Summary
Daxlate is a desktop application. It runs entirely on your machine. It does not send your model data, translations, file paths, or telemetry to us or any third party.
The only network calls the app makes are for license activation, optional update checks, and the support email you send us if you reach out. All are auditable in Wireshark, and the first two can be disabled in Settings.
This policy is written in plain English. If you only read this section, you have the gist.
I. Who we are
"We" or "us" refers to 15152038 Canada Inc., a corporation incorporated under the Canada Business Corporations Act, with its registered office in the Province of Quebec, Canada, doing business as "Daxlate". Throughout this document we refer to ourselves as "Daxlate". Daxlate publishes the Daxlate desktop application and operates the marketing website at daxlate.com.
Our registered office and full contact details are listed in section XVIII.
We are the controller of the personal data we collect about you under Quebec Law 25, PIPEDA, the EU GDPR, the UK GDPR, and the California CCPA/CPRA, to the extent each applies.
II. Privacy officer
Our privacy officer is the President of Daxlate. Reach them at privacy@daxlate.com for any question about this policy, any rights request (section VIII), or any concern about how we handle personal data.
III. What data the app handles
The desktop app reads and writes the following on your local machine only:
- Your Power BI semantic model: tables, columns, measures, hierarchies, captions, descriptions, cultures.
- Your PBIX and PBIT files at rest on disk, when you choose to open them.
- Excel and CSV files you import or export for translator round-trip.
- Application preferences and recent file lists (as JSON files), and your activated license once you enter your key, all stored under %LOCALAPPDATA%\Daxlate.
- Diagnostic logs (rolling daily files) under %LOCALAPPDATA%\Daxlate\logs. Never auto-uploaded.
None of this data is transmitted to us. There is no cloud storage, no telemetry pipeline, and no analytics SDK in the application. Everything stays on the machine where you install the app.
IV. Network calls the app makes
The desktop app makes the following network calls, and only these:
- License activation. When you first paste your license string, the app sends it to our license server (a Cloudflare Worker at api.daxlate.com) together with a device identifier and a device name, to register this machine against your license. The device identifier is the first 16 hexadecimal characters of a SHA-256 hash of your Windows machine GUID and username; the raw GUID and username never leave your machine. The device name is typically
MachineName (Username)and is shown to you in Settings so you can recognize each registered device. - Per-launch license check. On each launch, the app contacts the license server to refresh the cached license and confirm your subscription is still active. If the server is unreachable, the cached license remains valid for 7 days (offline grace).
- Device management. When you list or remove devices from Settings → License, the app makes a corresponding call to the server.
- Update check. At startup, with a 24-hour cooldown, the app may fetch a small JSON manifest to check the latest available version. Fail-silent. Disable in Settings for a fully air-gapped binary.
- No analytics, no error telemetry, no usage tracking, no crash reporting. Confirm with Wireshark.
Your Power BI model, your translations, your file paths, and the content of any file you open are never transmitted off your machine by the app.
V. What we store on our license server
Our license server runs on Cloudflare Workers backed by a small Cloudflare D1 database. It is built to hold the minimum amount of personal data needed to operate the license. The canonical customer record (your name, email address, billing address, payment instrument) lives at Stripe, not on our server.
Here is everything in D1, line by line:
- License devices. For each device you activate, we record the opaque device identifier described in section IV (16 hexadecimal characters of a SHA-256 hash), the device name as shown in Settings, the activation timestamp, and the license ID. We do not store your raw machine GUID or your raw username.
- Revoked licenses. If a subscription is cancelled or terminated, we record the license ID, the Stripe customer ID, the cancellation reason (for diagnostics), and the revocation timestamp.
- Past-due grace state. If a payment fails, we record the Stripe customer ID and the first time we observed the failure, so we can enforce a 7-day grace window before the license stops working.
- License-recovery attempts. When someone uses the license-recovery form on the website, we record an HMAC-SHA256 hash of the email address (with a server-side secret), a truncated IP prefix (the first /24 of an IPv4 address or first /56 of an IPv6 address), and a timestamp. The raw email and the raw IP never land on our server. Records older than 24 hours are deleted automatically.
- Bouncing email addresses. If an outbound email bounces or is marked as spam, we record an HMAC-SHA256 hash of the recipient address so we do not send to that address again. The raw email never lands on our server. Bounce records are deleted after 90 days; complaint records are kept indefinitely so we never accidentally email someone who marked us as spam.
