XAVVI HOLDINGS — Privacy Policy (Legally Binding)
Last updated: October 2, 2025
1. Scope
This Privacy Policy (the “Policy”) describes how XAVVI HOLDINGS, a California corporation with offices at 801 S FIGUEROA ST STE 500, LOS ANGELES, CA 90017, USA (“Xavvi,” “we,” “us,” or “our”), collects, uses, discloses, and protects information in connection with our websites located at xavvi.com and postiz.xavvi.com, our software and APIs, our self‑hosted Postiz instance, and related services that enable customers to manage social accounts, messaging, advertising, analytics, automations, and AI‑assisted functionality (collectively, the “Services”).
A separate privacy notice may apply to services offered by our European affiliate. This Policy covers Xavvi’s US automation/software Services.
2. Roles and responsibilities
Customer relationship. For data in customer workspaces (including content, media, messages, insights, and advertising data) we act as a processor/service provider to our customer, who is the controller/business and determines the purposes and means of processing. For our own business operations data (account, billing, diagnostics, security logs, marketing), we act as a controller.
If required by law or contract, Xavvi offers a Data Processing Addendum (DPA) that governs processing performed as a processor/service provider. In the event of a conflict between this Policy and a DPA, the DPA controls for processor activities.
3. Definitions
“Personal Data” (or “personal information”) means information that identifies or is reasonably capable of being associated with an identified or identifiable natural person. “Process” means any operation performed on Personal Data. Terms such as controller, processor, business, and service provider have the meanings given in the GDPR and the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”). “Platforms” means third‑party services you choose to connect, including Meta products (Facebook, Instagram, Threads, Messenger, WhatsApp), TikTok, X (Twitter), YouTube/Google, Discord, Telegram, Xiaohongshu/RED, and others we may add.
4. Categories of Personal Data we collect
We collect the following categories (illustrative, not exhaustive):
- Account & workspace data: names, business contact information, login identifiers, roles/permissions, organization details, billing contacts, audit trails and timestamps.
- Connected account identifiers & credentials: Platform account/page/channel IDs; OAuth tokens, refresh tokens, app secrets; scopes, expiry, and webhook subscriptions (encrypted at rest).
- Content & media: drafts, captions, hashtags, thumbnails, schedules, media files (images/video/audio) and derivative/transcoded copies you upload or generate.
- Messaging data: message metadata (sender IDs, timestamps) and—if you enable Inbox/automation—message content for Instagram/Messenger/WhatsApp/TikTok/X/Discord/Telegram, subject to Platform rules (e.g., IG/Messenger 24‑hour windows, WhatsApp templates).
- Advertising & analytics data: ad account/campaign/creative IDs, budgets, targeting, delivery, performance and cost metrics; events and Conversions API data; aggregated reports.
- Technical/telemetry data: device and browser information, IP address and coarse location, Service logs, error diagnostics, security events, and cookie/SDK data.
- Customer‑provided materials: brand assets, datasets, prompts, instructions, and other files you supply for analysis, generation, editing, or automation.
We do not intentionally collect sensitive Personal Data unless you provide it or it appears in content/messages you choose to process. Do not submit special‑category data unless necessary for the Services and permitted by law.
5. Sources of Personal Data
We obtain Personal Data directly from you and your users; from the Platforms you connect and their webhooks; from service providers (e.g., hosting, analytics, email); and from automated collection on our sites and applications.
6. Purposes of processing
We process Personal Data to: (i) authenticate and connect accounts; (ii) provide and secure scheduling/publishing, messaging, moderation, analytics, advertising, approvals, and team features; (iii) operate automations (auto‑reply, routing, moderation, rules, anomaly alerts, best‑time scheduling); (iv) provide AI/ML features you invoke (LLM‑assisted generation/summary/translation/classification; image/audio/video generation or editing; insights); (v) provide reporting and recommendations; (vi) enforce security and compliance (fraud/abuse detection, rate‑limit compliance, credential rotation, logging), and (vii) satisfy legal obligations.
AI and model use
We process customer‑provided data to power AI features at your direction. Unless expressly authorized in writing, we do not use your data to train foundation or frontier AI models. We may fine‑tune customer‑scoped models or rules only for your workspace if you enable such functionality. When we rely on third‑party model providers, we engage them as subprocessors and require contractual commitments prohibiting training/advertising use of your data and requiring appropriate security.
7. Legal bases (EEA/UK)
Where required, our legal bases include: contract (perform our obligations), legitimate interests (security, service improvement with minimal impact), and consent (optional features, certain cookies). We rely on our customers to establish a lawful basis when they are the controller.
8. Disclosure of Personal Data
We disclose Personal Data to: (a) Platforms you connect, to perform your instructions (e.g., publish content, manage messaging, fetch insights, manage ads); (b) service providers/subprocessors (hosting, storage/CDN, monitoring, email delivery, AI processing); (c) affiliates as needed to provide the Services; (d) professional advisors; (e) authorities where required by law; and (f) parties to a business transfer (e.g., merger or asset sale). We maintain a current list of subprocessors at https://xavvi.com/subprocessors.
We do not “sell” or “share” Personal Data as those terms are defined by the CCPA/CPRA, and we do not use or disclose sensitive Personal Data for the purpose of inferring characteristics.
9. International data transfers
Primary processing occurs in the United States. Where Personal Data is transferred internationally, we rely on lawful transfer mechanisms (e.g., Standard Contractual Clauses, UK IDTA/UK Addendum) and implement appropriate safeguards.
10. Retention
Unless a different period is specified in an Order, DPA, or workspace setting, we retain: (i) tokens/IDs for as long as the connection remains active (rotated and encrypted; promptly revoked upon disconnect); (ii) media/drafts for 180 days after publish or deletion; (iii) message content (if stored) for 30 days rolling history (metadata may persist longer for audit/security); (iv) logs/audit for 12 months; and (v) backups within a rolling cycle not to exceed 35 days. We may retain limited records as required by law or to establish/defend legal claims.
11. Security
We implement administrative, technical, and physical safeguards, including TLS in transit; encryption at rest for tokens/secrets and stored media; network segmentation; least‑privilege access and periodic access reviews; SSO/MFA for staff; signed webhooks; monitoring and incident response. No method of transmission or storage is 100% secure.
12. Your rights and choices
You may disconnect channels, delete drafts/assets/messages, and export reports using in‑product tools. You may request access, correction, deletion, restriction, or portability by emailing privacy@xavvi.com. We respond within 30 days (or within statutory timeframes) and may require reasonable verification.
California disclosures
We provide the disclosures required by the CCPA/CPRA. We do not sell or share Personal Data for cross‑context behavioral advertising. California residents may exercise rights to access, correction, and deletion by contacting privacy@xavvi.com. We do not knowingly process children’s Personal Data.
EEA/UK disclosures
If you are in the EEA/UK, you have rights under the GDPR, including to lodge a complaint with your supervisory authority. We have not appointed an EU/UK representative; contact privacy@xavvi.com for EU/UK privacy requests.
13. Cookies and similar technologies
We use strictly necessary cookies for authentication and security. With notice/consent where required, we may use analytics and error‑monitoring SDKs. See our Cookies Notice for details and choices.
14. Automated decision‑making
The Services provide automation and recommendations, but we do not engage in solely automated processing that produces legal or similarly significant effects without human involvement.
15. Platform addendum (comprehensive)
This Policy applies to all official APIs and features we enable for the following Platforms. We request the minimum scopes necessary and use data solely to provide the features you choose.
Meta (Facebook, Instagram, Threads, Messenger, WhatsApp)
APIs may include Graph (Pages, Instagram Graph, Business Manager/Assets), Threads API, Messenger Platform (including Handover), WhatsApp Business (Cloud/On‑Prem), Marketing/Ads, Conversions API, Catalog/Commerce, Audience Network, and Webhooks. We comply with messaging windows/tags (e.g., IG/Messenger 24‑hour rules), WhatsApp template/opt‑in policies, and Meta’s platform terms (including Data Use Checkup). We provide User Data Deletion via instructions and, where implemented, a callback (see §16).
TikTok
APIs may include Content Posting (Direct Post), Login Kit, Marketing API/Business Center, Commercial Content Library, Comment/Inbox, Live, and Webhooks. We follow Direct Post UX and posting‑cap guidance and use data to publish, manage messaging (if enabled), and analyze performance.
X (Twitter)
APIs include v2 read/write/media and Ads API. We do not use X content to train or fine‑tune foundation/frontier AI models and do not scrape outside official APIs.
YouTube / Google
APIs include Data API v3, Analytics, and Live Streaming. We comply with the Google API Services User Data Policy (Limited Use): we use Google user data only to provide/improve requested features; we do not transfer it to third parties for advertising; and human access occurs only for security/compliance/support, with consent, or as required by law.
Discord
APIs include OAuth2, Bot, Interactions, Gateway (with privileged message content intent only if approved and necessary), and Webhooks. Message content is processed only for enabled features and retained minimally.
Telegram
APIs include Bot, Webhooks, and optional Login/Widgets. Bot privacy controls are respected unless you configure otherwise.
Xiaohongshu / RED
Where official or partner APIs are available, we use them for posting/analytics you enable and comply with regional law.
16. Meta user data deletion
You may disconnect in‑app or from Meta settings. You may submit a deletion request via https://xavvi.com/meta-data-deletion. If we implement a callback endpoint (e.g., https://api.xavvi.com/meta/data-deletion), Meta may send a signed request which we verify before deleting/pseudonymizing relevant Platform Data and issuing a receipt.
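As an added illustration of the verification step described in §16 (example code, not Xavvi's own implementation): Meta's data deletion callback posts a signed_request of the form base64url(signature).base64url(JSON payload), where the signature is HMAC‑SHA256 over the encoded payload under the app secret, and expects a JSON receipt carrying a url and a confirmation_code. The app secret, status URL and in‑memory store below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for this example; a real deployment reads the secret from a secret store.
APP_SECRET = b"example-app-secret-not-real"
STATUS_URL = "https://example.invalid/meta-data-deletion/status"  # assumed status page

def _b64url_decode(s: str) -> bytes:
    # Meta's signed_request uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def verify_signed_request(signed_request: str, app_secret: bytes):
    """Return the decoded payload if the HMAC-SHA256 signature checks out, else None."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        expected = hmac.new(app_secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so timing does not reveal how many signature bytes matched.
        if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad split, bad base64, bad JSON, or non-ASCII input
        return None
    if not isinstance(payload, dict) or "user_id" not in payload:
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    return payload

def handle_deletion_request(signed_request: str, store: dict):
    """Verify the request, delete that user's Platform Data from `store`, and return the receipt."""
    payload = verify_signed_request(signed_request, APP_SECRET)
    if payload is None:
        return None  # reject unsigned, tampered, or malformed requests before touching any data
    store.pop(f"meta_user_{payload['user_id']}", None)  # no-op if already disconnected
    code = secrets.token_hex(8)  # confirmation code the requester can use to check status
    return {"url": f"{STATUS_URL}?id={code}", "confirmation_code": code}

def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Build a signed_request the way Meta does (constructed here only to exercise verification)."""
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{payload_b64}"
```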
17. Changes
We may modify this Policy; the “Last updated” date will change. Material changes will be communicated to administrators where required.
Contact. Privacy: privacy@xavvi.com · Security: security@xavvi.com · Address: 801 S FIGUEROA ST STE 500, LOS ANGELES, CA 90017, USA