Privacy Policy
Xpander, Inc., including our subsidiaries and affiliates (collectively “xpander”, “we”, “our” or “us”), develops and operates an Agentic Interface, an innovative API-like solution (the “Platform”) designed to help companies and individuals (our “Customers”) facilitate seamless communication between AI tools and diverse systems and software programs.
Our solution provides a wide range of configurations, supported by two main services: 1. Managed Runtime Solutions, where xpander controls and operates the runtime environment on behalf of the Customer. 2. Unmanaged Runtime Solutions, where the Customer controls and operates the runtime environment.
Please note: This Privacy Policy does not apply to Unmanaged Runtime Solutions when two conditions are simultaneously met: an AI Service Provider other than xpander is used, and private connectors are being utilized. In such cases the Customer is the Controller for all processing activities.
This Privacy Policy describes how we collect, store, use and disclose personal data of:
- Users who are registered to xpander’s Platform.
- Representatives who interact with us as the business contacts of our Customers.
- Prospects who visit our website at https://www.xpander.ai (the “Website”), interact with our online ads and content, surveys, emails or other communications under our control or (collectively with the Platform, the “Services”) or any other representative of a prospective customer (collectively – “you” or “your”).
Privacy is important to us, and we are strongly committed to transparency and fairness in our data processing activities. Please read this Privacy Policy carefully and make sure that you fully understand and agree to our practices.
You are not legally required to provide us with any personal data, and may do so (or avoid doing so) at your own free will.
If you do not wish to provide us with your personal data, or to have it processed by us, please avoid any interaction with us or with our Services, or submit a request to exercise your rights as further explained in Section 9 below but please keep in mind that limiting our processing may also result in us not being able to provide you the ability to use our Services, or with the best user experience when using our Services.
Specifically, this Privacy Policy describes our practices regarding –
- Data Collection
- Data Uses & Business Purposes
- Data Location
- Data Retention
- Data Disclosure
- Cookies and Tracking Technologies
- Communications
- Data Security
- Data Subject Rights
- Additional Information and Contact Details
- Data Collection
When we use the terms “personal data” or “personal information” in this Privacy Policy, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. It does not include aggregated or anonymized information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.
We may collect or generate the following types of personal data about you:
Usage and device information: Connectivity, technical and usage data, such as IP addresses and approximate general locations derived from such IP addresses, device and application data (like type, operating system, mobile device or app id, browser version, location and language settings used); system logs of actions and events attributed to those IP addresses, devices and applications; the relevant cookies and pixels installed or utilized on your device; and the recorded activity (sessions, clicks, use of features, logged activities and other interactions) of Prospects and Users in connection with our Services. We collect and generate this information automatically, including through the use of analytics and system monitoring tools (including cookies and pixels) – which collect data such as: how often Prospects visit or use the Website, which pages they visit and when, which website, ad or email message brought them there, how Users interact with and use the Platform and its various features, and technical data concerning the performance, functionality and stability of the Platform.
Content Data: Interactions with the Platform or resulting APIs. This includes prompts or Platform responses, which may include text, files and documents, photos and images, other materials and associated metadata and information or any other content that was inserted to the chat interface or API.
User Account data: personal data collected for Users’ registration to the Platform, including full name, contact information and password.
Business Details Information: including your contact details, position and workplace, contractual and billing details.
Direct interactions and communications with us: personal data contained in any forms and inquiries that you may submit to us, including form submissions, emails, and chats with us, recordings and transcripts of your calls (e.g., for customer service, feedback and support).
We may obtain the categories of personal information listed above from the following categories of sources:
- Directly from you: You may provide us with personal data when you choose to use our Services, request information from us or contact us for any other reason, including via email or through your interactions with the Platform.
- Data automatically collected or generated: When you interact with or use our Services, we may collect certain technical data about your device (such as your operating system, IP address, device identifier, browsing history, etc.) We collect or generate such data either independently or with the help of our Service Providers (as detailed in Section 5 below), including through the use of “cookies” and other tracking technologies (as further detailed in Section 6 below).
- Data received from third party services: Our Services may be used in connection with third party services, sites, and mobile applications. If you use our Services with or through such third parties, we may receive personal data about you from such third parties. Please note that when you directly engage with such third-party services, sites and mobile applications, any aspect of that engagement that is not directly related to the Services and directed by xpander is beyond the scope of xpander’s Terms of Use and this Privacy Policy, and their own terms and privacy policies will govern your use of those services.
For the purposes of the California Consumer Privacy Act (“CCPA”), in the last 12 months, we may have collected the following categories of Personal Information, as defined in the CCPA: identifiers; customer record information; internet or other electronic network activity information; professional or employment-related information; commercial information; and inferences.
