Privacy Policy
Sria Digital B.V. (operating Xavira AI) takes privacy seriously. This Privacy Policy ("Policy") explains how we collect, use, share, store, and protect personal information when you use the Services at xavira.ai and api.xavira.ai.
If you do not agree with any term in this Policy, please discontinue use of the Services. For questions or concerns about our practices, contact hello@xavira.ai (subject "Privacy").
1.Who we are
Sria Digital B.V., a Dutch private limited company registered with the Dutch Chamber of Commerce (KvK), is the data controller for portal accounts and API usage data. For Customer-provided data processed at your direction (prompts, reference images, generated outputs), Sria Digital B.V. acts as a data processor; see the DPA.
Privacy contact: hello@xavira.ai (subject "Privacy").
2.When we collect personal information
We collect personal information when:
- You sign up for the Services (email + password, or via Google/Apple OAuth).
- You interact with the API, including submitting prompts, reference images, traits, callback URLs, idempotency keys, and any metadata.
- You purchase Prepaid Credits via Finby (we receive a confirmation; payment-card data stays with Finby).
- You contact us by email or social media.
- You view the portal: minimal technical metadata (IP, user-agent, page paths) is logged by Netlify and Cloudflare for security and abuse prevention.
3.Types of personal information we collect
3.1 Account data (you provide directly)
- Email address (required, primary identifier).
- Supabase user ID (UUID generated on signup).
- Hashed password or OAuth provider identity (held by Supabase; we never see plaintext passwords).
- Display name and any optional profile fields you provide.
- Credit balance and transaction history.
- API key prefix (first 16 characters) plus the sha256 hash of the full key; we never store plaintext API keys.
- Webhook signing secret (256-bit random hex, used to sign your outbound webhooks).
- Terms-of-Service acceptance timestamp.
3.2 Usage data (collected per API request)
- The API key used (by identifier, not by plaintext).
- Endpoint, HTTP method, timestamp, response status.
- Prompt text submitted (used for the generation and retained for moderation audit).
- For
POST /v1/characters: trait selections; for reference-image mode, the rehosted image stored on Cloudflare R2. - For every generation: model used, RunPod job ID, generation time, output URL.
- Idempotency keys, callback URLs, webhook delivery attempts and timing.
- Rate-limit counters.
- Source IP address and user-agent (kept 90 days for abuse prevention).
3.3 Information from third parties
- Supabase: your account identity (Google/Apple ID where used) plus authentication metadata.
- Finby: payment confirmations (we receive: transaction ID, amount, status; we do NOT receive card numbers or banking credentials).
- OAuth providers (Google, Apple): email address and verification status only.
4.What we do NOT collect
- No client-side analytics on the portal (no Google Analytics, no Facebook Pixel, no Segment, no Mixpanel).
- No advertising cookies. The only cookies on
xavira.aiare functional: Supabase session cookies for portal login. - No biometric data, no precise location data, no special-category data under GDPR Art. 9 (unless you choose to put it in a prompt, which we discourage; see Section 3.2).
- No data from your downstream end-users. If your end-users generate content via your product calling our API, we see your API key + the prompt; we do not see end-user identities unless you choose to include them in a prompt or metadata field.
5.Why we process it (legal basis under GDPR)
| Purpose | Legal basis (GDPR) |
|---|---|
| Operating the API (auth, generation, storage, billing) | Performance of contract (Art. 6(1)(b)) |
| Moderation logging (rule + AI tier outcomes) | Legitimate interest (legal compliance, child safety) (Art. 6(1)(f)) |
| Abuse prevention (rate limit counters, IP allowlists) | Legitimate interest (Art. 6(1)(f)) |
| Tax and accounting records | Legal obligation under Dutch tax law (Art. 6(1)(c)) |
| Service improvement (aggregate metrics, not per-user) | Legitimate interest (Art. 6(1)(f)) |
| Marketing email to existing customers (transactional + product updates) | Legitimate interest with opt-out (Art. 6(1)(f)) |
6.How we use the information
- To provide and operate the Services: running the API, generating Outputs, delivering webhooks, debiting Credits.
- To prevent abuse: rate limiting, moderation, fraud detection, account-takeover detection.
- To respond to your support requests.
- To send service updates, breaking-change notices, incident communications, and (with opt-out) product news.
- To meet legal, regulatory, and tax obligations.
- To improve the Services: Resultant Data (anonymised and aggregated) only; we do not train Models on your Customer Data without your separate consent.
- With your consent for purposes communicated at the time of collection.
