Privacy Policy

As of March 2026 | Pursuant to GDPR (EU) 2016/679

1. Data Controller

XERON Engine

Contact: support@xeron-labs.com

For all data protection inquiries, please contact us at the email above.

2. Principles of Data Processing

We process personal data only to the extent necessary and in accordance with applicable law, particularly the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Data is processed on the following legal bases:

  • Art. 6(1)(b) GDPR — Performance of a contract (providing the service)
  • Art. 6(1)(a) GDPR — Consent (e.g. cookies, marketing)
  • Art. 6(1)(c) GDPR — Legal obligation (e.g. invoicing records)
  • Art. 6(1)(f) GDPR — Legitimate interests (e.g. security, fraud prevention)

3. Data We Collect

Account Data: Email address, username, password (hashed), plan/subscription status, created date. Collected during registration. Used to provide your account.

Payment Data: Billing information is processed exclusively by Stripe (our payment processor). XERON Engine only stores a Stripe Customer ID and purchase consent records. We never store full card details.

Usage Data: Prompts submitted, generated content, project names, credit transactions. Used to deliver the service and improve AI quality.

Server Logs: IP address, browser/device info, timestamps. Retained for 30 days for security purposes. Legal basis: Art. 6(1)(f) GDPR.

Cookies: Session cookies (required), theme preference, cookie consent. See our Cookie Policy in the cookie banner.

4. Data Processors

We use the following sub-processors who may process personal data:

  • Supabase (Database & Auth) — EU-hosted, GDPR compliant
  • Stripe (Payments) — PCI DSS Level 1 certified, EU data residency option
  • Anthropic (AI — Claude) — US-based; prompts processed but not retained for training without consent
  • Google (AI — Gemini) — US-based; subject to Google Cloud DPA
  • Vercel (Hosting) — US-based; EU edge network used where possible

All processors have signed Data Processing Agreements (DPAs) as required by Art. 28 GDPR.

5. Your Rights

You have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR) — Request a copy of your data
  • Right to Rectification (Art. 16 GDPR) — Correct inaccurate data
  • Right to Erasure (Art. 17 GDPR) — Request deletion of your account and data
  • Right to Portability (Art. 20 GDPR) — Export your data in machine-readable format
  • Right to Object (Art. 21 GDPR) — Object to processing based on legitimate interests

To exercise your rights, contact: support@xeron-labs.com

6. Data Retention

Account data is retained for the duration of your account plus 30 days after deletion (to allow recovery). Payment and consent records are retained for 10 years as required by German tax law (§ 147 AO). Server logs are deleted after 30 days.

7. International Transfers

Some processors (Anthropic, Google, Vercel) are based outside the EU/EEA. Transfers are conducted under Standard Contractual Clauses (SCCs) or other appropriate GDPR safeguards.