Privacy Policy
Who We Are
XIRA is an AI compliance platform operated from Colorado. Our public website is xira-ai.com. We help teams understand which AI and algorithmic decision-making rules may apply to them, starting with a free exposure scan and continuing into the signed-in dashboard when you choose to use it. Rules for using the site and scanner are in our Terms of Service.
What We Collect
When you use the scanner, dashboard, or related flows, we only collect what you choose to give us and what we need to run the product. Today that includes:
- Email address if you voluntarily submit it to receive scan results, vendor documentation requests, compliance notifications, or related messages.
- Company name if you optionally provide it. You do not have to.
- Scan parameters: the states you select, the AI tools you pick, your industry, company size, and how you describe your role (deployer, developer, both, or not sure).
- Scan history and results when you save scans to your account or generate reports, including matched regulation lists and risk scores derived from your inputs.
- Dashboard and company profile data when you sign in: company profile fields, states of operation, AI tool inventory (including catalog links and deployment details), and compliance case metadata (case titles, regulation selections, control statuses, and linked evidence references).
- Workspace and document content when you use compliance workspaces: answers you enter in forms, draft and finalized document JSON, document hashes for integrity, and export activity tied to your account.
- Basic analytics, such as page views and referral source, so we can see how people find and use the site. Where enabled, we use Vercel Analytics for aggregated, privacy-oriented traffic metrics (not ad retargeting).
- Session and authentication data when you sign in through WorkOS AuthKit, including session cookies and identifiers needed to keep you logged in and protect your account.
We do not collect payment card data through the product today. If uploaded files or attachments are introduced in specific workflows, we will describe how they are handled on this page and update the effective date. If collection practices change in a material way, we will update this policy.
Children's Privacy
We are adding standard disclosures here as the product matures. Counsel will review this page before we onboard large enterprise customers.
XIRA is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@xira-ai.com.
How We Use It
Email: we use it to send your scan results PDF when you ask for it, and occasionally to share product updates if you have agreed to hear from us that way.
Scan data: we use it to generate your compliance-style report and to improve how we match scans to obligations in our database.
Dashboard and case data: we use it to render your company profile, obligation progress, workspaces, evidence links, and proof exports you request.
Workspace content: we store it so you can edit, finalize, and export compliance documents, and so integrity hashes and audit trails stay consistent with what you approved.
Analytics: we use it to understand traffic patterns and improve the site experience.
We do not sell your personal data. We do not share it with third parties for their own marketing. The scanner matches your answers against a pre-classified regulation database; your scan answers and free text are not sent to a large language model to produce results, and no customer input is sent to an LLM for that matching today.
For certain optional compliance workspace features, XIRA may use Anthropic's language model to generate draft document sections based on your company profile and tool information. This feature is controlled by server configuration and is not enabled by default. When enabled, only structured company and tool metadata is sent to the language model provider. Scan results and jurisdiction matching never use language models.
Where Your Data Lives
The website is hosted on Vercel, which publishes SOC 2 Type II reports for its platform. Our application database is hosted on Supabase, which runs on AWS and encrypts data at rest. Transactional email is delivered through Resend, which sends mail using Amazon SES. All browser connections to the site use HTTPS.
International Transfers
XIRA's services are hosted in the United States. If you access our services from outside the United States, your information may be transferred to and processed in the United States. By using our services, you consent to this transfer.
Data Retention
We retain your data for as long as your account is active or as needed to provide our services. Compliance documents and evidence are retained for a minimum period consistent with regulatory requirements. Scan data and email records are retained for up to two years. You may request deletion of your data by contacting privacy@xira-ai.com.
Email Communications
If you receive product or newsletter-style messages, you can unsubscribe at any time using the link in those emails. You can also use our unsubscribe page where that applies.
Delivery of a scan results PDF you requested is a one-time transactional email. It is not the same thing as signing up for ongoing marketing.
If you join our newsletter separately, you can leave that list at any time with the same kind of link.
Your Rights
You can ask us to delete personal data we hold about you by writing to privacy@xira-ai.com. We will respond in line with applicable law and what we can verify about your request.
If you live in Colorado, the Colorado Privacy Act gives you rights that include access, correction, and deletion of certain personal data, subject to exceptions in the law.
If you live in California, the CCPA and related rules give you rights that include knowing what categories of personal information we collect and requesting deletion, again subject to legal limits.
Changes
When our practices change in a material way, we will update this page. The effective date under the title at the top reflects the latest revision.
When we change product rules or disclaimers, we post those in our Terms of Service.
Contact
Questions about this policy: privacy@xira-ai.com