Q2 2026 · Category-exclusive retainer slots open · reviewed weekly
DOXIA AXIS
BOOK
LEGAL · PRIVACY POLICY

Privacy Policy

Last updated · 03 May 2026 · Version 2.0

At-a-glance summary

We are HVX SYNDICATE LLC, doing business as Doxia Axis. We collect only what we need to evaluate fit, deliver our Services, run our business, and meet our legal obligations. We do not sell personal information. We honour the rights given to you by the EU and UK General Data Protection Regulations (GDPR / UK GDPR), India's Digital Personal Data Protection Act, 2023 (DPDPA), the California Consumer Privacy Act, as amended by the CPRA (CCPA/CPRA), and other applicable laws. This page tells you, in detail, what we do and how to exercise your rights. If anything is unclear, email contact@doxiaaxis.com.

1. Who we are (controller identity)

The data controller (and, under DPDPA, the Data Fiduciary) responsible for personal information processed in connection with doxiaaxis.com and the Services is:

HVX SYNDICATE LLC (d/b/a Doxia Axis), a limited liability company organised under the laws of the State of Wyoming, United States of America. We operate as a remote, globally distributed services business with primary delivery from India.

Registered agent for legal service of process in the United States: FormLLC, 30 N Gould St, Sheridan, WY 82801, USA. (This is our registered agent of record and is not a place of business.)
Privacy and data-protection contact: contact@doxiaaxis.com.
Postal address for grievance redressal under Indian law is available on request — please email us first to arrange.

Where we act on behalf of a client (for example, when configuring, processing, or analysing data inside the client's systems), we act as a data processor / Data Processor under the GDPR / DPDPA, and the client is the controller / Data Fiduciary. Our processing in that role is governed by a separate data-processing addendum (DPA) in the Engagement Agreement.

2. Scope

This Privacy Policy applies to personal information we process in connection with: (a) your visit to doxiaaxis.com; (b) any form, intake, audit request, scheduling link, or download we offer; (c) our marketing, sales, prospecting, and outreach; (d) the operation of our business (vendor management, billing, accounting, recruiting); and (e) any free pre-engagement work. It does not apply to personal information we process only on behalf of a client under a DPA (in which case the client's privacy notice governs the data subject relationship).

3. Information we collect

3.1 Information you provide

  • Identifiers and business contact details: name, business email, business phone (optional), job title, company name, company website, LinkedIn URL.
  • Audit and intake content: your description of the problem, revenue band, current toolset, bottleneck, referral source, and any documents or links you choose to attach.
  • Communications: emails, messages, scheduling requests, call notes, recordings (only with your consent or as allowed by law), and any feedback you send.
  • Engagement and billing information: entity name, tax ID, billing address, signatory name, and (where used) Stripe or other processor identifiers; we do not store full payment-card numbers ourselves.
  • Recruiting information (if you apply to work with us): CV, cover letter, references, and similar.

3.2 Information we collect automatically

  • Server and access logs: IP address, user-agent, referer, request URL, response status, timestamp. Logs are kept for up to thirty (30) days unless required longer for security or legal reasons.
  • Analytics: page views, sessions, device class, and country (city-level resolution where supported), collected via privacy-friendly analytics that does not use third-party tracking cookies for advertising.
  • Cookies and similar technologies: see Section 8.

3.3 Information from third parties

  • Enrichment data (e.g., company size, industry, funding signals) sourced from B2B data vendors and from publicly available business sources, used to qualify prospects and tailor outreach.
  • Referrals and introductions from our network or partners.
  • Authentication and integration providers when you connect a tool (e.g., Google, Calendly, GitHub) for the limited purpose of the integration.

We do not knowingly collect special categories of data (such as health, biometric, religion, or political opinion data) for our own purposes through the Site. Please do not include such data in intake submissions unless explicitly invited.

