Privacy Policy

Last Updated: January 11, 2025

1. Introduction

Xenonlabs.AI ("we," "our," or "us") operates XeRAG, an AI-powered document management and retrieval system. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

2. Information We Collect

2.1 Information You Provide

Account Information:

  • Name
  • Email address
  • Organization name
  • Password (encrypted)
  • Profile information

Content You Upload:

  • Documents (PDFs, Word, Excel, PowerPoint, text files)
  • Queries and search terms
  • Chat history
  • Folder structure and organization
  • File metadata

Payment Information:

  • Billing address
  • Payment card details (processed by our payment processor, not stored by us)
  • Transaction history

Communications:

  • Contact form submissions
  • Email correspondence
  • WhatsApp messages
  • Support tickets
  • Feedback and surveys

2.2 Information Automatically Collected

Usage Data:

  • Pages visited
  • Features used
  • Time spent on the Service
  • Click patterns
  • Document access patterns
  • Query performance metrics

Device Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device identifiers
  • Screen resolution
  • Time zone settings

Cookies and Tracking:

  • Session cookies
  • Authentication tokens
  • Preference settings
  • Analytics cookies
  • Performance monitoring

3. How We Use Your Information

3.1 To Provide the Service

  • Process and analyze your documents
  • Generate AI-powered responses to your queries
  • Maintain your account and preferences
  • Provide search and retrieval functionality
  • Store and organize your content
  • Enable collaboration features

3.2 To Improve the Service

  • Analyze usage patterns
  • Identify and fix bugs
  • Develop new features
  • Optimize performance
  • Enhance AI model accuracy
  • Improve user experience

3.3 To Communicate With You

  • Send service announcements
  • Provide customer support
  • Respond to inquiries
  • Send marketing communications (with your consent)
  • Notify you of updates and changes
  • Request feedback

3.4 For Security and Compliance

  • Detect and prevent fraud
  • Protect against unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Respond to legal requests
  • Protect our rights and property

4. How We Share Your Information

4.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal information or document content to third parties for marketing purposes.

4.2 Service Providers

We share information with trusted service providers who help us operate the Service:

Cloud Infrastructure:

  • Amazon Web Services (AWS) - for hosting and data storage
  • Data is stored in encrypted format
  • Location: [Specify AWS region, e.g., ap-southeast-2]

AI Processing:

  • AWS Bedrock - for AI model processing
  • Anthropic Claude - for natural language processing
  • Your data is processed but not used to train public models

Payment Processing:

  • [Payment processor name] - for subscription payments
  • They handle payment card information according to PCI-DSS standards

Analytics:

  • Usage analytics for service improvement
  • Anonymized and aggregated data only

Communication:

  • Email service providers for transactional emails
  • Customer support platforms

4.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

4.4 Legal Requirements

We may disclose information if required to:

  • Comply with law, regulation, or legal process
  • Respond to government requests
  • Enforce our Terms of Service
  • Protect our rights, privacy, safety, or property
  • Protect users or the public from harm

4.5 With Your Consent

We may share information for other purposes with your explicit consent.

5. Data Security

5.1 Security Measures

We implement industry-standard security measures:

Encryption:

  • TLS/SSL for data in transit
  • AES-256 encryption for data at rest
  • Encrypted database connections
  • Secure API communications

Access Controls:

  • Multi-factor authentication options
  • Role-based access controls
  • Regular access audits
  • Principle of least privilege

Infrastructure Security:

  • AWS security best practices
  • Regular security updates
  • Firewalls and intrusion detection
  • DDoS protection
  • Security monitoring and logging

Application Security:

  • Regular security audits
  • Penetration testing
  • Secure coding practices
  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)

5.2 Security Limitations

No security system is impenetrable. While we use reasonable efforts to protect your information, we cannot guarantee absolute security. You are responsible for:

  • Maintaining confidentiality of your credentials
  • Choosing a strong password
  • Not sharing your account
  • Reporting suspected security breaches

6. Data Retention

6.1 Active Accounts

We retain your information for as long as your account is active or as needed to provide services.

