Privacy Policy
This Privacy Policy explains how XEROTECH LTD (“we”, “us”, “our”) collects, uses, stores and protects your personal data when you use any of our products and services, including CallGPT 6X, Xeroland, VisionXI, TechFinds Auto Publisher, and our websites at xerotech.io and callgpt.co.uk (collectively, the “Services”).
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable international data protection laws.
1. Data Controller
XEROTECH LTD
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ, United Kingdom
Company Registration No: 14474495
ICO Registration No: ZC065188
Contact: privacy@xerotech.io
2. Information We Collect
2.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed) | Create and manage your account |
| Payment Information | Processed by Stripe — we do not store card details | Process subscriptions and payments |
| Communication Content | Chat messages, prompts, uploaded files | Provide AI conversation and productivity services |
| Support Communications | Emails, support tickets, feedback submissions | Respond to your enquiries |
| User-Uploaded Media | Videos, images, documents uploaded to our platforms | Provide content processing, publishing and automation services |
2.2 Information Collected Automatically
| Data Type | Examples | Purpose |
|---|---|---|
| Usage Data | Features used, session duration, message counts, video upload activity | Improve services and enforce usage limits |
| Technical Data | IP address, browser type, device information, operating system | Security, troubleshooting, analytics |
| Cookies | Session cookies, preference cookies | Essential service functionality |
2.3 AI-Generated Content
When you use CallGPT 6X, your prompts are processed by third-party AI providers (OpenAI, Anthropic, Google, xAI, DeepSeek, Moonshot) to generate responses. We implement automatic privacy protection that detects and replaces sensitive information (such as National Insurance numbers, payment card numbers, NHS numbers and phone numbers) in your browser before any message is transmitted. This filtering is patent pending.
2.4 Third-Party Platform Data
When you connect third-party accounts to our Services (such as TikTok or Google Drive), we access only the data necessary to provide the requested functionality. See Section 11 for product-specific details.
3. How We Use Your Information
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Provide and maintain our Services | Contract performance (Art. 6(1)(b)) |
| Process payments and subscriptions | Contract performance (Art. 6(1)(b)) |
| Send service-related communications | Contract performance (Art. 6(1)(b)) |
| Respond to support requests | Contract performance (Art. 6(1)(b)) |
| Publish content to third-party platforms on your behalf | Contract performance (Art. 6(1)(b)) |
| Prevent fraud and abuse | Legitimate interests (Art. 6(1)(f)) |
| Improve and develop our Services | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Send marketing communications (with consent) | Consent (Art. 6(1)(a)) |
4. Data Sharing
4.1 Service Providers
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel Inc. | Website and application hosting | United States | Standard Contractual Clauses |
| MongoDB Inc. | Database hosting | Ireland (EU) | Adequacy decision (EU) |
| Stripe Inc. | Payment processing | United States | EU-US Data Privacy Framework |
| OpenAI LLC | AI processing (CallGPT) | United States | Standard Contractual Clauses |
| Anthropic PBC | AI processing (CallGPT) | United States | Standard Contractual Clauses |
| Google LLC | AI processing, Google Drive integration | United States | EU-US Data Privacy Framework |
| xAI Corp. | AI processing (CallGPT) | United States | Standard Contractual Clauses |
| DeepSeek | AI processing (CallGPT) | China | Standard Contractual Clauses |
| Moonshot AI (Kimi) | AI processing (CallGPT) | China | Standard Contractual Clauses |
| ElevenLabs Inc. | Text-to-speech processing | United States | Standard Contractual Clauses |
| TikTok (ByteDance) | Video publishing (TechFinds Auto Publisher) | United States / Singapore | Standard Contractual Clauses |
| Resend Inc. | Email delivery | United States | Standard Contractual Clauses |
4.2 Other Disclosures
We may also disclose your data:
- To comply with legal obligations or court orders
- To protect our rights, property, or safety
- In connection with a business transfer or merger (with prior notice)
We do not sell your personal data to third parties.
5. International Transfers
Some of our service providers are located outside the UK and European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved contractual terms that provide adequate protection
- EU-US Data Privacy Framework: For US companies certified under this framework
- Adequacy Decisions: For countries the UK has deemed to provide adequate protection
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Chat messages and sessions (CallGPT) | Duration of account + 30 days after deletion |
| Generated artifacts | Duration of account + 30 days after deletion |
| OAuth tokens (TikTok, Google) | Duration of active connection — deleted on disconnection |
| Video upload metadata | 90 days after successful publication |
| Payment records | 7 years (legal requirement) |
| Support communications | 3 years |
| Server logs | 90 days |
After these periods, data is securely deleted or anonymised.
7. Your Rights
Under UK GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion of your data (“right to be forgotten”) |
| Restriction | Request limitation of processing |
| Portability | Receive your data in a portable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent at any time where consent is the legal basis |
To exercise any of these rights, contact us at privacy@xerotech.io. We will respond within one month.
