Privacy Policy
Effective date: March 20, 2026 · Last updated: March 20, 2026
Xelurel AI, Inc. ("Xelurel AI," "we," "our," or "us") operates the Xelurel AI platform — an AI output trust and content-moderation infrastructure service (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect information about you when you visit our website, create an account, or use our APIs and dashboard. It also describes the choices available to you regarding your personal data and how to exercise them.
Contents
1. Scope and Applicability
2. Definitions
3. Information We Collect
4. How We Use Your Information
5. Legal Bases for Processing (EEA / UK / Switzerland)
6. How We Share Your Information
7. Data We Process on Behalf of Customers (Processor Role)
8. Cookies and Tracking Technologies
9. Data Retention
10. Security
11. International Data Transfers
12. Your Rights and Choices
13. Children's Privacy
14. Third-Party Links
15. Changes to This Policy
16. Contact Us
1. Scope and Applicability
This Policy applies to:
- Visitors to xelurel.com and any subdomain (collectively, the "Site");
- Organizations and individuals who register for and use the Xelurel AI platform ("Customers"); and
- End users whose content is processed through the Xelurel AI API on behalf of a Customer ("End Users").
If you are an End User whose data is processed by a Customer, your primary privacy relationship is with that Customer. We process End User data only as a data processor under the Customer's instructions. Please refer to the Customer's privacy policy for information about how they handle your data.
This Policy does not apply to third-party websites, services, or applications that may link to or integrate with the Service. We are not responsible for the privacy practices of those parties.
2. Definitions
| Term | Meaning |
|---|---|
| "Personal Data" | Any information relating to an identified or identifiable natural person. |
| "Customer Data" | Content, prompts, outputs, and metadata submitted to the API by Customers or End Users for evaluation by the Service. |
| "Account Data" | Information provided when creating or managing an account (e.g., name, email, billing details). |
| "Usage Data" | Technical data generated by your use of the Service (e.g., API request counts, latency, error rates). |
| "Controller" | The entity that determines the purposes and means of processing Personal Data. |
| "Processor" | An entity that processes Personal Data on behalf of a Controller. |
| "GDPR" | EU General Data Protection Regulation 2016/679. |
| "CCPA" | California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by CPRA. |
3. Information We Collect
3.1 Information You Provide Directly
- Account registration: name, business email address, company name, job title, password (hashed).
- Billing: payment card details (processed and stored by our PCI-DSS-compliant payment processor; we store only the last four digits, card brand, and expiration date), billing address, VAT/tax ID.
- Support communications: messages, attachments, and contact details you submit via email or support forms.
- Survey or research participation: responses you voluntarily provide.
- Marketing opt-ins: email address and communication preferences.
3.2 Information Collected Automatically
- Log data: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, and HTTP status codes.
- Device identifiers: hardware model, unique device IDs, and mobile network information where applicable.
- Usage data: API call counts, latency metrics, error rates, feature interactions, and dashboard navigation patterns.
- Cookies and similar technologies: session identifiers, authentication tokens, preference cookies, and analytics identifiers (see Section 8).
3.3 Customer Data Processed Through the API
When Customers submit content to the Xelurel AI API for trust assessment (prompts, AI-generated outputs, metadata), we process that content solely to deliver the Service. This content may incidentally include Personal Data about End Users. We act as a data processor with respect to Customer Data and process it only on documented Customer instructions (see Section 7).
3.4 Information from Third Parties
- Identity and OAuth providers (e.g., Google SSO): profile name, email, and profile picture.
- Payment processors (e.g., Stripe): payment status, fraud signals, and billing address verification.
- Business intelligence tools: firmographic data (company size, industry) appended to account records for sales and support purposes.
- Publicly available sources: information you have made publicly available online that is relevant to a business relationship with us.
4. How We Use Your Information
| Purpose | Categories of Data Used |
|---|---|
| Provide, operate, and maintain the Service, including processing API requests and returning trust assessments. | Account Data, Customer Data, Usage Data |
| Authenticate users and manage sessions securely. | Account Data, Log Data |
| Process payments and manage billing. | Account Data, Billing Data |
| Send transactional communications (receipts, alerts, password resets, API key notifications). | Account Data |
| Send product updates, feature announcements, and marketing emails (opt-out available). | Account Data |
| Provide customer support and respond to inquiries. | Account Data, Support Communications |
| Monitor service health, debug issues, and prevent abuse. | Log Data, Usage Data |
| Enforce our Terms of Service and other policies. | Account Data, Log Data, Customer Data |
| Comply with legal obligations and respond to lawful requests. | All categories as required |
| Analyze aggregate, de-identified usage trends to improve the Service. | De-identified Usage Data |
| Conduct security research, fraud detection, and threat modeling. | Log Data, Usage Data |
5. Legal Bases for Processing (EEA / UK / Switzerland)
Where GDPR or equivalent legislation applies, we rely on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service pursuant to a contract. | Performance of a contract (Art. 6(1)(b) GDPR) |
| Processing payments. | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending transactional communications. | Performance of a contract (Art. 6(1)(b) GDPR) |
| Sending marketing communications. | Consent (Art. 6(1)(a) GDPR) — withdrawable at any time |
| Security monitoring and fraud prevention. | Legitimate interests (Art. 6(1)(f) GDPR) |
| Analytics on de-identified data. | Legitimate interests (Art. 6(1)(f) GDPR) |
| Compliance with legal obligations. | Legal obligation (Art. 6(1)(c) GDPR) |
| Processing special category data (if applicable). | Explicit consent or as permitted by Art. 9 GDPR |
Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests do not override the fundamental rights and freedoms of data subjects. You may request a copy of our legitimate interests assessment by contacting our DPO.
6. How We Share Your Information
We do not sell, rent, or trade Personal Data. We share information only as described below:
6.1 Service Providers (Sub-processors)
We engage trusted third-party companies to help operate the Service. These parties are contractually bound to process data only on our instructions and to maintain appropriate security measures. Current categories of sub-processors include:
- Cloud infrastructure and hosting (e.g., Google Cloud Platform, Vercel)
- Database services (e.g., Google Firestore)
- Payment processing (e.g., Stripe)
- Transactional email delivery (e.g., SendGrid / Resend)
- Error monitoring and logging (e.g., Sentry)
- Customer support tooling (e.g., Intercom)
- Analytics (e.g., PostHog — self-hosted or privacy-configured)
A complete and up-to-date list of sub-processors is available upon request to privacy@xelurel.com and will be provided in a timely manner.
6.2 Business Transfers
If we are involved in a merger, acquisition, financing, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before Personal Data is transferred and becomes subject to a materially different privacy policy.
6.3 Legal Requirements
We may disclose your information if required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation or valid legal process; (b) protect the rights, property, or safety of Xelurel AI, our Customers, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.
Where legally permissible, we will notify you of any government or law-enforcement request for your data before complying.
6.4 Aggregated or De-identified Data
We may share aggregated or de-identified information that cannot reasonably be used to identify you — for example, industry benchmark reports or platform-wide statistics.
7. Data We Process on Behalf of Customers (Processor Role)
When Customers submit Customer Data to the API, Xelurel AI acts as a data processor and the Customer acts as the data controller. Our processing is governed by a Data Processing Agreement ("DPA") incorporated by reference into our Terms of Service. Key commitments under the DPA include:
- We process Customer Data only on documented Customer instructions.
- We do not use Customer Data to train AI models or for any purpose beyond delivering the Service.
- We impose equivalent contractual obligations on all sub-processors.
- We implement technical and organizational measures appropriate to the risk (see Section 10).
- We notify Customers of any Personal Data breach affecting Customer Data within 72 hours of becoming aware, where required by applicable law.
- We assist Customers in fulfilling their obligations to respond to data subject requests.
- We delete or return Customer Data upon contract termination, at the Customer's election.
Customers who require a signed DPA (e.g., for GDPR Article 28 compliance) may request one at legal@xelurel.com.
8. Cookies and Tracking Technologies
| Category | Purpose | Can Be Disabled? |
|---|---|---|
| Strictly necessary | Authentication tokens, session management, CSRF protection. Required for the Service to function. | No — essential for security |
| Functional | Remembering your preferences (e.g., sidebar state, display settings). | Yes, via browser settings |
| Analytics | Understanding how the Service is used in aggregate to improve features. We use privacy-respecting analytics with IP anonymization. | Yes, via cookie banner or browser settings |
| Marketing | We do not currently serve advertising cookies. If this changes, we will update this section and re-request consent. | N/A |
You can control cookies through your browser settings. Note that disabling certain cookies may impair Service functionality, including authentication. For residents of the EEA, UK, or California, you will see a cookie consent banner on your first visit.
