Astrix Beta Privacy Policy
Quick Summary
- We collect data you provide and some automatic data to deliver our service
- We do NOT sell your data or use it for advertising
- We retain emails after account termination for fraud prevention
- You have rights to access, correct, and delete your data
- We comply with Malaysia PDPA, UK GDPR, Singapore PDPA, US CCPA, and other applicable privacy laws
1 Introduction & Controller Information
1.1 About This Privacy Policy
This Privacy Policy explains how Astrix2u ("Company," "we," "us," "our") collects, processes, stores, and protects personal data from users ("User," "you," "your") of the Astrix Beta assessment tool ("Service").
This policy applies to all use of the Service, whether online via our website or through direct engagement with our team.
1.2 Data Controller & Processors
Astrix2u is the data controller responsible for your personal data, meaning we determine how and why your personal data is processed.
Key Data Processors We Use:
| Processor | Function | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection, DNS, analytics | Global (EU/US) |
| Resend | Transactional email delivery | Global (US) |
| Brevo | Primary email delivery, marketing automation | Global (EU) |
| EngineMailer | Email delivery infrastructure | Global |
| Amazon SES | High-volume email delivery (failover) | Global (US/EU) |
| Microsoft Clarity | User experience analytics, session recordings, heatmaps | Global (US/EU) |
All processors are bound by Data Processing Agreements (DPAs) requiring data protection compliance.
1.3 Data Protection Officer
Astrix2u may appoint a Data Protection Officer (DPO) if required under Malaysia PDPA 2024 or UK GDPR regulations. For data protection inquiries, contact us through https://astrix2u.com/contact
1.4 Applicable Privacy Laws
This Privacy Policy complies with:
- Malaysia: Personal Data Protection Act 2010 (PDPA) and Personal Data Protection (Amendment) Act 2024
- United Kingdom: UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
- Singapore: Personal Data Protection Act 2012 (PDPA) – where applicable
- United States: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – for California residents; state privacy laws where applicable
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia: Privacy Act 1988 and Australian Privacy Principles (APPs)
1.5 Geographic Availability
The Service is currently available only in the following Covered Countries:
Users from other regions may join our waitlist to be notified when we expand. Waitlist data (email and country) is processed under legitimate interest to facilitate service expansion.
2 Data We Collect
2.1 Information You Provide Directly
Account Registration & Profile Information
- Full name, email address, phone number (optional)
- Job title, company/organization name
- Profile photo or avatar (optional)
- Account preferences and settings
Input Data ("Inputs")
- Information you input into Astrix for assessment generation
- This is the primary data processed to provide the Service
Communication Data
- Messages, feedback, support inquiries, complaint details
- Responses to surveys or user research
- Participation in beta testing feedback
Payment Information (if applicable)
- Billing name, address, payment method details
- Transaction history and invoices
2.2 Information We Collect Automatically
Access & Connection Data
- IP address, device type, operating system, browser type
- Pages visited, time of access, referral source
Cookies & Local Storage
- Session cookies for authentication and functionality
- Analytics cookies (with consent)
- Persistent cookies to remember preferences
Usage Analytics
- Features accessed, assessments generated
- Interaction patterns, session duration
- Error logs and debugging information
2.3 Geographic & Waitlist Data
Location & Waitlist Information
We collect the following data for geographic availability and service expansion:
- Country code – Detected via Cloudflare's geo-IP service
- Waitlist signup – Email address if you join our expansion waitlist
- Access logs – Country and timestamp for regional access patterns
This data helps us comply with regional regulations, plan service expansion, and notify users when we become available in new regions.
2.4 Data from Third Parties
We may receive personal data from service providers, analytics platforms, payment gateway providers, and referral partners.
3 How We Use Your Data
3.1 Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Service Delivery & Account Management | Contract |
| Security & Fraud Prevention | Legitimate interests |
| Debugging & Technical Support | Contract / Legitimate interests |
| Product Improvement & Analytics | Legitimate interests |
| Legal Compliance | Legal obligation |
| Marketing & Communications | Consent |
| Anti-Fraud & Account Abuse Prevention | Legitimate interests |
We do NOT:
- ❌ Sell your Input data to third parties
- ❌ Share your Input with other users without consent
- ❌ Use Input for targeted advertising or marketing profiling
- ❌ Train commercial AI models on your Input without explicit opt-in consent
3.4 Business Account & Sub-Account Data
Business Reseller Data Processing
If you are a Business account holder or a sub-account managed by a Business, additional data processing applies.
