Privacy Policy

Xatask is operated by Xatask OÜ.

For privacy-related questions, requests or concerns, you can contact us at: Email: xatask@xatask.com

Depending on the context, Xatask may act either as a data controller or as a data processor.

We act as a data controller when we determine how and why personal data is processed, for example when managing user accounts, billing, website communications, support requests, product updates and business communications.

We act as a data processor when we process customer content, uploaded sources, conversation data or end-user data on behalf of our business customers, according to their instructions and platform configuration.

This Privacy Policy applies to personal data processed through:

• The Xatask website.
• The Xatask platform and dashboard.
• AI assistants, agents and embedded widgets created through Xatask.
• Uploaded sources, knowledge bases and training materials.
• Conversations between end users and AI assistants.
• Support tickets, contact forms and email communications.
• Integrations such as WhatsApp / Meta, Slack, Stripe, webhooks and other third-party services connected by customers.

This Privacy Policy does not apply to third-party websites, platforms or services that are not controlled by Xatask, even if they are linked to or integrated with our platform. Those services may have their own privacy policies and terms.

We collect different categories of personal data depending on how you interact with Xatask.

We use personal data to provide, operate, maintain and improve Xatask. This includes using data for the following purposes:

• Creating and managing user accounts.
• Providing access to workspaces and dashboards.
• Creating, configuring and deploying AI assistants.
• Processing uploaded sources and customer content.
• Generating AI responses and conversation history.
• Supporting customer-selected integrations.
• Managing subscriptions, billing and payments.
• Responding to support requests and customer inquiries.
• Sending product updates, onboarding messages and commercial communications.
• Sending important service, security, account and billing notifications.
• Preventing spam, abuse, fraud and unauthorized access.
• Monitoring performance, debugging errors and improving reliability.
• Complying with legal, tax, accounting and regulatory obligations.

We do not sell personal data.

Where the GDPR or similar data protection laws apply, we process personal data based on one or more legal bases.

We may process personal data because it is necessary to perform a contract with you, such as providing access to the Xatask platform, managing your account, processing subscriptions and delivering the services you request.

We may process personal data based on our legitimate interests, such as securing the platform, preventing abuse, responding to business inquiries, improving reliability, managing customer relationships and maintaining service performance.

We may process personal data based on consent where required, such as for optional marketing communications or non-essential cookies if introduced in the future.

We may process personal data to comply with legal obligations, including tax, accounting, security, legal or regulatory requirements.

When Xatask processes Customer Content, Conversation Data or end-user data on behalf of a business customer, we generally act as a processor and process such data according to the customer's instructions.

Xatask allows customers to upload or connect content that may be used to configure AI assistants. Customers control the content they provide and are responsible for ensuring that they have the necessary rights and legal basis to use that content with Xatask.

AI assistants may process messages from end users and generate responses based on customer configuration, uploaded sources, selected model providers and available platform settings.

Conversation data may be retained for a limited period depending on the customer's plan, workspace settings, account status or platform configuration. Where available, customers may be able to download, delete or manage conversation data through Xatask features.

Some data may remain in backups, logs or security records for a limited period where necessary for security, debugging, compliance or disaster recovery.

Xatask does not use Customer Content or Conversation Data to train generalized AI models unless this is separately agreed with the customer.

Xatask may use third-party AI model providers to provide AI-related functionality, including response generation, embeddings, text analysis, retrieval and other AI features.

Supported or integrated providers may include:

• OpenAI.
• Anthropic.
• Meta.
• xAI / Grok.

The provider used may depend on the customer's selected model, plan, workspace settings or feature configuration.

To provide AI functionality, Xatask may send prompts, retrieved context, customer content, conversation messages and related metadata to the selected AI provider. This processing is performed only as necessary to deliver the AI features requested by the customer.

Customers should avoid uploading unnecessary sensitive personal data unless they have a lawful basis and appropriate safeguards.

AI-generated responses may be inaccurate, incomplete or unsuitable for certain high-impact contexts. Customers are responsible for reviewing AI outputs and implementing appropriate human oversight where necessary.

Xatask may allow customers to connect external services and integrations, including:

• WhatsApp / Meta.
• Slack.
• Stripe.
• Webhooks.
• Embedded website widgets.
• Other third-party tools or channels enabled by the customer.

When a customer enables an integration, Xatask may process data received from or sent to that integration. The customer is responsible for configuring integrations lawfully and ensuring that their use complies with applicable laws and third-party platform terms.

Third-party services may process personal data under their own privacy policies and terms. Xatask is not responsible for independent processing carried out by third-party services outside our control.

Payments and subscriptions may be processed through Stripe.

When Stripe processes payments, Stripe may collect and process payment information according to its own privacy policy and terms. Xatask may receive limited billing-related information, such as subscription status, invoice references, plan information, customer identifiers and billing email.

Billing data may be retained as necessary for tax, accounting, legal and compliance purposes.

Xatask may use cookies and similar technologies to operate the website and platform, maintain sessions, support authentication, improve security and remember preferences.

Xatask does not currently use external analytics tools such as Google Analytics, Meta Pixel, Hotjar or similar third-party analytics services.

