APIWORX LLC — Privacy Policy
Effective Date: April 6, 2026
Last Updated: April 6, 2026
Table of Contents
- Introduction and Scope
- Personal Information We Collect
- How We Collect Personal Information
- Legal Bases for Processing (GDPR)
- How We Use Personal Information
- How We Share Personal Information
- Cookies and Tracking Technologies
- Data Retention
- Data Security
- International Data Transfers
- Your Privacy Rights
- Data Processing Agreement
- Sub-Processors
- Children’s Privacy
- Third-Party Links
- Changes to This Policy
- Contact Information
- Dispute Resolution
1. Introduction and Scope
1.1 Who We Are
APIWORX LLC (“APIWORX,” “we,” “us,” or “our”) is an Integration Platform as a Service (iPaaS) company headquartered at 1401 Lavaca Street, Suite 241, Austin, TX 78701. We provide API integration services that connect enterprise systems — including HubSpot, Sage Intacct, Shopify, Brightpearl, Amazon FBA, SPS Commerce, BigCommerce, and others — through our proprietary integration platform and customer portals.
1.2 What This Policy Covers
This Privacy Policy explains how APIWORX collects, uses, discloses, retains, and protects personal information in connection with:
- Our website at apiworx.com
- Any APIWORX product, including customer portals and integration tools accessible at APIWORX-operated URLs
- All APIWORX products, services, and communications
This policy applies to all individuals who interact with us, including website visitors, prospective customers, registered customers, and contacts at customer organizations.
1.3 Two Roles — Controller and Processor
Understanding how data flows at APIWORX requires distinguishing two distinct roles we play:
APIWORX as Data Controller: When we collect and use personal information about our website visitors, marketing contacts, prospective customers, and our customers’ authorized users for our own business purposes — such as running our website, sending marketing communications, managing customer accounts, and providing customer support — APIWORX determines the purposes and means of that processing and acts as a data controller (or “business” under the CCPA). This Privacy Policy governs that processing.
APIWORX as Data Processor: When APIWORX processes data on behalf of our customers as part of delivering integration services — for example, when the APIWORX platform routes, transforms, or synchronizes data between a customer’s connected systems — APIWORX acts as a data processor (or “service provider” under the CCPA). In that capacity:
- We process data only in accordance with the customer’s documented instructions.
- The customer’s own privacy policy governs the rights of their end users.
- Our processing of customer data as Processor is governed by the APIWORX Data Processing Agreement (DPA), available at apiworx.com/dpa, which is incorporated into our Terms of Service.
- This Privacy Policy does not govern customer data processed in our Processor role except to the extent we describe our security, sub-processor, and transfer practices.
If you are an end user of an APIWORX customer and have questions about how your data is processed through that customer’s system integrations, please contact that customer directly.
1.4 Applicability of Other Laws
Where required by applicable law, this policy also serves as our “Notice at Collection” under the California Consumer Privacy Act (CCPA/CPRA), our transparency disclosure under the EU and UK General Data Protection Regulations (GDPR/UK GDPR), and our notice under the Texas Data Privacy and Security Act (TDPSA) and other applicable U.S. state privacy laws.
2. Personal Information We Collect
2.1 Personal Information Collected — APIWORX as Controller
The table below describes the categories of personal information we collect about individuals when APIWORX acts as a data controller, using the categories defined by the California Civil Code § 1798.140.
| Category (Cal. Civ. Code § 1798.140) | Examples | Collected | Source | Primary Business Purpose |
|---|---|---|---|---|
| A. Identifiers | Full name, email address, business phone number, company name, job title, IP address, account username, device identifiers | Yes | Directly from you; automatically via your use of our services | Account creation and management; service delivery; customer support; security |
| B. Customer Records (Cal. Civ. Code § 1798.80) | Name, address, telephone number, credit/debit card number (tokenized), billing address | Yes | Directly from you | Billing and payment processing; contract performance |
| C. Commercial Information | Service subscription history, transaction records, records of products or services purchased or considered | Yes | Directly from you; from our systems | Account management; billing; service improvement |
| D. Internet or Other Electronic Network Activity | Browsing history on apiworx.com and other APIWORX-operated sites, clickstream data, log files, cookie identifiers, device and browser type, page interactions, referral URLs | Yes | Automatically, via cookies and logging technologies | Analytics; security and fraud prevention; service improvement; marketing |
| E. Geolocation Data | Approximate geolocation derived from IP address (city/region level) — we do not collect precise GPS location | Yes (IP-derived, approximate only) | Automatically | Security; fraud prevention; regulatory compliance |
| F. Professional or Employment-Related Information | Employer/company name, job title, industry, professional role | Yes | Directly from you; from public sources and business partners | Sales and account management; communications; marketing |
| G. Inferences | Profiles drawn from the above categories to reflect preferences, interests, likelihood to purchase, or product usage patterns | Limited | Derived from your interactions with us | Product improvement; marketing personalization |
| H. Sensitive Personal Information | Payment account credentials (processed through tokenized payment gateways — we do not store full card numbers) | Limited | Directly from you via payment processor | Billing |
We do not collect the following categories of sensitive personal information within the meaning of CPRA § 1798.140(ae): Social Security numbers, driver’s license or state identification card numbers, passport numbers, financial account credentials (beyond tokenized payment), precise geolocation (GPS-level), racial or ethnic origin, religious beliefs, union membership, contents of personal communications, genetic data, biometric data, health information, or sex life/sexual orientation information.
