Legal · themeBASE

Privacy Policy

Effective: April 15, 2026 · Operator: Axiom Tech Inc.

In plain English

We are Axiom Tech Inc., the company behind themeBASE. We collect the data we need to run the marketplace (your email and account info, what you do on the site, the payments you make), we use it to give you the service and improve it, we share it only with the vendors who help us run it (Stripe, our AI and hosting providers, our analytics), and we never sell it. You can ask us to show you, correct, or delete your data at any time.

01

Who we are

Axiom Tech Inc. ("Axiom", "we", "us") is the operator of themeBASE, a closed-beta theme marketplace available at themebase.ai. Axiom is a Delaware C Corporation (Delaware file number 10529560, US EIN 30-1484738), incorporated on March 2, 2026, with its principal place of business c/o Legalinc Corporate Services Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, United States.

themeBASE is offered to customers globally, including in the European Economic Area and the United Kingdom. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Axiom is the data controller of the personal data described in this policy.

If you have questions, you can reach us at privacy@themebase.ai.

02

Data we collect

You give us

  • Account data: email address, name (optional), password hash, and any profile fields you fill in.
  • Waitlist data: your email address and, optionally, what kind of site you are building. Used only to onboard you in waves and to send you the one notification when your slot opens.
  • Purchase data: when you buy a theme, your billing details and license type. Payment card details go directly to Stripe and never touch our servers (see §5).
  • Communications: messages you send to support, content you share in customer-support chats, files you upload for diagnostics.
  • AI prompts: the natural-language briefs you give the AI concierge ("portfolio for a wedding photographer in pastel colors") and the customization instructions you give a theme preview. These may be processed by our AI subprocessors (see §5) and retained to improve the service.

We collect automatically

  • Usage data: pages viewed, themes searched and previewed, customization actions, timestamps, referring URL.
  • Device data: IP address, browser type and version, operating system, device identifiers, approximate location derived from IP.
  • Cookies: see §7.

We do not collect

  • Special-category data (health, biometric, religious, political).
  • Payment card numbers, CVVs, or full PANs (held by Stripe).
  • Government-issued IDs (held by Stripe Identity if used for KYC).

03

How we use it

  • To operate the marketplace: search, preview, customize, purchase, deploy, support.
  • To improve the service: aggregate usage analytics to refine the AI concierge, ranking, and quality review.
  • To run the AI features: prompts you give the concierge or customization layer are sent to our AI subprocessors (Anthropic, OpenAI, Google) to generate responses.
  • To prevent fraud and abuse: Stripe Radar plus our own velocity rules.
  • To comply with the law: tax reporting, sanctions screening, lawful requests from authorities.
  • To communicate with you: transactional emails (receipts, wave notifications, support replies). We do not run marketing drips. We only send the emails you would expect from a marketplace you signed up for.

We do not use personal data to train third-party large language models. Our AI subprocessors are contractually prohibited from training their own models on our customer data (see §5).

04

Legal bases (GDPR)

If you are in the European Economic Area, the UK, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:

| Activity | Legal basis |
|---|---|
| Running your account, processing your purchases | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention, network security | Legitimate interest (Art. 6(1)(f)) |
| Analytics, product improvement | Legitimate interest (Art. 6(1)(f)) or consent where required |
| Marketing communications (when applicable) | Consent (Art. 6(1)(a)), which you can withdraw at any time |
| Tax, accounting, regulatory compliance | Legal obligation (Art. 6(1)(c)) |

05

Who we share it with

We share personal data only with the vendors we need to run the service, under written data-processing agreements. As of the effective date:

| Subprocessor | What it handles | Where |
|---|---|---|
| Stripe, Inc. | Payments, Connect payouts, Tax, Identity (KYC), Radar (fraud) | US / EU |
| Anthropic, PBC | Claude models (AI concierge, customization, code review, Suppilot) | US |
| OpenAI, Inc. | GPT models and text embeddings (originality, search) | US |
| Google LLC | Gemini models (visual critique, fallback inference) | US / EU |
| Cloudflare, Inc. | CDN, WAF, DDoS protection, edge compute, R2 object storage | Global |
| Snyk Limited | Dependency security scanning of theme uploads | US / EU |
| r2c, Inc. (Semgrep) | Static analysis of theme code | US |

The current list of subprocessors is maintained at this URL and updated when it changes. We will notify registered customers at least 30 days before adding a new subprocessor that handles personal data.

