Privacy Notice
Last updated: September 20, 2024
This Privacy Notice describes the information collection, use, retention, and sharing practices of Xano, Inc. and its affiliates and subsidiaries (“Xano”, “we”, “us”, “our”) when you interact with us online through our website, www.xano.com and its subdomains (e.g., security.xano.com) (collectively, the “Website”) or when you purchase our backend software or API (collectively, “Services”).
OUR ROLE IN DATA PROCESSING
The entity responsible for the collection and use (processing) of your personal information when you use the Website or enquire about or engage our Services is Xano, Inc., which, for purposes of General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018 (“DPA”), is the Data Controller. You can contact Xano by emailing us at privacy@xano.com or by mail at 21600 Oxnard Street, Suite 910 Woodland Hills, CA 91367.
The entity responsible for the processing of your personal information when you use our backend software or APIs is Xano, Inc., which, for purposes of General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018 (“DPA”), is the Data Processor.
This Privacy Notice does not apply to the extent we process personal information in the role of a processor or service provider on behalf of our customers, including but not limited to where our customers create their own websites and applications running on our backend software.
PERSONAL INFORMATION WE COLLECT, HOW WE USE IT, AND HOW WE SHARE IT
We collect personal information, which is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to you, when you engage with the Website. As used in this Privacy Notice, “personal information” includes “Personal Data”, as defined under the GDPR and DPA. We will retain your information for as long as necessary for the purpose of the processing as more specifically set forth in this Privacy Notice unless we receive a request to delete this information and no exception to your right to deletion applies.
When you interact with our customer’s websites built using our Services, to the extent the General Data Protection Regulation (“GDPR”), Regulation (EU) 2016/679, and the UK Data Protection Act 2018 (“DPA”) apply to our customer, our role in connection with the data that we process to provide such services is that of a processor. To exercise your rights under the GDPR and/or the DPA, please file a request with the applicable customer and we will assist them in fulfilling your request.
When we collect or process your personal information on behalf of our customer, we are acting as a Service Provider under the California Privacy Rights Act (“CPRA”) and a Processor under EU/UK data protection laws or other US state comprehensive privacy laws (as applicable). We process and retain your personal information in accordance with the data processing agreement in place with our customer and applicable law.
Where Xano processes your personal information in the capacity of a data processor/service provider, and you seek to submit a privacy rights request, we will provide your request to our customer (or the ultimate data controller), or you can contact them directly and we will cooperate with the customer to facilitate your request.
If you are interacting with us on behalf of your organization, this includes when you:
Sign up for our solutions. When you sign up for any of our solutions, we collect, from you, your personal identifiers (name and email address) and your professional or employment-related information (company name). We use this information to create and manage your account. To the extent the EU or UK data protection laws apply, the legal basis for this collection is the performance of a contract. We share this information with our customer relationship management platform provider, lead enrichment provider, and event outreach provider to help manage the client relationship. To the extent the EU or UK data protection laws apply, the legal basis for the sharing with the event outreach provider is your consent. To the extent the EU or UK data protection laws apply, the legal basis for the remaining processing is our legitimate interest in providing the Services and maintaining the relationship more efficiently. In the event you are asked to sign documents in relation to your engagement of the Services, we will share this information with our e-signature provider. To the extent the EU or UK data protection laws apply, the legal basis for this processing is our legitimate interest in efficiently obtaining a legally binding execution of our agreement. This information may also be used for internal business analytics to assess Xano’s performance. To the extent the EU or UK data protection laws apply, the legal basis for this processing is our legitimate interest in improving the Services.
Make a payment. When you make a payment, we collect, from you or from our third-party payment processor, your personal identifiers (name and email address), and your professional or employment-related information (organization name). We use this information to complete the transaction. We share your information with our third-party payment processor. To the extent the EU or UK data protection laws apply, the legal basis for this collection is the performance of a contract.
Conduct a video or voice call to discuss our services. When we conduct a video call with you, we will collect your personal identifiers (name and business email address), visual and auditory information (sound of your voice and appearance through the video), and anything else you discuss or write in the chat during the video call. We will use this information to communicate with you. The legal basis for this processing is the performance of a future contract with you. This information will be shared with our video conference provider to provide the video conference services. To the extent the EU or UK data protection laws apply, the legal basis for this processing is the legitimate interest in providing an efficient and effective videoconference experience. With your consent, we may use our meeting assistance and note-taking software to help us take notes during the video call and share them with the participants. To the extent the EU or UK data protection laws apply, the legal basis for this processing is the legitimate interest in providing an efficient and effective videoconference experience. When we conduct a voice call, we will collect your personal identifiers (name and business telephone number) and anything else you discuss during the call. We will use this information to conduct the call. To the extent the EU or UK data protection laws apply, the legal basis for this processing is the performance of a future contract with you. This information will be shared with our telephone provider to provide the telephone communication services. To the extent the EU or UK data protection laws apply, the legal basis for this processing is the legitimate interest in providing an efficient and effective calling experience.
