Privacy Policy
Draft pending final legal review — accurate to how the Service works today; confirm with counsel before relying on it commercially.
Last updated: 9 June 2026.
Xyra Chat (the "Service"), operated by Mll Nexus Group SL (trading as Mll Studio) ("we", "us"), is a multi-channel customer-messaging platform. This policy explains what personal data we process, why, and the rights you have. It is written to align with the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Controller vs. processor
For the conversation data our customers handle through the Service — the messages, contacts, and channel identifiers of the people they talk to — the customer (the business using Xyra Chat) is the data controller and we act as a data processor on their instructions. For our own account and analytics data (your name, email, billing, product usage), we are the controller.
2. Data we process
- Account data: name, email, hashed password, role, organization, availability.
- Customer conversation data (on behalf of customers): message contents, contact names / phone numbers / emails / social handles, attachments, tags, notes, conversation metadata.
- Channel credentials: access tokens for connected channels, encrypted at rest in Supabase Vault (only a vault reference lives in the database).
- Billing data: plan, subscription status, and a Stripe customer reference. Card details are handled by Stripe — we never see or store them.
- Usage analytics: feature events via PostHog (EU). We do not record sessions or capture message contents in analytics.
3. AI processing
When a customer enables the AI assistant, message text and that customer's own knowledge sources are sent to Anthropic (Claude) to generate replies and to OpenAI to compute embeddings for knowledge search. These providers act as sub-processors and, per their API terms, do not train their models on data sent via their APIs. AI features can be disabled per channel.
4. Legal bases (GDPR Art. 6)
- Performance of a contract — to provide the Service.
- Legitimate interests — security, product analytics, abuse prevention.
- Consent — non-essential cookies (EU visitors) and marketing.
- Legal obligation — tax, accounting, lawful requests.
5. Sub-processors
We share data with the following sub-processors strictly to run the Service:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, file storage, realtime | EU (Frankfurt) |
| Vercel | Application hosting + edge network | Global (EU/US) |
| Anthropic | AI assistant + reply generation (Claude) | US |
| OpenAI | Text embeddings for knowledge search | US |
| Stripe | Subscription billing + payments | US/EU |
| Resend | Inbound + outbound email channel | US/EU |
| Meta Platforms | WhatsApp + Instagram + Messenger channels | Global |
| Telegram | Telegram bot channel | Global |
| PostHog | Product analytics (no session recording) | EU |
6. International transfers
We host primary data in the EU where possible (Supabase Frankfurt, PostHog EU). Some sub-processors (e.g. Anthropic, OpenAI) process data in the US under Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
7. Retention
We use soft-deletion across the platform. When an organization cancels, its data is retained for up to 30 days and then permanently purged. You can request earlier erasure at any time. Account data is kept for the life of the account plus any legally required period.
8. Your rights
Under the GDPR you may request access, rectification, erasure, restriction, and portability, and you may object to processing. Signed-in users can export their data (/api/gdpr/export) and request erasure (/api/gdpr/delete), or email us. End customers of our business users should contact that business (the controller); we assist them as processor.
9. Cookies
We use essential cookies for authentication. Analytics cookies (PostHog) load only after consent for visitors in the EEA, via our cookie banner.
10. Security
Data is isolated per organization via row-level security, channel access tokens are encrypted in Supabase Vault, API keys are stored only as salted hashes, and all webhooks are signature-verified.
11. Contact
Privacy questions: privacy@xyrachat.com. Operator: Mll Nexus Group SL (trading as Mll Studio), Calle Poetas Españoles 1, Local 1, 38678 Armeñime, Santa Cruz de Tenerife, Spain. As an EU-established company we are not required to appoint an Article 27 EU representative; we have not appointed a dedicated Data Protection Officer — privacy enquiries reach us at the address above.