Data Shared with Business Accounts:
If you are a sub-account managed by a Business reseller, the Business account holder may have access to:
- Your username and email address
- Credit balance and usage history
- Assessment activity statistics (number of assessments, not content)
- Account status (active, suspended)
Business Account Data We Collect:
For Business resellers, we additionally process:
- Sub-account management activities
- Credit distribution and approval records
- Revenue and transaction analytics (aggregated)
- Business performance metrics
Legal Basis:
Business account data is processed under Contract (providing reseller services) and Legitimate Interests (fraud prevention, platform integrity).
3.5 Credit Expiry Notifications
Automated Expiry Reminders
We send automated email notifications to remind you when your purchased credits are about to expire.
How Credit Expiry Notifications Work:
- When: 3 days before your credits expire
- Who: Users with packages having 33-100 day validity (not welcome credits)
- Content: Remaining balance, expiry date, and link to use credits
- Frequency: Maximum one notification per 24 hours per user
Data Processed for Notifications:
- Email address (to send the notification)
- Username/Full name (for personalization)
- Credit balance and expiry date (notification content)
- Notification history (to prevent duplicate emails)
Legal Basis:
Credit expiry notifications are sent under Contract (part of service delivery) and Legitimate Interests (helping you get value from your purchase).
3.6 Marketing Emails & Unsubscribe Rights
Your Email Preferences
We respect your communication preferences. You have full control over the marketing emails you receive from us.
Types of Emails We Send:
Transactional Emails (Cannot Unsubscribe)
- Account verification and password reset
- Two-factor authentication codes
- Credit purchase confirmations
- Credit expiry reminders (3 days before)
- Security alerts (suspicious login, password changes)
- Account suspension/termination notices
Marketing Emails (Can Unsubscribe)
- Product updates and new features
- Promotional offers and discounts
- Newsletters and tips
- Surveys and feedback requests
- Beta testing invitations
How to Unsubscribe:
You can unsubscribe from marketing emails at any time through:
- One-Click Unsubscribe: Click the "Unsubscribe" link in any marketing email footer
- Email Preference Center: Visit https://astrix2u.com/unsubscribe
- Contact Us: Email us through https://astrix2u.com/contact
Unsubscribe Process (GDPR/PDPA Compliant):
- Immediate Effect: Your request is processed immediately upon confirmation
- Token-Based Security: Unsubscribe links are secured with time-limited tokens (30-day validity)
- Confirmation Page: You'll see a confirmation page after unsubscribing
- Re-subscribe Option: You can re-subscribe at any time if you change your mind
- RFC 8058 Compliance: We support one-click unsubscribe as per email standards
Data We Collect for Unsubscribe Audit:
For compliance and fraud prevention, we log:
- Email address (to enforce unsubscribe preference)
- Reason for unsubscribing (optional, for service improvement)
- Timestamp of unsubscribe request
- IP address and user agent (for security audit)
Legal Basis
Marketing emails are sent based on Consent (you can withdraw at any time). Transactional emails are sent based on Contract (necessary for service delivery). We comply with Malaysia PDPA, UK GDPR, and CAN-SPAM Act requirements.
3.7 Telegram Bot Data Processing
Telegram Bot Service (@Astrix2u_bot)
When you use our Telegram Bot service, we collect and process additional data specific to this integration.
Data Collected via Telegram:
Account Linking Data
- Telegram User ID (unique identifier)
- Telegram Username (if available)
- First Name (as registered on Telegram)
- Language preference (from Telegram settings)
- Link timestamp and status
Message & Analysis Data
- Names submitted for analysis (processed, not permanently stored)
- Command history (help, balance, slot requests)
- Analysis results and timestamps
- Credit transactions via Telegram
Technical Data
- Chat ID (for message delivery)
- Message IDs (for response tracking)
- Callback query data (for inline interactions)
- Last activity timestamp
How We Use Telegram Data:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account Linking | Telegram ID, Username | Contract |
| Service Delivery | Messages, Analysis requests | Contract |
| Credit Management | Transaction history | Contract |
| Language Localization | Language preference | Legitimate Interests |
| Fraud Prevention | Telegram ID, Activity patterns | Legitimate Interests |
| Service Improvement | Usage analytics (aggregated) | Legitimate Interests |
Data Retention for Telegram:
| Data Type | Retention Period |
|---|---|
| Telegram User ID | Until account unlink + 30 days |
| Link Code | 10 minutes (auto-expire) |
| Message Content | Not stored (processed in real-time) |
| Analysis Results | Same as web application (30 days) |
| Transaction Logs | 3-7 years (tax compliance) |
Third-Party Data Sharing (Telegram):
When using the Telegram Bot, data flows through Telegram's infrastructure:
- Telegram: Receives and delivers messages between you and our bot
- Telegram may collect: Metadata, IP addresses, device info per their Privacy Policy
- We receive from Telegram: User ID, username, message content, chat ID
- We do NOT share: Your analysis results or credit balance with Telegram
Your Rights (Telegram Data):
- Unlink: Use /unlink command or web app to disconnect Telegram
- Access: Request a copy of your Telegram-related data via contact form
- Deletion: Request deletion of Telegram linking data
- Portability: Export your linked account information
Legal Basis
Telegram Bot data is processed under Contract (providing the linked service) and Legitimate Interests (fraud prevention, service improvement). You consent to this processing when linking your Telegram account.
