Legal

Privacy Policy

How xaltoAI collects, uses, and protects your personal information — including Google Sign-In data.

Last updated: April 10, 2026

This Privacy Policy (“Policy”) describes how xaltoai (“Company,” “we,” “us,” or “our”) collects, uses, stores, and protects your personal data when you access or use our website at xaltoai.com (“Platform”) and the products and services offered through it (collectively, “Services”). In this Policy, “you” and “your” refer to any individual or entity using our Services, whether registered or not.

We encourage you to read this Policy carefully before accessing our Services. By using or continuing to use the Platform, you acknowledge that you have read, understood, and agree to the practices described herein. We may update this Policy from time to time, and such changes take effect immediately upon publication. We recommend reviewing this page periodically.

By using our Services, you expressly consent to the collection, storage, analysis, use, and disclosure of your personal data as described in this Policy.

1. Purpose & Scope

xaltoai is committed to safeguarding user privacy and handling personal data responsibly. This Policy outlines the categories of personal data we collect, how we process and use it, with whom it may be shared, and the rights available to you under applicable data protection laws.

This Policy applies to all personal data collected through the Platform, including data provided during registration, ongoing usage, and interactions with our support team. Depending on your relationship with us or the nature of your usage, additional privacy notices may apply.

2. Data We Collect

We collect personal data from users through various means as described below. Some data is required for access to the Services, while other data is optional. We will always make the distinction clear to you.

Information You Provide Directly

When you create an account or interact with the Platform, you may provide us with:

  • Your name and email address
  • Profile photo (if you sign in through a third-party authentication provider such as Google)
  • Any other details you voluntarily submit through forms, support requests, or feedback channels

Information Generated Through Usage

When you use our AI-powered tools, we collect the content you provide as input and the outputs generated by the platform. This includes:

  • Text prompts, uploaded images, reference files, and other inputs
  • AI-generated images, videos, text, and other outputs (Deliverables)

Information Collected Automatically

We may automatically collect certain technical and usage data when you access the Platform, including:

  • IP address and approximate geographic location
  • Browser type, version, and language preferences
  • Device type, operating system, and screen resolution
  • Pages visited, features used, time spent, and navigation patterns
  • Referring URLs and domain information

We do not access or store contact lists, files, or other data from your device beyond what you explicitly upload to the Platform. We do not sell your personal data to any third party under any circumstances.

Google Sign-In Data

When you choose to sign in using your Google account, we request access to the following limited scopes only: email, profile, and openid. We use this information exclusively to:

  • Create and authenticate your xaltoai account using your verified Google email as a unique identifier
  • Display your name and profile picture within the application interface (for example, in your account menu and profile page)
  • Send account and service-related communications to your registered email address

We do not request, access, store, or transfer any other Google user data — including but not limited to Gmail messages, Drive files, Calendar entries, Contacts, or Photos. xaltoai's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You may revoke xaltoai's access to your Google account at any time through your Google Account permissions page.

3. How We Use Your Data

We use the data we collect for the following purposes:

  • To deliver, operate, and maintain the Services and provide a seamless user experience
  • To develop, improve, and refine our existing tools, features, and platform capabilities
  • To build and test new products, features, and AI models
  • To process transactions, manage billing, and fulfill subscription obligations
  • To identify and authenticate users and maintain account security
  • To communicate with you — responding to inquiries, sending service updates, and providing support
  • To send promotional communications about products, features, and events similar to those you've used or expressed interest in (you may opt out at any time)
  • To personalize your experience and surface relevant content and recommendations
  • To monitor and improve platform performance, reliability, and security
  • To detect, prevent, and address fraud, abuse, and unauthorized activity
  • To protect the rights, property, and safety of xaltoai, our users, and the public
  • To comply with applicable laws, regulations, and legal obligations

If we determine that any data you have provided violates this Policy or our Terms of Service, we reserve the right to remove or delete such data without liability to you.

We may also use, reproduce, distribute, and analyze non-personally identifiable, aggregated, or de-identified data derived from your usage for analytics, research, and service improvement purposes.

4. Information Sharing & Third Parties

We do not sell, rent, or trade your personal data. We may share your information only in the following circumstances:

  • Service Providers (sub-processors): We work with trusted third-party vendors who process data on our behalf under confidentiality and data protection agreements. Our current sub-processors are listed below.
  • Legal Requirements: We may disclose your data if required by law, regulation, court order, or governmental request
  • Protection of Rights: We may share data when necessary to enforce our Terms of Service, protect our rights or property, or ensure the safety of our users
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction, subject to the same level of privacy protection

Current Sub-processors

The following service providers may process your data in the course of delivering the Services. Each operates under its own privacy policy and contractual commitments to us:

  • Supabase — authentication, database, and file storage (account, profile, generations metadata)
  • Vercel — application hosting, edge functions, logs, product analytics (Vercel Analytics + Speed Insights — cookieless)
  • Cloudflare R2 — object storage and CDN for generated media
  • ImageKit — image processing and delivery CDN
  • Razorpay — payment processing for Indian and international customers (PCI-DSS compliant)
  • Google Cloud (Gemini, Veo) — AI model inference for selected tools
  • KIE (Kie.ai) — AI model inference for selected tools
  • Google Analytics 4 — site-usage analytics (loaded only after you accept cookies)
  • Microsoft Clarity — session replay and heatmaps for UX research (loaded only after you accept cookies)

This list may be updated from time to time as we add, replace, or remove sub-processors. Material changes will be reflected in this section.

5. Your Rights & Choices

Depending on your location and applicable data protection laws, you have the following rights regarding your personal data:

  • Consent Management: You may grant or withdraw consent for data collection and processing at any time
  • Access & Correction: You may request access to the personal data we hold about you and ask us to correct any inaccuracies
  • Deletion & Anonymization: You may request that we delete or anonymize your personal data, subject to legal retention obligations
  • Restriction & Objection: You may restrict or object to certain types of processing, including direct marketing communications
  • Data Portability: Where technically feasible, you may request a copy of your data in a structured, machine-readable format
  • Third-Party Disclosure: You may restrict the sharing of your data with third parties beyond what is necessary to deliver the Services

Please note that exercising certain rights (such as deletion or withdrawal of consent) may limit our ability to provide the Services effectively.

To exercise any of these rights, please reach out via our contact form.

6. Children's Privacy

Our Services are not designed for or directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13 years of age. Individuals between 13 and 18 years of age should use the Services only under the guidance and supervision of a parent or legal guardian. If we become aware that we have inadvertently collected data from a child under 13, we will take steps to delete it promptly.

7. Cookies & Tracking Technologies

We use cookies and similar technologies (such as local storage and pixel tags) to enhance your experience, analyze usage patterns, remember your preferences, and deliver relevant content. Cookies may be classified as:

  • Essential Cookies: Required for the Platform to function properly (authentication, security, session management)
  • Analytics Cookies: Help us understand how users interact with the Platform so we can improve performance and usability
  • Preference Cookies: Remember your settings and choices for a more personalized experience

You can manage or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.

8. Data Retention

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable law, whichever is longer. When data is no longer needed, we take reasonable steps to securely delete or de-identify it.

You acknowledge and agree that de-identified or aggregated data that can no longer be linked to you may be retained and used by xaltoai without restriction for analytics, research, and service improvement purposes, in accordance with applicable law.

9. Data Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/SSL protocols
  • Access-controlled storage facilities with restricted permissions
  • Regular security assessments and monitoring

However, no method of electronic transmission or storage is entirely secure. While we strive to use commercially reasonable safeguards, we cannot guarantee absolute security. Your use of the Services is at your own discretion and risk. In the event of a security breach, we will take all reasonable steps to mitigate the impact and will endeavor to notify affected users promptly.

10. Updates to This Policy

We reserve the right to modify this Privacy Policy at any time. Changes become effective immediately upon publication on this page. Material changes will be communicated through a prominent notice on the Platform or via email. Your continued use of the Services after any modification constitutes your acceptance of the updated Policy. We encourage you to review this page regularly.

11. Dispute Resolution

Any dispute, claim, or controversy arising out of or relating to this Privacy Policy shall be resolved in accordance with applicable laws through standard legal proceedings. Both parties agree to attempt good-faith negotiation before pursuing formal action.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please reach out to us via our contact form.