Privacy Policy

This Privacy Policy applies to visitors, prospects, customers, customer users, suppliers, and other individuals whose personal data we process in connection with our websites, applications, APIs, managed services, and commercial operations.

Depending on the relationship, XYLEX may act as a controller for data used to operate our business, or as a processor acting on behalf of a customer. Where customer data is processed on behalf of a customer, the customer's instructions and contract documents control that processing.

We may collect or receive the following categories of information:

• identity and profile data, such as your name, company, title, and account identifiers;
• contact data, such as email address, phone number, billing details, and business address;
• technical and usage data, such as IP address, device information, browser type, pages viewed, referring URLs, timestamps, and feature interaction events;
• communications data, such as information you send through contact forms, support requests, sales conversations, and contractual discussions;
• customer content and operational data that customers choose to store, transmit, or process through XYLEX services; and
• compliance and security data, such as audit logs, authentication events, fraud indicators, and incident records.

• Directly from you when you contact us, request a demo, sign a contract, subscribe to updates, or create an account.
• Automatically when you use our websites or services, including through server logs, security telemetry, and cookies or similar technologies.
• From your employer or organization when they provision access for you, designate you as a contact person, or authorize you as a user.
• From integrated third parties, resellers, payment partners, identity providers, or infrastructure providers where necessary to deliver the service.

Typical processing purposes include:

• providing, securing, maintaining, and improving our services;
• setting up accounts, authenticating users, and managing access;
• responding to support, sales, contractual, and billing matters;
• monitoring reliability, detecting abuse, preventing fraud, and investigating security events;
• performing analytics needed to understand product usage and service demand;
• complying with legal obligations, enforcing contracts, and protecting our rights and the rights of customers and users; and
• sending service messages and, where permitted, updates about our products and business.

Where required by law, we rely on consent, contract performance, legitimate interests, legal obligations, or other recognized legal bases. More detail for GDPR-related processing appears on our GDPR page.

• With hosting, infrastructure, communications, analytics, security, customer support, and other vendors acting under contractual confidentiality and data protection obligations.
• With professional advisers, insurers, auditors, corporate affiliates, and transaction counterparties where needed for legitimate business operations.
• With law enforcement, regulators, courts, or other third parties where disclosure is required by applicable law or is necessary to establish, exercise, or defend legal claims.
• In connection with a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality measures.

When personal data is transferred across borders, we use measures designed to provide an adequate level of protection under applicable law. Depending on the transfer, those measures may include contractual safeguards, internal governance requirements, security controls, and supplementary technical or organizational measures.

Customers that require a contractual data transfer framework should refer to our Data Processing Addendum or their signed services agreement.

• Access to systems and data is limited according to business need and subject to authentication, logging, and review processes.
• We design services to use encryption in transit and other security controls that reduce the risk of unauthorized access, alteration, or loss.
• Personal data is retained only for as long as needed for the purpose collected, to satisfy contractual commitments, to comply with law, or to resolve disputes and enforce agreements.
• Backup, business continuity, and restoration practices are further described on our Data Recovery Policy page.

Depending on your location, those rights may include the right to:

• access and receive a copy of your personal data;
• correct inaccurate or incomplete data;
• delete personal data in certain circumstances;
• restrict or object to particular processing activities;
• receive data in a portable format where technically feasible;
• withdraw consent where processing is based on consent; and
• lodge a complaint with the relevant supervisory authority.

We may need to verify your identity before acting on a request. If we process your data on behalf of a customer, we may direct your request to that customer because they control the underlying processing decision.

For a fuller description of the technologies we may use, the reasons we use them, and the controls available to you, see our Cookie Policy.

Material updates will be posted on this page with a revised effective date. If a change materially affects customers under contract, we may also provide notice through the relevant service or account contact.

Privacy questions, access requests, or legal inquiries can be submitted through our contact page or routed through your existing commercial contact with XYLEX.