Privacy Policy - Xerotier

// 01

Scope

This policy covers Xerotier.ai: the public site, the dashboard, the inference router, and the agent mesh that fulfills requests. It does not cover third-party model providers when you route to them directly through your own keys; their policy controls that traffic.

"You" means the operator who signed up. "Your users" means people whose prompts pass through your endpoints. Both sets of data are described below; the controls are yours.

// 02

Data categories

Five categories, named by the system that holds them. Every other field on this page derives from this table.

Data categories: what we hold, the legal basis, and the default retention window.
Category	What it is	Legal basis	Default retention
account	Email, hashed password, project memberships, billing address handed to the payment processor, and date of birth for age verification.	Contract	Life of the account
prompts & completions	The request and response bodies of inference calls when chat history is enabled. Disabled by default for shared endpoints; opt-in per project.	Contract	Until you delete the conversation
uploaded content	Files, images, documents, artifacts, and models you upload.	Contract	Until you delete it
derived intelligence	Facts, memories, summaries, embeddings, and inferred decisions and milestones the product extracts from your conversations to power recall and search.	Contract, legitimate interest (product function)	With the conversation or project; removed on erasure
ledger & usage	Token counts, model id, endpoint id, timestamp, latency, project id. No request or response bodies.	Contract, legitimate interest (billing integrity)	Usage events 90 days, then retained as aggregated rollups for billing integrity
operational telemetry	Mesh lease metadata, audit logs, request logs, activity records, and abuse or compliance reports. Not tool inputs or outputs.	Legitimate interest, legal obligation	Audit logs 90 days; request logs and activity records about 30 days; mesh lease metadata about 30 days

Soft-deleted rows are purged after 90 days. Operators can lower this floor per project to a minimum of one day.

// 03

Why we hold it

Only what the service needs to run. No advertising profiles. No data brokerage. No re-sale.

Route inference requests and bill them.
Surface usage, quotas, and consumption rollups in the dashboard.
Detect abuse, run rate-limiting, and respond to security incidents.
Improve scheduling and prefix-cache affinity using ledger and mesh transcripts; never using prompt or completion bodies.
Comply with tax, accounting, and lawful-process requirements.

// 04

Retention

Retention is per category, listed in the data-categories table above. Two cross-cutting rules:

A soft delete starts a 90-day countdown to hard delete. The hard-delete worker runs on a scheduled queue; receipts are emitted to the operator who initiated the request.
Per-project overrides can lower the soft-delete window to a minimum of one day. Operators set the value in project settings; the router enforces it.

// 05

What we do not do

Easier to state than the inverse, and worth stating:

We do not train models on your prompts or completions. The platform does not produce training-set exports of customer content.
We do not sell or rent personal information to third parties. CCPA "do not sell" is the default.
We do not embed advertising trackers on the public site or the dashboard.
We do not read tool-call inputs or outputs off the mesh. Bodies travel encrypted and are decrypted by the calling agent; the router sees lease metadata only.

To power recall, naming, and search, the product may send your conversation content to a model endpoint to extract memories and summaries. By default that endpoint is ours; you can configure your own. This is processing to run the service for you, not training, and we do not use it to train our models.

// 06

Security

Detail and posture live on the compliance page. Summary:

Transport. TLS at the edge; CurveZMQ with Curve25519 mutual authentication between router and agents.
At rest. AES-256-GCM for service data. Field-level encryption available for sensitive customer columns on request.
Access. Role-based, least-privilege. Production access is logged and scoped per-task.
Disclosure. Vulnerability reports go to contact@xerotier.ai. We acknowledge inside two business days.

// 07

Sub-processors

The third parties that touch your data, by role:

Payment processing. Stripe (billing address, card metadata; full card number never reaches our servers).
Transactional email. Postmark (account, billing, security notifications).
Colocation. Tier-III facilities in the United States. SOC 2 Type II attestations covering the physical environment; see /compliance for the matrix.
Inference and extraction. The default model endpoint that powers chat, naming, memory and intelligence extraction, and humanize. Operated by us unless you configure your own.
Embeddings. The default embedding endpoint used for search and de-duplication.
Web search. The configured search backend when you use research tools.
Model providers (optional). When you bring keys for OpenAI, Anthropic, or another provider, those vendors process the requests you send them. Their privacy policy applies to that traffic.

We update this list when it changes. Material additions are announced before they take effect; the announcement runs in-app and to the email on file.

// 08

Rights and controls

One row per right, one column per control. Every control is something you can do today.

Rights you have under GDPR and CCPA, where the control lives in the product, and how to exercise it.
Right	Where it lives	How to exercise
access	Dashboard → Settings → Data export	Triggers a full data export (account, ledger, prompts when enabled, mesh metadata). Email when ready.
rectification	Dashboard → Settings → Account	Edit name, email, billing address inline. Other fields by emailing contact@xerotier.ai.
erasure	Dashboard → Project → Delete project	Project: Dashboard → Project → Delete project (soft delete now, hard delete after the retention window). Account: Dashboard → Settings → Delete account (self-service, with a grace period). Email contact@xerotier.ai only if you cannot reach the in-product control.
portability	Same as access	Export ships JSON for structured records, ndjson for ledger rows.
objection / restriction	Email contact@xerotier.ai with subject `RESTRICT`	We confirm in writing within 30 days and freeze processing while we work through it.
do not sell / share (CCPA)	Default	We do not sell or share personal information, so this matches our default. We honor Global Privacy Control (GPC) signals as an opt-out request and record the preference.
complaint	Supervisory authority	EU/EEA residents can complain to their national DPA. We will cooperate with the DPA on any inquiry.

// 09

International transfers

Shared services run in the United States. If your account is in the EU/EEA, the UK, or Switzerland, your data crosses borders to reach those services. We rely on Standard Contractual Clauses for the transfer; a Data Processing Agreement covering the SCCs is available on request to contact@xerotier.ai.

Enterprise deployments can pin data residency to a region of your choice; see /compliance.

EU/EEA, UK, and Swiss specifics -- our legal bases, EU representative, and Data Protection Officer -- are published in our EU Privacy Addendum (forthcoming). Contact contact@xerotier.ai for the current DPA and SCCs.

// 10

Children

Xerotier.ai is for adults. You must be 18 to use it. We do not knowingly collect personal information from anyone under 18. If you believe someone under 18 has an account, tell us at contact@xerotier.ai and we will remove it.

// 11

Changes to this policy

Material changes are announced in-app and to the email on file at least 30 days before they take effect. The "last updated" and "effective" dates at the top of this page track every change. Continued use after the effective date means you accept the new terms.

// 12

Contact

Privacy questions, rights requests, DPA requests: contact@xerotier.ai.

Security vulnerabilities: contact@xerotier.ai.

Compliance and DPA paperwork: contact@xerotier.ai.

Postal mail can be requested via contact@xerotier.ai; we confirm an address out-of-band so it stays current.

Privacy policy.