Xyronex Ltd is the data controller for information processed through the Xyronex platform.
Account information: Your name (if provided), email address, and password (stored as a one-way hash — we cannot read it).
Workspace content: Conversations with Atlas, notes you save, documents you upload, governance decisions, and any other content you create within the platform. This is the core of the service.
Usage data: Which features you use, when you log in, session duration, and error events. We use this to operate and improve the service.
Technical data: IP address, browser type, and device information. Collected automatically when you access the platform.
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing and operating the Xyronex service | Contract (Art. 6(1)(b)) |
| Processing your questions through AI models | Contract (Art. 6(1)(b)) |
| Sending account and security emails (password reset, verification) | Contract (Art. 6(1)(b)) |
| Security, fraud prevention, and abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Improving and developing the platform | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We use the following third parties to deliver the service. Each is bound by a data processing agreement.
| Processor | Purpose | Location |
|---|---|---|
| Anthropic | AI language model processing (Claude) | United States |
| OpenAI | AI language model processing (optional fallback) | United States |
| Google (Gemini) | AI language model processing (optional fallback) | United States |
| DigitalOcean | Cloud hosting and infrastructure | United Kingdom / EU |
| Resend | Transactional email delivery | United States |
| OpenAI | Text embeddings for semantic search | United States |
When your questions are processed by an AI model, the text of your question and relevant context from your workspace is sent to that provider. These providers are prohibited from using your data to train their models under our agreements with them.
Several of our AI and infrastructure providers are based in the United States. Transfers to these providers are made under the UK International Data Transfer Agreement (UK IDTA) or Standard Contractual Clauses (SCCs) as approved by the UK ICO. You can request a copy of the relevant safeguards by emailing [email protected].
Under UK GDPR, you have the right to:
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
We implement technical and organisational measures to protect your data, including TLS encryption in transit, bcrypt password hashing, encrypted database backups, and access controls that limit which staff can access production data. No system is perfectly secure — if you discover a vulnerability, please report it to [email protected].
Xyronex does not currently use tracking or advertising cookies. We store your authentication token in browser local storage to keep you logged in. No third-party analytics cookies are set.
Xyronex is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it promptly.
We may update this policy from time to time. Material changes will be notified by email to registered account holders at least 14 days before taking effect. The "last updated" date at the top of this page reflects the current version. Continued use of the service after changes take effect constitutes acceptance of the revised policy.
For any privacy questions or to exercise your rights: