Privacy Policy

Last updated: January 1, 2025

This Privacy Policy explains how Axos CRM (“Axos,” “we,” “us,” or “our”) collects, uses, and protects the personal information you provide when you use our platform. By using Axos CRM, you agree to the practices described in this policy.

Information We Collect

We collect information you provide directly to us, information generated through your use of the service, and in some cases, information from third parties.

Account Information

When you register, we collect your name, work email address, firm name, and a hashed password. We do not store plaintext passwords.

Firm and Client Data

To provide our service, you will upload documents, client records, and other data (“Firm Data”). This data belongs exclusively to your firm. We access it only to deliver and support the service.

Usage Data

We collect anonymized telemetry — page views, feature usage counts, error rates — to improve reliability. This data cannot be linked to individual users or clients.

Payment Information

Billing is handled by our PCI-DSS Level 1 certified payment processor. We store only a payment method token and the last four digits of your card. Full card numbers never touch our servers.

How We Use Your Information

We use collected information strictly to:

  • Provide, maintain, and improve the Axos CRM service
  • Process your subscription and billing
  • Send transactional emails (receipts, password resets, security alerts)
  • Respond to support requests and communications
  • Enforce our Terms of Service and prevent abuse
  • Comply with legal obligations

We do not use your Firm Data or your clients' personal information for advertising, profiling, product training, or any purpose other than delivering the service you paid for.

Data Sharing and Disclosure

We do not sell, rent, or share your data with third parties for commercial purposes. We share data only in the following limited circumstances:

Service Providers

We engage sub-processors (cloud infrastructure, payment processing, email delivery) who are contractually bound to process data only as we direct and under equivalent data protection obligations.

Legal Requirements

We may disclose information when required by law, court order, or governmental authority. We will notify you of such requests unless prohibited by law.

Business Transfers

In the event of a merger, acquisition, or sale of assets, customer data would be transferred subject to the same privacy commitments. You will be notified in advance.

Data Retention

Tax documents and associated records are retained for a minimum of 7 years from upload to satisfy IRS record-keeping requirements (IRC § 6001). You may request earlier deletion of personal data outside the mandatory retention window subject to our Right to Erasure process.

Account information is retained for the duration of your subscription and for up to 90 days after termination to allow for account recovery. Anonymized aggregated usage statistics are retained indefinitely.

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Correct inaccurate or incomplete information
  • Erasure — Request deletion of personal data outside mandatory retention windows
  • Portability — Receive your data in a machine-readable format
  • Objection — Object to processing in certain circumstances
  • Restriction — Request we limit how we process your data

To exercise any of these rights, contact us at privacy@axoscrm.com. We will respond within 30 days.

Security Measures

We implement industry-leading technical and organizational measures to protect your data:

  • AES-256-GCM encryption for all data at rest
  • TLS 1.3 for all data in transit, with HSTS enforced
  • Encryption keys isolated per tenant and rotated on a scheduled cycle
  • SOC 2 Type II certified infrastructure, audited annually
  • Role-based access control with complete audit logging
  • Annual third-party penetration testing
  • 24/7 security monitoring with a documented incident response plan

In the event of a data breach affecting personal data, we will notify affected customers within 72 hours as required by GDPR Article 33 and applicable US state breach notification laws.

International Transfers

Axos CRM operates infrastructure in the United States. If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with data transfer restrictions, your data may be transferred to and processed in the US.

We ensure such transfers comply with applicable law through Standard Contractual Clauses (SCCs) or equivalent mechanisms. Enterprise customers may request geographic data residency restrictions.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

A history of previous policy versions is available upon request.

Contact Us

For privacy inquiries, data subject requests, or to report a concern:

Email: privacy@axoscrm.com

Response time: Within 30 days for data subject requests, 72 hours for breach notifications