Request technical support. When you submit a ticket for technical support, we will collect your personal identifiers (name, business email address, business telephone number), and employment information (company name, position). We use this information to process the ticket and troubleshoot the issue. To the extent the EU or UK data protection laws apply, the legal basis for this processing is the performance of a contract. We share this information with our support ticket management and chat provider, as well as our project and task management provider to process the request, keep track of the request, resolve the request, and keep a history of the tickets your company has submitted. To the extent the EU or UK data protection laws apply, the legal basis for this processing is the legitimate interest in providing an efficient and effective technical support and troubleshooting experience.
Communicate regarding our Services. When you communicate with us via e-mail or Slack channel, we will collect your personal identifiers (name and email address) and your professional or employment-related information (company name), and any information you include in your communication with us. We will use this information to communicate with you about our current or potential Services. To the extent the EU or UK data protection laws apply, the legal basis for this processing is the performance of a contract. We will share this information with our communication provider. To the extent the EU or UK data protection laws apply, the legal basis for this is the legitimate interest in providing efficient communication with our clients.
If you are a Website visitor, this includes when you:
Contact us. When you contact us through the Website, we collect, from you, your personal identifiers (name), your professional or employment-related information (work email address), and any additional information you choose to include in your message. To the extent the EU or UK data protection laws apply, the legal basis for this processing is that it is necessary for the performance of the service requested by you.
Interact with the website Virtual Assistant (“Chatbot”). With your consent, we collect any identifier (name), and any other information that you share with our Chatbot in the course of communicating with us through the chatbot. We share the content of your communications with our chatbot service provider to facilitate the use of the chatbot on the Website. To the extent the EU or UK data protection laws apply, the legal basis for this processing is consent.
Interact with us on social media. When you interact with our social media pages on social networking websites, such as Bettermode, X (formerly known as Twitter) and LinkedIn (each a “Social Media Page”, collectively “Social Media Pages”), we collect basic engagement metrics and use them to tailor content and marketing and to improve user experience as set forth in this section. Please note that we do not control the use or storage of the information that you have posted to any social networking websites. This information is collected and processed by the social networking websites for their own purposes, including marketing. For more information on how Bettermode, X, or LinkedIn uses your personal information, please see Bettermode’s Privacy Policy, X’s Privacy Policy, and LinkedIn’s Privacy Policy.
Social Media Pages. When interacting with us on our Social Media Pages, we collect, from you, your personal identifiers (first and last name) and visual information (photograph (i.e., profile picture)), as well as any information that you provide when interacting with our Social Media Pages (e.g., commenting, sharing, and rating). We use this information to advertise our products, for events and invitations, and to communicate with users via the contribution and comment function. To the extent the EU or UK data protection laws apply, the legal basis for the processing is our legitimate interest in advertising our products via our Social Media Page and communicating with users, customers, and interested parties. Because our Social Media Pages are publicly accessible, when you use them to interact with other users, for example by posting, leaving comments or liking or sharing posts, any personal information that you post in them or provide when registering can be viewed by others or used by them as they see fit. The content posted on our Social Media Pages or other public areas of social networking websites can be deleted in the same way as other content that you have created. If at any time you want content posted to be deleted, please email your request to us at privacy@xano.com. Our Social Media Page incorporates a third party artificial intelligence chatbot search feature. To the extent the EU or UK data protection laws apply, the legal basis for the processing is our legitimate interest in providing efficient and effective search capabilities.
Community Management. With the help of a third party we collect, from you, your interactions, including "likes", shares, messages and other interactions with the content, in order to analyze and evaluate how our content is perceived, to learn from it, and to improve our public relations efforts. To the extent the EU and UK data protection laws apply, the legal basis for analyzing your content is our legitimate interest in organizing, facilitating, and optimizing communication with our users and the general public.
Interact with the Website. In addition to the personal information you provide directly to us, we also collect information from you automatically as you interact with our Website, including via cookies, pixels, web beacons, and similar tracking technologies. This includes, but is not limited to, the following internet or other electronic network activity information described below.
If you visit our Trust Center (security.xano.com), we will collect your internet or other electronic network activity information (IP address, device identification information) to allow you to access the site. To the extent the EU and UK data protection laws apply, the legal basis for the processing is that it is necessary to fulfill a contract with you. We cannot provide the Trust Center if you do not provide this information.
