← Garmo Labs

AXIOM — Privacy Policy


Garmo Labs, LLC | Version 1.0 | Effective March 25, 2026

1. Introduction

This Privacy Policy describes how Garmo Labs, LLC ("Company," "we," "us") collects, uses, stores, and protects information when you use the AXIOM AI compliance verification platform ("Service") at axiom.garmolabs.com. By using the Service, you consent to the data practices described in this policy.

2. Data We Collect

### 2.1 Account Data

  • Email address: Provided at registration (axiom.garmolabs.com/signup). Used for account identification, billing communications, and service notifications.

  • Plan selection: Your chosen subscription tier (Free, Starter, Professional, or Enterprise).

  • Billing information: Processed and stored by Stripe, Inc. We do not store credit card numbers on our servers.

    • ### 2.2 Authentication Data

  • API keys: Generated upon account creation (format: `axm_...`). Stored as cryptographic hashes — we cannot recover your plaintext API key after initial issuance.

  • Customer ID: A UUID assigned to your account for internal identification.

    • ### 2.3 Service Data (Data You Submit)

  • Agent IDs: Identifiers you assign to your AI agents when registering them for compliance monitoring.

  • Agent state dicts: JSON objects you submit for compliance verification. These contain the operational state of your AI agents as defined by you.

  • Action contexts: Contextual data submitted with gate-check requests.

  • Custom properties: Any custom compliance properties you define.

  • Policy rules: Custom policies you configure in the policy engine.

    • ### 2.4 Generated Data

  • Compliance reports: Verification results including verdicts, findings, signatures, and timestamps. Generated by the Service from your submitted data.

  • Compliance certificates: Signed certificates generated from compliance reports.

  • Safety test results: Results from bias, hallucination, toxicity, privacy, and drift tests.

  • Monitoring logs: Runtime monitoring events, alerts, and violations.

    • ### 2.5 Technical Data (Automatically Collected)

  • API call logs: Timestamp, endpoint path, HTTP method, status code, response latency, and client IP address for each API request.

  • Rate limit data: Request counts per IP address within 60-second windows (held in memory, not persisted to disk).

    • ### 2.6 Data We Do NOT Collect

  • We do not collect browser cookies, tracking pixels, or analytics data on the API.

  • We do not collect device fingerprints or advertising identifiers.

  • We do not require personally identifiable information (PII) in agent state dicts. Do not include names, Social Security numbers, financial account numbers, health records, or other sensitive personal data in agent states unless your compliance workflow specifically requires it and you have appropriate legal basis to process such data.

    • 3. How We Use Your Data

    We use your data exclusively to:

  • Provide the Service: Process verification requests, generate compliance reports and certificates, evaluate policies, run safety tests, and serve the dashboard.

  • Authenticate requests: Validate API keys against stored hashes.

  • Enforce billing limits: Track verification counts against your plan limits.

  • Maintain security: Monitor for unauthorized access, abuse, and anomalous usage patterns.

  • Send service communications: Account confirmations, billing receipts, usage alerts, and critical service notifications via email.

  • Improve reliability: Analyze API performance data (latency, error rates) to improve system reliability.

    • ### We Do NOT:

  • Sell, rent, or share your data with third parties for their own purposes.

  • Use your submitted agent states, compliance reports, or any Service output to train, fine-tune, or improve machine learning models.

  • Use your data for advertising, profiling, or behavioral targeting.

  • Transfer your data outside the United States except as required for Enterprise on-premises deployments that you control.

    • 4. Data Storage and Security

    ### 4.1 Infrastructure

  • Cloud hosting: The Service runs on Fly.io infrastructure in the IAD (Ashburn, Virginia, USA) region.

  • Database: SQLite with WAL (Write-Ahead Logging) mode, stored on encrypted persistent volumes.

  • Enterprise on-premises: Data is stored entirely within your infrastructure. No data is transmitted to our servers except license key validation requests (which contain only the license key, not your data).

    • ### 4.2 Security Measures

  • Encryption in transit: All connections use TLS 1.2+ (HTTPS enforced).

  • API key hashing: API keys are hashed before storage. Plaintext keys are shown once at creation and never stored.

  • Report integrity: All compliance reports are signed with SHA-256 hashes for tamper detection.

  • Access controls: API endpoints require valid authentication. Rate limiting prevents brute force attacks.

  • Isolation: Each customer's agents and reports are isolated by customer ID.

    • ### 4.3 Data Breach Response
    In the event of a data breach affecting your personal information, we will:

  • Notify affected users via email within 72 hours of discovery

  • Notify relevant authorities as required by applicable law

  • Provide a description of the breach, data affected, and remediation steps

    • 5. Data Retention

    | Data Type | Retention Period |
    |-----------|-----------------|
    | Account data (email, plan) | Duration of account + 30 days after deletion |
    | API keys | Until revoked or account deleted |
    | Agent registrations | Duration of account |
    | Compliance reports and certificates | Duration of account + 30 days |
    | API call logs | 90 days rolling |
    | Rate limit data | In-memory only, not persisted |
    | Billing records | 7 years (legal requirement) |

    After account deletion, all data except legally required billing records is permanently deleted within 30 days.

    6. Your Rights

    ### 6.1 All Users

  • Access: Request a copy of all data associated with your account.

  • Deletion: Request permanent deletion of your account and data by emailing support@garmolabs.com. Processed within 30 days.

  • Portability: Export your compliance reports and certificates in JSON format via the API at any time.

  • Key Rotation: Rotate your API key at any time via the API.

  • Correction: Request correction of inaccurate account data.

    • ### 6.2 EU/EEA Residents (GDPR)
    In addition to the rights above, you have the right to:

  • Object to processing of your data.

  • Restrict processing in certain circumstances.

  • Withdraw consent at any time.

  • Lodge a complaint with your local data protection authority.

    • Our legal basis for processing: (a) performance of a contract (providing the Service); (b) legitimate interest (security, reliability); (c) legal obligation (billing record retention).

    ### 6.3 California Residents (CCPA/CPRA)

  • You have the right to know what personal information we collect and how it is used.

  • You have the right to request deletion of your personal information.

  • We do not sell personal information.

  • We do not use personal information for cross-context behavioral advertising.

    • 7. Sub-Processors

    We use the following third-party services to operate the Service:

    | Sub-Processor | Purpose | Data Shared |
    |--------------|---------|-------------|
    | Fly.io | Cloud infrastructure hosting | All Service data (encrypted at rest) |
    | Stripe, Inc. | Payment processing | Email, plan, billing information |

    We do not share your agent states, compliance reports, or verification data with any sub-processor except Fly.io for hosting purposes. Stripe receives only billing-related data.

    We will update this list and notify you before adding new sub-processors that access your data.

    8. International Data Transfers

    The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. For EU/EEA users, such transfers are governed by Standard Contractual Clauses. Enterprise customers may deploy on-premises to keep data within their jurisdiction.

    9. Children's Privacy

    The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it promptly.

    10. Changes to This Policy

    We may update this Privacy Policy from time to time. We will post the updated policy at axiom.garmolabs.com/privacy and notify you via email of material changes at least 30 days before they take effect. The "Effective" date at the top indicates the latest revision.

    11. Contact

    For privacy-related inquiries, data access requests, or data deletion requests:

    Garmo Labs, LLC
    Email: privacy@garmolabs.com
    Support: support@garmolabs.com
    Web: https://garmolabs.com