2.2 Customer Data — APIWORX as Processor
When APIWORX acts as a Processor on behalf of customers, we may process personal data contained within the data flows configured by the customer — for example, customer contact records in HubSpot, order data in Shopify, financial records in Sage Intacct, or fulfillment data in Amazon FBA.
APIWORX does not determine the purposes or means of processing for Customer Data. The nature, categories, and volume of personal data within those data flows depend entirely on the customer’s systems and configurations. Customers remain data controllers (or equivalent) with respect to their end users’ data, and are responsible for:
- Ensuring they have a valid legal basis for sharing that data with APIWORX for processing.
- Ensuring their own privacy disclosures adequately inform their end users.
- Providing data subject rights assistance to their end users (with APIWORX’s support as required by the DPA).
For more information about how we protect Customer Data as Processor, see Sections 9 (Data Security), 10 (International Data Transfers), 12 (Data Processing Agreement), and 13 (Sub-Processors).
3. How We Collect Personal Information
3.1 Directly From You
We collect personal information directly from you when you:
- Create an account or register for any APIWORX product or service
- Complete forms on our website, including contact forms, demo request forms, or newsletter sign-up forms
- Communicate with us by email, phone, chat, or through our support portal
- Enter into a contract with us, including signing our Terms of Service or Master Subscription Agreement
- Attend events we organize or sponsor, including webinars
- Respond to surveys or participate in research we conduct
3.2 Automatically, Through Your Use of Our Services
When you visit apiworx.com or use any APIWORX product, we automatically collect certain information through:
- Cookies and similar tracking technologies — including session cookies, persistent cookies, and pixel tags. See Section 7 for a detailed description and instructions for managing your cookie preferences.
- Log files and server data — our servers automatically record information including IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visit, and time spent on pages.
- Usage and diagnostic data — information about how you interact with APIWORX products, including features used, integrations configured, and error events.
- Analytics platforms — we use third-party analytics services to help us understand how our website and platform are used. See Section 7 for details.
3.3 From Third Parties and Public Sources
We may also receive personal information about you from:
- Business partners and resellers who refer customers to us or collaborate with us on joint offerings
- Publicly available sources such as LinkedIn, company websites, business directories, and public databases, for the purpose of identifying and reaching potential business customers
- Data enrichment providers who supplement information we already hold with professional profile data (company size, industry, job title)
- Integrated platforms — if you connect a third-party platform (such as HubSpot or Shopify) to an APIWORX product, we may receive information about your account on that platform to the extent needed to establish and operate the integration
4. Legal Bases for Processing (GDPR)
This section applies to individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland, where a lawful basis for processing personal data is required under the GDPR, UK GDPR, or Swiss Federal Act on Data Protection (nFADP).
We rely on the following legal bases:
4.1 Contract Performance (GDPR Art. 6(1)(b))
We process personal information where necessary to enter into or perform a contract with you. This includes:
- Creating and managing your APIWORX account
- Providing, maintaining, and supporting APIWORX products and services
- Processing payments and managing billing
- Communicating about your account status, renewals, and service changes
4.2 Legitimate Interests (GDPR Art. 6(1)(f))
We process personal information where necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. We have conducted Legitimate Interests Assessments (LIAs) for each reliance on this basis. Copies are available upon request by contacting privacy@apiworx.com. We rely on legitimate interests for:
- Security and fraud prevention — monitoring for unauthorized access, detecting and preventing fraudulent activity, and protecting our systems and customers
- Service improvement and analytics — understanding how our products are used to improve features, fix bugs, and develop new capabilities
- Business-to-business marketing to existing customers and warm prospects — communicating about additional products, features, or services relevant to individuals who have engaged with us in a business context
- Maintaining accurate business records — keeping records of contracts, customer interactions, and correspondence necessary for our business operations
- Network and information security — maintaining the security and integrity of our infrastructure
You have the right to object to processing based on legitimate interests. See Section 11 for details.
4.3 Consent (GDPR Art. 6(1)(a))
Where we rely on consent as our legal basis, we will request it through a clear, specific, and unambiguous mechanism before commencing the relevant processing. We rely on consent for:
- Non-essential cookies and tracking technologies (analytics, marketing) — managed through our Cookie Consent Management Platform. See Section 7.