We use essential, performance, marketing, and analytics cookies to collect your usage, device, and location information when you interact with the Website. We use this information to: (i) track you within the Website; (ii) enhance user experience; (iii) conduct analytics to improve the Website; (iv) prevent fraudulent use of the Website; (v) diagnose and repair Website errors, and, in cases of abuse, track and mitigate the abuse; and (vi) provide targeted advertising. To the extent the EU or UK data protection laws apply, the legal basis for the placement and access of strictly necessary cookies is the performance of a contract. Particular third-party cookies to note on our Website include the following:
Google Analytics. We use Google Analytics to collect information on your use of the Website for its improvement. To collect this information, Google Analytics installs cookies on your browser or reads cookies that are already there. Google Analytics also receives information about you from applications you have downloaded that partner with Google. We do not combine the information collected through the use of Google Analytics with personal information. Google’s ability to use and share information collected by Google Analytics about your visits to our Website or to another application which partners with Google is restricted by the Google Analytics Terms of Use and Privacy Policy. To prevent your data from being used by Google Analytics, you can download the Google Analytics opt-out browser add-on, which can be accessed here.
LogRocket. With your consent, we use LogRocket to collect and analyze information about how you use and navigate the Services. The cookies may contain a cookie value that allows LogRocket to detect if you are a returning visitor or a first-time visitor. We will collect a recording of your session on the Services, scroll behavior, click behavior, custom events, page navigation flow, browser type, country, device ID, device type, operating system, and session code errors. In order to collect this information, LogRocket may set cookies on your browser, or read cookies that are already there. For more information about how LogRocket collects your information, please visit LogRocket’s Privacy Policy.
Aggregate and anonymize data. We aggregate and anonymize the data we collect for benchmarking purposes and for internal analytics. We maintain and use this data in de-identified form. We will not attempt to re-identify the data, unless it is necessary to determine whether our deidentification processes satisfy applicable data protection laws.
Xano will also use the personal information we collect as described in this section to comply with the law, to efficiently maintain our business, and for other limited circumstances as described in HOW WE SHARE YOUR PERSONAL INFORMATION.
DATA RETENTION
Unless otherwise stated in this Privacy Notice, we retain your personal information until we no longer need your information to fulfill the purposes for which we collected it or until we receive a valid request to delete the information, subject to certain exceptions. We may need to use and retain your personal information for longer than the periods indicated above for purposes of:
Compliance with our legal obligations. For example, retaining your records for the purpose of accounting, dispute resolution, and compliance with labor, tax, and financial regulations.
Meeting our safety and security commitments. Such as keeping our properties secure and preventing fraud.
Exercising or defending legal claims. We also may need to retain personal information for longer than the periods indicated above in order to respond to legal process or enforceable governmental requests, or to enforce our contracts, including investigation of potential violations.
HOW WE SHARE YOUR PERSONAL INFORMATION
Xano shares personal information as described in the PERSONAL INFORMATION WE COLLECT, HOW WE USE IT, AND HOW WE SHARE IT section, and generally in the following instances:
Within Xano. We share your personal information within Xano for the legitimate business purposes of efficiently and effectively providing the Services. Access to your personal information is limited to those on a need-to-know basis. To the extent EU/UK data protection law applies, the legal basis for this is our legitimate interest in providing the Services more efficiently.
With service providers. We share personal information with service providers that assist us in providing the Services. These service providers are described more specifically in the PERSONAL INFORMATION WE COLLECT, HOW WE USE IT, AND HOW WE SHARE IT section of this Notice. Generally, we may share your personal information with third-party contractors, partners, vendors, and providers we use to perform functions on our behalf for business purposes, including hosting or enriching data, support ticket provider, customer relationship management, tech and security support, payment processing, communications, and advertising.
In the event of a corporate reorganization. In the event that we enter into, or intend to enter into, a transaction that alters the structure of our business, such as a reorganization, merger, acquisition, sale, joint venture, assignment, consolidation, transfer, change of control, or other disposition of all or any portion of our business, assets or stock, we would share personal information with third parties, including the buyer or target (and their agents and advisors) for the purpose of facilitating and completing the transaction. We will also share personal information with third parties if we undergo bankruptcy or liquidation, in the course of such proceedings. To the extent EU/UK data protection law applies, the legal basis for this is our legitimate interest in carrying out our business operations or, if required by law, consent.
