Privacy Policy
Effective: March 14, 2026
1. Introduction
Apex, Inc. (“Apex,” “we,” “us”) respects your privacy. This Privacy Policy describes how we collect, use, and share information when you use the Apex platform, including the web dashboard, API, MCP server, and apex.js snippet (collectively, the “Service”).
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, company name, and password.
2.2 Experiment & Assumption Data
You create and manage assumptions, experiments, and results within the Service. This data is stored on your behalf and remains under your ownership as described in our Terms of Service.
2.3 Visitor Data (via apex.js)
When you install the apex.js snippet on your website, it collects the following about your website visitors:
- Visitor ID: A pseudonymous identifier stored in a first-party cookie (
apex_vid) - Attribution data: UTM parameters, referrer, and campaign information (
apex_attr) - Session data: Page URL, timestamp, viewport size
- Experiment assignment: Which variant was served to the visitor
- Form submissions: If form interception is enabled, form field values submitted on your site
This visitor data is collected on your behalf and processed solely to deliver the Service. We do not use your visitors’ personal data for our own marketing or sell it to third parties.
2.4 Usage Data
We collect data about how you use the Service, including pages viewed, features used, actions taken, and performance metrics. This helps us improve the Service.
2.5 MCP Server Telemetry
The MCP server communicates with the Apex API to provide experimentation tools in your IDE. It transmits experiment data, assumption data, and tool invocations. It does not transmit source code, file contents, or any proprietary code from your development environment.
3. How We Use Information
- Provide the Service: Deliver experiments, track results, update assumption certainty, generate AI recommendations
- Improve the Service: Anonymized, aggregated experiment outcome data is used to improve AI recommendation quality and generate benchmarks (see Section 5)
- Communicate: Send product updates, security alerts, and support messages (not marketing unless you opt in)
- Prevent abuse: Detect and prevent fraud, spam, and Terms violations
4. What We Share
We do not sell personal information. We share data only in these circumstances:
- Service providers: Vercel (hosting), Stripe (payments). These providers process data solely on our behalf under data processing agreements.
- Legal requirements: If required by law, regulation, or legal process
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to you
- With your consent: For any other purpose with your explicit permission
5. Anonymized Data
We create anonymized, aggregated datasets from experiment outcomes to improve AI recommendations and generate industry benchmarks. This data is stripped of all identifying information:
- No company names, URLs, or account identifiers
- No raw text content or creative assets
- No personal data of any kind
- Only structural patterns: element type, change type, outcome direction, magnitude bucket
You may opt out of anonymized data collection in your account settings. Opting out disables certain AI features that rely on aggregate data.
6. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
apex_vid | Pseudonymous visitor identifier for experiment assignment | 1 year |
apex_attr | Attribution data (UTM params, referrer) for conversion tracking | 30 days |
apex_session | Session identifier | Session |
The apex.js snippet uses first-party cookies only. No third-party tracking cookies are used.
7. Data Retention
- Active accounts: Data is retained for the life of your account
- Closed accounts: Data is available for export for 30 days, then permanently deleted within 90 days
- Anonymized data: Retained indefinitely as it contains no personal information
8. Your Rights (GDPR / CCPA)
Depending on your location, you may have the right to:
- Access: Request a copy of all data we hold about you
- Deletion: Request deletion of your personal data
- Export: Export your data in a machine-readable format (JSON)
- Correction: Request correction of inaccurate data
- Opt out: Opt out of anonymized data collection
- Do not sell: We do not sell personal information (CCPA)
To exercise these rights, contact privacy@apex.inc. We will respond within 30 days.
9. Legal Basis for Processing (GDPR)
- Contract: Processing necessary to provide the Service you requested
- Legitimate interest: Service improvement, security, fraud prevention
- Consent: Marketing communications, anonymized data collection (you may withdraw at any time)
10. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses for transfers from the EEA/UK.
11. Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. No system is 100% secure, and we cannot guarantee absolute security.
12. Children
The Service is not directed to children under 18. We do not knowingly collect data from children. If we learn that we have collected data from a child, we will delete it promptly.
13. Changes
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy with a new effective date. Your continued use of the Service constitutes acceptance.
14. Contact
Questions about this Privacy Policy? Contact us at privacy@apex.inc.