6.2 Account Deletion

When you delete your account:

  • Your documents and content are deleted within 30 days
  • Backup copies are deleted within 90 days
  • Some information may be retained for legal compliance

6.3 Legal Requirements

We may retain certain information for:

  • Legal obligations (e.g., tax, accounting)
  • Dispute resolution
  • Enforcing our agreements
  • Preventing fraud and abuse

7. Your Rights and Choices

7.1 Access and Portability

You have the right to:

  • Access your personal information
  • Download your documents
  • Export your data in a portable format
  • Request a copy of your information

7.2 Correction and Deletion

You can:

  • Update your profile information
  • Correct inaccurate data
  • Delete documents and content
  • Request account deletion

7.3 Data Processing

You can:

  • Object to certain processing activities
  • Restrict processing of your data
  • Withdraw consent where processing is based on consent

7.4 Marketing Communications

You can opt out of:

  • Marketing emails (via unsubscribe link)
  • Promotional communications
  • Newsletter subscriptions

You cannot opt out of:

  • Service-related announcements
  • Security alerts
  • Billing notifications

7.5 Cookies

You can control cookies through your browser settings. However, disabling cookies may affect Service functionality.

8. Children's Privacy

XeRAG is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy.

Data Transfer Mechanisms:

  • Standard Contractual Clauses
  • Privacy Shield equivalent protections
  • Adequacy decisions where applicable

10. AI and Data Processing

10.1 How We Use AI

  • AI models process your documents to enable search and Q&A functionality
  • AI-generated responses are based solely on your uploaded content
  • We use AWS Bedrock and Anthropic Claude models
  • Processing happens in real-time and is not stored separately

10.2 AI Training

Your Data is NOT Used:

  • We do not use your documents to train public AI models
  • Your content is not shared with other users
  • Your queries are not used to improve models for other customers

Aggregated Data:

  • We may use anonymized, aggregated usage patterns for service improvement
  • This data cannot be traced back to individual users

10.3 AI Accuracy

  • AI responses may contain errors
  • You should verify critical information
  • We are not responsible for decisions based on AI outputs

11. Third-Party Links and Services

Our Service may contain links to third-party websites or integrate with third-party services. We are not responsible for their privacy practices. We encourage you to read their privacy policies.

12. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights:

Right to Know: What personal information we collect, use, and share Right to Delete: Request deletion of your personal information Right to Opt-Out: Of sale of personal information (we don't sell data) Right to Non-Discrimination: For exercising your privacy rights

To exercise these rights, contact us at contact@xenonlabs.ai.

13. European Privacy Rights (GDPR)

If you are in the European Economic Area, you have rights under GDPR:

Legal Basis for Processing:

  • Contract performance (to provide the Service)
  • Legitimate interests (to improve and secure the Service)
  • Consent (for marketing communications)
  • Legal obligations

Data Protection Officer: [Contact information if applicable]

Supervisory Authority: You have the right to lodge a complaint with your local data protection authority.

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

14.2 Material Changes

For material changes, we will:

  • Notify you via email
  • Display a prominent notice on the Service
  • Request your consent if required by law

14.3 Your Continued Use

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

15. Contact Us

15.1 Privacy Inquiries

For questions about this Privacy Policy or our privacy practices:

Email: contact@xenonlabs.ai WhatsApp: +91-9845398678 Mail: [Your physical address]

15.2 Data Subject Requests

To exercise your privacy rights or make data requests, please contact us using the methods above. We will respond within the timeframe required by applicable law.

16. Data Processing Agreement (DPA)

Enterprise customers requiring a Data Processing Agreement should contact us at contact@xenonlabs.ai.

17. Security Incidents

If we become aware of a security incident affecting your personal information, we will:

  • Notify you promptly as required by law
  • Take steps to mitigate the impact
  • Provide information about the incident
  • Describe steps you can take to protect yourself

18. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

19. Biometric Data

We do not collect or process biometric data.

20. Acknowledgment

By using XeRAG, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

For the most current version of our Privacy Policy, please visit this page regularly.

Last updated: December 2, 2025