Affixly Inc.
Privacy Policy
This Privacy Policy describes how Affixly Inc. (“Affixly”, “we”, “us”, or “our”) collects, uses, stores, and shares information when you use our products and services. It applies to all Affixly products, including Affixly Flow, Affixly Surge, Affixly Forge, Affixly Sites, and this marketing website (collectively, the “Services”).
By using our Services, you agree to the collection and use of information in accordance with this policy.
1. Who We Are
Affixly Inc. is a software company based in Ontario, Canada. We build tools that help teams document their work, monitor AI spend, design 3D-printed parts, and host internal and external documentation.
Contact: privacy@affixly.ai
2. Information We Collect
We collect different types of information depending on which product you use.
2.1 Information You Provide Directly
Account information. When you create an account, we collect your name, email address, and (where applicable) your organisation name. We use Google OAuth for authentication — we receive only your name, email, and profile photo from Google.
Workspace content. Depending on which product you use, you may provide:
- Affixly Flow: Screen recordings (video/audio files), Loom URLs, article text, documentation steps, brand and voice settings, and any custom instructions you enter. Video files are processed to extract transcriptions and animated clips, then stored in Cloudflare R2 object storage.
- Affixly Surge: API keys for third-party AI providers (OpenAI, Anthropic, and Google). These keys are stored encrypted at rest using industry-standard symmetric encryption and are used solely to retrieve usage and billing data on your behalf. You may also submit usage events programmatically via the Surge SDK.
- Affixly Forge: Text prompts describing 3D geometry, uploaded
.scador.stlfiles, and session conversation history. Forge does not require an account and does not persistently link prompts to identifiable individuals unless you are signed in. - Affixly Sites: Email addresses submitted by visitors of private hosted documentation sites to receive a magic-link sign-in. These addresses are provided by you (the Flow tenant) when managing your site’s member list, and by the visitor when requesting access.
Integration credentials. If you connect third-party integrations (Atlassian/Jira, Atlassian/Confluence, Freshdesk, Google Drive, Figma), we store the OAuth tokens or API credentials required to operate those integrations on your behalf. These are stored encrypted and accessed only to perform actions you have explicitly authorised.
2.2 Information We Collect Automatically
Log data. Our servers automatically record information including your IP address, browser type, referring URL, pages visited, and timestamps when you use our Services.
Usage data. We record feature usage, API call counts, processing job status, and error events to operate the Services reliably and improve them.
Cookies and session tokens. We use session cookies to keep you signed in. Affixly Sites issues a JWT session cookie (affixly_session) to visitors of private documentation sites. This cookie is scoped to a specific site and expires after 30 days.
Search queries on Hosted Sites. When a visitor searches a hosted documentation site, the search query and result engagement are logged anonymously (no email, no IP stored in the search log) and aggregated to help the site owner understand what content is being searched for.
2.3 Information From Third Parties
When you connect AI provider accounts to Affixly Surge, we retrieve usage and billing data from those providers using the admin keys you supply. We do not receive raw prompts, completions, or user-level conversation content from those providers — only spend and token-count metadata.
3. How We Use Your Information
We use the information we collect to:
- Deliver the Services you have requested — processing recordings, generating documentation, fetching AI spend data, rendering 3D models, and hosting documentation sites.
- Authenticate you and maintain your session securely.
- Process AI requests on your behalf — your prompts and content are sent to AI model providers (Anthropic Claude, OpenAI GPT-4o) to generate documentation steps, 3D CAD code, and other outputs. See Section 5 for details on AI subprocessors.
- Send transactional emails — magic-link sign-in emails for Affixly Sites visitors; system notifications for your account.
- Monitor reliability and debug issues — usage logs, error traces, and performance metrics.
- Improve the Services — aggregated, de-identified usage patterns inform product decisions. We do not sell or share personal data for advertising purposes.
- Communicate with you — responding to support requests, sending product updates if you have opted in.
4. Legal Bases for Processing (for EEA/UK Users)
Where the General Data Protection Regulation (GDPR) or UK GDPR applies, we process your personal data on the following legal bases:
- Contract performance — processing your account data and workspace content is necessary to deliver the Services you have signed up for.
- Legitimate interests — operating secure, reliable infrastructure; detecting abuse; improving the Services through aggregated analytics.
- Legal obligation — retaining records where required by applicable law.
- Consent — for optional marketing communications (you may withdraw at any time).
