Privacy Policy
Effective date: 19 April 2026. This policy explains how Xenith Intelligence Ltd. processes personal data as a controller. When we process personal data on behalf of our business customers, we do so as a processor under our Data Processing Addendum.
1. Who we are
Xenith Intelligence Ltd.(“Xenith”, “we”) is a company registered in England and Wales and is the controller for personal data described in this policy. For privacy questions, contact privacy@xenithintelligence.com.
2. Personal data we collect
- Account data — name, email, hashed password (via Supabase Auth), company name, country, timezone.
- Billing data — top-up amounts, transaction history, last four digits of payment method. Full card details are handled directly by Stripe and never touch our servers.
- Usage data — agents created, calls placed, call duration, cost breakdown, webhook deliveries, feature usage.
- Technical data — IP address, user-agent, log data, cookies strictly necessary for authentication and session management.
- Communications — support tickets, emails, and any information you choose to send us.
Where our customers use the Services to record calls with their end users, any personal data in those calls is Customer Data and we act as a processor on the customer’s behalf — see our DPA.
3. How we use personal data & legal bases (UK/EU GDPR)
| Purpose | Legal basis |
|---|---|
| Provide, operate, and secure the Services | Contract (Art. 6(1)(b)) |
| Bill for usage and process payments | Contract & legal obligation (Art. 6(1)(b), (c)) |
| Prevent fraud, abuse, and TCPA/PECR violations | Legitimate interest (Art. 6(1)(f)) |
| Improve reliability and performance | Legitimate interest |
| Send service and security notifications | Contract / legitimate interest |
| Marketing emails (with opt-out) | Legitimate interest / consent where required |
| Comply with legal obligations | Legal obligation |
We do not use identifiable Customer Data to train generalised AI models.
4. Who we share data with
We share personal data with service providers that help us run the Services. These act as our processors or, where relevant, as independent controllers for limited purposes:
- Voice AI infrastructure provider — voice AI orchestration (calls, transcripts).
- Supabase — authentication and database hosting.
- Vercel — application hosting and CDN.
- Stripe — payment processing.
- Telephony carriers (e.g. Twilio, Vonage) — PSTN connectivity, where you use our phone numbers.
- Email & support providers — transactional email and ticketing.
A current list of sub-processors is maintained in our DPA. We may also disclose personal data to comply with legal obligations, enforce our Terms, or protect rights, property or safety.
5. International transfers
Some of our providers are located outside the UK/EEA (primarily the United States). Where we transfer personal data outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses, and carry out transfer risk assessments where required.
6. Retention
We retain personal data for as long as your account is active and as needed to provide the Services. After account closure, we delete or anonymise data within 30 days unless a longer period is required for legal, accounting, dispute resolution or anti-fraud purposes (for example, invoice records are kept for 6 years under UK tax law).
7. Your rights
Under the UK/EU GDPR you have the right to access, rectify, erase, restrict or object to our processing of your personal data, to data portability, and to withdraw consent where processing is based on consent. You can exercise these rights by emailing privacy@xenithintelligence.com. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local EU supervisory authority.
California residents have rights under the CCPA/CPRA to know, delete, correct and opt out of the “sale” or “sharing” of personal information. We do not sell personal information and do not share it for cross-context behavioural advertising.
8. Security
We use industry-standard technical and organisational measures, including TLS in transit, encryption at rest for databases, access controls, HMAC-signed webhooks, and audit logging. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
9. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising cookies or third-party trackers for profiling. If this changes, we will update this policy and, where required, obtain your consent.
10. Children
The Services are not directed to individuals under 16 and we do not knowingly collect personal data from children.
11. Changes
We may update this policy from time to time. Material changes will be notified via email or in-app notice before they take effect.
12. Contact
Xenith Intelligence Ltd., registered in England and Wales. Privacy enquiries: privacy@xenithintelligence.com.