
Privacy Policy
Last updated: March 2026
1. Introduction
AERYA IT SOLUTIONS SRL ("we", "us", "our") operates the Axis ERP platform (axiserp.com). We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Romanian data protection legislation, including Law No. 190/2018 implementing the GDPR in Romania. This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website or use our services.
2. Data Controller & Data Protection Contact
AERYA IT SOLUTIONS SRL
Str. Pavel Rosca 4 Ap. 28
Cluj-Napoca, Romania
CUI: 48346891
J12/2640/2023
Email: info@axiserp.com
For all data protection inquiries, requests to exercise your rights, or complaints, please contact our data protection contact at info@axiserp.com.
3. Our Role: Controller and Processor
Axis ERP acts in two capacities depending on the context. When you visit our website, create an account, or interact with us directly, we act as the data controller and determine the purposes and means of processing your personal data. When you use Axis ERP to store and manage your own business data (e.g., your customers, employees, invoices), we act as a data processor on your behalf. In this capacity, you are the data controller for the personal data you enter into the platform, and we process it solely according to your instructions. The terms governing our role as data processor are set out in the Data Processing section of our Terms of Service.
4. Data We Collect
We collect the following categories of personal data:
Account Information
- Full name
- Email address
- Company name and business details
- Phone number (optional)
- Billing address and payment information (processed by Stripe)
Usage Data
- Features and modules accessed
- Timestamps of interactions
- User preferences and settings
- Marketing attribution data (UTM parameters from URLs, stored temporarily in your browser's session storage and submitted with contact or demo request forms)
Technical Data
- IP address (collected during website visits and form submissions, including for Cloudflare Turnstile anti-spam verification)
- Browser type and version
- Device type and operating system
- Referring URLs and page URLs visited
Analytics Data (with your consent)
- Pages viewed and navigation paths (via Google Analytics 4, loaded only after you consent to analytics cookies)
- Session duration and engagement metrics
- Approximate geographic location (country/city level, derived from IP address by Google Analytics)
5. How We Use Your Data
- To provide and maintain the Axis ERP service (contract performance)
- To process your subscription and payments (contract performance)
- To communicate with you about your account, including support requests (contract performance)
- To send service updates and important notices (contract performance / legitimate interest)
- To improve our platform and develop new features (legitimate interest)
- To ensure the security and integrity of our services (legitimate interest)
- To analyze website usage and improve user experience, where you have consented to analytics cookies (consent)
- To comply with legal obligations (legal obligation)
6. Legal Basis for Processing
Under GDPR Article 6, we process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing your account data, subscription, payments, and providing the ERP service as agreed in your subscription
- Legitimate interest (Art. 6(1)(f)): Improving our services, ensuring platform security, preventing fraud, and sending service-related communications. You may object to processing based on legitimate interest at any time
- Legal obligation (Art. 6(1)(c)): Compliance with applicable tax, accounting, and regulatory requirements under Romanian and EU law
- Consent (Art. 6(1)(a)): Analytics cookies (Google Analytics 4) and marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal
7. Data Storage & Security
Your data is stored on secure servers provided by Hetzner Online GmbH, located within the European Union (Germany and Finland). We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, role-based access controls, regular security audits, and employee training on data protection.
8. Data Access
Your business data stored in Axis ERP belongs to you. Our staff does not access your data unless explicitly requested by you (e.g., for technical support, troubleshooting, or data migration assistance). Any access by our team is logged, limited in scope, and performed only for the purpose you have authorized.
9. Data Retention
We retain your personal data for as long as your account is active and as needed to provide you our services. After account termination, we retain your data for 30 days to allow for reactivation, after which it is permanently deleted. Technical and browser data (IP addresses, browser information) is retained for a maximum of 12 months. Analytics data collected via Google Analytics is retained according to Google's data retention settings (default: 14 months). Certain data may be retained longer where required by law – specifically, invoicing records are retained for 10 years as required by Romanian fiscal legislation (Legea contabilității nr. 82/1991, as amended).
10. Third-Party Services
We share personal data with the following third-party processors, all of whom are GDPR-compliant:
- Stripe (Stripe, Inc., USA) – Payment processing. Stripe processes your payment card information directly; we do not store your card details. Stripe is certified under the EU-US Data Privacy Framework. See stripe.com/privacy.
- Cloudflare (Cloudflare, Inc., USA) – Website delivery, DDoS protection, and the Turnstile anti-spam widget. Cloudflare participates in the EU-US Data Privacy Framework. See cloudflare.com/privacypolicy.
- Hetzner (Hetzner Online GmbH, Germany) – Server infrastructure within the EU for hosting your ERP data and our self-hosted business systems.
- Google Analytics 4 (Google Ireland Limited / Google LLC) – Website analytics, loaded only after you consent to analytics cookies via our cookie consent banner. Google is certified under the EU-US Data Privacy Framework. See policies.google.com/privacy.
- Cookie Script (Cookie Script Ltd) – Cookie consent management. Manages your cookie preferences on our website. See cookie-script.com/privacy-policy.
11. International Data Transfers
Your ERP data is processed and stored exclusively within the European Economic Area (EEA) on Hetzner servers. Some third-party processors transfer data outside the EEA: Stripe, Cloudflare, and Google have operations in the United States and are certified under the EU-US Data Privacy Framework (adequacy decision adopted by the European Commission on 10 July 2023). Where the Data Privacy Framework does not apply, we rely on EU Standard Contractual Clauses (SCCs) as an additional safeguard. We regularly review these transfer mechanisms to ensure ongoing compliance.
12. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR Articles 15–22:
- Right of access (Art. 15) – Request a copy of the personal data we hold about you, free of charge for the first request
- Right to rectification (Art. 16) – Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17) – Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
- Right to restrict processing (Art. 18) – Request limitation of how we process your data
- Right to data portability (Art. 20) – Receive your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON)
- Right to object (Art. 21) – Object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent (Art. 7(3)) – Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at info@axiserp.com. We will respond to your request without undue delay and in any event within one month, as required by GDPR Article 12(3). This period may be extended by two further months for complex or numerous requests, in which case we will inform you within the first month.
13. Automated Decision-Making & Profiling
We do not use automated decision-making or profiling as defined by GDPR Article 22. No decisions with legal or similarly significant effects are made about you solely by automated means.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Romanian National Supervisory Authority (ANSPDCP) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by GDPR Article 34, providing details of the breach and the measures taken to address it.
15. Children's Data
Axis ERP is a business-to-business service and is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.
16. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro, or with the supervisory authority in your EU member state of residence. This right is without prejudice to any other administrative or judicial remedy.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email. We encourage you to review this page periodically.
18. Contact Us
If you have any questions about this Privacy Policy or our data protection practices, please contact us:
Email: info@axiserp.com
AERYA IT SOLUTIONS SRL
Str. Pavel Rosca 4 Ap. 28, Cluj-Napoca, Romania