Privacy Policy

Xybern Ltd. ("Xybern," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered reasoning platform and related services.

This policy applies to:

• Users of the Xybern platform and services
• Visitors to our website (xybern.com)
• Enterprise customers and their authorized users
• Individuals who contact us for support or inquiries
• Job applicants and candidates

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

Data Controller: Xybern Ltd. is the data controller responsible for your personal data.

EU Representative: For users in the European Economic Area, you may also contact our EU representative at eu-privacy@xybern.com.

We collect different types of information depending on how you interact with our Services:

3.1 Information You Provide

• Account Information: Name, email address, password (hashed), job title, organization name, phone number (optional)
• Profile Information: Professional role, department, preferences, profile photo (optional)
• Workspace Content: Documents you upload, prompts you submit, research queries, annotations, and notes
• Communication Data: Support tickets, feedback, emails, and chat messages with our team
• Payment Information: Billing address, payment method details (processed by our payment provider)
• Job Applications: Resume, cover letter, work history, references (for applicants)

3.2 Information Collected Automatically

• Usage Data: Features used, actions taken, time spent, search queries, click patterns
• Device Information: Device type, operating system, browser type and version, screen resolution
• Log Data: IP address, access times, pages viewed, referring URLs, error logs
• Location Data: General geographic location based on IP address (not precise location)
• Cookies & Tracking: Session identifiers, preferences, analytics data (see Section 13)

3.3 Information from Third Parties

• SSO Providers: Identity information from your organization's identity provider
• Connected Services: Data from integrations you authorize (S3, SharePoint, databases)
• Business Partners: Referral information, enterprise customer data
• Public Sources: Publicly available professional information

We use your personal data for the following purposes:

4.1 Service Delivery

• Providing and maintaining the Xybern platform
• Processing your prompts and generating AI-powered outputs
• Managing your account and workspace
• Enabling collaboration features
• Processing payments and managing subscriptions

4.2 Service Improvement

• Analyzing usage patterns to improve features (using aggregated, anonymized data)
• Developing new products and services
• Conducting research and analytics
• Testing and quality assurance

4.3 Communication

• Sending service-related notifications and updates
• Responding to your inquiries and support requests
• Providing technical assistance
• Sending marketing communications (with your consent)

4.4 Security & Compliance

• Protecting against fraud, abuse, and security threats
• Enforcing our Terms of Service
• Complying with legal obligations
• Maintaining audit logs for compliance purposes

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

Xybern uses artificial intelligence and machine learning to provide our Services. Here's how we handle your data in relation to AI:

6.1 How AI Processing Works

• Prompt Processing: Your prompts are sent to AI models to generate responses. This data is processed in real-time and not retained by model providers for training.
• Multi-Model Routing: We may route prompts to multiple AI models to achieve consensus and improve accuracy.
• Workspace Isolation: Your data is logically isolated from other customers' data.

6.2 Model Provider Agreements

Our agreements with AI model providers (such as OpenAI) include:

• Strict prohibitions on using customer data for model training
• Data processing agreements compliant with GDPR
• Confidentiality obligations
• Security requirements

6.3 Automated Decision-Making

Our Services may involve automated processing, but we do not make decisions with legal or similarly significant effects based solely on automated processing without human review.

We do not sell your personal data. We may share your data in the following circumstances:

7.1 With Your Organization

If you use Xybern through an enterprise account, your organization's administrators may have access to your account information and usage data.

7.2 Service Providers

We share data with trusted service providers who assist in operating our Services, subject to confidentiality obligations. See Section 8 for our subprocessor list.

7.3 Legal Requirements

We may disclose data when required by law, legal process, or government request, or to protect the rights, property, or safety of Xybern, our users, or others.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such change.

7.5 With Your Consent

We may share data with third parties when you have given explicit consent.

We use the following categories of subprocessors to deliver our Services:

Enterprise customers may request a complete subprocessor list and receive notifications of changes as part of their Data Processing Agreement.

Your data may be transferred to and processed in countries outside your country of residence, including the United States and United Kingdom.

9.1 Transfer Mechanisms

When transferring data outside the EEA/UK, we use appropriate safeguards:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms
• UK International Data Transfer Agreement: For UK data transfers
• Adequacy Decisions: Transfers to countries with adequate protection
• Supplementary Measures: Additional technical and organizational measures

9.2 Data Residency Options

Enterprise customers may request:

• EU-only data residency
• UK-only data residency
• US-only data residency
• Dedicated infrastructure environments

We retain your data only as long as necessary for the purposes described in this policy:

Upon account termination, we will delete or anonymize your data within the retention periods specified above, unless legally required to retain it longer.

We implement comprehensive security measures to protect your data:

11.1 Breach Notification

In the event of a data breach affecting your personal data, we will:

• Notify affected users within 72 hours of becoming aware
• Notify relevant supervisory authorities as required by law
• Provide information about the nature of the breach and remediation steps

Depending on your location, you may have the following rights regarding your personal data:

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@xybern.com. We will respond within 30 days (or as required by applicable law).

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. In the UK, this is the Information Commissioner's Office (ICO).

We use cookies and similar technologies to enhance your experience:

13.1 Types of Cookies

13.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of our Services.

13.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals. We do not engage in cross-site tracking.

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

If you believe we have inadvertently collected data from a child, please contact us at privacy@xybern.com.

Given that our Services are used by legal, finance, and compliance professionals, we take additional precautions with sensitive data:

15.1 Financial Data

• We do not store complete payment card numbers (handled by Stripe)
• Financial documents you upload are encrypted and access-controlled
• We maintain PCI DSS compliance for payment processing

15.2 Legal Professional Privilege

• We implement technical measures to protect privileged communications
• We will not access your workspace content without authorization
• Enterprise customers can implement additional access controls

15.3 Special Categories of Data

We do not intentionally collect special categories of personal data (e.g., health data, biometric data, political opinions). If you upload documents containing such data, you are responsible for ensuring you have the appropriate legal basis.

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you by email or through the Services
• For material changes, we will provide at least 30 days' notice

Your continued use of the Services after the effective date of changes constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, please contact us: