Privacy Policy

Last updated: May 5, 2026.

AlphaXSender (“we”, “us”) cares about how personal data is handled. This Privacy Policy explains what data we collect when you use our website, customer dashboard, and license-issuance API; why we collect it; who we share it with; and the rights you have over your data. It applies in addition to our Terms & Conditions.

In one paragraph

We are a license desk. We collect the minimum we need to sell you a lifetime licence and let you manage it: your account fields, your order history, the License Key we issued you, and the contact-form messages you send us. We do not see, store, or relay any of the emails, recipients, SMTP credentials, Microsoft 365 tokens, or sending domains you configure inside the desktop application — all of that lives on machines you control.

1. Who is the data controller?

AlphaXSender is the data controller for the personal data described in this policy. For privacy questions, data-subject requests, or to reach our privacy contact, write to support@alphaxsender.local.

When you use the desktop application to send email, you are the controller of the recipient and content data you process. AlphaXSender is not a processor of that data because we never receive it.

2. What data we collect

2.1 Account data

  • First name, last name, organisation (optional), email address.
  • A bcrypt hash of the password you choose. We never see or store the plaintext password.
  • The timestamp at which you accepted these Terms.
  • An “email-verified” flag and account-creation timestamp.

2.2 Order data

  • The plan you bought, the price in USD, the cryptocurrency you selected, the NowPayments invoice ID and on-chain status.
  • The wallet address NowPayments issued for the invoice (we do not have access to your funding wallet, only the destination address shown by NowPayments).
  • Timestamps of order creation, status updates, and license issuance.

2.3 License data

  • The License Key string we issued and its status (active / revoked).
  • JWT activation tokens we sign when the desktop application calls our license API; tokens are short-lived (24h) and not retained server-side.

2.4 Communication data

  • Messages you send via the contact form, including the subject, body, and the email address you supply.
  • Email correspondence with our support address.

2.5 Technical data

  • Server logs from your visits — IP address, request URL, response status, timestamp, user-agent. Used to diagnose errors and detect abuse. Retained for up to 30 days.
  • A first-party session cookie used to keep you logged in, plus a CSRF token used to protect form submissions. We do not run third-party analytics, advertising trackers, or fingerprinting scripts on the website.

2.6 What we DO NOT collect

  • Your recipient lists, mail-merge fields, or campaign content.
  • Your SMTP server credentials or hostnames.
  • Your Microsoft 365 / Outlook OAuth tokens or harvested contacts.
  • Your sending domains, DKIM keypairs, or DNS configuration.
  • The URLs you target with your tracker scripts or the click / open data they capture.
  • Any campaign telemetry from the desktop application.

All of the above lives in the local SQLite (or your configured MySQL / MariaDB / PostgreSQL) database that the desktop application reads and writes on machines you control. The desktop application never transmits any of it to AlphaXSender servers.

3. Why we use it (purposes & lawful bases)

Under the GDPR and UK GDPR, every act of processing must rely on a lawful basis. Ours are:

  • Performance of a contract (Art. 6(1)(b) GDPR). Account registration, login, processing your order, issuing your License Key, validating it from the desktop application, customer support — these are all necessary to deliver the Service you bought.
  • Legitimate interests (Art. 6(1)(f) GDPR). Fraud detection, abuse prevention, securing our infrastructure, debugging server errors, calculating aggregate usage statistics, defending legal claims. We balance these against your rights and freedoms; you can object — see Section 7.
  • Legal obligation (Art. 6(1)(c) GDPR). Retaining order and tax records for the period required by applicable accounting law, responding to lawful requests from authorities.
  • Consent (Art. 6(1)(a) GDPR). Where we ask for explicit opt-in (e.g. a future newsletter). You may withdraw consent at any time without affecting prior processing.

4. Who we share data with

We share the minimum needed and only with vetted sub-processors. Currently:

| Sub-processor | What we share | Purpose |
| --- | --- | --- |
| NowPayments | Your order ID, plan name, price in USD, your selected cryptocurrency, the success / cancel / IPN callback URLs. | Process the cryptocurrency payment, issue an invoice, return the on-chain status. |
| Hosting provider | Server logs, the database file, every byte of HTTP traffic. | Run the website. We choose hosts that comply with applicable data-protection law. |
| Transactional email provider | Your email address and the body of any service email we send (e.g. License Key delivery, password reset). | Deliver mandatory transactional email reliably. We do not run marketing email through this channel. |

We do not sell, rent, or trade your personal data. We may disclose data to law enforcement, regulators, courts, or governmental authorities when we believe in good faith that disclosure is required by law, by a valid subpoena, or to protect against fraud or harm. Where allowed, we will notify you of the request before responding.

