copy of it;
- Rectification — correct inaccurate or incomplete data;
- Erasure — request deletion of your Personal Data ("right to be forgotten"), subject to legal exceptions;
- Restriction — restrict our processing in certain circumstances;
- Portability — receive certain data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible;
- Object — object to processing based on our legitimate interests, and to direct-marketing processing at any time;
- Withdraw consent at any time, where processing is based on consent, without affecting prior processing; and
- Lodge a complaint with your local data protection supervisory authority. We would, however, appreciate the chance to address your concerns first — please contact privacy@axelapp.ai.
11.2 Rights under the CCPA/CPRA and Other U.S. State Laws
If you are a resident of California or of another U.S. state with a comparable privacy law (Colorado, Connecticut, Utah, Virginia, Texas, Oregon, and Montana, including, for example, under the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Texas Data Privacy and Security Act), you have the right to:
- Know / Access — request the categories and specific pieces of Personal Data we have collected, the sources, the purposes, and the categories of recipients;
- Delete — request deletion of your Personal Data, subject to legal exceptions;
- Correct — request correction of inaccurate Personal Data;
- Opt out of sale or sharing — note that, as stated in Section 6.4, we do not sell or "share" Personal Data for cross-context behavioral advertising, so there is nothing to opt out of;
- Opt out of profiling / automated decision-making — to the extent applicable law gives you a right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects; and
- Non-discrimination — you will not receive discriminatory treatment for exercising any of your privacy rights.
Opt-out preference signals. Even though we do not sell or "share" Personal Data, where required by applicable law we honor recognized opt-out preference signals — such as the Global Privacy Control (GPC) — that your browser or device transmits, treating them as a valid request to opt out for the browser or device from which they are sent.
We do not process "sensitive personal information" for purposes that would trigger a right to limit its use under the CPRA. Where applicable state law provides a right to appeal a decision on your request, we will honor it. You may use an authorized agent to submit a request on your behalf, subject to verification.
11.3 How to Exercise Your Rights
To exercise any of these rights, email privacy@axelapp.ai — we action erasure and other verified requests within the timeframes set out below — or use the in-app data-reset and retention controls available in your account settings where applicable. For requests that concern End-User data within Customer Data, please contact the relevant Customer (controller), as explained in Section 2.
Verification. To protect your data, we will take reasonable steps to verify your identity before acting on a request — typically by confirming control of the account email associated with the request, and requesting additional information where needed for sensitive requests.
Timelines. We will respond within the timeframes required by applicable law — generally within one (1) month under the GDPR/UK GDPR (extendable by two further months for complex requests, with notice) and within forty-five (45) days under the CCPA/CPRA (extendable by an additional 45 days with notice). We provide our responses free of charge except where permitted by law (e.g., for manifestly unfounded or excessive requests).
12. Children's Privacy
Axel is a business (B2B) service intended for use by organizations and their personnel. The Service is not directed to anyone under 18 years of age, and we do not knowingly collect Personal Data from children. If you believe a child has provided us with Personal Data, please contact privacy@axelapp.ai and we will take appropriate steps to delete it.
13. EU/UK Representative and Data Protection Officer
For matters relating to our processing of Personal Data of individuals in the EEA or UK, you may contact us at privacy@axelapp.ai. Where we are required to designate a representative under Article 27 of the EU or UK GDPR, we will appoint one and identify them here.
We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 of the GDPR; you may direct privacy questions to privacy@axelapp.ai.
In the interim, all privacy inquiries should be directed to privacy@axelapp.ai.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will revise the "Last updated" date at the top of this Policy and increase the version number. We will provide prospective notice of material changes before they take effect — for example, by email to the address associated with your account or through an in-product notice — and, where a change materially affects your rights and applicable law requires it, we will obtain your consent. Acceptance of the Terms of Service / Master Subscription Agreement governs contract formation; this Policy describes our privacy practices and is not the vehicle for binding consent to those terms.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your Personal Data, please contact us:
rolln, Inc. (operator of Axel)
- Privacy: privacy@axelapp.ai
- Legal notices: legal@axelapp.ai
- General: founders@axelapp.ai
- Mailing address: rolln, Inc., Delaware, United States (for our current postal address, contact legal@axelapp.ai)
For how we handle Customer Data on behalf of Customers, see our Terms of Service / Master Subscription Agreement and Data Processing Addendum. For our current list of Sub-processors, see the Sub-processors page. For details on cookies, see our Cookie Policy.