ABX Privacy Policy

Privacy Questions?

Contact our privacy team for any questions about this policy.

privacy@abxplatform.com

Web Contact Form

1. Quick Summary (Key Points)

**ABX is a website redesign and experimentation service** that lets you generate, preview, and run A/B tests and AI‑powered redesigns on your sites and apps.

**You (our customer) are generally the "controller" of your site‑visitor data; ABX is your "processor/service provider."** We process end‑user data only to deliver the Services and your instructions, except where we separately act as an independent controller (e.g., to secure and improve ABX, comply with law, or run aggregated analytics).

**Account, billing, support, and marketing data about you (our customer contacts)** are processed by ABX as a controller.

**Cookies & similar tech:** Our dashboard uses cookies and local storage for authentication and product functionality; the ABX Snippet may set first‑party storage to manage experiment bucketing, goal tracking, fraud prevention, and other uses essential to providing the service. It is crucial that You verify that ABX is appropriate to be used in the jurisdictions in which You operate and implement appropriate safeguards and processes to comply with relevant regulations, such as GDPR.

**Privacy rights:** Depending on residency, your end users (and you) may have rights to access, delete, correct, or opt out of certain data uses (sale/sharing, targeted advertising, profiling). You can always exercise these rights by writing to **privacy@abxplatform.com** or using the privacy web‑form on our site.

**Robust data isolation & audit logging** help keep customer data separate and secure.

**AI features (Smart Experiments, Redesign, Synthetic Testing)** may process crawled site HTML/CSS, screenshots, and metadata you provide; where enabled, these data are sent to our AI model providers (including, but not limited to, OpenAI) under strict data‑processing terms.

2. Data‑Protection Roles

2.1 Terminology

Under **UK GDPR**, a **controller** determines the purposes and means of processing personal data; a **processor** processes personal data on behalf of the controller and only on its documented instructions. US State Privacy Laws use similar but not identical terms (e.g., California "business"/"service provider"/"contractor"; Colorado & Virginia "controller"/"processor").

2.2 When You Are the Controller and ABX Is Your Processor / Service Provider

You (the customer organisation that registers an ABX account and installs the ABX Snippet on your digital properties) typically determine *why* and *how* data about your end users will be collected for experimentation, analytics, and conversion optimisation. Accordingly, you are the controller (UK) / business (CA) / controller (CO, VA) for that end‑user data, and ABX acts as your processor / service provider, subject to a Data‑Processing Addendum ("**DPA**").

2.3 When ABX Acts as an Independent Controller

We act as a controller for:

  • **Account administration & authentication data** collected during onboarding (email, password, name, etc.).
  • **Subscription/billing, support communications, marketing lists** (inherent to providing SaaS).
  • **Product telemetry & security logging** necessary to maintain and improve ABX (including aggregated event metrics, service health, abuse detection).
  • **Aggregated / anonymised analytics** across customers to improve statistical methods and AI models.

3. Scope (What This Policy Covers)

This Policy covers personal data we process about:

  1. **Customer Admin Users** – individuals who create an ABX account or log into the dashboard.
  2. **Customer‑Owned Site‑Visitor Data Processed via the ABX Snippet / SDK** – event data (page views, clicks, conversions, experiment variants shown) and related metadata.
  3. **Crawled / Uploaded Site Content & Screenshots** used for analysis, experiment generation, redesign, and synthetic testing.
  4. **AI‑Generated Variants & Redesign Artifacts** (HTML/CSS/JS injection code, goal selectors, site patches) stored in our systems.
  5. **Support, Feedback & Communications Data** (emails, in‑product chat logs, troubleshooting information) related to operating the Services.

It does **not** cover: (a) personal data processed entirely by you outside ABX; (b) third‑party sites linked from our dashboard; (c) aggregated or anonymised data that can no longer reasonably be used to identify an individual.

4. Information We Collect

4.1 Data You Provide Directly

| Category | Examples | Purpose | Required? |
|---|---|---|---|
| Account Registration | Name, email, password (hashed), organisation, role | Create & secure your ABX account; provide access | Yes to use the dashboard and Services. |
| Website Connection Data | Domain, tech stack, traffic volume estimates | Configure site in ABX; generate snippet; capacity planning | Required to connect your site to ABX. |
| Snippet Config & Keys | Site public key, install instructions | Validate snippet install; associate events with site | Required to implement ABX. |
| Experiment Inputs | Hypotheses, variant text, targeting selectors, goal definitions | Create & run experiments | Required to implement experiments |
| Redesign Preferences | Style guidance, target audience, brand colours | Generate AI redesigns | Required to implement design changes |
| Synthetic Testing Toggles | Enable/disable synthetic personas | Run AI persona evaluations | Required to enable, disable, and use synthetic testing |

4.2 Data We Collect Automatically Through the ABX Snippet / SDK

When installed on your site, the ABX Snippet retrieves experiment instructions and reports back pseudonymous event data to measure variant performance. Depending on your configuration, collected data can include:

  • **Page‑action events** (URL, timestamp, experiment & variant IDs, site ID).
  • **Click / Conversion events** automatically instrumented for configured goal selectors.
  • **Experiment‑impression events** to record exposure counts.
  • **Custom events** you explicitly track via the ABX API.

