Privacy Policy
Effective: April 21, 2026
1. Introduction
Apex, Inc. (“Apex,” “we,” “us”) respects your privacy. This Privacy Policy describes how we collect, use, and share information when you use the Apex platform, including the web dashboard, API, MCP server, and apex.js snippet (collectively, the “Service”).
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, company name, and password.
2.2 Experiment & Assumption Data
You create and manage assumptions, experiments, and results within the Service. This data is stored on your behalf and remains under your ownership as described in our Terms of Service.
2.3 Visitor Data (via apex.js)
When you install the apex.js snippet on your website, it collects the following about your website visitors:
- Visitor ID: A pseudonymous identifier stored in a first-party cookie (apex_vid)
- Attribution data: UTM parameters, referrer, and campaign information (apex_attr)
- Session data: Page URL, timestamp, viewport size
- Experiment assignment: Which variant was served to the visitor
- Form submissions: If form interception is enabled, form field values submitted on your site
This visitor data is collected on your behalf and processed solely to deliver the Service. We do not use your visitors’ personal data for our own marketing or sell it to third parties.
2.4 Usage Data
We collect data about how you use the Service, including pages viewed, features used, actions taken, and performance metrics. This helps us improve the Service.
2.5 MCP Server Telemetry
The MCP server communicates with the Apex API to provide experimentation tools in your IDE. It transmits experiment data, assumption data, and tool invocations. It does not transmit source code, file contents, or any proprietary code from your development environment.
4. How We Use Information
- Provide the Service: Deliver experiments, track results, update assumption certainty, generate AI recommendations
- Improve the Service: Anonymized, aggregated experiment outcome data is used to improve AI recommendation quality and generate benchmarks (see Section 6)
- Communicate: Send product updates, security alerts, and support messages (not marketing unless you opt in)
- Prevent abuse: Detect and prevent fraud, spam, and Terms violations
5. What We Share
We do not sell personal information. We share data only in these circumstances:
- Service providers: Vercel (hosting), Stripe (payments). These providers process data solely on our behalf under data processing agreements.
- Legal requirements: If required by law, regulation, or legal process
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to you
- With your consent: For any other purpose with your explicit permission
6. Anonymized Data
We create anonymized, aggregated datasets from experiment outcomes to improve AI recommendations and generate industry benchmarks. This data is stripped of all identifying information:
- No company names, URLs, or account identifiers
- No raw text content or creative assets
- No personal data of any kind
- Only structural patterns: element type, change type, outcome direction, magnitude bucket
You may opt out of anonymized data collection in your account settings. Opting out disables certain AI features that rely on aggregate data.
7. Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| apex_vid | Pseudonymous visitor identifier for experiment assignment | 1 year |
| apex_attr | Attribution data (UTM params, referrer) for conversion tracking | 30 days |
| apex_session | Session identifier | Session |
The apex.js snippet uses first-party cookies only. No third-party tracking cookies are used.
8. Data Retention
- Active accounts: Data is retained for the life of your account
- Closed accounts: Data is available for export for 30 days, then permanently deleted within 90 days
- Anonymized data: Retained indefinitely as it contains no personal information
9. Your Rights (GDPR / CCPA)
Depending on your location, you may have the right to:
- Access: Request a copy of all data we hold about you
- Deletion: Request deletion of your personal data
- Export: Export your data in a machine-readable format (JSON)
- Correction: Request correction of inaccurate data
- Opt out: Opt out of anonymized data collection
- Do not sell: We do not sell personal information (CCPA)
To exercise these rights, contact privacy@apex.inc. We will respond within 30 days.
10. Legal Basis for Processing (GDPR)
- Contract: Processing necessary to provide the Service you requested
- Legitimate interest: Service improvement, security, fraud prevention
- Consent: Marketing communications, anonymized data collection (you may withdraw at any time)
11. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses for transfers from the EEA/UK.
12. Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. No system is 100% secure, and we cannot guarantee absolute security.
13. Children
The Service is not directed to children under 18. We do not knowingly collect data from children. If we learn that we have collected data from a child, we will delete it promptly.
14. Changes
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy with a new effective date. Your continued use of the Service constitutes acceptance.
15. Contact
Questions about this Privacy Policy? Contact us at privacy@apex.inc.
3. Social Platform Integrations (Partner Network)
When you connect an Instagram, YouTube, or TikTok account to your Apex Partner profile, Apex requests access to a narrow set of information from that platform. You stay in control — you can revoke access at any time from your Apex Partner portal under Settings → Social accounts, or directly on the platform.
3.1 Instagram (Meta Graph API)
Scopes: instagram_business_basic and instagram_business_manage_insights. Apex reads:
3.2 YouTube (YouTube Data API v3)
Scope: youtube.readonly. Apex reads:
Apex does not request the YouTube Analytics API scope (yt-analytics.readonly) and therefore does not receive viewer-level demographic data from YouTube. When you enter audience demographics on a YouTube account, those figures are self-reported and labelled as such.
3.3 TikTok (Login Kit)
Scopes: user.info.basic, user.info.profile, user.info.stats, video.list. Apex reads:
TikTok does not expose viewer-level demographics to third-party developers. When you enter audience demographics on a TikTok account, those figures are self-reported and labelled as such.
3.4 How we store what we fetch
Access tokens and refresh tokens are encrypted at rest using AES-256-GCM with a key held by Apex in AWS. Tokens are never returned to the browser, never written to logs, and never shared with merchants. Audience counts, demographics, and content metadata are stored on your Apex Creator profile so merchants browsing the Creator Directory can see them. You can delete this data any time by disconnecting the account.
3.5 Refresh + retention
Apex refreshes your connected-account stats approximately weekly so merchants see current numbers. When you disconnect an account, Apex marks the stored record as inactive and stops refreshing. Records are retained for 12 months for audit purposes and then hard-deleted on schedule. You can request immediate deletion by emailing privacy@apex.inc.
3.6 What merchants actually see
Merchants who discover you via the Apex Creator Directory see only your public profile data: category, handle, follower counts, engagement rate, audience demographics, and a “Verified Creator” badge when all four criteria below are met:
Merchants never see your OAuth tokens, your email address until you accept their partner program invitation, or any data that isn’t already visible on your public profile on the source platform.