This Privacy Policy describes how Xalorra (“we,” “us,” “our”) handles information when you use our websites and platform services (collectively, the “Services”).
Website and marketing: We typically act as a data controller for personal data collected from visitors, prospects, and customers interacting with our marketing pages, forms, and communications.
Platform processing: When your organization uploads datasets, runs queries, trains models, or stores artifacts in Xalorra, we generally process that data to provide the Services and in accordance with your organization’s instructions and agreements.
If you are using Xalorra through an organization account, your organization may have its own policies governing how it manages and authorizes access to data within your tenant.
- Personal Data: information that identifies or can reasonably be linked to an individual.
- Customer Content: datasets, files, queries, configurations, prompts, retrieved context, artifacts, metrics, and outputs submitted to or produced by the platform under a customer tenant.
- Tenant: an isolated organizational boundary within Xalorra, used to scope access and processing.
- Trace / Lineage: metadata that links datasets, versions, runs, models, artifacts, and outputs to support auditability and reproducibility.
- Subprocessor: a service provider we use to help deliver parts of the Services (e.g., hosting, monitoring), under contractual obligations.
We collect information in three ways: (1) information you provide, (2) information collected automatically, and (3) information from integrations you enable.
- Account data: name, email, organization name, role/title (optional), authentication identifiers (e.g., SSO identifiers where applicable).
- Support communications: messages, tickets, and any content you choose to include when requesting support.
- Business and procurement data: billing contact details and purchase references where applicable.
- Device and usage data: IP address, browser type, timestamps, pages/actions, referrers, and coarse location derived from IP (where applicable).
- Security and reliability logs: event logs that help detect abuse, troubleshoot errors, and maintain service reliability.
Depending on your usage, Customer Content may include datasets (CSV/Parquet/JSON), schema and profiling metadata, SQL queries, pipeline configurations, model artifacts, evaluation outputs, and trace/lineage records that connect inputs and outputs across runs.
Customers control what they upload and how sensitive data is handled within their tenant. You are responsible for ensuring you have the right to upload and process Customer Content.
Xalorra is built around tenant boundaries and clear operational artifacts. That means we may store run metadata (like run IDs, timestamps, dataset version labels, model version labels) to support reproducibility—subject to your configuration and agreements.
We use information to operate and improve the Services, including to:
- Provide core functionality: authenticate users, enforce tenant isolation, run lakehouse operations, execute pipelines, serve versioned models, and deliver outputs.
- Maintain reliability and safety: detect abuse, rate-limit suspicious traffic, debug incidents, and prevent unauthorized access.
- Support governance: maintain trace/lineage metadata and run logs aligned to your settings to enable auditing and long-term explainability.
- Communicate with you: service updates, security notices, support responses, and administrative messages.
- Sales and marketing (website/prospects): respond to requests, schedule demos, and provide product information.
We do not sell personal information. We do not run a hosted foundation-model service; where GenAI is enabled, external providers are configured by you and subject to your chosen provider’s terms.
Xalorra is not a hosted foundation model provider. When you enable GenAI workflows, the platform may send prompts and context to external model providers based on your configuration.
- Prompt text you submit, plus system instructions configured by your tenant.
- Retrieved context/snippets (for RAG-style workflows) chosen by your retrieval configuration.
- Tool parameters and structured inputs necessary to fulfill a request.
- You choose providers and credentials (e.g., bring-your-own-key) and can rotate keys at any time.
- You can define what is logged, whether prompt/context logging is enabled, and retention expectations—subject to platform features and your agreement.
- You decide what content is included in prompts and what data is permitted for retrieval.
External providers process data under their own policies. If your organization requires stricter controls (regulated data, internal-only processing), you should select providers and settings aligned with your compliance requirements and restrict what is included in prompt/context.
We retain information only as long as needed to provide the Services, meet contractual commitments, and satisfy legal obligations. Retention depends on the type of data and how your tenant is configured.
- Account records: retained while your account is active and for a reasonable period afterward for operational and legal purposes.
- Operational logs: retained to maintain security, debug incidents, and ensure service reliability.
- Customer Content: retained according to your instructions and agreements. Customers control what they upload and request to delete.
- Trace and lineage: retained to support auditability and reproducibility, subject to customer settings and agreements.
When retention periods expire or upon valid deletion requests, we delete or de-identify data unless we must retain it for legal reasons.
We implement administrative, technical, and organizational measures designed to protect information, including:
- Access controls and least-privilege practices.
- Encryption in transit (and, where applicable, at rest).
- Monitoring and logging for security and reliability.
- Tenant and namespace scoping controls to reduce cross-tenant risk.
- Incident response practices designed to investigate and remediate issues.
No system is perfectly secure. Customers are responsible for configuring user access, secrets (including API keys), and data classification appropriate to their environment.
Depending on your jurisdiction, you may have rights to access, correct, delete, or export personal data, object to or restrict certain processing, or withdraw consent where processing is based on consent.
If Xalorra processes Customer Content on behalf of an organization tenant, requests related to that content may need to be handled through your organization’s administrator.
To submit a request, email privacy@xalorra.com.
If we transfer data across borders, we use safeguards appropriate to the data type and applicable law. The exact mechanism depends on customer agreements and the nature of the transfer.
We may update this policy from time to time. We will post the updated version and revise the “Last updated” date. If changes are material, we may provide additional notice through the Services or other channels where appropriate.
For privacy questions and requests, contact us at privacy@xalorra.com.
For enterprise evaluation and procurement, use the CTAs below. We keep it straightforward: you tell us your constraints, we show you how Xalorra handles isolation, traceability, and provider routing.