Effective date: 2026-04-30
Version: 1.0.0
This Privacy Policy explains how BCAX LLC ("we", "us", "Alex Spexx") collects, uses, shares, and protects personal data when you use alexspexx.com (the "Service"). It supplements our Terms of Use, Cookie Policy, and Affiliate Disclosure.
1. Who we are
The Service is operated by BCAX LLC, Wyoming, USA — see Legal Entity below.
2. What we collect
The Service is primarily a static editorial website. We collect:
- Newsletter / contact-form submissions — email address, optional name, optional message — from forms you choose to submit
- Server logs — IP, user-agent, referrer, requested URL — for security and operations
- First-party cookies — see Cookie Policy
We do not collect: payment data, biometric data, sensitive-category data, or third-party-platform OAuth tokens.
3. Why we collect (legal bases)
| Purpose | Legal basis |
| Send the newsletter to addresses that opted in | Consent — GDPR Art. 6(1)(a) |
|---|---|
| Reply to your contact-form message | Legitimate interest — Art. 6(1)(f) |
| Operate the website (security, performance) | Legitimate interest |
| Improve, secure, develop using de-identified aggregate data | Legitimate interest |
| Defend against claims, audits, regulatory inquiries | Legitimate interest + legal obligation |
| Successor-in-interest transfer | Legitimate interest |
| Comply with court orders / regulatory requests | Legal obligation |
4. Sharing
- Sub-processors — see
Sub-processors
We use the following third-party service providers ("sub-processors") to operate the Service. Each sub-processor processes only the personal data needed for its specific purpose, under contractual data-protection commitments at least as protective as the GDPR (Art. 28) Standard Contractual Clauses where required.
| Sub-processor | Function | Personal data | Region | Transfer safeguard |
| Stripe, Inc. | Payment processing | Billing & transaction data | USA | DPF-certified; SCCs |
|---|---|---|---|---|
| Mercury / Choice Financial Group | U.S. business banking | Identity, KYC, transaction | USA | Mandatory contractual safeguards |
| Wise Payments Ltd | International transfers | Identity, transaction | UK / Belgium | UK adequacy + SCCs |
| Supabase, Inc. (on AWS) | Database, auth, storage | All categories | USA (us-east-1) | DPF + SCCs |
| Anthropic, PBC | AI processing (Claude) | Prompts (no training; content-moderation only) | USA | DPF + SCCs |
| OpenAI, L.L.C. | AI processing (where used) | Prompts (no training under API terms) | USA | DPF + SCCs |
| Google LLC (Workspace, OAuth, Maps) | Email, OAuth, geo data | OAuth tokens, Google account email | USA / EU | DPF + SCCs |
| Meta Platforms, Inc. | OAuth (where used) | Meta account data | USA | DPF + SCCs |
| TikTok Pte Ltd / ByteDance | Direct-Post & developer APIs (where used) | TikTok account data | Singapore / USA | SCCs |
| Resend, Inc. | Transactional email | Email addresses, message content | EU (Ireland) | EU adequacy |
| Sinch (CLX Communications AB) | Fax & SMS | Phone, message content | EU (Sweden) | EU adequacy |
| DocuSeal (self-hosted) | E-signature | Identity & signed documents | EU (Frankfurt VPS — Hostinger) | EU hosting |
| Hostinger International Ltd | VPS hosting | Server logs | EU (Lithuania) | EU adequacy |
| Contabo GmbH | VPS hosting (browser-worker) | Server logs | EU (Germany) | EU adequacy |
| Cloudflare, Inc. | DNS, CDN, edge proxy | IP, request metadata | Global edge | DPF + SCCs |
| AdsPower (where used) | Anti-detect browser profiles | Limited (no PII forwarding) | Singapore | SCCs |
| GitHub, Inc. | Source-code hosting (no production user data) | Limited | USA | DPF + SCCs |
We may add or replace sub-processors. Material additions are announced at least 30 days in advance, by updating this page and (where required) emailing account holders. Continued use after the effective date constitutes acceptance.
To object to a new sub-processor, email [email protected] within the notice period. Objection on reasonable data-protection grounds entitles you to terminate the affected service for a pro-rated refund of unused fees.
- Successors — in any merger, acquisition, sale of assets, financing, or reorganization of BCAX LLC, your data may transfer as a regular business asset.
- Cross-promotion to other BCAX brands — content on alexspexx.com may link to BCA, Kollably, Contentko, or InsiderGuide. These links are disclosed under our Affiliate Disclosure.
We do not sell personal data, run third-party retargeting, or share with data brokers.
