Xenia Privacy Policy (v1)
Page URL: https://xeniadata.com/privacy
Page version: v1 (Day 1 draft, 2026-05-13)
Effective date: Upon Scope A internal MVP launch (target: 2026-05-19)
Applies to: All users of xeniadata.com and related Xenia services
1. Who we are
Xenia is operated by Xenia Data ("Xenia," "we," "us," or "our"), with its principal place of business at 4438 Ingraham St, PMB 216, San Diego, CA 92109. For privacy-related questions, contact us at privacy@xeniadata.com.
2. Scope of this policy
This Privacy Policy describes how Xenia collects, uses, shares, and protects personal information of users of the Xenia service ("you"). It applies to all features of Xenia (xeniadata.com, internal.xeniadata.com, partner portal, public website, and any future apps or APIs).
It does NOT apply to information about properties that Xenia aggregates as part of its core data product. Property information (room counts, amenities, locations, etc.) is governed by Xenia's Terms of Service and the Methodology page.
3. Information we collect
3.1 Information you provide directly
- Account information. Email address, name, account password (hashed), authentication factors.
- Property owner information. If you submit on behalf of a property: your name, contact email, the property's identity, your authority to represent the property.
- Submitted content. Reviews, attestations, photographs, dispute submissions, and any content you submit through the Service. (Note: submitted content is governed by the Terms of Service license grant — see Section 6.1 of the Terms.)
- Communications. Emails, support requests, dispute correspondence.
3.2 Information collected automatically
- Usage data. Pages viewed, queries made, features used, timestamps.
- Technical data. IP address, browser type, device type, operating system, referring URL.
- Cookies and similar. Session cookies (for authentication), preference cookies (for UI settings), and limited analytics cookies. We do not use third-party advertising cookies. See Section 8 for cookie details.
- Audit log entries. Every data action on the Service is logged for compliance and security purposes; logs include user identifier and timestamp where applicable.
3.3 Information from third parties
- Property data sources. Information about properties from licensed APIs (Cloudbeds, Google Places, Walk Score, etc.), public web pages, government records, and other sources described in the Methodology page. This is property data, not personal data about you.
- Verification data. For guest review submissions, we may verify booking confirmations through the property's property management system (e.g., Cloudbeds) to confirm you stayed at the property.
4. How we use your information
We use personal information for the following purposes:
| Purpose | Legal basis (where required) |
|---|---|
| To provide and maintain the Service | Contract (performance of these Terms) |
| To authenticate you and secure your account | Contract / Legitimate interest |
| To process and respond to your submissions and inquiries | Contract |
| To verify your stay before publishing a guest review | Legitimate interest in review integrity |
| To improve the Service through analytics | Legitimate interest |
| To send service announcements and important updates | Legitimate interest |
| To send optional marketing communications (only with your consent) | Consent |
| To detect, investigate, and prevent fraud, abuse, and security incidents | Legitimate interest / Legal obligation |
| To comply with legal obligations and respond to lawful requests | Legal obligation |
| To enforce our Terms of Service | Legitimate interest / Contract |
We do NOT use your personal information to train AI models that generate content about you specifically, except where you have submitted content under the explicit license grant in Section 6.1 of the Terms.
5. How we share your information
We share personal information only as described below:
5.1 Service providers
We share information with vendors and contractors who process data on our behalf and under contract to assist with Service operation (e.g., hosting, email delivery, authentication). All service providers are bound by confidentiality and data-protection obligations. Current service providers include:
- Cloudflare (hosting, edge compute, R2 object storage, D1 database, email transport)
- DMCA agent registration with the U.S. Copyright Office (publicly listed contact information only)
- Additional service providers will be listed here as they are engaged
5.2 Property owners (limited circumstances)
If you submit a review of a property where you stayed, the property may see the review and the verified-stay confirmation. We do not share your full account profile with the property; we share only the review content and the stay verification.
5.3 Aggregate and anonymized data
We may share aggregate and anonymized statistics about Service usage (e.g., "Xenia served X million property page views in Q1") with partners, in marketing materials, and publicly. Aggregate data does not identify any individual.
5.4 Legal obligations
We may disclose personal information to comply with applicable law, regulation, legal process, or government request; to enforce our Terms; to protect the rights, property, or safety of Xenia, our users, or others; or in connection with a merger, acquisition, or sale of assets (with continuing privacy protections).
5.5 No sale or sharing for cross-context behavioral advertising
Xenia does NOT sell personal information. Xenia does NOT share personal information for cross-context behavioral advertising. For California residents, these terms have specific meanings under the California Privacy Rights Act — see Section 9.
