Privacy, Consent & Compliance

AXO ships two dedicated compliance surfaces: Consent Management controls what visitors are asked and when tracking runs, and the HIPAA Privacy Shield controls what data leaves the browser toward ad and analytics platforms.

Consent banner

The banner is off by default (implicit-consent mode). When enabled, you choose the consent mode (opt_in, opt_out, or auto), the position (top or bottom), and the banner text, accept/deny labels, and privacy-policy link. One-click region presets configure the right defaults for GDPR (EU), UK-GDPR, CCPA/CPRA (California), and LGPD (Brazil) – including localized labels.

Google Consent Mode & external CMPs

Google Consent Mode integration is a separate toggle with per-category control (analytics storage, ad storage, personalization storage, ad user data, ad personalization). Already running a consent platform? Set the CMP option to OneTrust, CookieBot, Osano, or Custom – the Consent page provides a copy-paste snippet for each that wires your CMP's decision into AXO via the window.vt_consent flag, so AXO respects the choice your CMP collected instead of showing a second banner.

HIPAA Privacy Shield

For healthcare and other PHI-sensitive sites, the Privacy Shield turns AXO into the forwarding layer for your ad and analytics trackers. Browser-side fbq() and gtag() calls are intercepted and routed server-side through AXO, where configurable scrub rules strip sensitive data before anything is forwarded: visitor IP address, user agent, clinical URL paths (e.g. /oncology, /mental-health), and query parameters – all on by default, individually toggleable.

  • Keep or remove your pixels. Existing Meta Pixel / GA4 snippets keep working (every call is intercepted), or you can remove them entirely and rely on AXO as the single tracking endpoint.
  • Shielded destinations. Meta CAPI, Google Ads, GA4 Measurement Protocol, TikTok, Pinterest, Reddit, and LinkedIn conversion APIs – credentials come from the same Integrations you've already configured.
  • Preview before go-live. Paste a URL pattern into the preview tool to see exactly what will be scrubbed, and review the audit log of scrubbed fields per destination after launch.

Important: AXO is not a BAA-eligible vendor today. The Privacy Shield reduces tracker-surface risk in line with HHS guidance on clinical URLs and IP addresses as potential disclosures, but it does not by itself make your site HIPAA-compliant – review your full stack with your compliance team.

PII handling elsewhere in AXO

Independent of the Shield: server-side ad integrations SHA-256 hash email and phone before transmission, integration credentials are envelope-encrypted at rest, and the Pulse REST API only returns PII fields to keys that carry the explicit profile:read:pii scope.