Privacy Policy

Sria Digital B.V. (operating Xavira AI) takes privacy seriously. This Privacy Policy ("Policy") explains how we collect, use, share, store, and protect personal information when you use the Services at xavira.ai and api.xavira.ai.

Effective date: 2026-05-21 · Version: 1.1 · Last updated 2026-05-21
Draft template. Reviewed for completeness but not by counsel. If you operate in regulated industries or need a controller-level privacy notice for your end-users, build your own. This document covers Xavira's relationship with you (the developer / business), not your end-users.

If you do not agree with any term in this Policy, please discontinue use of the Services. For questions or concerns about our practices, contact hello@xavira.ai (subject "Privacy").

1.Who we are

Sria Digital B.V., a Dutch private limited company registered with the Dutch Chamber of Commerce (KvK), is the data controller for portal accounts and API usage data. For Customer-provided data processed at your direction (prompts, reference images, generated outputs), Sria Digital B.V. acts as a data processor; see the DPA.

Privacy contact: hello@xavira.ai (subject "Privacy").

2.When we collect personal information

We collect personal information when:

3.Types of personal information we collect

3.1 Account data (you provide directly)

3.2 Usage data (collected per API request)

3.3 Information from third parties

4.What we do NOT collect

5.Why we process it (legal basis under GDPR)

PurposeLegal basis (GDPR)
Operating the API (auth, generation, storage, billing)Performance of contract (Art. 6(1)(b))
Moderation logging (rule + AI tier outcomes)Legitimate interest (legal compliance, child safety) (Art. 6(1)(f))
Abuse prevention (rate limit counters, IP allowlists)Legitimate interest (Art. 6(1)(f))
Tax and accounting recordsLegal obligation under Dutch tax law (Art. 6(1)(c))
Service improvement (aggregate metrics, not per-user)Legitimate interest (Art. 6(1)(f))
Marketing email to existing customers (transactional + product updates)Legitimate interest with opt-out (Art. 6(1)(f))

6.How we use the information

7.Sub-processors

We rely on the following third-party services. Each is bound by its own data-processing terms and committed to GDPR-equivalent obligations. We notify customers of additions or replacements at least 30 days in advance via the email on your Account.

Sub-processorPurposeLocation
SupabaseAuthentication (email/password + OAuth)EU (Frankfurt)
NeonPostgres database: customer, generation, ledger dataEU (Frankfurt)
NetlifyStatic + serverless function hostingUS + global CDN
CloudflareR2 object storage for generated images/videos; DNSEU + global
RunPodGPU compute (ComfyUI serverless workers)EU (Romania)
OpenRouter (with Mistral models)Content moderation: Tier 2 text + Tier 3 visionUS (relayed via OpenRouter)
FinbyPayment processing (SEPA + crypto)EU (Slovakia)
HostnetDomain registrar for xavira.aiNL

Cross-border transfers to the United States (Netlify, OpenRouter) rely on the EU Commission's Standard Contractual Clauses (SCCs) under GDPR Article 46.

8.How we share personal information

We may share information with:

We do not sell your personal information. We do not "share" it in the technical sense defined by California or other US state privacy laws (no cross-context behavioural advertising).

9.How long we keep it

10.Your rights

Under GDPR (and equivalent laws in other jurisdictions) you have the right to:

Exercise these rights by emailing hello@xavira.ai with "Data request" in the subject. We respond within 30 days (extendable by 60 days for complex requests, with notification).

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or your local supervisory authority in the EU.

11.Online tracking technologies

We use a minimal set of strictly functional cookies on xavira.ai:

We do not use advertising cookies, third-party analytics cookies, or fingerprinting. Your browser can block or delete cookies at any time; if you block the session cookies you will not be able to log in.

12.Security

In the event of a personal-data breach we will notify affected customers and (where required) the Dutch Data Protection Authority within 72 hours of detection, per GDPR Articles 33–34.

13.Children's privacy

Xavira AI is a business-to-business adult-content API. We do not knowingly collect data from anyone under 18. The Services block generation requests depicting under-18 characters at the moderation layer. If you become aware that a child has provided us with personal data, contact us immediately.

14.Links to other websites

Our pages may link to third-party sites (e.g. sub-processor websites). We do not control those sites' privacy practices. Review their policies before sharing data with them.

15.U.S. state-specific notice

We do not "sell" or "share" personal information as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) or comparable laws in other US states. Where we act as a service provider / processor for Customer Data, we process it only on Customer's documented instructions.

16.Changes to this Policy

We may revise this Policy. Material changes are notified by email to the address on your Account 30 days before they take effect. Minor edits (typos, clarifications, sub-processor list updates) take effect on publication. The effective date at the top of this page reflects the latest version. Your continued use after the effective date constitutes acceptance.

17.Contact

Sria Digital B.V.
The Netherlands · Dutch KvK registration on file
Privacy + data requests: hello@xavira.ai (subject "Privacy")
General contact: hello@xavira.ai