Privacy Policy

How we collect, use, and protect your data. We only process what's strictly necessary to run the Service.

Last updated: 2026-04-21

01. Data we collect

Account data: name, email, hashed password (via Supabase Auth), IP addresses, timestamps.

Workspace data: organisation name, billing details (handled by Stripe), team members.

Integration data: brand credentials you input (encrypted at rest via Supabase Vault), and the stats pulled from them.

Product analytics: anonymised usage events via PostHog, used only to improve the product.

02. How we use your data

To provide, maintain, and improve the Service. To process payments. To send transactional email (login, billing, security alerts).

Marketing emails are opt-in only. You can unsubscribe at any time with a single click.

03. Legal basis (GDPR)

Contractual necessity — to deliver the Service you signed up for.

Legitimate interests — to prevent fraud, secure the platform, and operate as a business.

Consent — for optional marketing communications.

04. Your rights

You have the right to access, correct, export, or delete your data. You can do this yourself from Settings → Profile, or by emailing privacy@xuly.io.

You can also lodge a complaint with your local data-protection authority.

05. Subprocessors

We use a short list of trusted subprocessors to run the Service:

Supabase (database, auth, storage) — Frankfurt, EU.

Vercel (frontend hosting) — global.

Stripe (billing) — global.

Trigger.dev (background jobs) — global.

Resend (transactional email) — EU.

Sentry (error tracking) — EU.

PostHog (product analytics) — EU, self-hostable.

06. Cookies & tracking

We use essential cookies for authentication and CSRF. No third-party advertising cookies. Product analytics are anonymous and do not include personally identifiable information.

07. Data retention

Active account data: kept while your account is active. Upon deletion, all workspace data is permanently erased within 30 days. Financial records are kept for 7 years as required by law.

08. Security

TLS 1.3 in transit. AES-256 at rest. Brand credentials encrypted via pgsodium. 2FA enforced on paid plans. Full details at /security.

09. International transfers

Data is primarily stored in the EU (Frankfurt). Where transfers are required (e.g. US-based subprocessors), we rely on Standard Contractual Clauses as approved by the European Commission.

10. Children

xuly.io is not intended for users under 16. We do not knowingly collect data from children.

11. Contact

Our Data Protection Officer: dpo@xuly.io. Postal: xuly.io GmbH, DPO, Berlin, Germany.