Privacy Policy

1. Introduction

Xyon AI ("Xyon AI," "we," "us," or "our") operates the Xyon AI application and related services (collectively, the "Service"). Xyon AI is a multi-platform AI aggregation and content generation service available on iOS, Android, Web, macOS, and Windows.

This Privacy Policy explains how we collect, use, store, share, and protect your information, and outlines your rights under applicable data protection laws, including the GDPR, CCPA/CPRA, and other global privacy frameworks.

We are committed to a privacy-first, local-first architecture, minimizing server-side data collection wherever possible.

2. Scope of This Policy

This Privacy Policy applies to:

• The Xyon AI mobile, desktop, and web applications
• Related websites and services operated by Xyon AI
• Communications between you and Xyon AI related to the Service

This Policy does not apply to third-party AI providers or payment processors whose services you access through Xyon AI. Their practices are governed by their own privacy policies.

3. Information We Collect

3.1 Information Collected Automatically

When you use the Service, we may automatically collect:

Device and Technical Information

• Device identifier (randomly generated, non-hardware-based)
• Device type, operating system, and app version
• Platform type (iOS, Android, Web, macOS, Windows)

Authentication Identifiers

• Firebase Anonymous Authentication UID
• This UID is automatically generated
• No name, phone number, or government ID is required

Usage and Entitlement Data

• Subscription tier and entitlement status
• Daily usage counters (text, image, video quotas)
• Device authorization status

We do not collect precise location data or IP address logs for user profiling.

3.2 Information You Voluntarily Provide

Email Address (Optional)

• Provided only if you choose to enable cross-platform subscription syncing or account recovery
• Used for verification, device linking, and subscription association
• Permanently linked unless you delete your account

Payment-Related Information

• Processed exclusively by third-party payment providers (Stripe, RevenueCat)
• We receive limited metadata such as subscription status, product ID, and renewal state
• We do not store full payment card details

User Content

• Prompts, messages, images, and generation requests submitted to AI services
• Conversation titles and history
• Uploaded images for vision analysis

By default, user content is stored locally on your device, not on Xyon AI servers.

Third-Party API Keys

• Optional API keys you choose to provide
• Stored only in encrypted local storage on your device

3.3 Error Reporting and Diagnostics (Optional)

If enabled by you, we collect:

• Crash reports and stack traces
• Performance metrics and session diagnostics
• Device and app version metadata

This data is collected via Sentry and can be disabled at any time in app settings.

4. How We Use Information

We use information for the following purposes:

Purpose	Description
Service Delivery	Generate AI responses, images, and videos
Authentication & Security	Authenticate users, authorize devices, prevent abuse
Subscription Management	Verify entitlements and synchronize subscriptions
Customer Support	Respond to inquiries and resolve issues
Service Improvement	Debugging, performance optimization (opt-in only)
Legal & Compliance	Enforce terms, comply with legal obligations

We do not use your data for advertising or sell personal information.

5. Legal Bases for Processing (GDPR)

For users in the EEA and UK, we process personal data under the following legal bases:

Legal Basis	Application
Contractual Necessity	To provide the Service you requested
Consent	Error reporting, optional features, email linking
Legitimate Interests	Security, fraud prevention, service reliability
Legal Obligation	Compliance with applicable laws and regulations

6. Data Storage and Architecture

6.1 Local-First Data Storage

By design:

• Conversations and prompts are stored locally on your device
• API keys are encrypted and stored locally
• Preferences and settings remain on-device
• No automatic cloud backup of conversations occurs

Deleting the app removes locally stored data unless otherwise retained by your device OS.

6.2 Server-Side Data Storage

We store limited data on secure servers (Firebase):

• Authentication identifiers (UID)
• Subscription and entitlement metadata
• Linked email records (if enabled)
• Device authorization records
• Temporary verification codes (time-limited)

All server-side access is restricted via Firebase security rules and Cloud Functions.

7. Data Security

We use industry-standard safeguards, including:

• TLS/HTTPS encryption for all network traffic
• Encrypted storage (Keychain, Keystore, AES-GCM)
• Hashed verification codes (SHA-256)
• Rate-limited authentication endpoints
• Principle of least privilege for server access
• Regular dependency and security reviews

No system is completely secure, but we continuously improve our protections.

8. Sharing and Disclosure

We do not sell personal data. We may share data only as follows:

8.1 Service Providers

Provider	Purpose	Privacy Policy
Firebase (Google)	Cloud infrastructure, authentication	firebase.google.com/support/privacy
Sentry	Error reporting (opt-in)	sentry.io/privacy
SendGrid	Email delivery	sendgrid.com/policies/privacy

8.2 Payment Processors

Provider	Purpose	Privacy Policy
Stripe	Web and desktop payments	stripe.com/privacy
RevenueCat	Mobile in-app purchases	revenuecat.com/privacy

8.3 AI Service Providers

Your prompts and content are transmitted to the AI provider you select:

Provider	Features	Privacy Policy
OpenAI	ChatGPT, DALL-E	openai.com/privacy
Anthropic	Claude	anthropic.com/privacy
Google	Gemini	policies.google.com/privacy
Perplexity	Search-augmented generation	perplexity.ai/privacy
DeepSeek	Text generation	deepseek.com/privacy
Stability AI	Stable Diffusion	stability.ai/privacy-policy
Groq	Llama	groq.com/privacy-policy
fal.ai	Image and video generation	fal.ai/privacy

Processing is governed by each provider's privacy policy.

8.4 Legal and Business Disclosures

We may disclose data for:

• Compliance with legal requests or court orders
• Protection of rights, safety, and property
• Business transfers (merger, acquisition, asset sale)

9. Data Retention

Data Type	Retention
Local conversations	Until deleted by user
Account identifiers	Until account deletion
Subscription records	Duration of subscription + legal requirements
Verification codes	Automatically deleted (~10 minutes)
Error reports	Per Sentry retention policy (~90 days)

10. Your Rights and Choices

10.1 General Rights

• Access your data
• Correct inaccurate information
• Delete your account and server-side data
• Disable diagnostics and error reporting

10.2 GDPR Rights (EEA/UK)

• Right of access, rectification, erasure
• Right to restrict or object to processing
• Right to data portability
• Right to withdraw consent

10.3 California Rights (CCPA/CPRA)

• Right to know what personal data is collected
• Right to delete personal data
• Right to non-discrimination
• We do not sell or share personal data for advertising

Categories of Personal Information Collected:

• Identifiers (device ID, email address if provided)
• Commercial information (subscription history)
• Internet or network activity (usage data)

Requests can be made via the contact details below.

11. Children's Privacy

The Service is not intended for children under:

• 13 years old (or 16 where required by law)

We do not knowingly collect personal data from children. If you believe we have collected information from a child, please contact us immediately.

12. International Data Transfers

Data may be processed in countries where our service providers operate, including the United States. We rely on appropriate safeguards such as standard contractual clauses and data processing agreements.

13. Cookies and Tracking

• No advertising or tracking cookies
• Essential cookies only for web session functionality
• No cross-site tracking
• Mobile and desktop apps do not use cookies

14. API Key Security

If you provide your own AI service API keys:

• Keys are stored only in encrypted local storage on your device
• Keys are transmitted only to the respective AI service endpoints
• Keys are never logged, collected, or transmitted to our servers
• You are responsible for managing and securing your API keys

15. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated through the app or website. Continued use of the Service constitutes acceptance of the revised Policy.

16. Contact Information