9. Data Retention
| Data Category | Retention Period |
|---|---|
| Account Data | Duration of the account plus 90 days after deletion request, then permanently deleted (except as required by law). |
| Billing Records | 7 years from the transaction date, as required by financial regulations. |
| Customer Data (API payloads) | Retained for the period specified in the Customer's plan (default: 90 days rolling), then automatically purged. Customers may configure shorter retention or request immediate deletion. |
| Server Logs | 30 days for operational logs; up to 12 months for security logs. |
| Support Communications | 3 years from ticket closure, then deleted. |
| De-identified / Aggregated Data | Indefinitely — no Personal Data is contained. |
| Backup copies | Deleted within 30 days of the primary data deletion. |
Retention periods may be extended where required by applicable law, regulatory obligation, or active legal proceedings. We will inform you of any such extension where legally permitted.
10. Security
We maintain a comprehensive information security program that includes:
- Encryption in transit: TLS 1.2+ enforced for all API and dashboard communications.
- Encryption at rest: AES-256 encryption for all data stored in our databases and object storage.
- Access controls: Role-based access control (RBAC), principle of least privilege, mandatory MFA for all internal systems.
- Network security: VPC isolation, Web Application Firewall (WAF), DDoS protection, and regular penetration testing.
- Vulnerability management: Continuous dependency scanning, static analysis, and a responsible disclosure program.
- Incident response: A documented incident response plan with defined SLAs for detection, containment, and notification.
- Employee training: Annual security awareness training and background checks for employees with data access.
- Vendor risk management: Security review of all sub-processors before onboarding.
Despite these measures, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at security@xelurel.com.
11. International Data Transfers
Xelurel AI, Inc. is headquartered in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other countries where our infrastructure and sub-processors operate.
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of protection, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission (including the 2021 SCCs for controller-to-processor transfers);
- The EU–U.S. Data Privacy Framework (DPF) and UK Extension, where applicable; and
- Transfer Impact Assessments (TIAs) conducted for each transfer mechanism.
You may request a copy of our SCCs or TIAs by contacting privacy@xelurel.com.
12. Your Rights and Choices
12.1 Rights for EEA, UK, and Swiss Residents (GDPR)
- Right of access: Obtain a copy of the Personal Data we hold about you.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your data, subject to legal retention obligations.
- Right to restriction: Ask us to restrict processing in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: We do not make solely automated decisions that produce legal or similarly significant effects on individuals.
- Right to lodge a complaint: You may lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.
12.2 Rights for California Residents (CCPA / CPRA)
- Right to know: Request disclosure of the categories and specific pieces of Personal Information we have collected, used, disclosed, or sold.
- Right to delete: Request deletion of your Personal Information, subject to certain exceptions.
- Right to correct: Request correction of inaccurate Personal Information.
- Right to opt out of sale or sharing: We do not sell or share Personal Information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information: We do not use sensitive personal information beyond what is necessary to provide the Service.
- Right to non-discrimination: We will not deny, charge different prices for, or provide a different level of service because you exercised your privacy rights.
California residents may designate an authorized agent to make requests on their behalf. We will verify the agent's authority before processing the request.
12.3 How to Exercise Your Rights
Submit a request by emailing privacy@xelurel.com with the subject line "Privacy Request." We will respond within 30 days (or within any shorter period required by applicable law). We may need to verify your identity before processing the request; we will not use the data provided for verification for any other purpose.
12.4 Marketing Opt-Out
You may unsubscribe from marketing emails at any time by clicking the "Unsubscribe" link in any marketing email or by emailing privacy@xelurel.com. Unsubscribing from marketing does not affect transactional communications related to your account.
13. Children's Privacy
The Service is intended for business use by individuals who are at least 18 years old. We do not knowingly collect Personal Data from children under the age of 13 (or 16 in the EEA). If we become aware that we have inadvertently collected Personal Data from a child below the applicable age threshold, we will take steps to delete it promptly. If you believe we have collected such information, please contact us at privacy@xelurel.com.
14. Third-Party Links
The Site and Service may contain links to third-party websites, integrations, or services that are not operated by us. Clicking those links will take you away from our Service. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites. We encourage you to review the privacy policy of every site you visit.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective date" and "Last updated" dates at the top of this page;
- Post a prominent notice on the Site or send you an email notification; and
- Where required by law, obtain your consent before the changes take effect.
Your continued use of the Service after the effective date of any revised Policy constitutes your acceptance of the changes, to the extent permitted by applicable law. If you do not agree to the revised Policy, you should stop using the Service and may request deletion of your account.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the details below. We take privacy seriously and will respond to all inquiries promptly.
General Privacy Inquiries & Data Protection Officer
privacy@xelurel.com
Legal / DPA Requests
legal@xelurel.com
You also have the right to lodge a complaint with a supervisory authority. In the EU, you may contact the supervisory authority of your Member State. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk.