
Privacy Policy

Last updated: February 23, 2026

1. Who We Are

XEROML Inc. ("XEROML", "we", "us", or "our") operates the website xeroml.com and the XeroML application at app.xeroml.com. This Privacy Policy explains what personal data we collect when you use our services, why we collect it, and how we handle it.

2. Data We Collect

When you sign in using Google (via WorkOS AuthKit), we receive the following information from Google's OAuth service:

  • Email address — used to identify your account
  • Full name — provided by your Google profile
  • Profile photo URL — provided by your Google profile

We also generate and store API keys on your behalf when you request them. These keys are stored as irreversible SHA-256 hashes — the raw key is shown to you exactly once and never stored by us.

We do not collect passwords, payment information, location data, or any sensitive personal information.

3. How We Use Your Data

Your data is used exclusively for the following purposes:

  • Authentication — verifying your identity when you sign in
  • Account identification — displaying your email in the app interface
  • API key ownership — linking API keys you generate to your account using an opaque internal user ID

We do not use your data for advertising, analytics profiling, machine learning training, or any purpose beyond the authentication and account functions described above.

4. Data Storage & Security

Authentication sessions are managed by WorkOS AuthKit, which stores your session in an encrypted HTTP-only cookie (wos-session) on your device. We never see or store your Google OAuth tokens directly.

API key ownership is stored in our backend using only your opaque WorkOS user ID — not your email, name, or any other identifying information. API keys themselves are stored exclusively as SHA-256 hashes.

5. Data Retention

Session data is retained for the duration of your authenticated session and expires automatically. API key records (hashes and ownership mappings) are retained until you revoke the key or request account deletion. We do not retain Google profile data (name, photo) beyond the active session.

6. Third-Party Services

We use the following third-party service that may process your personal data:

  • WorkOS — identity and authentication provider. WorkOS processes your Google profile data to create and maintain your authentication session. See WorkOS Privacy Policy.

We do not share your personal data with advertising networks, analytics platforms, data brokers, or any other third parties.

7. Your Rights & Data Deletion

You have the right to:

  • Request a copy of the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and all associated data
  • Revoke Google's access to our application at any time via your Google Account permissions

To exercise any of these rights, contact us at privacy@xeroml.com. We will respond within 30 days.

8. Cookies

We use a single session cookie (wos-session) that is essential for authentication. It is HTTP-only, encrypted, and contains no personally identifiable information. We do not use tracking, advertising, or analytics cookies.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of our services after any changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy, please contact us at:
privacy@xeroml.com
XEROML Inc.
