Privacy Policy
Last updated: March 26, 2026
Introduction
This Privacy Policy explains how XSEE ("we," "us") collects, uses, discloses, and protects information when you use our website, products, and services (collectively, the "Service").
By using the Service, you agree to this policy. If you do not agree, please do not use the Service.
Data We Collect
Account Information
- Name, email address, and company name
- Billing details processed securely by our payment partner Paddle (we do not store full card numbers)
Usage Data
- Scan results, feature usage, and product analytics
- Technical logs (e.g. IP, user agent) for security and reliability
AWS Scan Data
- Asset metadata, IAM structure, and network topology as observed via read-only access
- Attack-path analysis outputs derived from that metadata
How We Use Data
We use information to:
- Provide, operate, and improve the Service
- Authenticate users, prevent fraud, and secure our platform
- Communicate about the Service, billing, and policy updates
- Comply with legal obligations and enforce our terms
AI Processing
When you use AI-powered features, structured security metadata from your scan (attack paths, validation results, asset types, risk scores) is sent to Anthropic's Claude API to generate explanations and summaries. This data does not include raw file contents, database records, passwords, or credentials. Anthropic's privacy policy applies to data processed through their API. We do not use your data to train AI models.
Legal Basis (EEA/UK)
Where GDPR or UK GDPR applies, we rely on appropriate bases such as: performance of a contract, legitimate interests (e.g. securing the Service, product improvement, provided we balance your rights), consent where required, and legal obligation.
Data Sharing & Processors
We share data only with:
- Payment processing: Paddle (merchant of record) for subscriptions, invoicing, and tax compliance as applicable.
- Infrastructure providers: e.g. cloud hosting and database services under strict agreements.
- Professional advisors or authorities when required by law or to protect rights and safety.
International Transfers
We may process data in the United States and other countries where we or our subprocessors operate. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers from the EEA, UK, or Switzerland.
Your Rights
Depending on your location, you may have rights to access, correct, delete, export, or restrict processing of your personal data, and to object to certain processing or withdraw consent where processing is consent-based.
To exercise rights, contact sales@xsee.io. You may also lodge a complaint with your local supervisory authority.
Retention
We retain personal data as long as needed to provide the Service, meet legal, tax, and accounting requirements, and resolve disputes. Scan-related outputs are retained according to your plan and account settings, and as described at account closure.
Security
We implement technical and organizational measures designed to protect data, including encryption in transit, access controls, and organizational isolation. See our Security page for an overview.
Cookies & Similar Technologies
We use cookies and similar technologies for essential site operation, preferences, analytics, and (where applicable) security. You can control cookies through your browser settings; some features may not work if essential cookies are disabled.
Children
The Service is not directed to children under 16 (or the age required in your jurisdiction). We do not knowingly collect personal data from children. Contact us if you believe we have done so in error.
Contact
Privacy inquiries: sales@xsee.io
For payment data handled by Paddle, you may also exercise rights through Paddle as described in their privacy policy and your checkout experience.