7.1 Account Deletion
You can delete your account and all associated data at any time by emailing privacy@xerotech.io. For CallGPT 6X users, self-service deletion is available via Dashboard → Settings → Delete Account.
Upon deletion, we will:
- Remove your account and profile information
- Delete all stored content, sessions and artifacts
- Revoke and delete all third-party OAuth tokens (TikTok, Google Drive)
- Cancel any active subscriptions
- Retain only data required by law (e.g. payment records for 7 years)
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Secure password hashing
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- Browser-side PII detection and filtering (CallGPT 6X — patent pending)
Our infrastructure providers maintain industry certifications including SOC 2 Type II and ISO 27001.
9. Children’s Privacy
Our products have different age requirements based on their intended audience:
| Product | Minimum Age | Notes |
|---|---|---|
| CallGPT 6X | 18 | General-purpose AI platform — adult users only |
| TechFinds Auto Publisher | 18 | TikTok requires users to be 18+ for API access |
| Xeroland | 13 (with parental/institutional consent) | Educational platform deployed through schools — governed by institutional data agreements |
| VisionXI | 13 (with parental consent) | Visual AI assistant |
We do not knowingly collect personal data from children under 13. If you believe we have collected data from a child under the applicable minimum age, please contact us immediately at privacy@xerotech.io.
10. Cookies
We use essential cookies to operate our Services and optional analytics cookies with your consent. Essential cookies enable core functionality such as authentication and session management. Analytics cookies help us understand how our Services are used so we can improve them. You can manage cookie preferences through your browser settings.
11. Product-Specific Data Practices
11.1 CallGPT 6X
CallGPT 6X routes your prompts to third-party AI providers to generate responses. Our browser-side privacy filter detects and replaces sensitive personal information (NI numbers, card details, NHS numbers, postcodes, phone numbers) with secure placeholders before any message leaves your device. We use API configurations that request data not be used for training where such options are available. We do not use your content to train our own AI models.
11.2 Xeroland
Xeroland is deployed through educational institutions under data processing agreements. Student data is processed in accordance with institutional policies and UK education data protection requirements. Schools act as the data controller for student data; XEROTECH acts as the data processor.
11.3 TechFinds Auto Publisher — TikTok Integration
This section applies specifically to users of the TechFinds Auto Publisher, which integrates with TikTok’s Content Posting API.
What data we access from TikTok
When you connect your TikTok account to TechFinds Auto Publisher, we request authorisation for the following scopes:
- user.info.basic — Your TikTok display name, avatar and open ID, used to identify your connected account within our system
- video.upload — Permission to upload video files to your TikTok account on your behalf
- video.publish — Permission to publish uploaded videos to your TikTok profile or save them as drafts
We do not access your TikTok followers, following lists, liked videos, comments, direct messages, analytics or any other TikTok data beyond the scopes listed above.
How we handle your data
- Video files: Videos are sourced from your connected Google Drive account, temporarily downloaded for processing, uploaded to TikTok via their Content Posting API, and then deleted from our systems. We do not retain copies of your video files after successful publication.
- OAuth tokens: Your TikTok access token and refresh token are stored securely on our servers using AES-256 encryption. Access tokens expire every 24 hours and are refreshed automatically. Refresh tokens are valid for 365 days. All tokens are permanently deleted when you disconnect your TikTok account.
- Upload metadata: We store a record of each upload (video title, upload timestamp, publication status) for 90 days to provide you with upload history and troubleshooting. This metadata does not include the video content itself.
- Google Drive access: We access only the specific Google Drive folder(s) you designate for video uploads. We do not browse, index or access any other files in your Google Drive.
What we do not do
- We do not access other TikTok users’ data through your account
- We do not post content to your TikTok account without your explicit instruction or pre-configured automation rules
- We do not sell, share or use your TikTok data for advertising, analytics or any purpose other than providing the publishing service
- We do not use your videos or TikTok data to train AI models
- We do not store your TikTok password — authentication is handled entirely through TikTok’s OAuth 2.0 flow
Disconnecting your TikTok account
You can disconnect your TikTok account at any time through the TechFinds Auto Publisher settings. Upon disconnection:
- All stored OAuth tokens are permanently deleted
- Any pending scheduled uploads are cancelled
- Upload history metadata is deleted within 30 days
- You can also revoke access from TikTok’s side via Settings → Security → Manage app permissions
11.4 Google Drive Integration
When you connect Google Drive to any of our Services, we access only the files and folders you explicitly authorise. We use Google’s OAuth 2.0 authentication and request the minimum scopes required. Files are accessed on demand, processed for the requested operation (such as video upload to TikTok), and not retained on our systems beyond the time necessary to complete the operation. You can revoke Google Drive access at any time through your Google Account settings at myaccount.google.com/permissions.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting a notice on our website
- Sending an email to your registered address (where applicable)
The “Last updated” date at the top indicates when the policy was last revised.
13. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
14. Contact Us
For any questions about this Privacy Policy or our data practices:
Email: privacy@xerotech.io
Address: XEROTECH LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
