Privacy Policy

XALEN Technology Pvt Ltd ("XALEN", "we", "us", or "our") is committed to protecting the privacy and personal data of our users. This Privacy Policy describes how we collect, use, store, and share information when you use the XALEN platform, API, websites, and related services (the "Service").

This policy is designed to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and applicable international data protection regulations.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Name and email address
• Organization name (if applicable)
• Phone number (optional)
• Billing address and GST identification number (for invoicing)
• Password (stored in hashed form only; we never store plaintext passwords)

1.2 Payment Information

Payment processing is handled by Razorpay. We do not store your full credit card numbers, UPI IDs, or bank account details. We receive and store:

• Transaction IDs and payment status
• Last four digits of card numbers (for display purposes)
• Payment method type (UPI, card, net banking)
• Invoice and billing history

1.3 API Usage Data

When you use the API, we collect:

• API request metadata (timestamps, endpoints called, response codes, latency)
• Token consumption counts (input tokens, output tokens per request)
• Model selections and configuration parameters
• Rate limit events and error logs

1.4 API Inputs and Outputs

We process your API inputs (prompts) and outputs (model responses) solely to provide the Service. We do not use your inputs or outputs to train our models unless you explicitly opt in to a data contribution program. API inputs and outputs are retained for up to 30 days for abuse prevention and debugging, after which they are automatically deleted. Enterprise customers can configure custom retention policies, including zero-retention.

1.5 Website Usage Data

When you visit our websites, we may collect:

• IP address and approximate geographic location
• Browser type, operating system, and device information
• Pages visited, time spent, and referral source
• Interactions with website features (clicks, scrolls)

The following table summarizes the data we collect and its purpose:

Data Category	Purpose	Retention
Account information	Authentication, communication, invoicing	Duration of account + 30 days
Payment data	Transaction processing, refunds, compliance	7 years (tax/legal requirement)
API usage metadata	Billing, analytics, rate limiting	12 months
API inputs/outputs	Service delivery, abuse prevention	30 days (configurable for Enterprise)
Website analytics	Product improvement, marketing	24 months

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: Processing API requests, authenticating users, managing wallets and billing, generating invoices
• Service improvement: Analyzing aggregated, anonymized usage patterns to improve model performance, API reliability, and user experience
• Communication: Sending transactional emails (payment confirmations, low-balance alerts, credit expiry reminders), service announcements, and security notifications
• Security: Detecting and preventing fraud, abuse, rate limit circumvention, and other violations of our Terms of Service
• Legal compliance: Fulfilling tax obligations, responding to legal requests, and maintaining records as required by Indian law
• Support: Responding to your queries, troubleshooting issues, and providing technical assistance

We do not use your data for advertising. We do not sell your data. We do not share your API inputs or outputs with third parties except as described in Section 4.

3. Data Storage and Infrastructure

3.1 Infrastructure

All data is stored on Google Cloud Platform (GCP) infrastructure. Our primary data centers are located in:

• India (asia-south1): Mumbai region -- primary data storage for Indian customers
• United States (us-central1): Iowa region -- secondary region for global availability

3.2 Encryption

All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. API keys are stored using one-way cryptographic hashing and are never stored in plaintext.

3.3 Data Residency

For Enterprise customers, we offer data residency options to ensure your data is stored exclusively within a specified geographic region. Contact enterprise@xalen.io for data residency configurations.

3.4 Backups

Database backups are encrypted and stored in the same region as the primary data. Backups are retained for 30 days and are automatically purged thereafter.

4. Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

• Payment processor (Razorpay): Transaction data necessary to process payments
• Cloud infrastructure (Google Cloud Platform): Data is processed on GCP infrastructure under our data processing agreement with Google
• Legal requirements: When required by Indian law, court order, or government authority with valid legal process
• Business transfers: In the event of a merger, acquisition, or asset sale, user data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy
• With your consent: When you explicitly authorize us to share specific data with a third party

We do not share your API inputs, outputs, or usage data with any third-party AI model providers, advertisers, data brokers, or analytics companies.

5. Cookies and Tracking

5.1 Cookies We Use

Our websites use the following types of cookies:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
• Analytics cookies: Help us understand how visitors interact with our websites. These are anonymized and do not track individuals across sites.
• Preference cookies: Remember your settings (language, theme, dismissed notices).

5.2 Third-Party Tracking

We do not use third-party advertising trackers, social media pixels, or cross-site tracking technologies. We do not participate in any advertising network.

5.3 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

6. Security

We take the security of your data seriously and implement industry-standard measures including:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• API key hashing using bcrypt -- keys are never stored in plaintext
• Role-based access control (RBAC) for internal systems
• Regular security audits and penetration testing
• DDoS protection and Web Application Firewall (WAF)
• Automated vulnerability scanning of infrastructure and dependencies
• Incident response procedures with 24-hour notification to affected users
• Employee access logging and least-privilege access policies

If you discover a security vulnerability, please report it responsibly to security@xalen.io. We do not pursue legal action against good-faith security researchers.

7. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and applicable regulations, you have the following rights:

• Right to Access: You can request a copy of the personal data we hold about you
• Right to Correction: You can request correction of inaccurate or incomplete personal data
• Right to Erasure: You can request deletion of your personal data, subject to legal retention obligations
• Right to Nominate: You can nominate another person to exercise your rights in case of death or incapacity, as provided under the DPDP Act
• Right to Grievance Redressal: You have the right to register a complaint with our Data Protection Officer or, if unsatisfied, with the Data Protection Board of India

To exercise any of these rights, contact us at privacy@xalen.io. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

You can also exercise many of these rights directly from your account dashboard, including downloading your data, updating your information, and deleting your account.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at privacy@xalen.io and we will promptly delete that information.

In accordance with the DPDP Act, 2023, we will not process personal data of children (persons under 18 years of age) without verifiable consent from a parent or legal guardian. We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify registered users by email at least 14 days before the changes take effect
• Provide a summary of key changes in the notification

Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes. If you disagree with any changes, you may close your account as described in our Terms of Service.

10. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

XALEN Technology Pvt Ltd
Pune, Maharashtra, India

Data Protection Officer: privacy@xalen.io
General inquiries: hello@xalen.io
Security issues: security@xalen.io
Billing questions: billing@xalen.io

If you are not satisfied with our response to your privacy concern, you have the right to lodge a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.