If Xatask introduces optional analytics, advertising or marketing cookies in the future, we will update our cookie practices and request consent where required by applicable law.

For more information, please review our Cookie Policy.

Xatask may send service-related communications, including account notices, security alerts, billing messages, support replies and important platform updates. These communications are necessary for the operation of the service and cannot always be opted out of.

Xatask may also send commercial communications, product updates, onboarding messages, feature announcements or educational content. Users may unsubscribe from marketing communications by using the unsubscribe link provided in the email or by contacting us.

Even if you unsubscribe from marketing messages, we may still send transactional or service-related communications where necessary.

We may share personal data with trusted service providers and partners that help us operate, secure and deliver Xatask.

These may include:

• Hosting and infrastructure providers.
• Database, storage and monitoring providers.
• AI model providers such as OpenAI, Anthropic, Meta and xAI / Grok.
• Payment providers such as Stripe.
• Email and communication providers.
• Customer support tools.
• Security, logging and error monitoring providers.
• Integration providers enabled by customers.
• Professional advisers, such as legal, accounting or compliance advisers.
• Authorities or regulators where legally required.

We only share personal data where necessary to provide the service, comply with legal obligations, protect the platform, support integrations or fulfill customer instructions.

We do not sell personal data.

Xatask may process or transfer personal data outside the European Economic Area where necessary to use global infrastructure, AI providers, payment processors or other service providers.

Where required by applicable law, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses or other lawful transfer mechanisms.

Customers should review the terms and privacy practices of any AI providers or integrations they choose to enable.

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Account data is generally retained while the account remains active and for a reasonable period afterward where needed for legal, security, billing or operational purposes.

Customer Content is retained while the workspace or account remains active unless deleted earlier by the customer or according to platform settings.

Conversation Data may be retained for a limited period depending on the customer's plan, workspace settings or platform configuration. Where available, customers may download, delete or manage conversation history through Xatask features.

Billing data may be retained for tax, accounting and legal compliance purposes.

Support records may be retained for as long as necessary to resolve issues, maintain business records and improve support operations.

Deleted data may remain in backups for a limited period before being overwritten or permanently removed.

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration or disclosure.

These measures may include access controls, encryption in transit, secure infrastructure, authentication, logging, monitoring, backups and restricted internal access.

However, no system can be guaranteed to be completely secure. Customers are responsible for protecting their account credentials, API keys, workspace access, integrations and user permissions.

If we become aware of a security incident affecting personal data, we will take appropriate steps in accordance with applicable legal obligations.

Business customers are responsible for how they use Xatask and for the data they upload, connect or process through the platform.

Customers are responsible for:

• Ensuring they have a lawful basis to process and upload personal data.
• Providing privacy notices to their own users where required.
• Configuring AI assistants and integrations lawfully.
• Managing workspace users, roles and permissions.
• Avoiding unnecessary sensitive personal data.
• Reviewing AI outputs where appropriate.
• Responding to end-user privacy requests where they act as controller.
• Complying with applicable laws for their own websites, users and business activities.

Depending on your location and applicable data protection laws, you may have certain rights regarding your personal data.

These rights may include:

• The right to access your personal data.
• The right to correct inaccurate data.
• The right to request deletion of your data.
• The right to restrict processing.
• The right to object to processing.
• The right to data portability.
• The right to withdraw consent where processing is based on consent.
• The right to lodge a complaint with a data protection authority.

If Xatask processes your data as a processor on behalf of a business customer, we may need to forward your request to that customer or assist the customer in responding.

To exercise your rights, contact us at xatask@xatask.com.

Where Xatask processes Customer Content, Conversation Data or end-user data on behalf of a business customer, Xatask may act as a data processor and the customer may act as data controller.

Where required, Xatask may provide or enter into a Data Processing Agreement with business customers.

A Data Processing Agreement may cover processing instructions, confidentiality, subprocessors, security measures, international transfers, assistance with privacy requests, deletion or return of data and other processor-related obligations.

If a Data Processing Agreement applies, it may take precedence over this Privacy Policy for processor-related matters.

Xatask may use subprocessors to provide infrastructure, AI processing, payments, email delivery, storage, monitoring, support and integrations.

Subprocessors may include AI providers, infrastructure providers, payment processors, communication providers and other service providers necessary to operate the platform.

Xatask remains responsible for selecting service providers that support appropriate confidentiality, security and data protection commitments.

Xatask may provide additional information about subprocessors upon request or through a dedicated subprocessor list in the future.

Xatask is intended for business and professional users aged 18 or older.

We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected personal data from someone under 18, we will take appropriate steps to delete it where required.

Customers must not intentionally use Xatask to collect personal data from children unless they have a lawful basis and appropriate safeguards.

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, security practices or data processing activities.

When we update this Privacy Policy, we will revise the "Last updated" date. If changes are material, we may notify users by email, platform notice or website notice where appropriate.

Your continued use of Xatask after an updated Privacy Policy becomes effective means that the updated policy applies, where permitted by law.

If you have any questions about this Privacy Policy, how Xatask handles personal data, or if you wish to exercise your privacy rights, you can contact us at:

Xatask OÜ — Email: xatask@xatask.com