- Data Uses
We use your personal data as described in Section 1 as necessary for the performance of our Services (“Performance of a Contract”); to comply with our legal and contractual obligations (“Legal Obligations”); and to support our legitimate interests in maintaining and improving our Services (“Legitimate Interests”).
If you reside or are using the Services in a territory governed by privacy laws which determine that “consent” is the only or most appropriate legal basis for the processing of Personal Data as described in this Privacy Policy (either in general, based on the types of personal data you expect or elect to process or have processed by us or via the Service, or due to the nature of such processing) (“Consent”), your acceptance of our Terms of Service and of this Privacy Policy will be deemed as your consent to the processing of your personal data for all purposes detailed in this Privacy Policy, unless the applicable law requires a different form of consent. If you wish to withdraw such consent, please contact us at privacy@xpander.ai.
Specifically, we collect and use personal data for the following purposes (and in reliance on the legal bases for processing noted next to them, as appropriate):
Purpose | Legal basis for processing |
Users and Prospects personal data | |
To facilitate, operate, enhance, and provide usage of our Services. | Performance of a ContractLegitimate InterestsConsent |
To provide you with assistance and support. | Performance of a ContractLegitimate Interests |
To develop, customize and improve the Services and our Users’ and Prospects’ experience, based on common or personal preferences, experiences, difficulties and feedback. | Performance of a Contract Legitimate InterestsConsent |
Users personal data | |
To authenticate the identity of our Users, and to allow them to access and use our Services. | Performance of a ContractLegitimate Interests |
Individual Users only: to train and refine our AI models. This purpose refers strictly to individual Users and Prospects. We do not train on personal data of Users and Prospects who are using our Platform on behalf of a corporate Customer. | Legitimate Interests |
Users, Representatives and Prospects personal data | |
To contact you with general or personalized service-related messages (such as password-retrieval or billing); or with promotional messages (such as newsletters, special offers, new features etc.); and to facilitate, sponsor and offer certain events and promotions. | Performance of a Contract Legitimate Interests Consent |
To support and enhance our data security measures, including for the purposes of preventing and mitigating the risks of fraud, error or any illegal or prohibited activity. | Performance of a ContactLegitimate InterestsLegal Obligations |
To create aggregated statistical data, inferred non-personal data or anonymized or pseudonymized data (rendered non-personal), which we or our business partners may use to provide and improve our respective services or for any other business purpose. | Legitimate Interests |
To facilitate and optimize our marketing campaigns, ad management and sales operations, and to manage and deliver advertisements for our Services more effectively, including on other websites and applications. Such activities allow us to highlight the benefits of using our Services, and thereby to increase your engagement and overall satisfaction with our Services. | ConsentLegitimate Interests |
To comply with our contractual and legal obligations and requirements, and maintain our compliance with applicable laws, regulations and standards | Performance of a ContractLegitimate InterestsLegal Obligations |
For any other lawful purpose, or other purpose that you consent to in connection with provisioning our Services | Legal ObligationsConsent |
- Data Location
We and our authorized Service Providers (defined below) maintain, store and process personal data in Israel, the European Union, USA, and other locations as reasonably necessary for the proper performance and delivery of our Services, or as may be required by law.
xpander is headquartered in Israel, a jurisdiction which is considered by the European Commission, the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner, to be offering an adequate level of protection for personal data of individuals residing in EU Member States, the UK and Switzerland, respectively. We transfer data from the EEA, the UK and Switzerland to Israel on this basis.
While privacy laws may vary between jurisdictions, xpander and its affiliates and Service Providers are each committed to protect personal data in accordance with this Privacy Policy, customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction from which such data originated. For data transfers from the EU, the UK, or Switzerland to countries that are not considered to be offering an adequate level of data protection by the relevant data protection authority, we and the relevant data exporters and importers enter into Standard Contractual Clauses (“SCC”), you can obtain a copy by contacting us as indicated in Section 11 below.
- Data Retention
We may retain your personal data for as long as it is reasonably necessary to provide you with the ability to use our Services and offerings and to maintain and expand our relationship; to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (e.g. as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with applicable laws and regulations.
If you have any questions about our data retention policy, please contact us at: privacy@xpander.ai.
- Data Disclosure
We may disclose your personal data in the following instances:
Service Providers: we may engage selected business partners, third-party companies and individuals, affiliates, subcontractor and sub-processors (collectively “Service Providers”) to perform services complementary to our own (e.g., payment processing, IT and system administration services, data backup, security and storage services, data analytics, marketing etc.).