For legal purposes. We share personal information where we are legally required to do so, such as in response to court orders, subpoenas, governmental/regulatory bodies, law enforcement or legal process, including for national security purposes. We may share your information with our legal advisors or auditors to establish, protect, or exercise our legal rights or as required to enforce our terms of use or other contracts or to defend against legal claims or demands. We also share this information with third parties as necessary to: detect, investigate, prevent, or take action against illegal activities, fraud, or situations involving potential threats to the rights, property, or personal safety of any person; to comply with the requirements of any applicable law; or to comply with our legal obligations. To the extent EU/UK data protection law applies, the legal basis for this is compliance with legal obligations or our legitimate interest in compliance with other laws that apply to us.
With your consent. Apart from the reasons identified above, we may request your permission to share your personal information for a specific purpose. We will notify you and request consent before you provide the personal information or before the personal information you have already provided is shared for such purpose. You may revoke your consent at any time by emailing us at privacy@xano.com.
YOUR INFORMATION CHOICES
You have the following choices with respect to your personal information:
Opt out of marketing communications. You may opt out of receiving marketing emails from us by clicking the “unsubscribe” link provided at the bottom of each email we send. Please note that we will continue to send you notifications necessary to the Services.
Opt out of email tracking. You can disable this tracking by blocking automatic loading of images in your email.
Correct or view your information. You may send an email to privacy@xano.com to correct or view certain personal information of yours in our possession.
Delete your personal information. You have the right to request the deletion of your personal information that we collect or maintain, subject to certain exceptions. For example, if we are required by law to retain the information that you are asking to be deleted, we would not be able to delete the information until we are legally permitted to delete it. To exercise your right to delete your personal information, you may fill out the following form or send an email to privacy@xano.com.
Opt out of Google Analytics. To prevent your data from being used by Google Analytics, you can download the Google Analytics opt-out browser add-on, which can be accessed here.
Opt out of interest-based advertising. All session cookies are temporary and expire after you close your web browser. Persistent cookies can be removed by following your web browser’s directions. To find out how to see what cookies have been set on your computer or device, and how to reject and delete the cookies, please visit: https://www.aboutcookies.org/. Please note that each web browser is different. To find information relating to your browser, visit the browser developer’s Website and mobile application. If you reset your web browser to refuse all cookies or to indicate when a cookie is being sent, some features of our website may not function properly. If you choose to opt out, we will place an "opt-out cookie" on your device. The "opt-out cookie" is browser specific and device specific and only lasts until cookies are cleared from your browser or device. The opt-out cookie will not work for essential cookies. If the cookie is removed or deleted, if you upgrade your browser or if you visit us from a different computer, you will need to return and update your preferences. By clicking on the “Opt-Out” links below, you will be directed to the respective third-party website where your computer will be scanned to determine who maintains cookies on you. At that time, you can either choose to opt out of all interest-based advertising or you can choose to opt out of targeted advertising by selecting individual companies who maintain a cookie on your machine. Please note that Xano adheres to the Digital Advertising Alliance’s self-regulatory principles.
Network Advertising Initiative (NAI) Opt-Out: https://www.networkadvertising.org/managing/opt_out.asp
Digital Advertising Alliance (DAA) Opt-Out: https://optout.aboutads.info
European Union (EU) /European Economic Area (EEA) Opt-Out: http://www.youronlinechoices.eu
In general, to disable cookies and limit the collection and use of information through them, you can set your browser to refuse cookies or indicate when a cookie is being sent.
DATA PRIVACY FRAMEWORK (DPF)
Xano complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Xano has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
With respect to onward transfers of data subject to the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Xano remains liable for processing such transfers in accordance with these principles.
With respect to personal data received or processed pursuant to DPF, Xano is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”).
Pursuant to the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, EU & UK individuals have the right to obtain confirmation of whether we maintain personal information related to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or seeks to correct, amend, or delete inaccurate information transferred to the United States under EU-U.S. DPF, should direct their inquiry to privacy@xano.com.
We will give you an opt-out or opt-in choice before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@xano.com.
If we become subject to an FTC or court order based on non-compliance, Xano will make public any relevant DPF-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Xano commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
If your dispute cannot be resolved through the above channel, under certain conditions, you may invoke binding arbitration for residual claims not resolved by other redress mechanisms. You may do so by clicking here.
RIGHTS OF INDIVIDUALS IN THE EU AND UK
For any functions of the Service for which we determine the purpose and means of the processing of your personal information, individuals in the EU and UK are entitled to certain rights under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“UK GDPR”). If our processing of your personal information is subject to the GDPR or UK GDPR, you may be entitled to the following rights:
Right to access. When the legal basis for us to process your personal information is consent, performance of a contract, legal obligation, or legitimate interest, you have the right to ask us for copies of your personal information. This right has some exemptions, which means you may not always receive all the personal information we process.