4. How we use personal information

We use personal information for the following purposes:

  • To respond to your inquiry, run an audit, schedule a discovery call, and evaluate engagement fit;
  • To deliver, support, and improve the Services and to invoice and collect payment for them;
  • To operate, secure, monitor, and maintain the Site, including preventing fraud, abuse, and unauthorised access;
  • To send transactional and engagement-related emails (e.g., audit delivery, invoice, scheduling confirmation);
  • To send carefully scoped marketing communications about our Services, where permitted by law and where you have not opted out;
  • To conduct outbound prospecting where we have a legitimate business interest and the contact is professional in nature, in compliance with applicable law (e.g., Article 6(1)(f) GDPR; B2B outreach norms; the DPDPA);
  • To prepare anonymised case studies, marketing assets, and internal training materials, on the rights granted in the Terms of Service;
  • To comply with applicable laws, court orders, and legitimate regulatory requests;
  • To establish, exercise, or defend legal claims and to enforce our agreements.

5. Legal bases for processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies to our processing as a controller, we rely on one or more of the following legal bases. Where a single activity engages more than one basis, the most specific basis applies.

  • Performance of a contract (Article 6(1)(b)) — to deliver Services and to take steps at your request before entering a contract (e.g., responding to your intake);
  • Legitimate interests (Article 6(1)(f)) — to operate and improve our business, for security and fraud prevention, for B2B prospecting that is professionally relevant and not unduly intrusive, and for anonymised marketing-asset development;
  • Legal obligation (Article 6(1)(c)) — to comply with tax, accounting, sanctions, and other regulatory requirements;
  • Consent (Article 6(1)(a)) — for non-essential cookies, marketing emails to natural persons in jurisdictions requiring opt-in, and for any other purpose that requires your specific consent. You can withdraw consent at any time without affecting prior lawful processing.

6. Indian Digital Personal Data Protection Act, 2023

For Data Principals in India, the DPDPA applies. We process personal data on the following grounds:

  • Consent for purposes that you specifically agree to (e.g., subscribing to a newsletter, opting in to marketing communications);
  • Legitimate uses as defined in Section 7 of the DPDPA — including processing necessary to perform a service or provide a benefit you have requested, processing for employment-related purposes, and processing for compliance with judgments or legal obligations.

We honour the rights of Data Principals under the DPDPA, including the rights to information, correction, completion, updating, erasure, grievance redressal, and nomination. Our Grievance Officer is identified in Section 17 below.

7. AI, automation, and model providers

Many of our Services use artificial intelligence and large language models, including third-party AI APIs (such as those provided by OpenAI, Anthropic, Google, or comparable providers). When we send your information to a model provider for the purpose of running the Services:

  • We use enterprise or zero-retention modes where available, so that the provider does not train its general-purpose models on your content;
  • We disclose the categories of personal data processed and the providers used in our DPA on engagement;
  • We do not use your personal information or Client Materials to train our own foundational models, and we do not contribute your personal information or Confidential Information to public model training corpora;
  • We may use anonymised, aggregated, or de-identified information and lessons learned to improve our internal prompts, configurations, and methodologies (“Improvement Data”), per Section 11.4 of the Terms of Service.

When you interact with an AI feature on the Site (for example, an AI assistant or chatbot), the inputs you submit may be transmitted to model providers under their terms. Avoid pasting sensitive data into such features.

8. Cookies and similar technologies

We take a minimal-cookie approach. The Site uses only what is needed to function and to understand aggregate traffic, and avoids consent-required tracking by design.

  • Strictly necessary cookies — required for the Site to function (e.g., session security, CSRF protection, load balancing). Under EU/UK GDPR (ePrivacy Directive Article 5(3)) and comparable laws, strictly necessary cookies do not require consent.
  • Cookieless analytics — we use privacy-friendly, aggregated traffic measurement (such as Vercel Analytics or comparable products) that does not set tracking cookies and does not perform cross-site tracking. Most regulators and supervisory authorities accept that this category does not require user consent.
  • No third-party advertising cookies, no cross-site tracking, no “sale” or “sharing” for advertising — under any definition used in the GDPR, DPDPA, CCPA/CPRA, or comparable laws.

