XFactorAi — Privacy Policy

1. Who We Are
XFACTORAI INC, registered in Vanuatu, with its registered office at Top Floor Kumul Hwy, Port Vila, Vanuatu (“XFactorAi,” “we,” “us”), provides AI-powered negotiation and communication tools (the “Services”). We respect your privacy and are committed to protecting it.

2. What This Policy Covers
This Policy explains how we handle personal data when you use our Services, including:
• What data we collect and process
• Our role vs. your role in processing
• Retention, transfers, and sub-processors
• Your rights under laws like GDPR and CCPA/CPRA

3. Our Role vs. Your Role
• You (or your organization) are the Data Controller. You decide why and how to process your content.
• We are the Data Processor. We act strictly on your instructions, process User Content to deliver the Services, and delete it when no longer needed.
• If you store threads, you remain responsible for ensuring you have the right to keep that data (e.g., emails that involve other people).

By submitting User Content, you confirm you have obtained all necessary rights and consents. If you upload third-party data without a valid lawful basis, you are solely liable for any resulting claims, fines, or penalties. XFactorAi disclaims all responsibility.

4. What Data We Process
a. User Content
• Emails, messages, documents, or recordings you submit.
• Default: Deleted at the end of each session.
We record minimal operational telemetry (routing decisions, analyzer gating, compliance mode, anonymized risk bands). This data is masked or anonymized and may be sent to third-party systems you configure (e.g., Salesforce, Slack, Zapier) via signed webhooks. You control these integrations.
• If storage enabled: Retained only at your request and until you delete it or close your account.
b. Operational Data
• Metadata such as timestamps, request size, browser/device type, and status codes.
• Used for security, auditing, and performance monitoring.
• Does not include the contents of your inputs or outputs.

5. How We Use Data
We use data only to:
• Process your inputs and generate outputs
• Provide and improve our Services
• Maintain security and performance
• Comply with legal obligations
We do not:
• Sell your data
• Use User Content for advertising
Default retention & residency: Unless you set stricter admin controls, we retain Raw Inputs for up to 90 days (session data auto-deletes unless storage enabled), Derived Metrics & Telemetry for up to 365 days, and Backups for a rolling 30-day cycle. Data is stored in your selected residency region (EU, US, AU, etc.) and never replicated cross-region without legal safeguards.
• Repurpose User Content for unrelated purposes

6. Data Retention
We retain data only as long as necessary:
• Session Content: Deleted at session end unless thread storage is enabled.
• Stored Threads: Kept until you delete them or close your account.
• Logs: Operational metadata retained for security, auditing, or legal compliance.
• Anonymization: Where possible, we may anonymize data instead of deleting it to preserve service integrity without retaining personal information.
Retention is guided by factors such as sensitivity of data, legal requirements, and technical feasibility.

7. Sub-Processors
We may use trusted sub-processors, including:
• OpenAI API (for outputs)
We store and process data in your selected residency region. Cross-border transfers occur only with legal safeguards such as SCCs/UK Addendum or equivalent. In regions requiring localization (e.g., CN), processing is limited to that region.
• Cloud hosting providers (infrastructure)
We ensure all sub-processors apply appropriate security and privacy protections. Customers will be notified of new sub-processors.

8. International Data Transfers
We acknowledge requests within 10 business days where required (e.g., CCPA/CPRA) and respond within the legal timeframe (EU/UK: 1 month; US-CA/CO/VA/CT/UT: 45 days, extendable once). Exports include all metadata. Deletes cascade to backups and indices within 24h of completion.
• EU/UK Users: We rely on Standard Contractual Clauses (SCCs) and the UK Addendum for transfers.
• California Users: We comply with CCPA/CPRA rules for service providers.
• Global Users: Transfers are protected by appropriate safeguards as required.

9. Your Rights
Depending on your jurisdiction, you may have the right to:
• Access – receive a copy of your personal data
• Correct – update inaccurate or incomplete data
• Delete – request erasure of your data (“right to be forgotten”)
• Restrict – limit how your data is used in certain cases
• Portability – request a copy in a structured, machine-readable format
• Object – object to certain types of processing
• Withdraw consent – if processing is based on consent, withdraw at any time
To exercise these rights, contact us at compliance@xfactorai.com We will respond in accordance with applicable laws.
California-specific disclosure:
We do not sell personal information. We only act as a service provider as defined under the CCPA/CPRA.

10. Security
We use encryption, access controls, monitoring, and regular reviews to protect data. However, no system is 100% secure. We encourage you to use caution when sharing sensitive content.
If required by law, we will notify you of any data breach affecting your personal data.

11. Children’s Privacy
Our Services are not directed at children under 18. We do not knowingly collect data from minors.

12. Changes to This Policy
We may update this Policy from time to time.
• Material changes: We will notify you through the Services or by email.
• Minor updates: Reflected in the Policy posted online.

13. Jurisdictional Use of Services
You are responsible for ensuring that your use of the Services complies with the laws and regulations of your jurisdiction, including any restrictions on processing personal data. Certain features of the Services (such as automated processing of emails, texts, or recordings) may not be lawful in all regions.
By using the Services, you confirm that you have the necessary rights, permissions, and consents to upload or process any personal data through XFactorAi in your jurisdiction. XFactorAi does not accept responsibility for unlawful use of the Services in violation of applicable law.

14. Contact Us
For privacy questions or requests, contact us at:
XFACTORAI INC (Vanuatu)
contact@xfactorai.com