1. Introduction
Amalgam Holdings Pty Ltd (ABN pending) ("we," "us," "our") operates XESO, a knowledge management platform. This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal information when you use our Service. We are committed to complying with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By using the Service, you consent to the practices described in this policy.
2. Information We Collect
2.1 Account Information. When you create an account, we collect your name, email address, and profile photograph (if provided by your authentication provider).
2.2 User Content. We store the content you submit to the Service, including URLs, documents, text, and the structured notes, summaries, and metadata generated from that content.
2.3 Usage Data. We automatically collect non-identifiable technical data including browser type, operating system, device type, pages visited, features used, session duration, and performance metrics.
2.4 Payment Information. If you subscribe to a paid plan, payment is processed by Stripe, Inc. We do not store your credit card number, CVV, or full payment details on our servers.
2.5 Cookies and Similar Technologies. We use strictly necessary cookies (session tokens, CSRF protection) to operate the Service. We do not use advertising cookies, tracking pixels, or third-party analytics.
3. How We Use Your Information
We use your information exclusively to: (a) provide, maintain, and improve the Service; (b) authenticate your identity and maintain account security; (c) process transactions and send billing-related communications; (d) transmit User Content to third-party AI model providers for processing as part of core Service functionality; (e) generate embeddings and search indexes to enable knowledge retrieval; (f) send Service-related notifications; and (g) comply with legal obligations. We do not use your personal information for advertising, profiling, or automated decision-making. We do not sell your personal information to third parties under any circumstances.
4. Third-Party Data Processing
Google (Gemini API): Used for natural language processing, summarisation, conversational AI, and generating text embeddings. Data submitted through the paid API tier is not used by Google to train models.
Google (OAuth): Used for authentication. We receive your name, email, and profile photo via Google Sign-In.
Stripe: Used for payment processing. Stripe is PCI DSS Level 1 certified and processes payment data in accordance with their privacy policy.
4a. Training Data Pledge
We do not use your content to train AI models — ours or anyone else's. This is a hard commitment, not a marketing line:
4a.1 No training by XESO. We do not train, fine-tune, distill, or evaluate any model (proprietary, open-source, or third-party) on your notes, chat transcripts, prompts, embeddings, uploaded files, or any content you submit to the Service.
4a.2 Contractual no-training with providers. Our LLM providers are used under enterprise terms that explicitly prohibit the use of customer content for training. Specifically: Google Gemini paid API (per Google's Generative AI Data Governance terms, customer prompts and responses are not used to improve Google's models) and, if enabled, OpenAI API (per OpenAI's API data usage policy, prompts and completions are not used to train OpenAI models).
4a.3 No aggregate or anonymised exception. We also do not build "anonymised" training corpora from your data. De-identification is still derivation, and we do not derive models from your content.
4a.4 Bring-your-own-key fully respected. When you supply your own Anthropic or OpenAI API key, your data flows directly from our backend to your configured provider under your account's terms. We do not retain a copy beyond the minimum required to serve the request.
4a.5 Audit. A machine-readable version of this pledge is published at /.well-known/ai-training-pledge.txt and mirrored in docs/security/DATA_HANDLING.md in our source repository for verification.
If we ever change this policy, we will: (a) notify all active users by email at least 30 days before the change takes effect, (b) make the change opt-in rather than opt-out, and (c) publish a dated record of the change in our Trust Center.
5. Data Storage and Security
Your data is stored in encrypted PostgreSQL databases protected by industry-standard security measures including: TLS encryption in transit, AES-256 encryption at rest, network isolation, access control, regular security patches, and automated backups.
6. Data Retention
We retain your account information and User Content for as long as your account is active. If you delete your account, we will delete your personal information and User Content within 30 days, except where retention is required by law. Backup copies may persist in encrypted archives for up to 90 days after deletion.
7. Your Rights
Depending on your jurisdiction, you may have the following rights: Access, Correction, Deletion, Export, Restriction, Objection, and Non-discrimination. To exercise any of these rights, contact us at privacy@xeso.ai. We will respond within 30 days.
8. International Data Transfers
Your data may be processed in jurisdictions outside your country of residence, including the United States and Australia. Where data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses or other approved transfer mechanisms.
9. Children's Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided us with personal information, contact us at privacy@xeso.ai.
10. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will: (a) notify the relevant supervisory authority within 72 hours; (b) notify affected individuals without undue delay; and (c) provide details of the nature of the breach, the data affected, and the measures taken to address it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before the changes take effect.
12. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy, contact us at:
Amalgam Holdings Pty Ltd
Email: privacy@xeso.ai