If we ever introduce cookies or technologies that require consent under applicable law, we will deploy a compliant consent banner before doing so and update this Section. You can also control cookies via your browser settings; doing so may affect Site functionality.

Where supported, we honour Global Privacy Control (GPC) signals as a valid opt-out under the CCPA/CPRA and comparable laws.

9. Sharing and disclosure

We share personal information only as described below. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioural advertising.

  • Service providers (processors / sub-processors) who help us run the business — for example: hosting and CDN (Vercel), email delivery (Resend, Google Workspace), domain and DNS (Hostinger), scheduling (Cal.com / Calendly), payments (Stripe), CRM and outreach (e.g., HubSpot, Apollo, Clay, or comparable), analytics (Vercel Analytics or comparable), AI providers (OpenAI, Anthropic, Google, or comparable), accounting and invoicing (QuickBooks, Wise, or comparable), and customer-support tooling. They process information under written agreements, only on our instructions, and for the limited purposes we authorise.
  • Professional advisors — lawyers, accountants, auditors, insurers — under confidentiality.
  • Authorities — when required by law, court order, or legitimate regulatory request, or to protect rights, safety, and security.
  • Successors and acquirers — in connection with a merger, acquisition, financing, reorganisation, sale of assets, or similar transaction; we will give reasonable notice of any change in control affecting your information.

A current list of categories of sub-processors is available on request to contact@doxiaaxis.com.

10. International data transfers

We are a US-organised entity with operations in India and a remote delivery model. Personal information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States, India, and any country where our service providers operate. We rely on the following transfer mechanisms, adapted to the recipient and the data:

  • From the EU/EEA, UK, or Switzerland:the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Agreement / Addendum, as applicable), supplemented where appropriate by transfer impact assessments and additional safeguards.
  • From India: processing and transfer is undertaken in compliance with the DPDPA, including any country-restriction notice issued by the Government of India.
  • From other jurisdictions: the mechanisms required by the laws of that jurisdiction, where applicable.

To request a copy of the transfer mechanism we use for your data, email contact@doxiaaxis.com.

11. Retention

We retain personal information only as long as needed for the purposes described in this Policy and for any longer period required by law. Indicative retention periods (subject to extension where law, litigation hold, or legitimate business need requires):

  • Audit and intake submissions (no engagement): up to twenty-four (24) months from submission, then deleted or anonymised.
  • Active engagement records: for the duration of the engagement plus seven (7) years for tax, accounting, and audit purposes (or longer where required by law).
  • Marketing and prospecting data: up to thirty-six (36) months from last engagement signal (e.g., open, reply, meeting), then minimised or deleted.
  • Server logs and security telemetry: up to thirty (30) days, with extended retention where required for security investigation.
  • Recruitment data of unsuccessful candidates: up to twelve (12) months, unless you ask us to retain longer for future opportunities.

12. Security

We use organisational and technical safeguards designed to protect personal information against unauthorised access, loss, or destruction. Measures include access control with least-privilege principles, multi-factor authentication on administrative accounts, encryption in transit (TLS) and at rest where supported by the provider, environment isolation, secret management, vendor due diligence, security logging, and regular review of practices. No system is perfectly secure, and we cannot guarantee absolute security; you submit information to us at your own risk. Where law requires, we will notify you and the relevant authorities of a personal-data breach within the timelines mandated by the applicable law (e.g., 72 hours under the GDPR; the timelines specified under DPDPA rules; comparable timelines under other regimes).

13. Your rights

Subject to applicable law and verifying your identity, you may have the following rights. Where the law of your jurisdiction is more protective, that law applies.

