Privacy policy.

Summary

Daxlate is a desktop application. It runs entirely on your machine. It does not send your model data, translations, file paths, or telemetry to us or any third party.

The only network calls the app makes are for license activation, optional update checks, and the support email you send us if you reach out. All are auditable in Wireshark, and the first two can be disabled in Settings.

This policy is written in plain English. If you only read this section, you have the gist.

I. Who we are

"We" or "us" refers to 15152038 Canada Inc., a corporation incorporated under the Canada Business Corporations Act, with its registered office in the Province of Quebec, Canada, doing business as "Daxlate". Throughout this document we refer to ourselves as "Daxlate". Daxlate publishes the Daxlate desktop application and operates the marketing website at daxlate.com.

Our registered office and full contact details are listed in section XVII.

We are the controller of the personal data we collect about you under Quebec Law 25, PIPEDA, the EU GDPR, the UK GDPR, and the California CCPA/CPRA, to the extent each applies.

II. Privacy officer

Quebec Law 25 requires us to designate a person responsible for personal information. That person is the President of Daxlate. You can reach them at privacy@daxlate.com.

Write to the privacy officer for any question about this policy, any request related to your rights (section VII), or any concern about how we handle personal data.

III. What data the app handles

The desktop app reads and writes the following on your local machine only:

• Your Power BI semantic model: tables, columns, measures, hierarchies, captions, descriptions, cultures.
• Your PBIX and PBIT files at rest on disk, when you choose to open them.
• Excel and CSV files you import or export for translator round-trip.
• Application preferences and recent file lists (as JSON files), and your activated license once you enter your key, all stored under %LOCALAPPDATA%\Daxlate.
• Diagnostic logs (rolling daily files) under %LOCALAPPDATA%\Daxlate\logs. Never auto-uploaded.

None of this data is transmitted to us. There is no cloud storage, no telemetry pipeline, and no analytics SDK in the application. Everything stays on the machine where you install the app.

IV. Network calls the app makes

• License activation: once at purchase, the app contacts our license server (a Cloudflare Worker) with your license key and receives a signed license blob, which is cached locally. Verification happens offline against an embedded Ed25519 public key on every launch thereafter. On each subscription renewal the server re-issues a fresh blob, delivered by email and picked up at next launch.
• Update check: at startup (24-hour cooldown), the app may fetch a small JSON manifest to check the latest available version. Fail-silent. Disable in Settings for a fully air-gapped binary.
• No analytics, no error telemetry, no usage tracking, no crash reporting. Confirm with Wireshark.

V. Website analytics

Our marketing website does not set any cookies and runs no third-party tracking scripts. We do not use Google Analytics, Meta Pixel, Hotjar, or any advertising tracker.

We record minimal first-party server-side data to understand which pages bring people in and to measure conversions on the download and contact flows. Per request we store: the page path, the host of any referring URL (not the full URL, never the query string), the country derived from your IP at request time, a five-bucket user-agent family (Chrome, Firefox, Safari, Edge, Other), and a session identifier.

The session identifier is a short SHA-256 hash computed from your IP, a server-side secret, and the current UTC date. It rotates at midnight UTC and cannot be used to re-identify visitors across days. Your raw IP address is never written to the analytics store.

When you submit the contact, demo, or download form, we additionally record the type of submission and an opaque submission ID so we can measure conversion rates. The full form payload (your email and any message you wrote) is held by the form-submission pipeline described in section VI, not the analytics store.

All of this data is stored on infrastructure we operate via Cloudflare (see section IX) and is never shared with third parties for marketing or advertising. The website itself makes no third-party network calls of any kind from your browser.

VI. Purposes and legal bases

We process personal data for the following purposes only, on the legal bases shown:

• Licensing and activation, to issue and validate your license. Legal basis: performance of the contract you entered when you purchased a license.
• Billing and tax records, to charge you, refund you, and comply with Canadian tax law. Legal basis: performance of the contract and compliance with a legal obligation.
• Support, to answer the email you send and resolve issues you report. Legal basis: performance of the contract and our legitimate interest in supporting our customers.
• Website analytics (described in section V), to understand how the website performs and improve it. Legal basis: our legitimate interest in running a useful website, which we balance against your privacy by collecting minimal first-party data and never sharing it.
• Security, to detect and prevent abuse, fraud, and security incidents. Legal basis: our legitimate interest in protecting the service and our customers.
• Marketing (only if you opt in), to send product updates and release notes. Legal basis: your consent. Withdraw at any time via the unsubscribe link.

VII. Your rights

Wherever you live, you can write to <a href="mailto:privacy@daxlate.com">privacy@daxlate.com</a> to exercise any of the following rights. We respond within 30 days.

• Access: a copy of the personal data we hold about you (typically your license-key record and any support tickets).
• Rectification: correct inaccurate or incomplete data.
• Erasure: delete your records, subject to retention obligations we are legally required to meet (section VIII).
• Portability: receive your data in a structured, machine-readable format.
• Restriction or objection: ask us to stop processing your data for a specific purpose, including marketing.
• Withdraw consent: at any time, where processing relies on your consent.

If you live in Quebec, you also have the right to be informed when an automated decision is made about you using your personal data (see section XI) and to designate a person to exercise these rights on your behalf after your death.