7.Sub-processors
We rely on the following third-party services. Each is bound by its own data-processing terms and committed to GDPR-equivalent obligations. We notify customers of additions or replacements at least 30 days in advance via the email on your Account.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication (email/password + OAuth) | EU (Frankfurt) |
| Neon | Postgres database: customer, generation, ledger data | EU (Frankfurt) |
| Netlify | Static + serverless function hosting | US + global CDN |
| Cloudflare | R2 object storage for generated images/videos; DNS | EU + global |
| RunPod | GPU compute (ComfyUI serverless workers) | EU (Romania) |
| OpenRouter (with Mistral models) | Content moderation: Tier 2 text + Tier 3 vision | US (relayed via OpenRouter) |
| Finby | Payment processing (SEPA + crypto) | EU (Slovakia) |
| Hostnet | Domain registrar for xavira.ai | NL |
Cross-border transfers to the United States (Netlify, OpenRouter) rely on the EU Commission's Standard Contractual Clauses (SCCs) under GDPR Article 46.
8.How we share personal information
We may share information with:
- Sub-processors as listed in Section 7, only to the extent strictly necessary to operate the Services.
- Professional advisors (accountants, auditors, legal counsel) under confidentiality.
- Law enforcement or regulators where required by valid legal process, court order, or to protect the legal rights or safety of Xavira, our customers, or third parties.
- Successors in a merger, acquisition, asset purchase, or reorganisation; successor is bound by this Policy or one materially equivalent.
- With your consent for any other purpose disclosed at the time we collect the information.
We do not sell your personal information. We do not "share" it in the technical sense defined by California or other US state privacy laws (no cross-context behavioural advertising).
9.How long we keep it
- Account data: for the lifetime of your Account, plus 30 days after closure for billing reconciliation.
- Generation rows + Output URLs: indefinitely while you have credits and an active Account. On Account closure, deleted within 30 days (earlier deletion on request).
- Credit transaction ledger: 7 years (Dutch tax retention obligation).
- Moderation audit logs: 2 years (safety incidents have long tails).
- Webhook delivery payloads: 30 days for successful deliveries, 90 days for failed (debugging).
- Server access logs (IP, user-agent): 90 days.
- Customer support correspondence: 2 years.
10.Your rights
Under GDPR (and equivalent laws in other jurisdictions) you have the right to:
- Access the personal information we hold about you.
- Rectification: correct inaccurate or incomplete information.
- Erasure ("right to be forgotten"): delete your data, subject to retention required by law.
- Restriction of processing in specific circumstances.
- Portability: receive your data in a structured, commonly used, machine-readable format. You can already export your generation history via
GET /v1/portal/generations. - Objection to processing based on legitimate interests, including marketing.
- Withdraw consent at any time for processing based on consent.
Exercise these rights by emailing hello@xavira.ai with "Data request" in the subject. We respond within 30 days (extendable by 60 days for complex requests, with notification).
You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority in the EU.
11.Online tracking technologies
We use a minimal set of strictly functional cookies on xavira.ai:
- Supabase session cookies (required for portal login; expire on sign-out or after session timeout).
- A small set of preference flags in
localStorage/sessionStorage(e.g. the post-signup terms-acceptance handoff).
We do not use advertising cookies, third-party analytics cookies, or fingerprinting. Your browser can block or delete cookies at any time; if you block the session cookies you will not be able to log in.
12.Security
- Plaintext API keys are never stored; we store sha256 hashes only.
- Webhook signing secrets are 256-bit random hex, scoped per customer.
- All API and portal traffic is served over HTTPS (TLS 1.3, certificates auto-rotated by Netlify).
- Database connections use TLS 1.3; data is encrypted at rest by Neon.
- R2 objects are served over HTTPS with unguessable URL paths.
- Production access to Sub-processor dashboards is limited to two named operators with 2FA. Access events are logged for 90 days.
In the event of a personal-data breach we will notify affected customers and (where required) the Dutch Data Protection Authority within 72 hours of detection, per GDPR Articles 33–34.
13.Children's privacy
Xavira AI is a business-to-business adult-content API. We do not knowingly collect data from anyone under 18. The Services block generation requests depicting under-18 characters at the moderation layer. If you become aware that a child has provided us with personal data, contact us immediately.
14.Links to other websites
Our pages may link to third-party sites (e.g. sub-processor websites). We do not control those sites' privacy practices. Review their policies before sharing data with them.
15.U.S. state-specific notice
We do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) or comparable laws in other US states. Where we act as a service provider / processor for Customer Data, we process it only on Customer's documented instructions.
16.Changes to this Policy
We may revise this Policy. Material changes are notified by email to the address on your Account 30 days before they take effect. Minor edits (typos, clarifications, sub-processor list updates) take effect on publication. The effective date at the top of this page reflects the latest version. Your continued use after the effective date constitutes acceptance.
17.Contact
Sria Digital B.V.
The Netherlands · Dutch KvK registration on file
Privacy + data requests: hello@xavira.ai (subject "Privacy")
General contact: hello@xavira.ai