Privacy Policy

1. Controller

The controller responsible for data processing within the meaning of the GDPR is Xenya GmbH, Musterstraße 12/3, 1010 Vienna, Austria. For privacy-related questions, please contact us at privacy@xenya.ai.

2. Data we process

In the course of using Xenya, we process the following categories of personal data:

• Account data: Name, email address, company, role, password (hashed).
• Meeting data: Audio and video recordings, transcripts, metadata (date, participants, duration).
• Calendar data: With your explicit consent, we access your Google or Microsoft calendar to identify scheduled meetings.
• Usage data: Login times, IP address, browser type, device information.
• Billing data: Billing address, payment method (processed via Stripe).

3. Purpose and legal basis

Processing is carried out for the performance of a contract with you (Art. 6(1)(b) GDPR), on the basis of your consent (Art. 6(1)(a) GDPR), and to pursue our legitimate interests (Art. 6(1)(f) GDPR).

4. Storage of meeting recordings

Recordings and transcripts are stored exclusively on servers within the European Union (provider: Hetzner Online GmbH, Falkenstein). Data is encrypted (AES-256) and accessible only to authorised persons.

You can configure the retention period in your account settings (default: 365 days). After expiry, data is irrevocably deleted.

5. Consent of meeting participants

Important notice: As a user of Xenya, you are responsible for ensuring that all participants in your meetings have been informed about the recording and analysis and have given their consent. Xenya automatically identifies itself as a notetaker in the meeting.

6. Processors

We work with carefully selected processors with whom we have concluded GDPR-compliant agreements:

• Recall.ai (third country — USA): Bot integration for Zoom, Teams, Meet — data transfer on the basis of standard contractual clauses.
• AssemblyAI: Speech-to-text transcription.
• OpenAI: Generation of summaries and coaching recommendations (data is not used for training).
• Stripe: Payment processing.
• Hetzner Online GmbH: Hosting within the EU.

7. Your rights

You have the right at any time to:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Lodge a complaint with the supervisory authority (Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna)

8. Cookies

We use only technically necessary cookies (session cookies for login) and — with your consent — anonymised analytics cookies (Plausible Analytics, hosted in the EU).

9. SSL encryption

This site uses SSL/TLS encryption for security reasons. You can recognise an encrypted connection by the browser address bar changing from "http://" to "https://".

10. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to ensure it always reflects current legal requirements. The updated policy will apply to your next visit.