- Direct marketing to individuals not in an existing business relationship — managed through explicit opt-in at sign-up and unsubscribe mechanisms in every marketing communication.
- Any other processing where we have indicated consent is the basis
You may withdraw consent at any time by updating your cookie preferences, clicking “unsubscribe” in any marketing email, or contacting us at privacy@apiworx.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
4.4 Legal Obligation (GDPR Art. 6(1)(c))
We process personal information where necessary to comply with legal obligations, including:
- Tax reporting and financial record-keeping obligations
- Responding to lawful requests from regulatory authorities and courts
- Complying with data breach notification obligations under applicable law
4.5 Processor Role
When APIWORX acts as a data processor on behalf of a customer, we process personal data under the customer’s instructions. The customer, as data controller, is responsible for establishing and disclosing the applicable legal bases. APIWORX’s DPA governs this processing.
5. How We Use Personal Information
When acting as a data controller, APIWORX uses personal information for the following purposes:
5.1 Providing and Maintaining Services
We use personal information to deliver APIWORX products, configure and operate integrations, authenticate your account, process transactions, and provide technical functionality. This is fundamental to our service delivery.
5.2 Account Management
We use your information to create and manage your account, communicate about account updates, process renewals and subscription changes, verify your identity, and maintain our contractual relationship with you.
5.3 Customer Support
We use personal information to respond to support requests, troubleshoot integration issues, resolve billing disputes, and generally assist with your use of our services. Support interactions may be recorded to improve service quality.
5.4 Product Improvement and Analytics
We analyze usage patterns, feature adoption, and technical performance to improve APIWORX products, develop new features, and enhance the overall product experience. Where possible, we use aggregated or pseudonymized data for this purpose.
5.5 Marketing and Communications
We use contact information to send you:
- Transactional and service communications — updates about your account, service availability, security notices, and policy changes. These are not optional for active customers.
- Marketing communications — product news, feature announcements, webinar invitations, and other promotional content, where you have opted in or where we have a legitimate interest based on our existing business relationship.
You may opt out of marketing communications at any time by clicking “unsubscribe” in any email or contacting privacy@apiworx.com. Opting out of marketing does not affect transactional communications.
5.6 Security and Fraud Prevention
We use personal information — particularly log data, IP addresses, and usage patterns — to detect, investigate, and prevent unauthorized access, fraud, abuse, and other security incidents. This is a legitimate interest essential to protecting our customers and systems.
5.7 Legal Compliance and Enforcement
We use personal information to comply with applicable laws, respond to legal processes, enforce our Terms of Service, and defend or assert legal claims.
5.8 Aggregated and De-Identified Data
We may create aggregated or de-identified data derived from personal information — for example, statistics about platform usage, integration performance benchmarks, or industry trend reports. De-identified data is processed in a manner that cannot reasonably be used to re-identify any individual and does not constitute “personal information” under applicable law, including the CCPA’s de-identification standard (Cal. Civ. Code § 1798.140(m)). We maintain technical and organizational measures to prevent re-identification and do not attempt to re-identify de-identified data.
6. How We Share Personal Information
APIWORX does not sell your personal information, and we do not share your personal information with third parties for cross-context behavioral advertising purposes, as those terms are defined under the CCPA/CPRA. We share personal information only in the following circumstances:
6.1 Service Providers and Sub-Processors
We engage third-party service providers who process personal information on our behalf to support our operations. These providers are contractually bound to use personal information only as directed by APIWORX, in accordance with this policy and applicable law. Categories of service providers include:
- Cloud infrastructure and hosting providers — to host our platform and store data securely
- Payment processors — to process subscription payments (we do not store full payment card numbers)
- Customer support and ticketing platforms — to manage support interactions
- Email and marketing automation platforms — to send transactional and marketing emails
- Analytics providers — to analyze website and product usage
- Security and monitoring tools — to detect threats and ensure platform availability
- Customer relationship management (CRM) tools — to manage our sales and customer relationships
A current list of APIWORX sub-processors, including the name, location, and processing activity for each, is available at apiworx.com/sub-processors. See also Section 13.
6.2 Business Transfers
If APIWORX is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, personal information may be transferred to the successor entity as part of that transaction. We will provide notice of any such transfer as required by applicable law, and any successor will be bound by this Privacy Policy or provide notice of a new policy.
6.3 Legal Requirements and Protection of Rights
We may disclose personal information when we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation, court order, or lawful government request
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of APIWORX, our customers, or the public
- Detect, prevent, or address fraud, security incidents, or technical issues
We will notify affected individuals of legal disclosure requests where permitted by law and where doing so would not compromise security or an ongoing investigation.