Right to rectification. When the legal basis for us to process your personal information is consent, performance of a contract, legal obligation, or legitimate interest, you have the right to ask us to rectify personal information you think is inaccurate or incomplete.
Right to erasure. When the legal basis for us to process your personal information is consent, performance of a contract, or legitimate interest, you have the right to ask us to erase your personal information in certain circumstances.
Right to restrict processing. When the legal basis for us to process your personal information is consent, performance of a contract, legal obligation, or legitimate interest, you have the right to ask us to restrict the processing of your personal information in certain circumstances. This means you can limit the way that we use your personal information. You have the right to restrict processing when (1) you contest the accuracy of your personal information and we are verifying the accuracy of the personal information; (2) the personal information has been unlawfully processed and you oppose erasure and request certain restriction instead; (3) we no longer need the personal information but you need us to keep it in order to establish, exercise or defend a legal claim; or (4) you have objected to us processing your personal information under Article 21(1), and we are considering whether our legitimate grounds override yours.
Right to object to processing. When the legal basis for us to process your personal information is legitimate interest, you have the right to object at any time, for reasons arising from your particular situation, to processing of your personal information, which is carried out on the basis of our legitimate interests. When the legal basis for us to process your personal information is your consent, you can withdraw your consent.
Right to data portability. When the legal basis for us to process your personal information is your consent or performance of a contract, you have the right to ask that we transfer the personal information you gave us from one organization to another, or give it to you. Please note this only applies to personal information you have given us.
Right to lodge a complaint. You have the right to lodge a complaint with the relevant Supervisory Authority. You can always submit a complaint directly to your local data protection authority (i.e., EU/EEA Member State data protection authority; UK Information Commissioner’s Office (ICO) or Gibraltar Regulatory Authority (GRA)).
To exercise these rights, please contact us at privacy@xano.com.
NOTICE FOR NEVADA RESIDENTS
Certain Nevada consumers may opt out of the sale of “personally identifiable information” for monetary consideration (as defined under Nevada law) to a person who in turn licenses or sells such information to another person. We don’t currently sell or provide your personal information in this manner. To opt out of the sale of your personal information in the future, you may submit a request to us via email to privacy@xano.com. Proof of identification may be required before such a request is granted.
DATA RETENTION
We retain your personal information (i) for as long as the relevant Xano account exists, (ii) until we no longer need your information to fulfill the purposes for which we collected it, or (iii) until we receive a valid request to delete the information, in which case we will delete or anonymize the information within 30 days after receiving the request. However, we may need to use and retain your personal information for longer than the periods indicated above for purposes of:
Compliance with our legal obligations. For example, retaining your records for the purpose of accounting, dispute resolution, and compliance with labor, tax, and financial regulations.
Meeting our safety and security commitments. Such as keeping our properties secure and preventing fraud.
Exercising or defending legal claims. We also may need to retain personal information for longer than the periods indicated above in order to respond to legal process or enforceable governmental requests, or to enforce our contracts or Terms of Use, including investigation of potential violations.
DO NOT TRACK
We do not respond to Do Not Track requests. Do Not Track is a preference you can set in your web browser to inform websites and mobile applications that you do not want to be tracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.
INFORMATION SECURITY
We implement appropriate technical and organizational security measures, such as access controls and encryption, to protect the personal information that we collect and maintain from unauthorized access, destruction, use, modification, or disclosure. Only authorized individuals are permitted to access personal information and they are required to treat this information as confidential. However, no security measure or modality of data transmission is 100% secure, and we are unable to guarantee the absolute security of the personal information we have collected from you. Our systems contain Controlled Unclassified Information (government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies) with specific requirements imposed by the Department of Defense. Our systems may be subject to other specified requirements associated with certain types of Controlled Unclassified Information such as Export Controlled Information.
CHILDREN'S PRIVACY
The Services are not intended for individuals under the age of eighteen (18) years. If we learn that we have collected or received personal information from individuals under the age of eighteen (18), we will delete the personal information. If you believe we have personal information on individuals under the age of eighteen (18), please contact us at the contact information provided below.
CHANGES TO THIS PRIVACY NOTICE
We may amend this Privacy Notice in our sole discretion at any time. If we do, we will post the changes to this page, and will indicate the date the changes go into effect. We encourage you to review our Privacy Notice to stay informed. If we make changes that materially affect Your Privacy Rights, we will notify you by prominent posting on the Website and/or via email, and obtain your consent, if required.
CONTACT US
If you have any questions or concerns regarding this Privacy Notice, please contact us by email at privacy@xano.com or by mail at: 21600 Oxnard Street, Suite 910 Woodland Hills, CA 91367.