The ABX Snippet may use first-party cookies or local storage for experiment bucketing, variant persistence, goal tracking, and fraud prevention. Where required (e.g., under PECR/UK GDPR), Customers must obtain valid consent for any non-essential cookies or similar technologies prior to deployment of the ABX Snippet.

5. How We Use Information (Purposes + Legal Bases)

5.1 Where We Act as Processor / Service Provider (End‑User Data)

We process end‑user data strictly to:

  1. **Deliver experiments & variants.**
  2. **Measure outcomes.**
  3. **Provide dashboard reporting & automated experiment management.**
  4. **Support synthetic testing where enabled.**

**Legal bases (UK style):** We rely on the controller's selected lawful basis (often *legitimate interests* in optimisation, *consent* where required for cookies/analytics, or *performance of a contract* for logged‑in features). Controllers choose lawful basis; processors act only on instructions.

5.2 Where We Act as Controller

We use account and business‑contact data to:

  • Provide access to the dashboard and Services.
  • Communicate product updates, security notices, and billing information.
  • Provide onboarding flows, troubleshooting, and customer support.
  • Improve and secure the ABX Platform (usage analytics, performance tuning across micro‑services).

**Legal bases (UK):** *Performance of contract*, *legitimate interests* (service improvement, fraud prevention), and *consent* for certain marketing communications (opt‑in where required by PECR).

6. Data Sharing & Disclosure

| Recipient Category | Purpose | Role Alignment | Safeguards |
|---|---|---|---|
| **Customer Administrators** | Provide experiment & visitor analytics | Processor to Controller | Authenticated dashboard access; site‑based scoping |
| **AI Model Providers (e.g., OpenAI)** | Generate experiments/redesigns & synthetic‑persona analysis (if enabled) | Sub‑processor to Controller / Processor to ABX | Contractual data‑use limits; no model training with your data without consent |
| **Infrastructure Providers (cloud hosting, DB, Redis, CDN)** | Hosting, event streaming, performance | Sub‑processors | Encryption in transit; data‑processing terms |
| **Professional Advisors** | Compliance, dispute resolution | Independent controllers | Confidentiality obligations |
| **Regulators & Law Enforcement** | As required by law or to protect rights | Independent controllers | We disclose only what is required by applicable laws |

We do **not** sell personal information for cross‑context behavioural advertising when acting as your processor.

9. Data Retention

| Data Type | Default Retention | Rationale / Notes |
|---|---|---|
| Raw event streams | ≤ 30 days then rolled up | Performance analytics pipeline |
| Aggregated experiment stats & daily metrics | While account active + 12 months | Long‑term optimisation & reporting |
| Crawled HTML / screenshots | Until experiment archived or site removed | Customer‑controlled |
| Synthetic‑testing results | Until disabled or experiment archived | Stored as synthetic stats |
| **AI prompts & model inputs** | **≤ 30 days** | Traceability of AI outputs & auditability |
| **Operational & security logs** | **90 days** | Debugging, abuse detection, incident response |
| Account‑admin data | Life of account + 6 years | Contract & tax records |

Custom retention schedules are available on Enterprise plans – contact us if you need a bespoke arrangement.

11. Your Privacy Choices & Rights

11.1 Rights You Have with Respect to ABX (Controller Data)

If you have an ABX account or otherwise interact directly with us, you can:

  • Access, correct, or delete your account data; request export of site configuration and experiment metadata.
  • Manage onboarding information and site settings in the dashboard.

To exercise these rights, email **privacy@abxplatform.com**.

11.2 Rights Your End Users Have (You Are Controller; We Assist)

Under UK GDPR and US State Privacy Laws, your site visitors may have rights to know, access, correct, delete, port, and object/opt out of certain processing (e.g., targeted advertising, sale, profiling). Please notify us of any such request so that we may provide you with the requested information.

16. Security

We employ administrative, technical, and physical safeguards designed to protect personal data, including:

  • **Access controls & RBAC** with audit logging.
  • **Data isolation** via tenant‑specific keys.
  • **Encrypted event streaming** with retention limits.
  • **Preview‑mode safeguards** that exclude test traffic from analytics.
  • **Selector‑validation rules** to prevent over‑broad DOM targeting.
  • **Incident response & breach notification:** If we become aware of a personal‑data breach affecting your account or end‑user data, we will notify the primary customer contact without undue delay and within 48 hours of confirmation, outlining scope, impact, and remediation steps.

While we take these steps to secure data, **no system is perfectly secure**. Please implement complementary controls (consent banners, appropriate site‑access restrictions, minimised data capture) on your properties.

20. How to Contact Us

Third Millennium Technology Limited

Registered address: 58 Panton Street, Cambridge, England, CB2 1HS

Registered in: England & Wales

Company number: 16338980

Privacy Contact:

Email: privacy@abxplatform.com

Web form: https://abxplatform.com/contact