6.4 With Your Consent
We may share personal information with third parties where you have given us explicit consent to do so.
6.5 Aggregated and De-Identified Data
We may share aggregated or de-identified data — data that cannot reasonably be used to identify you — with partners, for research purposes, or in publicly released analyses. See Section 5.8.
6.6 No Sale or Sharing for Advertising
APIWORX does not sell personal information, and does not share personal information for cross-context behavioral advertising, as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We have not done so in the past 12 months. California residents may nevertheless exercise their opt-out rights as described in Section 11c.
7. Cookies and Tracking Technologies
7.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. We also use similar technologies including pixel tags, web beacons, and local storage. Collectively, we refer to these as “cookies” in this section.
7.2 Categories of Cookies We Use
| Cookie Category | Description | Required? |
|---|---|---|
| Strictly Necessary | Essential for the website and APIWORX products to function. Includes session management, authentication, and security cookies. These cannot be disabled. | Always active |
| Functional / Preference | Remember your preferences and settings (e.g., language, region, cookie consent choices) to provide a more personalized experience. | Consent required |
| Analytics / Performance | Help us understand how visitors use our website and platform — which pages are visited, how long users spend, and where errors occur. We use this data to improve performance and usability. | Consent required |
| Marketing / Targeting | Used to deliver advertisements and marketing content relevant to your interests, and to measure the effectiveness of marketing campaigns. | Consent required |
7.3 Managing Your Cookie Preferences
When you first visit apiworx.com or any APIWORX product, you will be presented with a layered cookie consent banner through our Cookie Consent Management Platform (CMP). The first layer summarizes your choices; a second layer lets you set preferences by category. Non-essential cookies are off by default pending your consent. You can:
- Accept all cookies
- Reject all non-essential cookies
- Customize your preferences by category
You can update your preferences at any time by clicking the “Cookie Preferences” link in the footer of our website. Changes take effect immediately.
Note: Disabling certain cookies may affect the functionality of our website or platform.
7.4 Global Privacy Control (GPC)
APIWORX recognizes and honors the Global Privacy Control (GPC) browser signal as a valid opt-out request for the sale and sharing of personal information under the CCPA/CPRA and the TDPSA. If your browser or extension transmits a GPC signal, we will treat this as a request to opt out of any sale or sharing of your personal information from that browser. You do not need to submit a separate opt-out request.
7.5 Third-Party Cookies
Some cookies on our site are set by third-party services we use (such as analytics or marketing platforms). These third parties may use cookies to collect information about your online activities across different websites over time. We list the third-party services we use and the purposes of their cookies in our Cookie Policy, available at apiworx.com/cookies. Third-party services operate under their own privacy policies, which we encourage you to review.
7.6 Do Not Track
Some browsers offer a “Do Not Track” (DNT) signal. Because there is no consistent industry standard for responding to DNT signals, we do not currently modify our practices based on DNT signals. We do, however, honor GPC signals as described above.
8. Data Retention
We retain personal information only for as long as necessary for the purposes described in this policy, or as required by law. The table below describes our standard retention periods by data category.
| Data Category | Standard Retention Period | Basis for Retention Period |
|---|---|---|
| Account data (name, email, contact details, account credentials) | Duration of active account + 90 days after account closure | Necessary for contract performance; 90-day period allows for account reactivation and dispute resolution |
| Transaction and integration data (data flowing through the APIWORX platform during active integrations) | 30 days from processing date, unless the customer’s configuration or DPA specifies otherwise | Platform architecture; data minimization principle; processor instructions |
| Customer account records and contracts | Duration of the customer relationship + 7 years | Legal obligation (tax and financial record-keeping); statute of limitations for contract claims |
| Marketing and prospecting data | Until opt-out or withdrawal of consent + 30 days; or 3 years from last meaningful engagement if consent-based processing has lapsed | Consent withdrawal; proportionality |
| Financial and billing records | 7 years from the date of the transaction | Legal obligation (U.S. tax law, IRS regulations) |
| Support tickets and correspondence | 3 years from ticket resolution | Legitimate interest in maintaining service history and resolving recurring issues |
| Security and access logs | 12 months from the date of creation | Security monitoring; incident response; fraud detection |
| Cookie and analytics data | Varies by cookie type; analytics aggregates retained up to 26 months | Analytics and product improvement; see Cookie Policy |
| De-identified or aggregated data | Indefinitely (does not constitute personal information) | Business analytics and reporting |
When retention periods expire, we securely delete or anonymize personal information. Where deletion is not immediately practicable (for example, data stored in backup archives), the data is isolated from active processing and deleted when the backup cycle permits.
Customer-directed retention: For Customer Data processed in our Processor role, retention is governed by the terms of the applicable DPA and customer instructions. Unless the DPA specifies otherwise, APIWORX will delete or return Customer Data within 30 days following termination of the applicable service agreement.
9. Data Security
9.1 Technical Measures
APIWORX implements industry-standard technical safeguards to protect personal information, including:
- Encryption in transit: All data transmitted between your browser and our servers, and between integrated systems via the APIWORX platform, is encrypted using TLS 1.2 or higher.
- Encryption at rest: Personal information stored on our systems is encrypted at rest using AES-256 or equivalent.
- Access controls: Access to personal information and customer data is restricted on a least-privilege basis. We use role-based access controls, multi-factor authentication, and regular access reviews.
- Network security: Our infrastructure is protected by firewalls, intrusion detection systems, and continuous security monitoring.
- Secure development practices: Our engineering team follows secure development lifecycle (SDLC) practices, including regular code reviews and security testing.
9.2 Organizational Measures
- Employee training: All APIWORX personnel with access to personal information receive privacy and security training appropriate to their role.
- Confidentiality obligations: Employees and contractors are bound by confidentiality obligations as a condition of engagement.
- Vendor security assessment: Service providers and sub-processors are assessed for security compliance before engagement and are contractually required to maintain appropriate safeguards.
- Data Protection Impact Assessments (DPIAs): For processing activities that present a high risk to individuals, APIWORX conducts DPIAs prior to commencing processing and maintains a DPIA register.
9.3 SOC 2 Type II
APIWORX undergoes regular independent audits of its security controls. Our SOC 2 Type II report is available to customers upon request under a mutual non-disclosure agreement. Contact your account manager or email privacy@apiworx.com to request a copy.
9.4 Incident Response and Breach Notification
No security system is impenetrable. In the event of a personal data breach, APIWORX will:
- Investigate promptly — contain the incident, assess its scope and impact, and remediate the vulnerability.
- Notify EU/EEA supervisory authorities within 72 hours of becoming aware of a breach that is likely to result in risk to the rights and freedoms of individuals, as required by GDPR Article 33.
- Notify affected data subjects without undue delay where a breach is likely to result in high risk to their rights and freedoms, as required by GDPR Article 34.
- Notify affected customers (in our Processor role) within 48 hours of discovery to enable customers to meet their own 72-hour regulatory notification obligations.
- Comply with applicable U.S. state breach notification laws, including the Texas Business & Commerce Code § 521.053 (notice within 60 days), California Civil Code § 1798.82 (notice within 30–45 days depending on scope), and other applicable state statutes.
We maintain an incident response plan and conduct periodic tabletop exercises to ensure readiness.
10. International Data Transfers
10.1 APIWORX’s Location
APIWORX is headquartered in Austin, Texas, United States. Personal information collected by APIWORX is processed in the United States. The United States has not received a general adequacy decision from the European Commission under GDPR Article 45.
10.2 Transfers from the EEA, UK, and Switzerland
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the transfer of your personal information to the United States constitutes a “restricted transfer” requiring an appropriate safeguard under GDPR Chapter V, UK GDPR, or the Swiss nFADP.
APIWORX relies on the following transfer mechanisms:
EU Standard Contractual Clauses (SCCs): For transfers of personal data from the EEA to the US, APIWORX relies on the Standard Contractual Clauses approved by the European Commission in Implementing Decision 2021/914 of June 4, 2021. We apply the appropriate module depending on the data flow:
- Module 2 (Controller-to-Processor): For APIWORX acting as Processor on behalf of EEA-based customers.
- Module 1 (Controller-to-Controller): Where applicable for direct data exchanges.
UK International Data Transfer Addendum (IDTA): For transfers of personal data from the UK to the US, we rely on the UK IDTA issued by the UK Information Commissioner’s Office (ICO), supplementing the EU SCCs.
Swiss Data Transfers: For transfers of personal data from Switzerland, we apply equivalent safeguards consistent with the Swiss Federal Act on Data Protection (nFADP).
10.3 Transfer Impact Assessments
APIWORX conducts Transfer Impact Assessments (TIAs) to evaluate whether the legal frameworks of recipient countries provide adequate protection, and implements supplementary technical and organizational measures where required.
10.4 Data Privacy Framework
APIWORX monitors the status of the EU-US Data Privacy Framework (DPF) and applicable transfer mechanisms and will update its transfer practices as required to maintain compliance. Please contact privacy@apiworx.com for the current status of our transfer safeguards.
10.5 Data Processing Locations
APIWORX’s primary data processing occurs in the United States. Customer data processed through specific integrations may involve third-party sub-processors located in other jurisdictions. Our sub-processor list at apiworx.com/sub-processors includes the processing location for each sub-processor.
10.6 Copies of SCCs
A copy of the applicable Standard Contractual Clauses is incorporated into the APIWORX DPA, available at apiworx.com/dpa. You may also request a copy by contacting privacy@apiworx.com.