- Processed Stripe events. A record of which Stripe webhook events we have already handled, so retries do not produce duplicate license emails. Records are deleted after 30 days.
What is not on our license server: your name, your email address in plain text, your country, your raw IP address, session identifiers, or any tracking data. If you cancel your subscription and remove your devices, the only durable record on our server is a revocation entry tied to your Stripe customer ID, which contains no other personal data.
VI. Website analytics
Our marketing website does not set any cookies and runs no third-party tracking scripts. We do not use Google Analytics, Meta Pixel, Hotjar, or any advertising tracker.
We record minimal first-party server-side data to understand which pages bring people in and to measure conversions on the download and contact flows. Per request we store: the page path, the host of any referring URL (not the full URL, never the query string), the country derived from your IP at request time, a five-bucket user-agent family (Chrome, Firefox, Safari, Edge, Other), and a session identifier.
The session identifier is a short SHA-256 hash computed from your IP, a server-side secret, and the current UTC date. It rotates at midnight UTC and cannot be used to re-identify visitors across days. Your raw IP address is never written to the analytics store.
When you submit the contact, demo, or download form, we additionally record the type of submission and an opaque submission ID so we can measure conversion rates. The full form payload (your email and any message you wrote) is held by the form-submission pipeline described in section X, not the analytics store.
All of this data is stored on infrastructure we operate via Cloudflare (see section X) and is never shared with third parties for marketing or advertising. The website itself makes no third-party network calls of any kind from your browser.
VII. Purposes and legal bases
We process personal data for the following purposes only, on the legal bases shown:
- Licensing and activation, to issue and validate your license. Legal basis: performance of the contract you entered when you purchased a license.
- Billing and tax records, to charge you, refund you, and comply with Canadian tax law. Legal basis: performance of the contract and compliance with a legal obligation.
- Support, to answer the email you send and resolve issues you report. Legal basis: performance of the contract and our legitimate interest in supporting our customers.
- Website analytics (described in section VI), to understand how the website performs and improve it. Legal basis: our legitimate interest in running a useful website, which we balance against your privacy by collecting minimal first-party data and never sharing it.
- Security, to detect and prevent abuse, fraud, and security incidents. Legal basis: our legitimate interest in protecting the service and our customers.
- Marketing (only if you opt in), to send product updates and release notes. Legal basis: your consent. Withdraw at any time via the unsubscribe link.
VIII. Your rights
Wherever you live, you can write to <a href="mailto:privacy@daxlate.com">privacy@daxlate.com</a> to exercise any of the following rights. We respond within 30 days.
- Access: a copy of the personal data we hold about you (typically your license-key record and any support tickets).
- Rectification: correct inaccurate or incomplete data.
- Erasure: delete your records, subject to retention obligations we are legally required to meet (section IX).
- Portability: receive your data in a structured, machine-readable format.
- Restriction or objection: ask us to stop processing your data for a specific purpose, including marketing.
- Withdraw consent: at any time, where processing relies on your consent.
If you live in Quebec, you also have the right to be informed when an automated decision is made about you using your personal data (see section XII) and to designate a person to exercise these rights on your behalf after your death.
If you live in the EU or UK, you have the right to lodge a complaint with your local data protection authority. If you live in California, you have the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
If you live in Quebec and we have not addressed your concern satisfactorily, you can file a complaint with the Commission d’accès à l’information du Québec (CAI).
IX. Retention
- Billing records at Stripe: retained while your subscription is active and for seven years after termination, for tax and audit purposes (Canadian law requires up to six years; we keep seven as a buffer). Held by Stripe, not us.
- License-server data (section V): license-device rows are kept until you remove the device or the license is terminated; revocation rows are kept indefinitely so a revoked license cannot be re-activated; past-due-grace rows are cleared when payment resumes; recovery-attempt rows are pruned after 24 hours; bounce rows after 90 days (complaints kept indefinitely); processed-event rows after 30 days.
- Support tickets: retained for two years from the last interaction.
- Marketing-list subscriptions: retained until you unsubscribe, plus an unsubscribe record indefinitely so we do not re-add you accidentally.