5. International transfers

Our hosting and sub-processors may operate outside your country of residence, including in jurisdictions where data-protection law is different from yours. Where personal data leaves the EEA / UK / Switzerland, we rely on the European Commission’s Standard Contractual Clauses (and the UK’s International Data Transfer Addendum, where applicable), the UK International Data Transfer Agreement, or any adequacy decision in force at the time. Copies of the relevant transfer mechanism are available on request.

6. How long we keep data

  • Account data: for the duration of your account, plus up to 12 months after deletion in case of dispute or legal claim.
  • License keys: retained indefinitely while active. Revoked keys are kept for fraud-prevention reference for up to 24 months and then deleted.
  • Order records: retained for 7 years to satisfy tax and accounting obligations in most jurisdictions.
  • Contact-form messages: retained for 24 months from receipt, then deleted unless they form part of an ongoing support thread.
  • Server logs: retained for up to 30 days, then rotated and deleted.

7. Your rights

Subject to local law, you have the following rights over your personal data:

  • Access a copy of your data and information about how we process it.
  • Rectification of inaccurate or incomplete data.
  • Erasure (the “right to be forgotten”) where one of the GDPR grounds in Art. 17 applies.
  • Restriction of processing where Art. 18 applies.
  • Portability in a structured, machine-readable format where Art. 20 applies.
  • Object to processing based on our legitimate interests.
  • Withdraw consent at any time where processing relies on consent.
  • Lodge a complaint with your local data-protection authority. In the EU/EEA you can find your authority via edpb.europa.eu; in the UK via the ICO (ico.org.uk).

Note: deleting your account does not invalidate License Keys we have already issued; you may continue to use them under the lifetime licence. To exercise any right, email support@alphaxsender.local from the address on file. We respond within 30 days (extendable to 90 days for complex requests, with notice).

8. California (CCPA / CPRA) rights

If you are a California resident, you have the rights described in Section 7 plus:

  • The right to know what personal information we have collected, sold, or shared in the past 12 months. We do not sell or share personal information for cross-context behavioural advertising.
  • The right to opt out of any sale or sharing (not applicable — we do neither).
  • The right to non-discrimination for exercising your rights.
  • The right to limit the use of sensitive personal information (we do not collect any, beyond what is required to deliver the Service).

9. Security

We apply technical and organisational measures appropriate to the risk: TLS in transit, bcrypt for stored passwords, HMAC-verified webhooks, CSRF tokens on every form, parameterised SQL, isolation of static assets from PHP source, and access-controlled backups. The desktop application stores credentials it holds (license JWT, SMTP passwords, OAuth tokens, API keys) DPAPI-encrypted at rest on the user’s machine. No system is perfectly secure; in the event of a breach we will notify affected users and the relevant supervisory authority within the timelines required by applicable law (typically 72 hours under GDPR / UK GDPR).

10. Cookies

We use only strictly-necessary cookies:

| Name | Purpose | Lifetime |
| --- | --- | --- |
| axs_sess | Keeps you logged in to the customer dashboard or admin panel. | Session (deleted on browser close). |
| _csrf | Inside the session — protects against cross-site request forgery on form submissions. | Session. |

No analytics, no advertising, no third-party cookies are set by the website. Because both cookies are strictly necessary to the Service you requested, no consent banner is required under ePrivacy / PECR.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

12. Automated decisions

We do not subject you to decisions based solely on automated processing that produce legal effects concerning you. License issuance is automated by status update from NowPayments, but the underlying decision (granting the licence) follows from your explicit purchase action.

13. Changes to this policy

We may revise this Privacy Policy from time to time. The revised version takes effect on the “Last updated” date shown above. Material changes will be flagged via email or a notice on the customer dashboard at least 14 days before they take effect, where required by law.

14. Contact

Questions about this Privacy Policy, requests under your data-subject rights, or anything else privacy-related: please write to support@alphaxsender.local. You may also use the contact form; please mention “privacy” in the subject line so it routes correctly.

© 2026 AlphaXSender. All rights reserved.