Privacy Policy

Last updated:

1. Introduction

XeOps.ai ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered cybersecurity platform and services.

By using XeOps.ai, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, company name, password (encrypted)
  • Billing Information: Payment details processed securely through Stripe (we do not store full credit card numbers)
  • Scan Data: Target URLs, scan configurations, and security findings from vulnerability scans you initiate
  • Communications: Messages you send us via email, chat, or support tickets

2.2 Automatically Collected Information

  • Usage Data: Pages visited, features used, time spent, scan history
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies: Session cookies, analytics cookies (with your consent)
  • Log Data: Server logs including timestamps, API requests, error messages

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Provision: To provide, maintain, and improve our vulnerability scanning services
  • Security Analysis: To perform AI-powered security testing and generate vulnerability reports
  • Account Management: To create and manage your account, process payments, and enforce usage quotas
  • Communication: To send service updates, security alerts, billing notifications, and respond to inquiries
  • Product Improvement: To analyze usage patterns, fix bugs, and develop new features
  • Security: To detect and prevent fraud, abuse, and unauthorized access
  • Legal Compliance: To comply with legal obligations and respond to lawful requests

4. Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this policy:

  • Account Data: Retained until you delete your account, plus 30 days for backup purposes
  • Scan Results: Retained for 30 days after scan completion (configurable in Enterprise plans)
  • Billing Records: Retained for 7 years to comply with tax and accounting regulations
  • Anonymized Analytics: Retained indefinitely for statistical purposes

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

5.1 Service Providers (Data Processors)

  • Stripe: Payment processing (PCI DSS compliant)
  • Google Cloud Platform (GCP): Infrastructure hosting and database services
  • Vercel: Frontend hosting and CDN
  • SendGrid: Transactional email delivery

All third-party processors are contractually bound by GDPR-compliant Data Processing Agreements (DPAs).

5.2 Legal Requirements

We may disclose your information if required by law, court order, or governmental request, or to protect our rights, property, or safety.

6. Your Rights Under GDPR

If you are in the European Economic Area (EEA), you have the following rights:

  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your account and associated data
  • Right to Data Portability: Receive your data in a machine-readable format (JSON)
  • Right to Restrict Processing: Request limitation of data processing in certain circumstances
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw previously given consent at any time

To exercise these rights, please contact us at privacy@xeops.ai or use the account settings in your dashboard.

7. Data Export and Account Deletion

7.1 Data Export

You can request a complete export of your data at any time through:

  • Dashboard Settings → "Export My Data" (available for all plans)
  • API endpoint: GET /api/users/data-export
  • Email request to privacy@xeops.ai

The export includes: account details, scan history, API keys, billing information, and all associated metadata in JSON format.

7.2 Account Deletion

You can permanently delete your account through:

  • Dashboard Settings → "Delete Account" (requires password confirmation)
  • API endpoint: DELETE /api/users/me

Account deletion is permanent and irreversible. All associated data (scans, reports, API keys) will be deleted within 30 days. Billing records are retained for legal compliance (7 years).

8. Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Authentication: JWT tokens with 7-day expiration, bcrypt password hashing (10 rounds)
  • Infrastructure: Google Cloud Platform with private VPCs, firewall rules, and IAM
  • Access Control: Principle of least privilege, multi-factor authentication for internal access
  • Monitoring: Real-time security monitoring, intrusion detection, automated alerts
  • Compliance: Regular security audits, penetration testing, and vulnerability assessments

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Cookies and Tracking

We use cookies and similar technologies:

9.1 Essential Cookies (Always Active)

  • Session Cookies: Maintain your login state (expires after browser close)
  • Security Cookies: Prevent CSRF attacks and verify authentication

9.2 Analytics Cookies (Opt-in Required)

  • Usage Analytics: Track feature usage, page views, and user flows (anonymized)
  • Performance Monitoring: Measure page load times and API response latency

You can manage cookie preferences through the cookie banner or browser settings. Disabling essential cookies may impact service functionality.

10. International Data Transfers

XeOps.ai operates globally with primary infrastructure in the European Union (GCP eu-west1 region). If you access our services from outside the EU, your data may be transferred to and processed in countries with different data protection laws.

For transfers to third countries, we rely on:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Privacy Shield frameworks (where applicable)

11. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will notify you via email or a prominent notice in the dashboard. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Data Protection Officer

Email: privacy@xeops.ai

Response Time: We aim to respond to all privacy requests within 30 days.

Supervisory Authority: If you are in the EU and believe we have not addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

Legal Notice: This Privacy Policy template is provided for informational purposes and should be reviewed by qualified legal counsel before deployment in production. XeOps.ai recommends consulting with a privacy lawyer familiar with GDPR, CCPA, and applicable data protection regulations in your jurisdiction.

© 2025 XeOps.ai. All rights reserved.