Privacy Policy
Your data, handled responsibly.
Plain English explanation of what we collect, who it goes to, and how long we keep it.
TL;DR. GoXylo is operated by NCLAY Compute, Inc., a Delaware corporation. We collect what we need to run your workspace, bill you, keep the lights on, and improve the product. We do not sell your personal information. We host data in the United States (Ashburn, Virginia). You can email [email protected] any time to export, correct, or delete your data. This policy is effective May 27, 2026.
1. Who we are and what this covers
This Privacy Policy describes how NCLAY Compute, Inc. ("GoXylo," "we," "our," or "us") collects, uses, and shares information when you use the goxylo.com website, the GoXylo platform, any tenant workspace we provision for you at
This policy applies to people who:
- browse goxylo.com or any tenant workspace we host,
- sign up for a trial or paid subscription,
- use an admin or user account inside a tenant workspace,
- or interact with our support, sales, or marketing channels.
If you are an end customer of a GoXylo tenant (for example, you are receiving an invoice from a business that runs on GoXylo), the tenant — not GoXylo — controls your data in their workspace. GoXylo acts as a processor (in GDPR terms) or service provider (in CCPA terms) for that data, processing it on the tenant's behalf under our agreement with them. Direct questions about your data to the tenant first; they will loop us in if they need to.
Data Processing Addendum. Business customers subject to GDPR, UK GDPR, or the CCPA can request our standard Data Processing Addendum (DPA) — which incorporates the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and our service-provider obligations under California law — by emailing [email protected]. The signed DPA forms part of your subscription agreement and governs in case of conflict on data-protection matters.
2. What we collect
2.1 Information you give us
- Account and business details: name, email address, phone number, business name, chosen workspace URL (slug), industry, and similar basics.
- Credentials: the password you set for your account. We store only a cryptographic hash — we never see your plaintext password.
- Billing information: plan selection, promo code, and billing address. Card details are entered directly into Stripe and are never stored on our servers.
- Content you create in your workspace: customer records, contacts, invoices, estimates, tasks, calendar events, messages, website copy, uploaded files, and anything else you put into the tools.
- Support conversations: anything you send us by email or chat.
2.2 Information we collect automatically
- Device and browser data: user agent, browser type, screen size, operating system, language.
- Log data: IP address, request method, URL, response status, timestamps, and error messages, kept in rolling server logs.
- Usage data: which pages you view, which features you use, and similar product analytics used to improve the Service.
- Approximate location: derived from your IP address (typically city-level).
- Cookies and similar technologies: session cookies required for login, preference cookies for settings, and analytics identifiers. We describe cookies in Section 9.
2.3 Information we get from third parties
- From Stripe: customer ID, subscription ID, subscription status (active, past due, canceled), last four digits of your card, and the result of each charge. Your full card number is never shared with us.
- From identity / authentication providers if you connect them (for example, Google or Microsoft for single sign-on): the profile fields you authorize, typically name and email.
- From your own integrations: data from any third-party service you choose to connect to your workspace flows through us only to the extent needed to run the integration.
3. How we use your information
We use the information we collect to:
- provision and run your workspace, authenticate you, and keep it isolated from other tenants;
- process subscription payments through Stripe and, if you enable Stripe Connect, to help you take payments from your own customers (see Section 8);
- send you transactional messages: welcome emails, password resets, receipts, billing alerts, and security notices;
- respond to support requests and troubleshoot issues;
- detect, investigate, and prevent fraud, abuse, spam, and security incidents;
- improve the Service — usually working with de-identified or aggregated data;
- comply with legal obligations and enforce our Terms of Service;
- send you occasional marketing emails about GoXylo features or pricing. You can unsubscribe at any time using the link in every email.
4. AI features (XyloChat and embedded AI)
GoXylo includes AI features such as XyloChat (the concierge chat you see on goxylo.com and inside your tenant workspace) and in-app assistants that help you complete specific tasks. These features rely on third-party large language model providers. Here is what you should know:
- Your prompts and the context we attach to them (for example, the customer name you are drafting an email about) are sent over TLS to the AI provider, which processes them to generate a response.
- We contractually require AI providers not to use your content to train their general-purpose models. Do not rely on that contractual commitment to protect highly sensitive information. Treat AI inputs as you would treat data sent to an outsourced vendor.
- AI output is not always correct. You are responsible for reviewing anything an AI produces before sending it, publishing it, or acting on it. GoXylo does not give legal, financial, tax, medical, or compliance advice through AI or otherwise.
- Do not put regulated sensitive personal data into AI prompts (such as Social Security numbers, government IDs, payment card numbers, or protected health information).
5. How we share information
We share information only when we have a specific reason to. The categories are:
5.1 Service providers (sub-processors)
We use vendors that help us run the Service. Each receives only the information needed for its specific job, under contract. Current material sub-processors include:
- Hetzner Online GmbH — hosting / virtual servers (Ashburn, Virginia, USA).
- Cloudpepper — managed Odoo infrastructure partner.
- Stripe, Inc. — payment processing for platform subscriptions (and, where you enable it, Stripe Connect for taking payments from your own customers).
- Cloudflare, Inc. — DNS, CDN, edge security, Web Analytics, and R2 object storage for goxylo.com and tenant subdomains.
- SMTP2GO — transactional and marketing email delivery (welcome emails, password resets, receipts, notifications).
- AI / large-language-model providers — as described in Section 4 for XyloChat, Apps Concierge, and embedded AI features.
- Sentry — application error tracking and performance monitoring.
- UptimeRobot — external uptime monitoring of public endpoints.
- Openfort — non-custodial wallet infrastructure (TEE-protected key management) for users who opt in to the on-chain Xy wallet feature described in Sections 25.3 and 25.8 of the Terms of Service.
- LayerZero Labs — cross-chain messaging network used by the optional Xy cross-chain transfer feature described in Section 25.10 of the Terms of Service.
We update this list as our stack changes. You can email [email protected] for the current version.
5.2 Within a tenant workspace
If you are an admin, you can grant other people inside your workspace access to data you stored. You are responsible for managing those permissions.
5.3 Legal and safety
We may disclose information when we reasonably believe it is necessary to comply with a law, a valid subpoena, or a court order; to enforce our agreements; to investigate fraud or security incidents; or to protect the rights, property, or safety of GoXylo, our users, or the public.
5.4 Business transfers
If GoXylo or its parent company NCLAY Compute, Inc. is acquired or merges with another business, information may transfer as part of that transaction, subject to customary confidentiality protections.
5.5 With your direction
We share information outside the above when you tell us to — for example, by connecting a third-party integration from your workspace.
5.6 We do not sell your personal information.
We do not and will not sell your personal information to third parties for money. We also do not engage in "sharing" of personal information for cross-context behavioral advertising as defined under California law.
6. Stripe and Stripe Connect
Platform subscription payments: Stripe processes your GoXylo subscription. Your card details are entered into a Stripe-hosted form and never touch our servers. Stripe's own privacy policy covers how they handle your payment data.
Stripe Connect (if you use GoXylo to take payments from your customers): when you enroll in Stripe Connect through GoXylo, you create your own Stripe connected account. Your customers pay you through Stripe — GoXylo is not the merchant of record for those transactions. We help connect the flow and may take a small platform fee, but Stripe holds your funds and handles KYC, payout, and regulatory compliance. See our Terms of Service Section 7 for the full relationship.
7. Where we store data
Primary data is stored on servers we lease from Hetzner in Ashburn, Virginia, USA. Backups and snapshots live in the same region. Some sub-processors may store limited data in other regions (for example, Stripe stores data in the United States and Ireland; Cloudflare operates globally). If you are outside the United States, your data will be transferred to and processed in the United States under our standard contractual protections.
8. How long we keep data
- While your account is active, we keep your data as long as we need it to run the Service.
- After you cancel, your tenant workspace is retained for 30 days to allow reactivation or export, then deleted.
- Billing and tax records are retained for the period required by applicable law (typically 7 years).
- Server logs and backups age out on a rolling basis, typically within 90 days for logs and 1 year for encrypted backups.
- We may retain specific records longer if required by law, to resolve a dispute, or to enforce our agreements.
9. Cookies and tracking
We use cookies and similar storage for:
- Strictly necessary: authentication, CSRF protection, session state, journey-session id, and the post-checkout welcome-build handoff cookie. These are exempt from consent requirements under GDPR / ePrivacy because the Service does not function without them.
- Preference: language, theme, dismissed notices.
For traffic analytics on the public pages of goxylo.com we use Cloudflare Web Analytics, which is intentionally cookieless and does not fingerprint visitors. No persistent identifier is set in your browser for analytics purposes.
We do not engage in cross-context behavioral advertising and we do not "sell" or "share" personal information as those terms are defined under California's CPRA. Because of that, Global Privacy Control (GPC) and similar opt-out signals do not change our behavior — there is nothing to opt out of. If we ever start sharing data in a way GPC is designed to opt out of, we will respect the signal automatically. We do not honor Do Not Track (DNT) signals because the standard was deprecated without consensus.
Most browsers let you block or delete cookies. If you block strictly-necessary cookies, core features (like staying logged in or completing checkout) will not work.
10. Your privacy rights
10.1 Rights everyone has
Whatever jurisdiction you are in, you can:
- Ask for a copy of the personal information we hold about you.
- Ask us to correct it if it is wrong.
- Ask us to delete it, subject to the retention carve-outs in Section 8.
- Export it in a machine-readable format.
- Unsubscribe from marketing email.
Email [email protected] from the email address on your GoXylo account, or — if you don't have an account — provide enough information for us to match you to the records we hold. We will respond within the timeframes required by applicable law (generally 45 days under CCPA / CPRA and 30 days under GDPR, extendable by up to 60 additional days for complex requests with notice). For your protection, before acting on access, correction, or deletion requests we will verify your identity (typically by matching account email + a one-time code, or by sworn declaration where law permits). We will never charge a fee for a reasonable first request in a 12-month period.
10.2 California residents (CCPA/CPRA)
In the last 12 months we collected the categories of personal information described in Section 2: identifiers, customer records, commercial information, internet/network activity, geolocation, and professional information. We do not sell personal information or share it for cross-context behavioral advertising.
You have the rights to know, correct, delete, limit the use of sensitive personal information, and be free from discrimination for exercising those rights. California residents can also designate an authorized agent to act on their behalf; we will verify the agent's authority before acting.
10.3 EEA, United Kingdom, and Switzerland (GDPR/UK GDPR)
If you are in the EEA, UK, or Switzerland, our legal bases for processing include contract performance (running your account), legitimate interests (security, fraud prevention, product improvement), consent (for optional cookies and marketing email), and legal obligation. You have rights of access, rectification, erasure, restriction, portability, and objection. You may also lodge a complaint with your local data protection authority.
10.4 Other US state laws
We extend the core access / correction / deletion / portability / opt-out rights to residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, and any other state that adopts an equivalent consumer privacy law.
11. Security
We use industry-standard measures to protect your data, including TLS in transit, encryption at rest on backups, role-based access for our staff, hardened OS configuration, server-side webhook signature verification, rate limiting, and monitoring. No system is perfectly secure. We cannot and do not guarantee absolute security. If we discover a security incident that affects your personal information, we will notify you in the manner and timeframe required by applicable law.
12. Children
The Service is built for businesses and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has given us personal information, email [email protected] and we will delete it.
13. Third-party sites and integrations
Pages on the Service may link to or embed content from third parties. Once you click through or connect an integration, the third party's own privacy policy governs. We are not responsible for third-party practices.
14. Automated decisions
We do not make decisions that produce legal or similarly significant effects about you using only automated processing. Anti-fraud systems may temporarily flag a signup or charge for human review.
15. Changes to this policy
We may update this Privacy Policy as the Service or the legal landscape evolves. The current version always lives at goxylo.com/privacy with the "Last updated" date at the top. If a change materially reduces your rights, we will give you reasonable prior notice by email or in-product banner. Your continued use of the Service after a change takes effect is your acceptance of the updated policy.
16. How to reach us
- Privacy inquiries and data requests: [email protected]
- Legal and compliance: [email protected]
- General support: [email protected]
- Mailing address: NCLAY Compute, Inc., 5820 S Lewis St, Littleton, CO 80127, USA