Privacy Policy

How xillix handles your data and protects your privacy.

Last updated: May 19, 2026

Your privacy matters. This policy explains what data xillix products, including LuxonLink, LuxonLeadAssist, and LuxonFlow, collect, what we do not collect, and how your information is used and protected.

What Data xillix Products Collect

📄 Your Documents

What: The documents or approved content you upload or sync to xillix products (PDFs, DOCX, XLSX, PPTX, TXT, MD files), stored encrypted to power search and citations.

Why: To index and process them so xillix products can answer questions from approved content.

How long: For the duration of your subscription. Deleted within 30 days of cancellation (Enterprise can request immediate deletion).

💬 Usage Data

What: Questions asked, answers generated, documents retrieved, timestamps, source/citation metadata, and user identities where authentication is used.

Why: For audit logs, troubleshooting, reporting, and improving answer accuracy.

How long: 90 days (standard plans), 1 year (Enterprise, configurable up to 7 years for compliance).

🌐 Website Visitor Conversations

What: For LuxonLeadAssist and LuxonFlow, this can include website visitor chat messages, contact details visitors choose to provide, handoff requests, agent replies, conversation transcripts, source/citation metadata, and admin or agent access logs.

Why: To answer visitor questions from approved customer-facing content, support follow-up, route or review human handoff requests, and help customers understand common questions.

How long: Based on the applicable plan and customer configuration, subject to deletion rights and account cancellation terms.

👤 Account Information

What: Account admin name, email, company name, billing information.

Why: To manage your account, billing, and provide support.

How long: For the duration of your subscription plus 7 years for tax/legal requirements.

🌐 Technical Data

What: IP addresses, browser type, device type, access times.

Why: For security monitoring, troubleshooting, and abuse prevention.

How long: 90 days in access logs.

What Data We Do NOT Collect

🚫 No Behavioral Tracking

We do not use third-party analytics, tracking pixels, or advertising cookies on xillix product applications. No Google Analytics, no Facebook Pixel, no tracking scripts.

🚫 No Personal Content Analysis

We do not read, analyze, or mine the content of your documents for any purpose other than answering your queries. Automated processing only.

🚫 No Selling or Sharing of Data

We never sell, rent, or share your data with third parties for marketing purposes. Your documents and usage data are yours alone.

How We Use Your Data

✅ Providing the Service

  • Indexing and processing your documents
  • Answering questions with citations
  • Maintaining search functionality and access controls
  • Supporting customer-facing website chat, visitor follow-up, human handoff, and agent inbox workflows where enabled

✅ Security & Compliance

  • Monitoring for unauthorized access or abuse
  • Generating audit logs for compliance requirements
  • Detecting and preventing security threats

✅ Account Management

  • Billing and invoicing
  • Customer support and troubleshooting
  • Service updates and notifications

AI Models & Third-Party Processing

🤖 OpenAI API

xillix uses OpenAI's API for natural language processing. Two options:

1. BYOK (Bring Your Own Key):

  • You provide your own OpenAI API key
  • Your queries go directly to OpenAI using your key
  • OpenAI does not train on API data per their terms
  • You control your OpenAI account and data retention settings

2. xillix-Managed Keys (Enterprise):

  • xillix provides and manages the OpenAI API key
  • Zero data retention (ZDR) enforced with OpenAI
  • Query data is not used for training
  • Processed data is not stored by OpenAI beyond the API request

🚫 We Never Train Models on Your Data

Your documents, queries, and answers are not used to train xillix models or third-party AI models. This is handled through product configuration and vendor terms where applicable.

Data Sharing & Subprocessors

Third-Party Services We Use

xillix uses the following subprocessors to deliver the service. Each has a Data Processing Agreement (DPA) in place.

| Service | Purpose | Data Shared |
|---|---|---|
| Cloud Hosting Provider | Infrastructure hosting | Documents, user data (encrypted) |
| OpenAI | Natural language processing | Query text, visitor messages, and relevant document or approved-content excerpts where needed for answers |
| Cloudflare | Zero Trust access control | Authentication requests, IP addresses |
| Payment Processor | Billing and payments | Billing info, payment data (PCI compliant) |

Note: We update this list if subprocessors change. Enterprise customers are notified 30 days before new subprocessors are added.

Your Rights & Controls

✅ Data Access

You can export your documents and data at any time in standard formats (PDF, DOCX, JSON). Enterprise customers have admin dashboards for self-service export.

✅ Data Correction

Update or correct your account information at any time via your admin dashboard or by contacting support.

✅ Data Deletion

Delete specific documents or your entire account. Upon account deletion, all data is removed within 30 days (Enterprise can request immediate deletion).

✅ Data Portability

Export your data in machine-readable formats. No vendor lock-in—take your documents and go.

✅ Right to Object

Object to data processing for specific purposes (e.g., request that certain documents not be indexed). Contact support to exercise this right.

Data Retention

| Data Type | Retention Period |
|---|---|
| Documents | Duration of subscription + 30 days after cancellation |
| Usage Logs and Conversation Transcripts | 90 days (standard plans), 1 year (Enterprise, configurable), unless a product plan or customer configuration specifies a different transcript retention period |
| Account Info | 7 years after cancellation (tax/legal requirements) |
| Technical Logs | 90 days |

International Data Transfers

xillix infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US.

EU/UK Customers: We provide Standard Contractual Clauses (SCCs) for GDPR compliance. Enterprise customers can request data residency in EU regions.

Data Sovereignty: Enterprise customers in regulated industries can request dedicated instances in specific geographic regions.

Children's Privacy

xillix is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.

Material Changes: If we make material changes that affect how your data is used, we will notify you by email (for account admins) at least 30 days before the change takes effect.

Contact Us

Questions about privacy, data handling, or your rights? We're here to help.

Email: [email protected]

General Inquiries: [email protected]