13.1 GDPR / UK GDPR rights

  • Access to a copy of personal data we hold about you;
  • Rectification of inaccurate or incomplete personal data;
  • Erasure (“right to be forgotten”), subject to exceptions;
  • Restriction of processing in certain circumstances;
  • Objection to processing based on legitimate interests, including for direct marketing;
  • Data portability for data we process by automated means on consent or contract;
  • Withdrawal of consent (without affecting prior lawful processing);
  • Right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects, except as permitted by law;
  • Right to lodge a complaint with your data-protection authority (e.g., the Irish Data Protection Commission, the UK Information Commissioner's Office, or the supervisory authority in your EU Member State).

13.2 DPDPA rights (India)

  • Right to information about processing of your personal data;
  • Right to correction, completion, updating, and erasure of personal data;
  • Right of grievance redressal — see Section 17;
  • Right to nominate another individual to exercise your rights in the event of death or incapacity;
  • Right to withdraw consent and to refuse or limit further processing based on consent.

13.3 California rights (CCPA/CPRA)

  • Right to know what personal information we collect, use, and disclose, and the categories of sources and recipients;
  • Right to delete personal information, subject to exceptions;
  • Right to correct inaccurate personal information;
  • Right to limit use and disclosure of sensitive personal information;
  • Right to opt out of any “sale” or “sharing” (we do not sell or share for cross-context behavioural advertising);
  • Right to non-discrimination for exercising your rights.

Authorised agents may submit requests on your behalf with proof of authorisation. We do not charge a fee unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse, as permitted by law.

13.4 How to exercise your rights

Email contact@doxiaaxis.com with a clear description of your request and the jurisdiction whose rights you are invoking. We will verify your identity using information already in our records or, where necessary, by requesting limited additional information. We will respond within the timeline required by your law (typically 30 days under GDPR; up to 45 days under CCPA, with one 45-day extension where reasonably necessary; the timelines under DPDPA rules).

14. Children's data

The Site and the Services are intended for business users and are not directed at children. We do not knowingly collect personal information from children under the age of 18 (or such higher age as applicable law may require, such as 18 in India under the DPDPA for processing of children's data subject to parental consent). If you believe a child has provided us with personal information, contact us and we will delete it.

15. Do Not Track and global signals

Browsers may send “Do Not Track” signals; there is no universally adopted standard for responding to these. Where the law requires (e.g., the CCPA/CPRA), we honour Global Privacy Control (GPC) signals as a valid opt-out of any “sale” or “sharing.”

16. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date and version above will reflect any changes. For material changes, we will provide reasonable notice — for example, by posting on the Site or by email to known contacts — before the change takes effect.

17. Grievance Officer (India) and contact

As required under the DPDPA and the Information Technology Act, 2000 (and the rules thereunder), our Grievance Officer is:

Dhruva Kumar
HVX SYNDICATE LLC (d/b/a Doxia Axis)
Email: contact@doxiaaxis.com
Postal address for grievance redressal: available on request to data principals exercising rights under the DPDPA — please email us first to arrange.
Response timeline: within the period required by applicable law, generally not exceeding fifteen (15) days for IT Act grievances and thirty (30) days for DPDPA rights requests.

For all other privacy questions, complaints, or requests, email contact@doxiaaxis.com.

18. EU / UK representative

[If we offer services to or monitor the behaviour of individuals in the EU or UK at a scale that triggers Article 27 GDPR / Article 27 UK GDPR, we will appoint an EU representative and a UK representative and disclose them here. As of the “Last updated” date above, no representative is appointed. Where you wish to contact a representative and none is listed, contact us at contact@doxiaaxis.com.]

19. Notice on data breaches

We maintain documented procedures for detecting, evaluating, responding to, and notifying personal-data breaches. Where required, we will notify the relevant supervisory authority and affected individuals within the timelines set by applicable law.

This Privacy Policy is intended to give you a clear, complete picture of how we handle personal information. It is not legal advice. If you have questions, contact contact@doxiaaxis.com and we will help.