11. Your Privacy Rights
11.1 Rights Available to All Users
Regardless of your location, you may exercise the following rights with respect to personal information APIWORX holds about you in its capacity as a data controller:
- Right to Access: Request a copy of the personal information we hold about you, including the categories of information, sources, purposes, and recipients.
- Right to Correction: Request that we correct inaccurate or incomplete personal information. Some information can be updated directly in your account settings within applicable APIWORX products.
- Right to Deletion: Request that we delete your personal information, subject to legal retention obligations and other applicable exceptions (such as information needed to complete a transaction or comply with a legal obligation).
- Right to Data Portability: Request a copy of certain personal information in a structured, commonly used, machine-readable format, where technically feasible.
- Right to Object: Object to certain processing activities, particularly direct marketing (which we will stop upon request) and processing based on legitimate interests.
- Right to Restrict Processing: Request that we limit the processing of your personal information in certain circumstances, such as while we verify a correction request.
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please submit your request to privacy@apiworx.com. See Section 17 for contact details. We will respond within the timeframes specified in the applicable subsection below.
We will not discriminate against you for exercising any privacy rights — you will not be denied services, charged different prices, or provided a different quality of service solely because you exercised a right described in this policy.
11.2 EEA and UK Residents (GDPR / UK GDPR)
In addition to the rights in Section 11.1, if you are located in the EEA or UK, you have the following additional rights:
Response timeframe: We will respond to verified requests within 30 calendar days. Where we need additional time due to complexity or volume, we may extend this by up to 60 additional days and will notify you of the extension within the initial 30-day period.
Right to lodge a complaint: You have the right to lodge a complaint with the data protection supervisory authority in your country of residence or place of work. A directory of EEA supervisory authorities is available at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. UK residents may contact the Information Commissioner’s Office (ICO) at https://ico.org.uk/make-a-complaint.
Privacy lead contact: APIWORX has designated a privacy lead responsible for data protection matters. You may contact our privacy team at privacy@apiworx.com. APIWORX has assessed its processing activities and has determined that appointment of a formal Data Protection Officer (DPO) under GDPR Article 37 is not currently required based on the nature and scale of our processing. We will reassess this determination as our business grows and if the regulatory landscape changes. If you have concerns about our DPO assessment, please contact privacy@apiworx.com.
Automated decision-making: APIWORX does not make decisions about you based solely on automated processing — including profiling — that produce legal or similarly significant effects on you, within the meaning of GDPR Article 22. If this changes, we will update this policy and, where required, obtain your consent or provide notice.
Data Protection Impact Assessments: For high-risk processing activities, we conduct DPIAs in accordance with GDPR Article 35. Summaries are available on request.
Children (GDPR): APIWORX’s services are designed for business use and are not directed at individuals under the age of 16. If you are between 13 and 15 years of age and located in the EEA, processing of your personal data requires verifiable parental or guardian consent under GDPR Article 8. See Section 14.
11.3 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code §§ 1798.100 et seq.:
Right to Know: You may request that we disclose:
– The specific pieces of personal information we have collected about you
– The categories of personal information collected, the sources, the business or commercial purposes, and the categories of third parties with whom we disclosed that information
– Whether we have sold or shared your personal information (we have not)
Right to Delete: You may request that we delete personal information we have collected about you, subject to certain exceptions (such as completing a transaction, complying with a legal obligation, or exercising a legal right).
Right to Correct: You may request that we correct inaccurate personal information.
Right to Opt-Out of Sale/Sharing: Although APIWORX does not sell or share personal information as defined under the CCPA/CPRA, you may submit an opt-out request via the Do Not Sell or Share My Personal Information link on our website or homepage footer. We also honor GPC signals as described in Section 7.4.
Right to Limit Use of Sensitive Personal Information: You may request that APIWORX limit its use of your sensitive personal information to purposes permitted under Cal. Civ. Code § 1798.121. To exercise this right, use the Limit the Use of My Sensitive Personal Information link on our homepage or contact privacy@apiworx.com. Note that APIWORX collects very limited sensitive personal information as described in Section 2.1.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Authorized Agent: You may designate an authorized agent to make requests on your behalf. We will require written proof of the agent’s authorization and may verify your identity directly.
Verification Process: To protect your information, we will verify your identity before processing requests to know, delete, or correct. Verification typically involves confirming your name and email address associated with your account or relationship with APIWORX. For requests involving sensitive information or deletion, we may require a higher standard of verification.
Response Timeframe: We will acknowledge your request within 10 business days and respond fully within 45 calendar days. If we need additional time, we may extend the response period by an additional 45 days and will notify you of the extension and reason.
Financial Incentive Disclosures: APIWORX does not currently offer any financial incentives, price differences, or service differences in exchange for the retention of personal information.
