Privacy Policy

📄 Your Documents

What: The documents you upload or sync to LuxonLink (PDFs, DOCX, XLSX, PPTX, TXT, MD files), stored encrypted to power search and citations.

Why: To index and process them so LuxonLink can answer questions.

How long: For the duration of your subscription. Deleted within 30 days of cancellation (Enterprise can request immediate deletion).

💬 Usage Data

What: Questions asked, answers generated, documents retrieved, timestamps, and user identities (for internal deployments with authentication).

Why: For audit logs, compliance, and improving answer accuracy.

How long: 90 days (LuxonLink), 1 year (Enterprise, configurable up to 7 years for compliance).

👤 Account Information

What: Account admin name, email, company name, billing information.

Why: To manage your account, billing, and provide support.

How long: For the duration of your subscription plus 7 years for tax/legal requirements.

🌐 Technical Data

What: IP addresses, browser type, device type, access times.

Why: For security monitoring, troubleshooting, and abuse prevention.

How long: 90 days in access logs.

🚫 No Behavioral Tracking

We do not use third-party analytics, tracking pixels, or advertising cookies on the LuxonLink application. No Google Analytics, no Facebook Pixel, no tracking scripts.

🚫 No Personal Content Analysis

We do not read, analyze, or mine the content of your documents for any purpose other than answering your queries. Automated processing only.

🚫 No Selling or Sharing of Data

We never sell, rent, or share your data with third parties for marketing purposes. Your documents and usage data are yours alone.

✅ Providing the Service

• Indexing and processing your documents
• Answering questions with citations
• Maintaining search functionality and access controls

✅ Security & Compliance

• Monitoring for unauthorized access or abuse
• Generating audit logs for compliance requirements
• Detecting and preventing security threats

✅ Account Management

• Billing and invoicing
• Customer support and troubleshooting
• Service updates and notifications

🤖 OpenAI API

xillix uses OpenAI's API for natural language processing. Two options:

1. BYOK (Bring Your Own Key):

• You provide your own OpenAI API key
• Your queries go directly to OpenAI using your key
• OpenAI does not train on API data per their terms
• You control your OpenAI account and data retention settings

2. xillix-Managed Keys (Enterprise):

• xillix provides and manages the OpenAI API key
• Zero data retention (ZDR) enforced with OpenAI
• Query data is not used for training
• Processed data is not stored by OpenAI beyond the API request

🚫 We Never Train Models on Your Data

Guaranteed: Your documents, queries, and answers are never used to train LuxonLink's models or any third-party AI models. This is enforced by contract and system architecture.

Third-Party Services We Use

xillix uses the following subprocessors to deliver the service. Each has a Data Processing Agreement (DPA) in place.

Note: We update this list if subprocessors change. Enterprise customers are notified 30 days before new subprocessors are added.

✅ Data Access

You can export your documents and data at any time in standard formats (PDF, DOCX, JSON). Enterprise customers have admin dashboards for self-service export.

✅ Data Correction

Update or correct your account information at any time via your admin dashboard or by contacting support.

✅ Data Deletion

Delete specific documents or your entire account. Upon account deletion, all data is removed within 30 days (Enterprise can request immediate deletion).

✅ Data Portability

Export your data in machine-readable formats. No vendor lock-in—take your documents and go.

✅ Right to Object

Object to data processing for specific purposes (e.g., request that certain documents not be indexed). Contact support to exercise this right.

xillix infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US.

EU/UK Customers: We provide Standard Contractual Clauses (SCCs) for GDPR compliance. Enterprise customers can request data residency in EU regions.

Data Sovereignty: Enterprise customers in regulated industries can request dedicated instances in specific geographic regions.

xillix is not intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.

Material Changes: If we make material changes that affect how your data is used, we will notify you by email (for account admins) at least 30 days before the change takes effect.