4 Anti-Fraud & Email Retention Policy
Important Notice
When you terminate your account, we retain your email address in our system for fraud prevention and abuse mitigation purposes, even after account deletion.
Why We Retain Emails After Account Termination:
- You received welcome credits upon registration
- We must prevent re-registration using the same email to claim duplicate credits
- This protects our system integrity and other legitimate users
Retention Periods:
- Email address: Retained indefinitely (until re-registration risk has diminished)
- Account data and Inputs: Deleted after 30 days following termination
- All other personal data: Deleted as per Section 7
What This Means for Users:
- ✓ Your account profile, Inputs, and Outputs will be deleted
- ✓ Your personal information (name, phone, company) will be deleted
- ✓ Your email address will be retained for fraud prevention
- ✓ You cannot re-register using the same email address
- ✓ You can register using a different email address
5 Automated Decision-Making & Profiling
Important Notice: Automated Assessments
Astrix generates assessments using fully automated decision-making without human intervention.
What This Means:
- Nature: Astrix applies pre-defined, deterministic algorithmic rules to your Input to produce Outputs.
- No Machine Learning: Astrix does NOT use machine learning, neural networks, or AI models. It is rule-based and deterministic.
- No Profiling: Astrix does NOT create user profiles or build persistent behavioral models about you.
- Significant Effects: Assessments are informational only and do not have legal or similarly significant effects on you.
Your Rights:
You have the right to request human intervention, express your views, and challenge the decision. Contact us at https://astrix2u.com/contact with the subject line "Request for Human Review of Automated Assessment"
6 Who We Share Your Data With
6.1 Third-Party Service Providers
| Processor | Category | Purpose |
|---|---|---|
| Cloudflare | Infrastructure / Security | CDN, DDoS protection, analytics |
| Resend | Email Infrastructure | Transactional email delivery |
| Brevo | Email Infrastructure | Primary email delivery, marketing campaigns |
| EngineMailer | Email Infrastructure | Email delivery (failover) |
| Amazon SES | Email Infrastructure | High-volume email delivery |
| Amazon Cognito | Authentication | User identity management and authentication |
| Payment Processor | Payment | Processing payments |
| Cloud Hosting | Infrastructure | Storage, backup, availability |
We do NOT:
- ❌ Sell your personal data to third parties
- ❌ Disclose personal data to marketing partners without consent
- ❌ Share Input data with competitors or business partners
6.4 International Data Transfers
Astrix2u operates in Malaysia, UK, and Singapore. Your data may be transferred internationally with appropriate safeguards including Standard Contractual Clauses (SCCs), encryption, and access controls.
7 Data Retention & Deletion
| Type of Data | Retention Period | Reason |
|---|---|---|
| Account Information | During use + 2 years after closure | Audit trail, legal compliance |
| Email Address | Indefinite (terminated accounts) | Anti-fraud prevention |
| Input & Output Data | During use + 30 days after termination | Troubleshooting, support |
| Credit Expiry Notifications | 90 days after sending | Service records, audit trail |
| Email Communications | 1 year from last interaction | Legal disputes, service history |
| Unsubscribe Records | Indefinite | Compliance, preference enforcement |
| Email Campaign Data | 2 years | Analytics, compliance audit |
| Payment Information | 3-7 years per tax law | Tax compliance, accounting |
| Access Logs / IP | 90 days | Security, abuse detection |
| Analytics Data | 26 months | Usage patterns, trends |
Right to Erasure
You have the right to request deletion of your personal data. Submit a request through https://astrix2u.com/contact
Response Timeline: Malaysia PDPA: 30 days | UK GDPR: 30 days (extendable to 90 days)
8 Your Data Protection Rights
Malaysia PDPA Rights
- Right of Access
- Right of Correction
- Right of Deletion
- Right to Opt-Out
- Right to Restrict Processing
- Right to Lodge Complaint (PDPC)
UK GDPR Rights
- Right of Access (SAR)
- Right of Rectification
- Right to Erasure
- Right to Data Portability
- Right to Object
- Right to Lodge Complaint (ICO)
How to Exercise Your Rights
Contact us at https://astrix2u.com/contact
Include: Your name, account details, which right you're exercising, and description of the data involved.