Metrics Disclosure: We will publish our annual CCPA/CPRA metrics report at apiworx.com/privacy/metrics, including the number of requests received, fulfilled, and denied by category, and average response times.
No Sale of PI of Minors: APIWORX does not sell or share personal information of consumers we know to be under 16 years of age.
11.4 Texas Residents (TDPSA)
If you are a Texas resident, you have the following rights under the Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code § 541.051 et seq.:
- Right to confirm whether APIWORX is processing your personal data
- Right to access a copy of your personal data that we process
- Right to correction of inaccurate personal data
- Right to deletion of personal data you have provided or that we have collected about you
- Right to data portability — a copy of your data in a portable, readily usable format
- Right to opt out of the processing of your personal data for purposes of: (1) targeted advertising; (2) the sale of personal data; or (3) profiling in furtherance of a decision that produces a legal or similarly significant effect
GPC Recognition: Consistent with TDPSA requirements, APIWORX recognizes the Global Privacy Control (GPC) signal as a valid opt-out request for applicable processing activities.
How to exercise: Submit requests to privacy@apiworx.com or by mail to APIWORX LLC, 1401 Lavaca Street, Suite 241, Austin, TX 78701.
Response timeframe: We will respond within 45 days. If we cannot fulfill your request, we will provide a written explanation.
Appeals process: If we decline to take action on your request, you may appeal our decision by notifying us in writing at privacy@apiworx.com with the subject line “TDPSA Appeal.” We will respond to your appeal within 60 calendar days with a written explanation of our decision. If your appeal is denied and you believe your rights have been violated, you may contact the Texas Attorney General at: https://www.texasattorneygeneral.gov.
11.5 Other U.S. State Residents
Residents of additional states have similar privacy rights under their respective state laws. APIWORX will honor requests from residents of these states consistent with applicable requirements:
Virginia (Consumer Data Protection Act — CDPA): Rights to access, correct, delete, data portability, and opt out of targeted advertising, sale of personal data, and profiling with legal or significant effects. Appeals must be responded to within 60 days.
Colorado (Colorado Privacy Act — CPA): Rights to access, correct, delete, data portability, and opt out of targeted advertising, sale, and profiling. APIWORX recognizes GPC as a universal opt-out mechanism.
Connecticut (Connecticut Data Privacy Act — CTDPA): Rights to access, correct, delete, data portability, and opt out of targeted advertising, sale, and profiling. Appeals are responded to within 60 days.
Utah (Utah Consumer Privacy Act — UCPA): Rights to access, delete (for data provided by you), data portability, and opt out of sale and targeted advertising.
To exercise any of these rights, contact privacy@apiworx.com. We will acknowledge requests promptly and provide substantive responses within the timeframes required by applicable state law.
12. Data Processing Agreement
12.1 When a DPA Applies
Where APIWORX processes personal data on behalf of a customer as a data processor (or service provider under CCPA), the APIWORX Data Processing Agreement (DPA) governs that processing. The DPA is incorporated into and forms part of the APIWORX Terms of Service for all customers whose use of the Services involves the processing of personal data subject to GDPR, UK GDPR, CCPA/CPRA, or other applicable privacy laws.
12.2 DPA Contents
The APIWORX DPA addresses all required elements under GDPR Article 28(3), including:
- Subject matter, duration, nature, and purpose of processing
- Types of personal data and categories of data subjects
- APIWORX’s obligations as Processor, including confidentiality, security, sub-processor controls, data subject rights assistance, breach notification, deletion/return obligations, and audit rights
- Customer’s obligations as Controller, including ensuring a valid legal basis for processing
- Cross-border transfer mechanisms (SCCs and UK IDTA, as applicable)
- Breach notification obligations: APIWORX will notify customers within 48 hours of becoming aware of a security incident affecting Customer Data
12.3 Accessing the DPA
The current version of the APIWORX DPA is available at apiworx.com/dpa. To request a signed DPA or discuss DPA terms, contact legal@apiworx.com.
13. Sub-Processors
13.1 Sub-Processor List
APIWORX uses third-party sub-processors to support the delivery of our services. All sub-processors are bound by data processing agreements that impose security and confidentiality obligations at least as protective as those in our customer DPAs. A current list of APIWORX sub-processors, including their names, locations, and the processing activities they perform, is maintained at:
apiworx.com/sub-processors
13.2 New Sub-Processors and Changes
APIWORX will notify customers of any intended additions to or replacements in our sub-processor list via email to the account’s designated contact and/or through a notice on apiworx.com/sub-processors. Notification will be provided at least 30 calendar days before the new sub-processor begins processing Customer Data.
13.3 Right to Object
Customers have the right to object to the addition of a new sub-processor within the 30-day notice window by notifying APIWORX in writing at legal@apiworx.com. If a customer objects and APIWORX is unable to provide the services without the new sub-processor, APIWORX will work with the customer to identify an alternative solution or, if no resolution can be reached, allow the customer to terminate the affected services with a pro-rata refund of prepaid fees.