5. International transfers
Same as Section 5 of the BCA Privacy Policy. We rely on the EU–U.S. Data Privacy Framework, SCCs (2021/914), and your explicit consent under GDPR Art. 49(1)(a) where required.
6. Retention
See Data Retention Policy. Headlines:
- Newsletter list: until you unsubscribe + 12 months (suppression-list)
- Contact-form submissions: 24 months
- Server logs (raw): 90 days
- Server logs (aggregated, anonymized): indefinitely
7. Security
TLS in transit; encryption at rest where applicable; least-privilege staff access. No system is 100% secure; you provide data at your own risk; breach notification per Art. 33 GDPR (72 hours) where applicable.
8. Your rights
Your Rights
If you are in the European Economic Area, United Kingdom, or Switzerland (GDPR / UK-GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you (Art. 15 GDPR)
- Rectification — correct inaccurate or incomplete data (Art. 16)
- Erasure — request deletion of your data, also known as the "right to be forgotten" (Art. 17)
- Restriction — limit how we process your data while a dispute is resolved (Art. 18)
- Portability — receive your data in a structured, machine-readable format (Art. 20)
- Object — object to processing based on our legitimate interests, including direct marketing (Art. 21)
- Withdraw consent — at any time, where processing is based on consent (Art. 7(3))
- Lodge a complaint — with your local supervisory authority (a list is available at edpb.europa.eu)
To exercise any of these rights, email [email protected] with the subject line DSR Request. We may need to verify your identity before responding.
If you are a California resident (CCPA / CPRA)
You have the right to:
- Know what categories of personal information we have collected, the sources, the purposes, and any third parties with whom we share it
- Delete personal information we have collected from you (subject to certain exceptions)
- Correct inaccurate personal information
- Opt out of the "sale" or "sharing" of personal information (we do not sell your personal information)
- Limit use of sensitive personal information
- Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a privacy right
We do not knowingly collect personal information from California consumers under 16 years of age.
To exercise these rights, email [email protected] or use the "Do Not Sell or Share My Personal Information" link in the site footer (where applicable).
If you are in another jurisdiction
We extend the substantive rights above to all users where reasonably possible, regardless of residence. Email [email protected] for assistance.
9. Children's data
The Service is not directed to children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.
10. Changes
Material changes are announced 30 days in advance to newsletter subscribers (where applicable) and posted with a new effective date.
11. Contact
Contacting BCA on legal matters
| Type of inquiry | Subject line | Address |
| General privacy / data-subject rights | DSR Request | [email protected] |
|---|---|---|
| Refund request | Refund Request — [Engagement Reference] | [email protected] |
| Acceptable-use violation report | AUP Report | [email protected] |
| DMCA takedown notice | DMCA — Takedown | [email protected] (designated agent: see DMCA Policy) |
| DMCA counter-notice | DMCA — Counter-Notice | [email protected] |
| Spam / abuse complaint | Spam Complaint | [email protected] |
| Law-enforcement / subpoena | Law-Enforcement Request | [email protected] |
| Sanctions / OFAC concern | Sanctions Disclosure | [email protected] |
| Legal service of process | (paper, certified mail) | BCAX LLC, c/o Registered Agent, 30 N Gould St Ste R, Sheridan WY 82801, USA |
| Security vulnerability | Security | [email protected] (we follow coordinated disclosure; we do not pay bounties) |
We acknowledge each request within 5 business days and substantively respond within the timelines required by applicable law (typically 30 days under GDPR, 45 days under CCPA, 14 days for DMCA).
Email is preferred. Mail and fax service of process is accepted but slower; electronic delivery to [email protected] is sufficient legal service of any pre-litigation notice required under these legal pages.
12. Legal Entity
Legal Entity
Alex Spexx is a service operated by:
BCAX LLC
30 N Gould St Ste R
Sheridan, WY 82801
United States of America
Employer Identification Number (EIN): 42-2153191
State of formation: Wyoming, USA
This entity is the data controller and contracting party for all users of alexspexx.com.
Governing Law & Jurisdiction
These terms are governed by the laws of the State of Wyoming, United States, without regard to its conflict-of-laws principles. The exclusive forum for any dispute shall be the state and federal courts located in Sheridan County, Wyoming, except where applicable consumer-protection law of your country of residence grants you a non-waivable right to a local forum.
Contact
Legal & data-protection inquiries: [email protected]
For data-subject-rights requests (access, deletion, portability, objection), use the same email with subject line DSR Request. We respond within 30 days as required under GDPR Article 12 and within 45 days under California CCPA §1798.130.