Privacy Policy

1. Who we are

The xAQUA platform is operated by xFusion Technologies, Inc., a Delaware corporation with offices in California, United States and Pune, India. We are the data controller for personal information collected through our marketing properties and the data processor for data submitted to the platform by our customers under their account.

2. What we collect

From visitors to our websites

• Information you give us: name, email, company, role, and message content when you submit a form, request a demo, apply to a job, or contact us.
• Information collected automatically: IP address, browser type, pages visited, referrer URL, device identifiers, and similar metadata. Used for analytics and security.
• Cookie data: see Section 6 for the full cookie inventory.

From customers and account users

• Account information: name, email, role, organization, password (hashed), authentication method.
• Usage information: sign-ins, prompts, queries, agent activity, configuration changes, billing usage. This is required to operate the platform and is logged for audit purposes.
• Support information: messages, attachments, and call transcripts you share with our support team.

What we do NOT collect

• We do not collect or persist customer business data — the records, fields, and values inside your warehouse, lakehouse, or document store.
• We do not sell personal information.
• We do not use customer data to train foundation models without explicit, written customer authorization.

3. Customer data

When a customer uses the xAQUA platform, the platform may temporarily process customer business data in memory in order to answer a question or complete an automated workflow. This processing occurs under the customer's contractual instructions in their Master Services Agreement and (where applicable) Data Processing Addendum.

We act as a data processor for customer data. The customer is the data controller. Customer data is not retained by xAQUA outside of operational logs, which are themselves subject to retention windows and access controls.

For healthcare workloads under a Business Associate Agreement (BAA), additional restrictions apply per the agreement.

4. How we use information

We use the information we collect to:

• Operate and improve the xAQUA platform and our websites.
• Authenticate users, prevent abuse, and maintain security.
• Respond to inquiries, deliver demos, fulfill contracts, and provide customer support.
• Bill customers and process payments.
• Send service-related communications (incident notifications, security advisories, scheduled maintenance).
• Send marketing communications you have opted into (you can unsubscribe at any time).
• Comply with legal obligations and respond to lawful requests.
• Analyze aggregated, de-identified usage patterns to inform product and roadmap decisions.

5. How we share information

We share information only with parties that are necessary to operate the platform and only under appropriate contractual safeguards.

• Sub-processors: a current list of sub-processors (cloud hosting, identity, analytics, support tooling) is available on request and via your account team.
• Service providers: vendors that operate critical parts of our infrastructure (e.g., AWS, Stripe, our identity provider, our support platform) under standard data processing agreements.
• Professional advisors: auditors, lawyers, and accountants under confidentiality obligations.
• Legal and safety: we may disclose information when required by law, by valid legal process, or where necessary to protect rights, safety, or property.
• Corporate transactions: in the event of a merger, acquisition, or sale of assets, information may be transferred subject to standard transaction protections and notice obligations.

We do not sell personal information. We do not share personal information with advertising networks for cross-context behavioral advertising.

6. Cookies & tracking

Our marketing websites use a small number of cookies. Strictly necessary cookies are always active. Analytics and preference cookies are opt-in for visitors in jurisdictions that require it.

• Strictly necessary: session management, security tokens, load balancing.
• Analytics: aggregated traffic and engagement measurement (a privacy-respecting analytics provider, with IP anonymization).
• Preferences: region, language, dark/light theme preferences.

You can manage your cookie preferences via the consent banner or your browser settings.

7. Data retention

We retain personal information only as long as needed to provide the services, comply with our legal obligations, and resolve disputes. Specifically:

• Account information: retained while the account is active and for a reasonable period after termination per our customer agreements.
• Operational logs: retained for the duration set in the customer's deployment configuration (typically 30 to 365 days, customer-configurable in private deployments).
• Marketing contact information: retained until unsubscribe, plus a short suppression-list window to ensure your preference is honored.
• Backup copies: retained on a rolling basis and overwritten per our backup policy.

8. Security

xAQUA maintains a robust security program described in detail at our Security Center. Highlights include encryption at rest (AES-256) and in transit (TLS 1.3), SSO/SAML support, role-based access control, audit logging, and SOC 2 Type II attestation. No system is perfectly secure; we work continuously to identify and remediate risks. To report a security concern, see the disclosure process at the Security Center.

9. International transfers

xAQUA operates globally. Personal information may be transferred to, processed in, and accessed from countries other than the country in which it was originally collected. Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland, we use Standard Contractual Clauses or another lawful transfer mechanism. EU-region hosting is available for customer workloads where data residency is required.

10. Your rights

Depending on where you live, you may have rights regarding your personal information. We respect these rights regardless of jurisdiction wherever practical:

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate information.
• Deletion: request deletion of your personal information, subject to legal exceptions.
• Portability: request a machine-readable copy of your information.
• Objection / restriction: object to or restrict certain processing.
• Withdraw consent: withdraw consent where processing is based on consent.
• Marketing: opt out of marketing communications at any time.

To exercise these rights, contact privacy@xaqua.io. For California residents, your CCPA/CPRA rights are honored regardless of jurisdiction.

11. Children

xAQUA is an enterprise platform. The services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact privacy@xaqua.io and we will delete it.

12. Changes to this policy

We update this policy periodically as the platform evolves and as the regulatory landscape changes. We post the revised policy with a new effective date. For material changes, we provide at least 30 days' notice via email or in-product notification.

13. How to contact us

For privacy questions, requests, or complaints:

• Email: privacy@xaqua.io
• Mail: xFusion Technologies, Inc., Attn: Privacy Office, California, United States
• EU representative: available on request for GDPR matters

If we cannot resolve your concern, you have the right to contact your local data protection authority.