Privacy Policy — Xpolicy GmbH

Effective: February 19, 2026

The protection of your personal data is of great importance to us. Below, we inform you about how we process personal data when you use the Xpolicy website and the Xpolicy software.

Table of Contents
  • 1. Data Controller and Contact
  • 2. Type and Scope of Data Processing
  • 2.1 Visiting the Website (xpolicy.de)
  • 2.2 Registration and Use of the Software (app.xpolicy.de)
  • 2.3 Professional Content and Audit Processes (Data Processing on Behalf)
  • 3. Use of AI Services (Azure OpenAI & Speech)
  • 4. Data Transfer and Storage Location
  • 5. Disclosure to Third Parties
  • 6. Retention Period
  • 7. Your Rights
  • 8. Right to Lodge a Complaint

1. Data Controller and Contact

The data controller is:

Xpolicy GmbH
Hetzinger Hof 16
52385 Nideggen
Germany
datenschutz@xpolicy.de

Managing Director: Dr. Stefan Hirschmeier

2. Type and Scope of Data Processing

Depending on whether you visit our website (xpolicy.de) or use the Xpolicy software (app.xpolicy.de), we process personal data to varying extents.

2.1 Visiting the Website (xpolicy.de)

When you access our website, only the technically necessary data is processed in log files (e.g., IP address, browser type, timestamp) in order to display the page securely and reliably.

Cookies

We do not use any analytics or marketing cookies on our marketing website. Only technically necessary cookies are used (e.g., to store your language preference).

Legal basis: Art. 6(1)(f) GDPR in conjunction with § 25(2) TDDDG.

Google Web Fonts

For consistent display, we use Google Web Fonts. In this process, your IP address is transmitted to Google servers. Legal basis: Art. 6(1)(f) GDPR.

For more information, please refer to Google's privacy policy: Google Privacy Policy.

External Resources

We use icons from Font Awesome via a CDN. In this process, your IP address may be transmitted to the CDN provider. Legal basis: Art. 6(1)(f) GDPR.

For more information, please refer to Font Awesome's privacy policy: Font Awesome Privacy Policy.

For the design of our website, we use the CSS framework Tailwind CSS via a CDN. When you access the website, your IP address is transmitted to the CDN provider.
Legal basis: Art. 6(1)(f) GDPR.

2.2 Registration and Use of the Software (app.xpolicy.de)

During registration and use of the Xpolicy software, we process data to create and manage your user account, in particular:

  • First and last name
  • Business email address
  • Organization/employer

Usage Logs

We log basic activities to ensure system operation and prevent misuse (e.g., time of last login, password changes, and technically related error logs).

Cookies & Local Storage

We exclusively use technically necessary session cookies and local storage to manage your login and ensure system security. No tracking for marketing purposes takes place.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

2.3 Professional Content and Audit Processes (Data Processing on Behalf)

Content that you upload or enter in workspaces (e.g., documents, audio streams, audit responses) is processed by Xpolicy as a data processor pursuant to Art. 28 GDPR on behalf of your administrator (e.g., auditor or employer).

Visibility

Xpolicy is a collaborative platform. Your entries and documents are visible to other authorized users within the same workspace (e.g., auditors, consultants) according to their role-based permissions.

Responsibility

Legal decision-making authority over this content lies with the client.

The legal basis for providing the platform is Art. 6(1)(b) GDPR; for processing on behalf, Art. 28 GDPR applies.

3. Use of AI Services (Azure OpenAI & Speech)

Our software uses AI models for analysis and speech recognition.

  • Security: Processing takes place exclusively within our encrypted Azure infrastructure in the West Europe region.
  • No training by infrastructure provider: Your data (texts, documents, audio streams) is not used to train or improve foundation models of third-party providers (e.g., Microsoft or OpenAI).
  • Purpose limitation: Processing exclusively for providing and optimizing the features within the Xpolicy software.
  • Transparency: Audio data for real-time speech models is processed in memory and is not permanently stored by the AI service after transcription.

4. Data Transfer and Storage Location

We use Microsoft Azure infrastructure for hosting.

  • Storage location: West Europe region (Netherlands).
  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Third countries: Microsoft is a US-based provider. We have concluded EU Standard Contractual Clauses to ensure an adequate level of data protection. Theoretical access by US authorities (CLOUD Act) cannot be entirely excluded.

5. Disclosure to Third Parties

Your data is only disclosed to third parties:

  • to subcontractors engaged by us (e.g., hosting providers) who are contractually obligated to maintain confidentiality,
  • due to legal obligations.

6. Retention Period

  • User data: Deleted once the user account is permanently deactivated and no statutory retention obligations apply.
  • Content data: Deleted after termination of the contract with the client in accordance with the periods specified in the Data Act Addendum (typically 30 days after the end of the retrieval period).

7. Your Rights

You have the following rights with respect to us:

  • Access (Art. 15 GDPR): What data do we hold about you?
  • Rectification (Art. 16 GDPR): Correction of inaccurate data.
  • Erasure (Art. 17 GDPR): Deletion of your data.
  • Objection (Art. 21 GDPR): Against processing based on legitimate interest.

Please contact us at: datenschutz@xpolicy.de. As we frequently act as a data processor, we may forward your request to your administrator where applicable.

8. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your data by us.
