← Back

Privacy Policy

Last updated: 15 May 2026

1. Data Controller

Xpirit AI is the data controller for personal data processed through this service. Contact: [email protected]

2. Data We Collect

  • Account data: Email address, display name, hashed password
  • Conversation data: Messages you send and AI responses
  • Usage data: Timestamps, IP addresses (for security)
  • Feedback data: Thumbs up/down ratings (only if training consent enabled)
  • Consent records: Your consent preferences and timestamps

3. Google User Data

When you choose "Sign in with Google", Xpirit AI uses Google's OAuth 2.0 service strictly for authentication. The Google API scopes we request are openid, email, and profile — these are Google's standard non-sensitive sign-in scopes. We do not request access to Gmail, Drive, Calendar, Contacts, Photos, YouTube, Maps, Chat, Meet, Tasks, Keep, or any other Google service.

3.1 Data Accessed

From your Google Account, Xpirit AI accesses only the following fields, returned by Google's ID token and UserInfo endpoint:

  • Google Account identifier (sub): an opaque, Google-issued numeric ID that uniquely identifies your Google Account.
  • Email address: the primary email address associated with your Google Account.
  • Email verification status: whether Google has verified that email address.
  • Display name: the name shown on your Google Account.
  • Given name and family name: the first and last name fields from your Google profile, if present.
  • Profile picture URL: the URL of your Google Account avatar image, if present.
  • Locale: the language/locale preference set on your Google Account, if present.

No other Google user data is requested, accessed, downloaded, copied, scraped, or read.

3.2 Data Usage

Xpirit AI uses the Google user data described in Section 3.1 strictly for the following purposes:

  • Authentication: verifying that you control the Google Account you are signing in with, by validating Google's signed ID token.
  • Account creation and linking: creating an Xpirit AI account on first sign-in, or matching subsequent sign-ins to the existing Xpirit AI account associated with the same Google Account identifier (sub) or verified email.
  • Account display: showing your display name and profile picture inside the Xpirit AI web application so you can confirm which account you are signed in to.
  • Account communication: sending transactional service messages (password-reset, security alerts, account-deletion confirmations) to the email address associated with your account. We do not send marketing email to Google-provided email addresses without separate, explicit opt-in.

Google user data is never used for the following:

  • Training, fine-tuning, evaluating, or improving any AI or machine-learning model (including Xpirit AI's own models). The Google API Services User Data Policy's Limited Use requirements for AI/ML training are strictly observed: Google user data, including derived information, is excluded from every training, fine-tuning, evaluation, RLHF, distillation, embedding, or retrieval-augmentation pipeline operated by Xpirit AI or any sub-processor.
  • Advertising, ad targeting, ad measurement, or any advertising-related purpose.
  • Selling, renting, leasing, or licensing to any third party.
  • Profiling for purposes other than authentication and account management as described above.

3.3 Data Storage and Sharing

The fields listed in Section 3.1 are stored only in Xpirit AI's authentication database (PostgreSQL, hosted on infrastructure in the United Kingdom) as part of your user record. Xpirit AI does not share Google user data with any third party except where strictly necessary to provide the service (the database hosting provider, acting as a processor under a data-processing agreement) or where legally required.

Google user data is not shared with any third-party AI or machine-learning provider, including but not limited to OpenAI, Anthropic, Google AI, OpenRouter, Hugging Face, RunPod, or any inference vendor.

3.4 Data Retention and Deletion

Google user data is retained for as long as your Xpirit AI account is active. You can delete your Xpirit AI account at any time from Settings > Account > Delete account, which deletes all stored Google user data within 30 days. You can also revoke Xpirit AI's access at any time from your Google Account permissions page.

3.5 Google API Services User Data Policy

Xpirit AI's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Legal Basis (GDPR Art. 6)

  • Service delivery: Art. 6(1)(b) — necessary for contract performance
  • AI training: Art. 6(1)(a) — your explicit consent (opt-in only)
  • Security & audit: Art. 6(1)(f) — legitimate interest in preventing abuse

5. AI Training Data

By using the Service, messages you explicitly rate (thumbs up/down) are collected as training pairs to improve the Xpirit AI model. Only rated interactions are collected — your full conversation history is never bulk-harvested. This is enabled by default as stated in the Terms of Use.

You can disable this at any time via the "Improve AI" toggle in the sidebar or Settings > Privacy. When disabled, no new training pairs are collected. Previously collected pairs are retained unless you request deletion via a Data Subject Request (Art. 17). Legal basis: GDPR Art. 6(1)(b) contract performance (service improvement) with Art. 21 right to object.

6. Your Rights (GDPR Art. 15-21)

  • Access (Art. 15): Request a copy of your personal data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Delete your account and all associated data
  • Portability (Art. 20): Export your data in machine-readable JSON
  • Objection (Art. 21): Object to data processing for training

To exercise these rights, use the in-app settings or contact [email protected]. We respond within 30 days.

7. Data Retention

  • Conversations: retained until you delete them or your account
  • Training pairs: retained until consent withdrawal or account deletion
  • Audit logs: retained for 2 years (legal compliance, Art. 17(3)(e))
  • Account data: deleted within 30 days of account deletion request

8. Data Security

We implement technical measures including: encrypted connections (TLS), scrypt password hashing, immutable audit logs with SHA-256 checksums, rate limiting, IP blocking, content filtering, and admin 2FA via Telegram OTP.

9. EU AI Act Transparency

In compliance with EU AI Act Article 52, we disclose: you are interacting with an AI system (Xpirit-Davinci, a custom fine-tuned 7B-parameter language model). The system is classified as limited-risk. It does not perform automated decision-making with legal effects. Technical details available at /api/v1/compliance/transparency.

10. International Transfers

Your data is processed on servers located in the United Kingdom. For EU users, UK adequacy decision (June 2021) applies. RunPod cloud inference (when active) processes data in the EU/US under standard contractual clauses.

11. Contact

Data Protection Officer: [email protected]
You have the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France).