9 Data Security & Protection Measures
- Encryption: HTTPS/TLS 1.2+ in transit, AES-256 at rest
- Access Control: Role-based access control (RBAC)
- MFA: Multi-Factor Authentication available
- Network Security: Firewalls, IDS, DDoS protection (Cloudflare)
- Backups: Regular encrypted backups with DR plan
- Training: Annual security awareness training
Data Breach Notification
We comply with Malaysia PDPA (72 hours to PDPC, 7 days to affected individuals) and UK GDPR (72 hours to ICO) notification requirements.
10 Cookies & Tracking Technologies
| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Essential/Technical | Session management, authentication, security | No – required for function |
| Analytics | Tracking page views, user behavior | Yes – requires consent |
| Functional | Remembering preferences, settings | Yes – requires consent |
| Marketing | Retargeting, conversion tracking | Yes – requires consent |
You can manage cookie preferences via our cookie consent banner or browser settings.
10.5 Microsoft Clarity Analytics
User Experience Analytics
We use Microsoft Clarity to understand how users interact with our Service and improve the user experience.
What Microsoft Clarity Collects:
- Session Recordings: Anonymous recordings of user interactions (clicks, scrolls, mouse movements)
- Heatmaps: Aggregated data showing where users click and scroll
- User Behavior Metrics: Page views, session duration, bounce rates
- Device Information: Browser type, screen resolution, operating system
Privacy Protections:
- Sensitive content (passwords, payment fields) is automatically masked
- Personal data in forms is not recorded
- IP addresses are anonymized
- No cross-site tracking is performed
Where Clarity is Used:
- ✓ Landing page (astrix2u.com)
- ✓ User application (console.astrix2u.com)
- ✗ NOT used on admin pages for privacy and security
Your Choices:
You can opt out of Microsoft Clarity tracking by:
- Using browser privacy settings to block third-party scripts
- Installing browser extensions that block analytics (e.g., uBlock Origin, Privacy Badger)
- Contacting us to request exclusion from analytics tracking
Legal Basis
We process this data under Legitimate Interests (improving user experience and service quality) and comply with Microsoft's data processing terms. For more information, see Microsoft's Privacy Statement.
11 Children & Minors
Age Restriction: The Service is not intended for individuals under 18 years old. We do not knowingly collect personal data from children or minors.
If you are a parent or guardian and believe a minor has provided data to us, contact us immediately at https://astrix2u.com/contact
12 Third-Party Links & Services
Our Service may contain links to external websites or services operated by third parties. We are not responsible for their privacy practices.
Before visiting external sites, review their privacy policies. We have no control over third-party data handling.
13 Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or new features.
How We Notify You:
- Website update with new "Last Updated" date
- Email notification to registered users
- In-app notification upon next login
- 30-day notice period before material changes take effect
14 Special Categories of Data (Sensitive Data)
Warning
Do NOT upload sensitive personal data to Astrix unless absolutely necessary:
- Health records, medical information, diagnoses
- Financial statements, bank accounts, credit information
- Identity documents (passports, driver's licenses)
- Biometric data, criminal records, genetic information
If you MUST input sensitive data: anonymize it where possible, use only minimum data required, understand the risks, and obtain consent from all individuals whose data is included.
15 Data Protection Impact Assessment (DPIA)
For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIAs) to identify risks, assess impact on individuals' rights, and implement mitigation measures.
You can request information about DPIAs relating to your data through https://astrix2u.com/contact
16 Contact Us & Data Protection Authorities
Astrix2u
- Contact: https://astrix2u.com/contact
- Service: Astrix Beta Platform
- Response Time: 30 days
Data Protection Authorities
- Malaysia: PDPC - pdp.gov.my
- UK: ICO - ico.org.uk
- ICO Phone: 0303 123 1113
17 Glossary of Terms
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data (collection, use, storage, deletion, etc.) |
| Data Controller | The entity that determines the purposes and means of processing (Astrix2u) |
| Data Processor | An entity that processes data on behalf of the controller (e.g., Cloudflare, Resend) |
| Consent | Freely given, specific, informed, unambiguous agreement to process personal data |
| Legitimate Interests | A legal basis allowing processing where controller has a legitimate business reason |
| Input | Personal data or information you provide to Astrix for assessment |
| Output | Assessment or results generated by Astrix based on your Input |
18 Final Provisions
Entire Agreement: This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and Astrix2u regarding data protection and privacy.
Governing Law:
- Malaysia users: Malaysian law, including PDPA 2010 and amendments
- UK users: English law, including UK GDPR and DPA 2018
- Other jurisdictions: Laws of Malaysia, unless local law imposes stricter requirements
Severability: If any provision is found invalid, the remaining provisions continue in full effect.
Acknowledgment
By using Astrix Beta, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with our data handling practices, please discontinue use of the Service.