Privacy Policy

1.Introduction

COM Consulting Group, LLC d/b/a Anixiv operates the Anixiv platform (the "Platform"), a marketplace connecting clients with independent beauty service providers. We are committed to protecting your privacy and being transparent about how we handle your data.

This Privacy Policy applies to all users of the Platform, including clients, providers, and visitors. It describes:

• What information we collect and why
• How we use and share your information
• How long we keep your data
• Your rights and choices
• How to contact us with questions or requests

2.Information We Collect

Information you provide directly

• Account registration: name, email address, phone number, password (hashed, never stored in plaintext)
• Provider profile: bio, specialties, service area, languages spoken, license information, years of experience, portfolio photos, Instagram handle, availability preferences
• Client profile: name, email address, phone number, service location address
• Service requests: service type, date and time preferences, budget range, inspo photos, written notes and descriptions
• Bids: pricing, estimated duration, intro notes to clients
• Reviews: star ratings, written feedback about services received
• In-app messages: messages exchanged between clients and providers through the Platform
• Payment information: billing details are processed and stored by Stripe. We do not store credit card numbers, CVVs, or full bank account numbers on our servers.
• Provider client management data: client names, phone numbers, email addresses, service history, product formulas, and notes entered by providers through the "My Clients" feature. This data is owned by the provider and is not shared with Anixiv or other users.

Information collected automatically

• Device information: browser type, operating system, device identifiers, screen resolution
• Usage data: pages visited, features used, click patterns, session duration, referral source
• Location data: approximate location based on IP address or zip code provided during registration. We do not use GPS tracking or precise real-time location tracking.
• Log data: IP addresses, access timestamps, error logs, request/response sizes
• Cookies: session cookies for authentication, preference cookies for UI settings. See Section 9 for details.

Information from third parties

• Google Calendar: event titles, start/end times, and all-day status for events in the provider's connected calendar. We do not access event descriptions, attendees, locations, or any other event details.
• Stripe: payment confirmation status, payout status, and connected account identifiers. We do not receive credit card numbers from Stripe.
• Twilio: call and message metadata including timestamps, direction (inbound/outbound), and call duration. We do not receive or store the content of phone calls.
• Background check providers: verification status, flagged categories (if applicable). We do not store the underlying background check reports.

3.How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Anixiv Platform and its features
• Process bookings, payments, and provider payouts
• Match clients with appropriate providers based on service type, location, and availability
• Send service-related notifications (booking confirmations, bid updates, appointment reminders, scope change requests)
• Facilitate masked proxy communication between clients and providers during active bookings
• Verify provider identity and conduct background checks as part of the onboarding process
• Detect, investigate, and prevent fraud, abuse, and violations of our Terms of Service
• Respond to customer support requests and resolve disputes
• Analyze usage patterns to improve platform performance, user experience, and feature development
• Comply with applicable legal obligations and respond to lawful government requests
• Communicate service updates, policy changes, or security alerts

We do not use your information for targeted advertising or sell your data to advertising networks.

4.How We Share Your Information

With other users on the platform

• Provider profiles (name, bio, specialties, service area, portfolio photos, average rating, and reviews) are visible to authenticated clients browsing the Platform.
• Client information shared with bidding providers is limited to: first name, service type, general location (city/neighborhood), appointment date, budget range, and inspo photos.
• Client address is shared with the assigned provider ONLY after booking confirmation and payment authorization.
• Phone numbers are never shared directly. All phone communication is routed through masked proxy numbers provided by Twilio.

With service providers (third parties we use)

• Stripe: payment processing, payout disbursement, and identity verification for providers
• Twilio: masked phone and SMS communication between clients and providers
• Google: calendar data sync when a provider explicitly connects their Google Calendar
• Resend: transactional email delivery (booking confirmations, notifications, etc.)
• Vercel: website and API hosting and edge network
• Supabase: database hosting and authentication services

All third-party service providers are contractually required to use your information only as necessary to provide services to us and in accordance with applicable law.

With authorities and in legal proceedings

• We may disclose your information when required by law, subpoena, court order, or valid government request.
• We may disclose information when we believe in good faith that disclosure is necessary to protect the safety of users, the public, or the Platform, or to prevent fraud or abuse.