5. Subprocessors and Third-Party Services
We share your data with the following categories of subprocessors to deliver our Services. All subprocessors are bound by data processing agreements and are required to handle data only as directed by us.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Managed PostgreSQL database (account data, workspace metadata) | USA |
| Railway | Application hosting (Flask backends) | USA |
| Vercel | Frontend hosting (React/Next.js applications) | USA |
| Cloudflare R2 | Object storage (video files, GIFs, transcripts) | USA |
| Anthropic | AI model inference (documentation generation, 3D CAD code) | USA |
| OpenAI | AI model inference (documentation generation, Whisper transcription) | USA |
| Resend | Transactional email (magic-link sign-in for Affixly Sites) | USA |
| Google (OAuth) | Identity provider (sign-in) | USA |
Your content submitted to AI subprocessors (Anthropic and OpenAI) is processed subject to those companies’ respective API data usage policies. We use the API — not consumer interfaces — which typically means content is not used to train those providers’ models by default. You should review Anthropic’s and OpenAI’s API data usage policies if this is important to your use case.
6. Data Retention
We retain your data for as long as your account is active and for a reasonable period thereafter to allow account recovery and comply with legal obligations.
| Data type | Retention period |
|---|---|
| Account and workspace data | Duration of account, plus 90 days after deletion |
| Video and GIF files (R2) | Duration of account, plus 90 days after deletion |
| Processed transcripts | Duration of account, plus 90 days after deletion |
| AI usage data (Surge) | 12 months of rolling history (configurable) |
| Magic-link tokens (Sites) | 15 minutes from creation (single-use) |
| Visitor session cookies (Sites) | 30 days from sign-in |
| Search query logs (Sites) | 30 days rolling |
| Server access logs | 30 days rolling |
You may request deletion of your data at any time (see Section 8).
7. Security
We take the security of your data seriously and apply appropriate technical and organisational measures, including:
- Encryption in transit — all Services operate over HTTPS/TLS.
- Encryption at rest — sensitive credentials (third-party API keys, OAuth tokens) are encrypted at rest using Fernet symmetric encryption before being stored in the database.
- Access controls — all API endpoints require authentication. Workspace data is isolated by tenant ID at the application layer. Row-Level Security is enabled on all Supabase database tables.
- Credential handling — API keys you provide to Affixly Surge (including admin-level keys) are stored encrypted and accessed only to perform sync operations. Keys are masked in logs and UI displays. You can revoke and replace stored keys at any time from your dashboard.
- No plaintext secrets in logs — our logging infrastructure strips known credential patterns before writing to log storage.
No method of transmission or storage is 100% secure. If you become aware of a security vulnerability in our Services, please contact us at security@affixly.ai.
8. Your Privacy Rights
Depending on where you are located, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request that inaccurate or incomplete data be corrected.
- Deletion — request that we delete your personal data. Note that some data may be retained for legal compliance purposes.
- Portability — request that we provide your data in a portable machine-readable format.
- Objection / Restriction — object to or request restriction of certain processing activities.
- Withdrawal of consent — where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, contact us at privacy@affixly.ai. We will respond within 30 days. We may need to verify your identity before processing your request.
If you are located in the EEA or UK and believe we have not addressed your concern, you have the right to lodge a complaint with your local data protection authority.
Canadian residents (PIPEDA): You have the right to access your personal information and to challenge its accuracy. Contact us at privacy@affixly.ai with your request.
9. International Data Transfers
Affixly is based in Ontario, Canada. Our subprocessors are primarily located in the United States. By using our Services, you acknowledge that your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your home country.
Where required by law (e.g., for EEA/UK users), we rely on appropriate safeguards such as Standard Contractual Clauses for transfers to the United States.
10. Children’s Privacy
Our Services are not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided personal data, we will delete it promptly. Contact us at privacy@affixly.ai if you believe this has occurred.
11. Third-Party Links and Integrations
Our Services integrate with third-party platforms including Atlassian, Freshdesk, Google, Figma, and AI providers. When you connect these integrations, you are also subject to those platforms’ own privacy policies. We are not responsible for the privacy practices of third-party services.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice in the application or emailing the address on your account. The “last updated” date at the top of this page reflects the most recent revision. Continued use of the Services after changes become effective constitutes your acceptance of the revised policy.
13. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy, contact us at:
Email: privacy@affixly.ai
We aim to respond to all privacy inquiries within 30 days.