Who we are
Xalgorix Labs is the data controller for personal data processed via the Service. Contact our DPO at privacy@xalgorix.com.
Last updated: May 30, 2026
We collect the minimum data needed to run Xalgorix, store it in EU regions, and never sell it. This Policy explains what we collect, why, how long we keep it, and the rights you have under GDPR and similar laws.
Account data: email, name, hashed password (or Google OAuth identifier), company.
Billing data: plan, credit balance, invoices. Card data is handled by our payment processor (Dodo Payments) — we never see or store it.
Scan data: target URLs, scan configurations, findings, and evidence you generate.
Usage logs: IP address, user agent, timestamps. Kept 30 days for security and abuse prevention.
To provide and improve the Service, bill you, secure the platform, and meet legal obligations. Legal bases under GDPR: contract (most processing), legitimate interest (security, abuse prevention), and consent (optional marketing only).
All customer data is stored in EU regions (primary: Frankfurt; backup: Dublin). We do not transfer personal data outside the EU/UK except through Standard Contractual Clauses with named sub-processors.
Account & billing: lifetime of account + 7 years (tax law).
Scan data & findings: lifetime of account, deletable on demand.
Logs: 30 days.
After account closure: 30-day grace window, then permanent deletion.
Only the sub-processors we publish: Cloudflare (edge + storage, EU), Supabase (managed Postgres + authentication, EU), Dodo Payments (billing), and Resend (transactional email). Full current list at /security. We do not sell personal data.
Under GDPR you have the right to access, rectify, erase, port, restrict, and object to processing of your personal data, and to lodge a complaint with your supervisory authority. Email privacy@xalgorix.com — we respond within 30 days.
We use strictly necessary cookies only (authentication, CSRF, preferences). No tracking, no advertising cookies. Details in our Cookie Policy.
The Service is not directed to anyone under 16. We do not knowingly collect data from children.
We post material updates on this page and notify account holders by email at least 30 days before they take effect.