This Privacy Policy explains how Xcos Global (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you use the Xcos service (“the Service”). We are committed to protecting your privacy and handling your data transparently.
This policy applies to all users globally, including users in the European Economic Area (EEA), United Kingdom, India, and other jurisdictions with data protection laws.
Xcos Global is the data controller for the personal data processed through the Service. For users in the EEA/UK, we are the controller under the General Data Protection Regulation (GDPR).
| Data | Purpose | Retention |
|---|---|---|
| Phone number | Authentication (OTP login) | Until account deletion |
| Email address | Billing, notifications, support | Until account deletion |
| Display name | Personalisation | Until account deletion |
When you use the Service, we process business data you provide through conversations, including:
This data is stored as structured claims in our memory system, scoped to your business (tenant). It is never shared with other users or businesses.
We store the text of your conversations with Xcos to provide context-aware responses and maintain conversation history. Conversations are tied to your account and business, and are not used to train AI models.
| Data | Purpose |
|---|---|
| Message count, token usage | Billing, usage limits, service operation |
| IP address | Security, fraud prevention |
| Browser/device info | Service compatibility, debugging |
| Access timestamps | Security auditing |
When you connect third-party services (Shopify, Razorpay, HubSpot, etc.), we access data from those services on your behalf. This data is processed in real-time and displayed in your conversations. We store integration credentials (encrypted) and cache aggregated metrics for performance. We do not permanently store raw data from third-party services beyond what is needed for active conversations.
We process your data for the following purposes:
We do not use your data to train AI models, serve advertising, or build profiles for purposes unrelated to the Service, and we do not sell it to third parties.
For users in the EEA/UK, we process personal data under the following legal bases:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Service delivery & memory | Performance of contract | Art. 6(1)(b) |
| Authentication & security | Legitimate interest | Art. 6(1)(f) |
| Billing & invoicing | Performance of contract | Art. 6(1)(b) |
| Third-party integrations | Consent (you connect them) | Art. 6(1)(a) |
| Service improvement | Legitimate interest (anonymised) | Art. 6(1)(f) |
| Legal obligations | Legal obligation | Art. 6(1)(c) |
Xcos uses artificial intelligence (large language models) to process your messages and generate responses. This involves:
Xcos does not make fully automated decisions with legal or similarly significant effects on you. All high-risk actions (financial transactions, external communications, pricing changes) require explicit human approval before execution.
Under GDPR Article 22, you have the right not to be subject to purely automated decision-making with significant effects. Xcos’s design ensures human oversight for all material actions.
We use Anthropic’s Claude as our primary AI model. Under our agreement with Anthropic, your data sent for processing is not used to train their models. Data is processed in-session and not retained by Anthropic beyond the API request lifecycle.
We share your data with the following categories of recipients, only as necessary to provide the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Anthropic | AI model inference | Conversation text, business context |
| Razorpay | Payment processing | Email, payment details |
| Cloud hosting provider | Infrastructure | All data (encrypted at rest) |
| Email service provider | Transactional email | Email address, message content |
When you connect a third-party service, we access their APIs on your behalf. We share only the authentication tokens and API requests necessary to fulfil your instructions. You can disconnect any integration at any time.
We may disclose your data if required by law, subpoena, or court order, or if we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Xcos Global, our users, or the public.
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Business memory (claims) | Until you delete your account, with automated confidence decay |
| Conversation history | Until you delete your account or individual threads |
| Billing records | 7 years after creation (legal obligation) |
| Audit logs | 3 years (legitimate interest: security) |
| Usage metrics | Aggregated and anonymised after 12 months |
After account deletion, we remove personal data within 30 days. Anonymised and aggregated data may be retained indefinitely for statistical purposes.
Depending on your jurisdiction, you have the following rights regarding your personal data:
In addition to the above, you have:
Under the Digital Personal Data Protection Act 2023, you have similar rights including access, correction, erasure, and grievance redressal. Contact our Grievance Officer at privacy@xcos.ai.
You can exercise most rights directly through the Service:
For any request we cannot fulfil through the UI, email privacy@xcos.ai. We will respond within 30 days (or sooner if required by law).
We implement appropriate technical and organisational measures to protect your data:
No system is 100% secure. If we discover a data breach that affects your personal data, we will notify you and relevant authorities in accordance with applicable law (within 72 hours for GDPR).
Xcos uses minimal client-side storage:
We do not use advertising cookies, analytics trackers, or third-party tracking scripts. We do not fingerprint devices or track users across websites.
The Service is not directed at individuals under 18 years old (or the age of majority in their jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@xcos.ai and we will promptly delete it.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.
For privacy-related questions, requests, or complaints:
If you are unsatisfied with our response, EEA/UK users can lodge a complaint with their local Data Protection Authority. Indian users can contact the Data Protection Board of India.