As part of our Services, Customers can choose a Large Language Model (LLM) from our list of supported AI Service Providers. The processing of personal data by AI Service Providers is governed by their respective privacy policies. We encourage you to review the privacy policies of the AI Service Providers used in connection with our Services. Please be aware that we are not responsible for the privacy practices of any AI Service Providers, including those we offer or those selected for use with our Services.
Our Service Providers may have access to some or all of your personal data processed by us, depending on each of their specific roles and purposes in facilitating and enhancing our Services, and may only use it for such purposes.
Protecting Rights and Safety: we may share your personal data with others if we believe in good faith that this will help protect the rights, property or personal safety of xpander, any of our Users, Prospects, Representatives or any members of the general public.
Third-Party Websites and Services: our Services may include links to third-party websites, and integrations with third-party services. Such websites and third-party services, and any information you process, submit, transmit or otherwise use with such websites and third-party services, are beyond the scope of xpander’s Terms of Service and Privacy Policy and will therefore be governed by such third-party’s terms and privacy practices and policies, and not by this Privacy Policy. We encourage you to carefully read the terms and privacy policies of such websites and third-party services.
Legal Compliance: in exceptional circumstances, we may disclose or allow government and law enforcement officials access to your personal data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations, with or without notice to you. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect our legitimate business interests, including the security or integrity of our products and Services.
xpander Subsidiaries and Affiliated Companies; Change of Control: We may share personal data internally within our group companies, for the purposes described in this Privacy Policy. In addition, should xpander or any of its affiliates undergo any change in control or ownership, including by means of merger, acquisition or purchase of its assets, or will be found eligible for a governmental grant, your personal data may be shared (to the extent necessary and customary) with the parties involved in such an event. If we believe that such event might materially affect your personal data then stored with us, we will notify you of this event and the choices you may have via e-mail or prominent notice on our Services.
Additional Sharing: we may share your personal data in additional manners, pursuant to your request or explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal, non-identifiable and anonymous. We may transfer, share or otherwise use non-personal and non-identifiable data at our sole discretion and without the need for further approval.
When we disclose personal data for a purpose listed above, we enter into a contract that describes the purpose and requires the recipient to both keep that personal data confidential and not use it for any purpose except performing the contract.
- Cookies and Tracking Technologies
Our Services utilize “cookies”, anonymous identifiers, pixels, container tags and other technologies in order to provide and monitor our Services, to ensure that they perform properly, to analyze our performance and marketing activities, and to personalize your experience. Such cookies and similar files or tags may also be temporarily placed on your device. Certain cookies and other technologies serve to recall personal data, such as an IP address, as indicated by you.Under some data protection laws, like the CCPA and other US state privacy laws, our disclosure of this data to third parties for targeted advertising may considered as a “sale” or “sharing” of personal information.
We use web analytics tools, including Google Analytics, which help us understand Prospects’ behavior on our Website. Further information about Google Analytics’ privacy practices is available at: www.google.com/policies/privacy/partners. Further information about your option to opt-out of these analytics services is available at: https://tools.google.com/dlpage/gaoptout.
Please note that we do not change our practices in response to a “Do Not Track” signal in the HTTP header from a browser or mobile application, however, most browsers allow you to control cookies, including whether or not to accept them and how to remove them. You may set most browsers to notify you if you receive a cookie, or to block or remove cookies altogether.
For more information about the type of cookies we use and how to exercise your right to opt out of such data selling or sharing please visit our Cookie Policy.
- Communications
We engage in service and promotional communications, through social media, e-mail, phone, surveys, SMS and notifications.
Service Communications: we may contact you with important information regarding our Services. For example, we may send you notifications to inform you of changes or updates to our Services, billing issues, etc. You can control your communications and notifications in accordance with the instructions included in the communications sent to you. Please note that you will not be able to opt-out of receiving certain service communications which are integral to your use of the Services.
Notifications and Promotional Communications: we may send you messages and notifications about new features, surveys, offerings, events and special opportunities, and any other information we think you will find valuable. We may provide such notices through any of the contact means available to us (e.g., SMS, mobile notifications or e-mail), through the Services, or through our marketing campaigns on any other sites or platforms. Furthermore, we may send you promotions and marketing materials about our other services and products.
If you wish not to receive such promotional communications via notifications or e-mail, you may notify xpander at any time by e-mailing us at privacy@xpander.ai or by following the “unsubscribe”, “stop” or “change e-mail preferences” instructions contained in the promotional communications you receive.
- Data Security
In order to protect your personal data held with us and our Service Providers, We and our Service Providers implement systems, applications and procedures to secure your personal data, to minimize the risks of theft, damage, loss of information, or unauthorized access or use of information. These measures provide sound industry-standard security, however, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any personal data stored with us or with any third parties.