14. Children’s Privacy
APIWORX’s services are designed and intended for use by businesses and their authorized employees and representatives. Our services are not directed at, marketed to, or intended for use by children under the age of 16 (or under the age of 13 in the United States for COPPA purposes).
We do not knowingly collect personal information from children under 16. If we become aware that we have inadvertently collected personal information from a child under 16 without verifiable parental consent, we will take prompt steps to delete that information from our systems.
If you believe that a child has provided us with personal information without appropriate consent, please contact us immediately at privacy@apiworx.com so we can investigate and delete the information.
15. Third-Party Links
Our website and platform may contain links to third-party websites, services, and applications — including the platforms we integrate with (HubSpot, Shopify, Sage Intacct, Brightpearl, Amazon, SPS Commerce, BigCommerce, and others). These links are provided for convenience and informational purposes.
APIWORX does not control these third-party sites and is not responsible for their privacy practices, content, or security. When you click a link to a third-party site, you leave our controlled environment. We encourage you to review the privacy policy of every website or service you visit. This Privacy Policy applies only to information collected by APIWORX.
16. Changes to This Policy
16.1 Material Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes — changes that significantly affect the rights described in this policy or the way we collect, use, or share personal information — we will:
- Provide at least 30 calendar days’ advance notice before the changes take effect, by:
  - Sending an email notification to the address associated with your APIWORX account, and
  - Posting a prominent notice on apiworx.com and within applicable APIWORX products
- Update the “Effective Date” at the top of this page
16.2 Non-Material Changes
For minor, non-material updates (such as clarifications, formatting changes, or corrections that do not alter your rights or our practices), we will update the policy and the “Last Updated” date without prior notice.
16.3 Continued Use
Your continued use of our services after the effective date of any updated policy constitutes your acknowledgment of the changes. If you do not agree with a material change, you may contact us to close your account before the change takes effect.
16.4 Prior Versions
Previous versions of this Privacy Policy are available upon request by contacting privacy@apiworx.com.
17. Contact Information
We welcome questions, comments, and requests about this Privacy Policy and our privacy practices.
Privacy Inquiries and Data Subject Requests
Email: privacy@apiworx.com
(For all privacy questions, requests to exercise your rights, and general privacy inquiries)
Postal Mail:
APIWORX LLC — Privacy
1401 Lavaca Street, Suite 241
Austin, TX 78701
United States
DPA and Legal Inquiries
Email: legal@apiworx.com
(For Data Processing Agreement requests, legal notices, and DPA-related inquiries)
General Contact
Email: contact@apiworx.com
Website: apiworx.com
Response Timeframes
| Request Type | Acknowledgment | Full Response |
|---|---|---|
| GDPR / UK GDPR (EEA / UK residents) | Within 5 business days | Within 30 calendar days (extensible by 60 days) |
| CCPA / CPRA (California residents) | Within 10 business days | Within 45 calendar days (extensible by 45 days) |
| TDPSA (Texas residents) | Within 5 business days | Within 45 calendar days |
| Other state residents | Within 5 business days | Within 45 calendar days (or as required by applicable state law) |
| General privacy inquiries | Within 5 business days | Reasonable time based on complexity |
18. Dispute Resolution
18.1 Initial Resolution
We are committed to resolving privacy concerns directly. If you have a concern about our privacy practices, please contact us at privacy@apiworx.com first. We will investigate and respond within the timeframes set out in Section 17.
18.2 Formal Dispute Resolution
If a privacy dispute is not resolved through direct contact, it is subject to the dispute resolution provisions in the APIWORX Terms of Service, available at apiworx.com/terms, including any applicable escalation, mediation, and arbitration provisions.
18.3 Supervisory Authority Complaints (EEA/UK)
EEA and UK residents have the right to lodge a complaint with their local data protection supervisory authority at any time, independent of any dispute resolution process. See Section 11.2 for contact details. APIWORX commits to cooperating fully with supervisory authorities in the resolution of complaints.
18.4 Texas Attorney General
Texas residents who have completed the APIWORX appeals process described in Section 11.4 and whose appeal has been denied may contact the Texas Attorney General’s Consumer Protection Division for assistance.
This Privacy Policy was prepared in accordance with the requirements of the EU General Data Protection Regulation (GDPR), UK GDPR, Swiss Federal Act on Data Protection (nFADP), California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), Texas Data Privacy and Security Act (TDPSA), Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and applicable industry best practices as of the effective date.
APIWORX LLC
1401 Lavaca Street, Suite 241
Austin, TX 78701
privacy@apiworx.com
apiworx.com
Effective Date: April 6, 2026
Document Version: 1.0









