PRIVACY POLICY

This Privacy Policy explains how Xirsys, LLC ("Xirsys," "we," "us," "our") handles Client Personal Data and other information. Capitalized terms not defined here have the meanings in the Terms of Service (/tos). For processing terms and international transfers, see the DPA and SCC Addendum.

1) Scope & Audience

• Clients: organizations/individuals that contract directly with Xirsys.
• Visitors: individuals who visit our websites or dashboard.
• End Users: individuals using Client applications that rely on the Xirsys relay. We do not collect or store End Users’ communications content or identifiers via Service Traffic.

2) Data We Handle

2.1 Client Personal Data. Name, email, business details, account credentials, billing info (processed by Stripe), support communications, and account-level Metrics Data (e.g., session counts, bytes transferred).

2.2 Service Traffic (not stored). WebRTC media and related real-time signaling relayed through our STUN/TURN infrastructure are encrypted (DTLS-SRTP) end-to-end between peers. We do not decrypt, inspect, or store communications content.

2.3 Metrics Data (stored). We store aggregated account-level metrics (e.g., counts of sessions, total bytes transferred, availability/error rates, regional capacity use). Metrics Data excludes communications content and is not used to profile End Users.

3) How We Collect

• Directly from Clients during signup, billing, and support.
• Automatically through cookies and session tokens for secure login/session management.
• From third-party tools used on our sites (Intercom, Google Analytics) for product analytics and support.

4) Why We Use Data

• Provide, operate, secure, and improve the Services.
• Billing, account administration, fraud/abuse prevention, and diagnostics.
• Communicate about service updates, security, and changes to terms or policies.
• Legal compliance.

5) Cookies & Similar Technologies

We use cookies/web storage for authentication, session continuity, preferences, and site analytics. You may control cookies via your browser; some features may not function without them.

6) Third-Party Providers

• Payments: Stripe (we don’t store full card numbers).
• Product support/analytics: Intercom (opt-out requests: privacy@xirsys.com).
• Web analytics: Google Analytics (aggregated insights).

Providers act as our sub-processors under contractual confidentiality and security.

7) Sharing & Disclosure

We may share Client Personal Data with service providers, professional advisors, acquirers (in a transaction), and authorities where legally required or necessary to protect rights, safety, or security. We do not sell Personal Data.

8) Security

We use industry-standard safeguards: encryption in transit and at rest for Client Personal Data, access controls, logging/monitoring, least-privilege access, and vulnerability management.

9) Retention

• Client Personal Data is retained while the account is active and deleted within 30–60 days after closure, except where law requires longer retention (e.g., tax).
• Service Traffic content is never stored.
• Metrics Data is retained for operational, billing, security, and planning purposes consistent with our retention schedule.

10) Your Rights

Depending on your jurisdiction (e.g., GDPR/UK GDPR, CPRA), you may have rights to access, correct, delete, or port Client Personal Data, and to object/restrict certain processing. Submit requests to privacy@xirsys.com. End Users should contact the relevant Client.

11) International Transfers

Xirsys is U.S.-based and operates globally. Transfers of Client Personal Data outside the EEA/UK are protected by the EU 2021 Standard Contractual Clauses and the UK Addendum (see the SCC Addendum).

12) Children

Services are not directed to children under 13. We do not knowingly collect data from children.

13) Contact

Custodian of Records – Privacy
Xirsys, LLC
25350 Magic Mountain Parkway, Suite 300, Santa Clarita, CA 91355
privacy@xirsys.com

14) Changes

We may update this Policy; material changes will be posted with 30 days’ advance notice. Continued use after the effective date signifies acceptance.

Last Updated: September 16, 2025