- Website analytics rows (described in section VI): retained for 180 days, then deleted by an automated job. Aggregated, non-identifying counts may be retained longer for trend analysis.
- Form submissions (contact, demo, download): retained for two years from submission, then deleted unless they have led to an active customer relationship.
X. Sub-processors
We use a small number of trusted third parties to operate the service. Each is bound by a data processing agreement and processes data only on our instructions. Listed alphabetically:
- Cloudflare, Inc. (United States, global edge network): hosts the marketing website at daxlate.com, the license worker that issues and validates license blobs (see section V for what the worker stores in its D1 database), the form-submission backend, and the inbound email routing for contact@daxlate.com, privacy@daxlate.com, and security@daxlate.com. Receives device identifiers and device names from license activations, server-side analytics rows (described in section VI), form submissions, and the content of any email you send us.
- Resend, Inc. (United States): sends transactional emails on our behalf, including license activation, renewal notices, and support replies. Receives your name, your email address, and the body of each transactional email at the time of delivery.
- Stripe, Inc. (United States): processes payments. Receives your name, billing email, billing address, and payment instrument details when you purchase a license. We never see your card number.
We do not share personal data with advertisers, data brokers, or analytics providers. We do not sell personal data, and we do not share personal data for cross-context behavioral advertising.
XI. International transfers
All of our sub-processors are based in the United States. Cloudflare operates a global edge network, which means requests are routed to the data center closest to you before reaching Cloudflare infrastructure in the US.
In practice, personal data we collect may be processed in the United States by Cloudflare, Resend, and Stripe. It may also transit through Cloudflare edge locations near you depending on where you are when you reach our service.
For Quebec residents: before transferring personal information outside Quebec, we assess whether the destination provides adequate protection, taking into account the legal framework and the contractual safeguards in place. For our US-based sub-processors, we rely on their data processing agreements, including Standard Contractual Clauses and, where applicable, certification under the EU-US Data Privacy Framework.
For EU and UK residents: transfers to the United States are governed by Standard Contractual Clauses incorporated in each sub-processor’s data processing agreement, supplemented by technical measures (encryption in transit, encryption at rest).
We do not transfer personal data to any country subject to comprehensive Canadian or EU sanctions.
XII. Automated decision-making
We do not use your personal data to make automated decisions that produce legal or similarly significant effects on you. There is no algorithmic credit decision, no automated denial of service, and no profiling for marketing.
License validation is automated, but it is a deterministic check against your license key, not a decision about you as a person.
XIII. Confidentiality incidents
If we become aware of a confidentiality incident (a breach involving your personal data) that creates a risk of serious injury, we notify you and the Commission d’accès à l’information du Québec promptly. For EU and UK residents, we notify the relevant supervisory authority within 72 hours where the GDPR applies.
We keep an internal register of all confidentiality incidents, regardless of severity, for five years.
XIV. Children’s privacy
Daxlate is a business tool aimed at enterprise BI teams. It is not intended for, marketed to, or designed for individuals under the age of 14, and we do not knowingly collect personal data from anyone under 14.
If you believe a child has provided us with personal data, write to privacy@daxlate.com and we will delete it.
XV. Security
License records and support tickets are stored encrypted at rest and accessible only to a small set of authorized personnel. Access is logged.
Payment data is never stored on our infrastructure; it is handled by Stripe under PCI DSS Level 1.
The desktop app verifies our license blob against an embedded Ed25519 public key on every launch, so a tampered license cannot impersonate a valid one.
If you discover a security vulnerability, please report it under our Security Policy.
XVI. Language
The English and French versions of this policy are intended to have the same meaning. If you spot a discrepancy, write to privacy@daxlate.com and we will correct it.
XVII. Changes to this policy
We may update this policy. The "last updated" date below will reflect any change. Material changes (a new sub-processor, a new purpose of processing, a change to your rights) will be announced on our changelog and, where required, by email to active customers at least 30 days before they take effect.
XVIII. Contact
- Privacy questions and rights requests: privacy@daxlate.com.
- General contact: contact@daxlate.com.
- Security disclosures: security@daxlate.com (see our Security Policy).
- Postal address: 15152038 Canada Inc., 11 Avenue Ste Brigitte, B, Sainte-Brigitte-de-Laval, QC G0A 3K0, Canada.
Document version 1.2 · last updated May 2026