- Data Subject Rights
Under certain laws, including the EU or UK General Data Protection Regulation (GDPR), the CCPA and the Israeli Protection of Privacy Law, individuals have rights regarding their personal data. These rights include – each to the extent applicable to you – the right to request information about or request access to your personal data, or to request its correction, portability or erasure. You may also have the right to restrict or object to the processing of your personal data. Under some regulatory frameworks you may also have the right to lodge a complaint with the relevant supervisory authority.
We will not charge a fee to process or respond to your verifiable privacy request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Alternatively, we may refuse to comply with your request in such circumstances.
To the extent applicable to you, you may also designate an authorized agent, in writing or through a power of attorney, to request to exercise your privacy rights on your behalf. The authorized agent may submit a request to exercise these rights by emailing us.
Please note that when you or an authorized agent ask us to exercise any of your rights under this policy or applicable law, we may need to ask you to provide us with certain credentials to make sure that you are who you claim you are, to avoid disclosure to you of personal data related to others and to ask you to provide further information to better understand the nature and scope of data regarding which you request to exercise your rights. Such additional data may be then retained by us for legal, compliance and auditing purposes (e.g., as proof of the identity of the person submitting the request or proof of request fulfillment). We will not fulfill your request unless you have provided sufficient information that enables us to reasonably verify that you are the individual about whom we collected the personal data.
We may redact from the data that we will make available to the requesting data subject any personal data related to others.
Please also note that if you request deletion of your personal data, we may deny your request or may retain certain elements of your personal data if it is necessary for us or our Service Providers. We will provide details of our reasoning to you in our correspondence on the matter.
Each right may be executed to the extent available to you under the laws which apply to you and is subject to various exclusions and exceptions under applicable laws.
Please contact us by e-mail at: privacy@xpander.ai if you wish to exercise your privacy rights.
- Data Controller/Processor
Certain data protection laws and regulations, such as the EU GDPR, UK GDPR, and CCPA, typically distinguish between two main roles for parties processing personal data: the “data controller” (or under the CCPA, “business”), who determines the purposes and means of processing; and the “data processor” (or under the CCPA, “service provider”), who processes the data on behalf of the data controller (or business). Below we explain how these roles apply to our Services, to the extent that such laws and regulations apply.
xpander is the “data controller” of Users’, Prospects’ and Representatives’ personal data. With respect to such data, we assume the responsibilities of data controller (to the extent applicable under law), as set forth in this Privacy Policy. In such instances, our service providers processing such data will assume the role of “data processor”.
- Requirements under US State Privacy Laws
This Privacy Policy describes the categories of personal information we may collect and the sources of such information (in Section 1 above), and our retention (Section 4) and deletion (Section 9) practices. We also included information about how we may process your information (in Sections 1 through 8), which includes “business purposes” under the CCPA and similar state laws, as applicable. We do not use or disclose sensitive personal information outside of the purposes allowed by applicable laws. We may disclose personal data to third parties or allow them to collect personal data from our Services as described in Sections 5 and 6 above, if those third parties are our authorized Service Providers who have agreed to our contractual limitations as to their retention, use, and disclosure of such personal data, or if you direct us to disclose your personal data to third parties, or as otherwise described in Section 5 above. You may also designate an authorized agent, in writing or through a power of attorney, to request to exercise your privacy rights on your behalf. The authorized agent may submit a request to exercise these rights by emailing us. We will not discriminate against you by withholding our Services from you or providing a lower quality of service to you for requesting to exercise your rights under the law.
If you have any questions or would like to exercise your rights under any applicable US State privacy laws, you can contact privacy@xpander.ai.
- Additional Information and Contact Details
Updates and amendments: we may update and amend this Privacy Policy from time to time by posting an amended version on our Services. The amended version will be effective as of the date it is published. We will provide prior notice if we believe any substantial changes are involved via any of the communication means available to us or via Services. After such notice period, all amendments shall be deemed accepted by you.
External links: while our Services may contain links to other websites or services, we are not responsible for their privacy practices, and encourage you to pay attention and to read the privacy policies of each and every website and service you visit. This Privacy Policy applies only to our Services.
Our Services are not designed to attract children under the age of 16: we do not knowingly collect personal data from children and do not wish to do so. If we learn that a child is using the Services, we will attempt to prohibit and block such use and to promptly delete any personal data stored with us which we deem to relate to such child. If you believe that we might have any such data, please contact us at privacy@xpander.ai.
Questions, Concerns or Complaints: if you have any comments or questions regarding our Privacy Policy, or if you have any concerns regarding your personal data held with us, or if you wish to make a complaint about how your personal data is being processed by xpander, you can contact us at privacy@xpander.ai.
Last updated: September 8th, 2024