We do NOT

5.Data Retention

• Active account data: retained as long as your account is active.
• After account deletion request: a 30-day grace period begins, during which you can reactivate your account. After the grace period, personal identifying information (name, phone, email, address, bio) is deleted or anonymized within 30 days.
• Booking records: anonymized (personal details replaced with "[Deleted User]") and retained for 7 years for tax, financial, and dispute resolution compliance. Raw financial records are retained as required by law.
• Communication metadata: call and message timestamps and direction are retained for 1 year for safety and dispute purposes, then deleted.
• In-app message content: retained for the duration of the associated booking plus 90 days for dispute resolution, then deleted.
• Reviews: retained even after account deletion, attributed to "[Deleted User]" to preserve the integrity of the review system.
• Verification documents: identity and license documents submitted for verification are deleted within 30 days of approval or denial.

6.Data Security

We take data security seriously and implement the following measures:

• Encryption at rest: sensitive data (including OAuth tokens for connected third-party services) is encrypted using AES-256-GCM encryption.
• Encryption in transit: all data transmitted between your browser and our servers uses HTTPS/TLS 1.2 or higher.
• Database security: we use Row Level Security (RLS) on our database to ensure users can only access data they are authorized to see.
• Authentication: we use secure session management through Supabase Auth. Passwords are hashed and are never stored in plaintext.
• API security: sensitive API endpoints are rate-limited to prevent abuse and brute-force attacks.
• Security audits: we conduct regular security reviews of our codebase and infrastructure.
• Access controls: internal access to user data is restricted to authorized personnel on a need-to-know basis.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data, and we are not responsible for the actions of third parties who gain unauthorized access.

If we become aware of a data breach that affects your personal information, we will notify you and the appropriate authorities as required by law.

7.Your Rights

All users

• Access: you may request a copy of the personal data we hold about you by contacting privacy@anixiv.com.
• Correction: you may update your profile information directly in account settings.
• Deletion: you may delete your account through account settings. See Section 5 for retention timelines.
• Opt-out of non-essential communications: you may adjust your notification preferences in account settings to control push notifications, email, and SMS from Anixiv.
• Data portability: you may request an export of your data by contacting privacy@anixiv.com.

California residents (CCPA/CPRA)

• Right to know what personal information is collected, used, disclosed, and sold
• Right to delete personal information (subject to certain exceptions)
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information (we do not sell or share personal information for advertising purposes)
• Right to limit the use of sensitive personal information
• Right to non-discrimination for exercising your privacy rights
• To exercise these rights, email privacy@anixiv.com with the subject "CCPA Request".

Arizona and other U.S. state residents

Arizona does not currently have a comprehensive consumer data privacy law, but we extend the access, correction, and deletion rights described above to all users regardless of their state of residence. Users in other states with applicable privacy laws (Virginia, Colorado, Connecticut, Utah, etc.) may also exercise their rights under those laws by contacting us at privacy@anixiv.com.

8.Children's Privacy

• Anixiv is not intended for users under 18 years of age.
• We do not knowingly collect personal information from children under 18.
• If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@anixiv.com and we will delete it promptly.
• Services for minors must be requested by a parent or legal guardian who will be present during the appointment.

9.Cookies

• Authentication cookies: we use session cookies to keep you logged in and maintain your session securely. These are strictly necessary for the Platform to function.
• Preference cookies: we may store UI preferences (such as notification settings) in cookies or local storage to improve your experience.
• No advertising or tracking cookies: we do not use cookies for behavioral advertising, cross-site tracking, or analytics that share data with third parties.
• You may disable cookies in your browser settings, but this may prevent you from logging in or using core Platform features.

10.Third-Party Links

The Platform may contain links to third-party websites, apps, or services (for example, a provider's Instagram profile). These third-party services have their own privacy policies, and we are not responsible for their data practices.

We encourage you to review the privacy policies of any third-party services you interact with through or in connection with the Anixiv Platform.

11.Changes to This Policy

• We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features.
• Material changes will be communicated via email and in-app notification at least 14 days before taking effect.
• The updated policy will be identified by a new "Last updated" date at the top of this page.
• Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

12.Contact

For privacy-related questions, data access requests, or to exercise your rights:

• Email: privacy@anixiv.com
• General support: support@anixiv.com
• COM Consulting Group, LLC d/b/a Anixiv
• Website: anixiv.com

We aim to respond to all privacy requests within 30 days. If your request requires additional time, we will notify you.