We do not sell personal data, and we do not share it for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act.

06

International transfers

Our subprocessors are primarily US-based. When we transfer personal data from the EEA, the UK, or Switzerland to a country outside those regions, we rely on:

  • European Commission Standard Contractual Clauses (SCCs), plus the UK Addendum where applicable, with each subprocessor.
  • Supplementary technical measures (encryption in transit and at rest, access controls).
  • The EU-US Data Privacy Framework where the receiving organization is certified.

Copies of these safeguards are available on request at privacy@themebase.ai.

07

Cookies & tracking

We use a small set of cookies:

| Type | What it does | Lifetime |
|---|---|---|
| Essential | Login session, security tokens, CSRF protection | Session / 30 days |
| Functional | Remembering preferences (e.g. dark mode), waitlist state | 1 year |

During the closed beta, the Service uses only essential and functional cookies. We do not run third-party analytics, advertising, or behavioural-tracking cookies. If we add analytics in a future release, we will update this policy and (where required) display a consent banner before any non-essential cookies are set.

08

How long we keep it

  • Account data: while your account is active, then 30 days after closure (so you can reverse a deletion) and then deleted, except where retention is required by law.
  • Purchase records: 7 years (tax and accounting obligations).
  • Waitlist email: until your wave opens and you either join or opt out; we delete on request.
  • Support conversations: 2 years, then deleted or anonymised.
  • Server and access logs: 90 days.
  • AI prompts and responses: 30 days for debugging and quality review, then anonymised or deleted.

09

Your rights

Depending on where you live, you may have the following rights over your personal data:

  • Access: a copy of what we hold about you.
  • Rectification: correction of inaccurate data.
  • Erasure: deletion, subject to retention obligations.
  • Restriction of processing.
  • Portability: your data in a structured, machine-readable format.
  • Objection to processing based on legitimate interest.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local supervisory authority (e.g. the relevant national data-protection authority in the EU, or the ICO in the UK). We expect the Irish Data Protection Commission to act as our lead supervisory authority once an EU representative is appointed.

For California residents, the CCPA gives you the right to know, to delete, to correct, and to opt out of "sale" or "sharing". We do not sell or share personal information for cross-context behavioural advertising.

To exercise any of these rights, email privacy@themebase.ai. We respond within 30 days.

10

Security

  • All data in transit is encrypted with TLS 1.2 or higher.
  • Sensitive data at rest is encrypted using AES-256.
  • Access to production systems is restricted, logged, and protected by multi-factor authentication.
  • Payment card data is handled exclusively by Stripe under PCI DSS Level 1; it never touches our infrastructure.
  • Theme uploads are scanned by deterministic security tooling (Snyk, Semgrep) and run in isolated sandboxes before being made available to buyers.
  • We follow the principle of least privilege and review access quarterly.

No system is perfectly secure. If you believe you have found a vulnerability, please contact security@themebase.ai.

11

Children

themeBASE is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, please contact privacy@themebase.ai and we will delete it.

12

Changes to this policy

We may update this policy from time to time. The "Effective" date at the top reflects the latest revision. For material changes we will notify registered users by email at least 14 days before the change takes effect.

13

Contact

Axiom Tech Inc.
Delaware C Corporation · file no. 10529560 · EIN 30-1484738
c/o Legalinc Corporate Services Inc.,
131 Continental Dr, Suite 305, Newark, DE 19713, United States

Privacy inquiries: privacy@themebase.ai
Security disclosure: security@themebase.ai
General contact: hello@themebase.ai

Residents of the European Economic Area or the United Kingdom may contact our designated Article 27 representative via privacy@themebase.ai. The current representative's contact details will be provided on request.