If you live in the EU or UK, you have the right to lodge a complaint with your local data protection authority. If you live in California, you have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.

If you live in Quebec and we have not addressed your concern satisfactorily, you can file a complaint with the Commission d’accès à l’information du Québec (CAI).

VIII. Retention

• License records: retained while your license is active and for seven years after termination, for tax and audit purposes (Canadian law requires up to six years; we keep seven as a buffer).
• Support tickets: retained for two years from the last interaction.
• Marketing-list subscriptions: retained until you unsubscribe, plus an unsubscribe record indefinitely so we do not re-add you accidentally.
• Website analytics rows (the data described in section V): retained for 180 days, then deleted by an automated job. Aggregated, non-identifying counts may be retained longer for trend analysis.
• Form submissions (contact, demo, download): retained for two years from submission, then deleted unless they have led to an active customer relationship.

IX. Sub-processors

We use a small number of trusted third parties to operate the service. Each is bound by a data processing agreement and processes data only on our instructions. Listed alphabetically:

• Cloudflare, Inc. (United States, global edge network): hosts the marketing website at daxlate.com, the license worker that issues and validates license blobs, and the form-submission backend. Receives license records (your name, email, and license key), server-side analytics rows (described in section V), and form submissions (contact, demo, and download forms).
• Proton AG (Switzerland): operates the inbound mailboxes for contact@daxlate.com, privacy@daxlate.com, and security@daxlate.com. Receives the email you send us and its full content.
• Resend, Inc. (United States): sends transactional emails on our behalf, including license activation, renewal notices, and support replies. Receives your name, your email address, and the body of each transactional email at the time of delivery.
• Stripe, Inc. (United States): processes payments. Receives your name, billing email, billing address, and payment instrument details when you purchase a license. We never see your card number.

We do not share personal data with advertisers, data brokers, or analytics providers. We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.

X. International transfers

Several of our sub-processors are based outside Quebec. Cloudflare, Resend, and Stripe are US companies; Cloudflare operates a global edge network, which means requests are routed to the data center closest to you. Proton AG is based in Switzerland.

In practice, personal data we collect may be processed in the United States (Cloudflare, Resend, Stripe) and Switzerland (Proton). It may transit through additional Cloudflare edge locations depending on where you are when you reach our service.

For Quebec residents: before transferring personal information outside Quebec, we assess whether the destination provides adequate protection, taking into account the legal framework and the contractual safeguards in place. Switzerland is recognized as offering an adequate level of protection. For our US-based sub-processors, we rely on their data processing agreements, including Standard Contractual Clauses and, where applicable, certification under the EU-US Data Privacy Framework.

For EU and UK residents: transfers to the United States are governed by Standard Contractual Clauses incorporated in each sub-processor’s data processing agreement, supplemented by technical measures (encryption in transit, encryption at rest). Switzerland benefits from adequacy decisions under both EU and UK frameworks.

We do not transfer personal data to any country subject to comprehensive Canadian or EU sanctions.

XI. Automated decision-making

We do not use your personal data to make automated decisions that produce legal or similarly significant effects on you. There is no algorithmic credit decision, no automated denial of service, and no profiling for marketing.

License validation is automated, but it is a deterministic check against your license key, not a decision about you as a person.

XII. Confidentiality incidents

If we become aware of a confidentiality incident (a breach involving your personal data) that creates a risk of serious injury, we notify you and the Commission d’accès à l’information du Québec promptly, as required by Law 25. For EU and UK residents, we notify the relevant supervisory authority within 72 hours where required by the GDPR.

We keep an internal register of all confidentiality incidents, regardless of severity, for five years.

XIII. Children’s privacy

Daxlate is a business tool aimed at enterprise BI teams. It is not intended for, marketed to, or designed for individuals under the age of 14, and we do not knowingly collect personal data from anyone under 14.

If you believe a child has provided us with personal data, write to privacy@daxlate.com and we will delete it.

XIV. Security

License records and support tickets are stored encrypted at rest and accessible only to a small set of authorized personnel. Access is logged.

Payment data is never stored on our infrastructure; it is handled by Stripe under PCI DSS Level 1.

The desktop app verifies our license blob against an embedded Ed25519 public key on every launch, so a tampered license cannot impersonate a valid one.

If you discover a security vulnerability, please report it under our Security Policy.

XV. Language

Because we operate from Quebec, we comply with the Charter of the French Language. The English and French versions of this policy are intended to have the same meaning. If you spot a discrepancy, write to privacy@daxlate.com and we will correct it.

XVI. Changes to this policy

We may update this policy. The "last updated" date below will reflect any change. Material changes (a new sub-processor, a new purpose of processing, a change to your rights) will be announced on our changelog and, where required, by email to active customers at least 30 days before they take effect.

XVII. Contact

• Privacy questions and rights requests: privacy@daxlate.com.
• General contact: contact@daxlate.com.
• Security disclosures: security@daxlate.com (see our Security Policy).
• Postal address: 15152038 Canada Inc., 11 Avenue Ste Brigitte, B, Sainte-Brigitte-de-Laval, QC G0A 3K0, Canada.