6. Data retention
| Data category | Retention |
|---|---|
| Account information | Lifetime of the account + 12 months |
| Submitted content (reviews, attestations) | Lifetime of the underlying derivative use + 7 years (Section 11 lawful-acquisition log) |
| Usage data | 12 months |
| Audit log entries | 24 months (per Xenia Legal Framework Section 7.2) |
| DMCA notice / takedown logs | 7 years |
| Communications | 24 months unless ongoing |
| Cookies | Per cookie type (see Section 8) |
Where required by law, we may retain information longer (e.g., financial records for tax purposes).
7. Security
Xenia implements administrative, technical, and physical safeguards to protect personal information against unauthorized access, alteration, disclosure, or destruction. Specific measures include:
- Encryption in transit (TLS 1.2+ for all connections)
- Encryption at rest for sensitive data
- Access controls (role-based, least privilege)
- Audit logging of administrative actions
- Cloudflare-hosted infrastructure with WAF and bot protection
- Regular security review and incident response procedures
No method of transmission or storage is 100% secure. If you become aware of a security incident affecting your information, contact us immediately at security@xeniadata.com.
8. Cookies and similar technologies
We use the following categories of cookies:
| Category | Purpose | Duration | Required? |
|---|---|---|---|
| Strictly necessary | Authentication, session management, security | Session or persistent (90 days) | Yes — cannot be disabled |
| Functional | UI preferences (theme, language) | 1 year | No — can be disabled |
| Analytics | Aggregate usage analysis | 90 days | No — can be disabled |
We do NOT use:
- Third-party advertising cookies
- Cross-site tracking pixels
- Behavioral profiling cookies
You can manage cookie preferences through your browser settings or through the Xenia cookie banner on first visit. Most browsers allow you to block all cookies; doing so may prevent some Service features from working.
9. California residents — CCPA / CPRA rights
Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the following rights:
9.1 Right to know
You have the right to request that we disclose what personal information we have collected, used, disclosed, or sold about you. Specifically, you can request:
- Categories of personal information we have collected
- Categories of sources from which the information was collected
- Business or commercial purpose for collecting the information
- Categories of third parties with whom we share the information
- Specific pieces of personal information we have collected about you
9.2 Right to delete
You have the right to request that we delete personal information we have collected about you, subject to certain exceptions (e.g., information necessary to complete a transaction, comply with a legal obligation, or detect security incidents).
9.3 Right to correct
You have the right to request that we correct inaccurate personal information we have about you.
9.4 Right to opt out of sale or sharing
As stated in Section 5.5, Xenia does NOT sell personal information and does NOT share personal information for cross-context behavioral advertising. There is no opt-out to exercise because there is no sale or sharing in those senses.
9.5 Right to limit use of sensitive personal information
To the extent Xenia collects "sensitive personal information" as defined under the CPRA, you have the right to limit its use. Xenia's data collection minimizes sensitive personal information; most data we collect about users is not sensitive.
9.6 Right to non-discrimination
We will not discriminate against you for exercising your CCPA / CPRA rights.
9.7 Authorized agents
You may authorize an agent to make a request on your behalf by providing the agent with signed written authorization and verifying your identity directly with us.
9.8 How to exercise your rights
Send a request to privacy@xeniadata.com with the subject line "CCPA Request." Include enough information for us to verify your identity (e.g., the email address associated with your account) and the specific right you are exercising. We will respond within 45 days, or 90 days for complex requests (with notice).
10. International users
Xenia is operated from the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your jurisdiction.
For users in the European Economic Area, the United Kingdom, or other jurisdictions with data-protection laws comparable to the GDPR: Xenia processes personal information on the legal bases identified in Section 4. You have rights of access, rectification, erasure, restriction, portability, and objection. Contact us at privacy@xeniadata.com to exercise these rights. You also have the right to lodge a complaint with your local data-protection authority.
Currently, Xenia's Scope A and Scope B do not target users outside the United States. If you are accessing Xenia from outside the U.S., note that the Service is intended for U.S. users.
11. Children
The Service is intended for users 18 and older. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact us immediately at privacy@xeniadata.com and we will delete the information.
For users 13–17: the Service is not directed at you. You may not register an account on the Service.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be announced on the Service at least 30 days in advance of taking effect. The "Last updated" date below indicates the most recent revision.
13. Contact
| Topic | |
|---|---|
| Privacy questions and rights requests | privacy@xeniadata.com |
| Security concerns | security@xeniadata.com |
| Account deletion | privacy@xeniadata.com |
| DMCA notices | dmca@xeniadata.com |
Mailing address: Xenia Data Attn: Privacy 4438 Ingraham St, PMB 216 San Diego, CA 92109
Last updated
2026-05-13. Version 1 (Day 1 draft). This Privacy Policy has not yet been reviewed by a California-licensed attorney. Counsel review is scheduled before Scope C commercial