Privacy Policy
Last updated: March 27, 2026
Xpylon Ltd ("Xpylon", "we", "us", or "our") operates the Xpylon Connect mobile application and website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Company Information
Xpylon Ltd
2203 Timberloch Pl, Ste 215
The Woodlands, TX 77380
United States
EIN: 99-4745426
1. Information We Collect
1.1 Information You Provide
- Account information: Phone number (for authentication via OTP), first name, last name, email address, company name, job title/role, industry, and bio.
- Profile data: Professional information you share to help us match you with relevant contacts and opportunities.
- Communications: Messages, files, and attachments you send through the platform's chat feature.
- Opportunity listings: Business opportunities you create, including titles, descriptions, tags, and visibility preferences.
- Call recordings: Audio recordings of calls, only when both participants explicitly consent to recording. Recordings are used solely for transcription and summary generation.
1.2 Information Collected Automatically
- Device information: Push notification tokens for delivering notifications to your device.
- Usage data: Online/offline status, last seen timestamps, and message read/delivery receipts.
- AI-generated data: Profile embeddings (mathematical representations of your professional profile) used for smart matching. These are not human-readable.
1.3 Information We Do NOT Collect
- Location data
- Contact list or address book
- Browsing history
- Financial or payment information
- Biometric data
2. How We Use Your Information
- Authentication: We use your phone number to verify your identity via one-time passcodes (OTP) sent by SMS.
- Smart matching: We use AI to analyze your professional profile and match you with relevant professionals and business opportunities.
- Messaging: We store and deliver your messages, attachments, and call data to facilitate communication between connected users.
- Call transcription and summaries: When both parties consent, we transcribe call recordings and generate AI-powered summaries to help you track discussions and action items.
- Content moderation: We use AI to screen business opportunities for scams, fraud, and policy violations to maintain platform integrity.
- Notifications: We send push notifications for new messages, connection requests, incoming calls, reminders, and opportunity matches.
- Follow-up reminders: When you set a reminder, we store it and notify you at the scheduled time.
3. Call Recording & Transcription
Xpylon Connect offers an optional call recording feature designed to help professionals keep track of business discussions. This feature has strict privacy safeguards:
- Dual consent required: Recording can only begin after both participants explicitly consent. Either party can decline, and either can stop the recording at any time.
- Transparency: A visible recording indicator is shown to all participants throughout the recording.
- Purpose limitation: Recordings are used solely to generate transcriptions and AI summaries. They are not shared with third parties, used for advertising, or retained longer than necessary.
- Professional focus: AI summaries extract only business-relevant content (topics, decisions, next steps) and exclude personal conversation.
- Content safety: AI automatically flags potentially inappropriate or harmful content and notifies platform administrators.
4. Privacy-First Networking
Your profile privacy is central to Xpylon Connect's design:
- Anonymized suggestions: When you appear as a match suggestion, other users see only your role, industry, and bio — never your name, company, or contact details.
- Mutual consent: Your full profile is revealed only after you accept a connection request.
- No public profiles: There are no publicly searchable profiles. Connections are made through AI matching or personal invitations only.
5. Data Sharing
We do not sell your personal information. We share data only in these limited circumstances:
- With connected users: When you accept a connection, your profile information becomes visible to that contact.
- Service providers: We use the following third-party services to operate the platform:
  - Twilio — SMS delivery for authentication and invitations
  - OpenAI — AI matching, content moderation, call transcription (Whisper), and conversation summaries (GPT)
  - Expo — Push notification delivery
- Legal requirements: We may disclose information when required by law, regulation, or legal process.
6. Data Security
- All API communication uses HTTPS encryption in transit.
- Authentication tokens (JWT) are short-lived (15 minutes) with secure refresh tokens (7 days).
- Passwords are never stored — we use OTP-based authentication.
- File uploads are validated and restricted (no executable files).
- WebSocket connections are authenticated and membership-verified for every operation.
- Call recordings are processed and deleted after transcription is complete.
7. Legal Basis for Processing (GDPR Art. 6)
We process your personal data under the following legal bases:
- Consent (Art. 6(1)(a)): You provide explicit consent when creating your account by agreeing to this Privacy Policy. You may withdraw consent at any time by deleting your account.
- Performance of a contract (Art. 6(1)(b)): Processing necessary to provide you with the Service (authentication, messaging, opportunity matching).
- Legitimate interests (Art. 6(1)(f)): Content moderation, fraud prevention, and platform security to maintain a trustworthy environment.
8. Data Retention
- Account data: Retained as long as your account is active. Upon account deletion, all personal data is anonymized or erased immediately.
- Messages: Stored until you delete them (soft delete: marked as deleted, with the content removed). When you delete your account, all your messages are marked as deleted.
- Call recordings: Audio files are deleted after transcription is complete. Transcription text and summaries are retained in the conversation and removed when the account is deleted.
- Reminders: Stored until they are sent or cancelled by you. Deleted when the account is removed.
- AI embeddings: Updated whenever your profile changes and permanently deleted when your account is removed.
- Consent records: We retain a timestamp of when you agreed to this Privacy Policy, even after account deletion, to comply with legal obligations.
9. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or any jurisdiction with similar data protection laws, you have the following rights:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may update your profile information at any time through the app settings.
- Right to erasure / "Right to be forgotten" (Art. 17): You may permanently delete your account and all associated data directly from the app (Profile > Delete account). This immediately anonymizes your personal information and removes your messages, opportunities, and connections. Other users will see a "Deleted User" placeholder.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data in certain circumstances.
- Right to data portability (Art. 20): You may request your personal data in a structured, machine-readable format.
- Right to object (Art. 21): You may object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): You may withdraw your consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to exercise your rights: Most rights can be exercised directly through the app. To delete your account: go to Profile > Delete account. For other requests, please contact us at the address listed below. We will respond within 30 days as required by GDPR.
10. Account Deletion
When you delete your account, the following actions are taken immediately:
- Your personal information (name, email, phone number, bio, role, company, profile embedding) is permanently anonymized.
- All messages you sent are marked as deleted. Other users will see "Message deleted".
- All opportunities you created are removed.
- All your connections are disconnected.
- All notification tokens, reminders, and in-app notifications are deleted.
- A system message is posted in your conversations informing other participants that a user has deleted their account.
- Your authentication tokens are invalidated.
This process is irreversible. We retain only a minimal anonymized record to maintain database integrity.
11. International Data Transfers
Your data may be processed by third-party service providers (Twilio, OpenAI, Expo) located outside the EEA. Where such transfers occur, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
12. Demo Mode
Xpylon Connect offers a demo mode for exploring the platform with sample data. In demo mode:
- No real SMS or emails are sent
- Demo data is fully isolated from real user data
- No personal phone numbers are required — you can use pre-configured demo accounts
- Push notifications may still be sent to your device for demonstration purposes
13. Children's Privacy
Xpylon Connect is designed for business professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect information from minors.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Xpylon Ltd
2203 Timberloch Pl, Ste 215
The Woodlands, TX 77380
United States
Email: info@xpylon.com
For GDPR-specific requests: info@xpylon.com (subject: "GDPR Request")