Privacy Policy
How we handle your data at xeref.ai
1. Overview
xeref.ai is operated by Bugra Karsli, based in Turkey. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you use our platform.
By using xeref.ai, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
We collect the following categories of data:
- Account Data: Your email address and, if you sign in via Google OAuth, your name and profile picture provided by Google.
- Usage Data: Feature interactions, model selections, agent configurations, and chat history generated while using the platform.
- Connected Account Tokens: When you connect a third-party service (GitHub, Gmail, Google Calendar, Notion, Slack, Vercel, or Telegram), we receive and store an OAuth access token or bot token issued by that provider. Tokens are encrypted at rest using AES-256-GCM and are used only to call the provider's API on your behalf. You can revoke any token at any time by disconnecting the service in /customize/connectors.
- Uploaded Content & Memory: Files you upload to the Memory view (PDFs, text, images — up to 50 MB per file) are stored in Supabase Storage. Their text content is chunked, embedded, and stored as vectors in Pinecone to enable semantic search during AI Chat. Manual memory entries are stored in the same index.
- Payment Data: Subscription and billing transactions are handled entirely by Creem. We never store your credit card or payment card details on our servers.
- Agent Message Bus Data (XerefHermes): When agent workflows publish messages via the XerefHermes inter-agent bus (for example, saving a summary to long-term memory), the message payload and metadata are stored temporarily in our database with a status lifecycle (queued → processing → done). Payloads that trigger the memory handler are additionally written to Pinecone as vector embeddings associated with your user ID and are subject to the same deletion rights as other memory data.
- Technical Data: IP address, browser type, device information, and page visit logs collected automatically by our hosting infrastructure (Vercel) to maintain service reliability.
3. How We Use Your Information
We use the data we collect to:
- Provide, operate, and maintain the xeref.ai platform and its features
- Process your subscription and manage billing through Creem
- Authenticate your identity and secure your account
- Connect to and interact with third-party services you have explicitly authorized (GitHub, Gmail, Google Calendar, Notion, Slack, Vercel, Telegram)
- Enable semantic memory search by embedding your uploaded content into a personal vector index
- Route inter-agent messages via the XerefHermes bus to registered handlers — for example, writing content to your Pinecone long-term memory namespace on your behalf
- Respond to support requests and communicate service-related updates
- Analyze aggregate usage patterns to improve product features
- Comply with our legal obligations under Turkish law
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
4. Data Storage & Security
Your data is stored on Supabase (database and authentication) and served via Vercel (hosting and edge infrastructure). Both providers implement industry-standard security measures including encryption in transit (TLS) and encryption at rest.
While we take reasonable steps to protect your data, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to using best practices to safeguard your information.
5. Third-Party Services
xeref.ai integrates with the following third-party services to deliver its functionality. Each is subject to its own privacy policy:
- Supabase — authentication, database storage, and file storage for uploaded documents
- Creem — subscription billing and payment processing
- OpenRouter — routing of AI chat messages to underlying model providers (Anthropic, OpenAI, Google, DeepSeek). Your chat messages are transmitted to these providers when you use AI Chat.
- Pinecone — vector storage for semantic memory and document embeddings
- Vercel — hosting, CDN, and edge functions
- GitHub, Google (Gmail / Calendar), Notion, Slack, Vercel API, Telegram — only when you explicitly connect them via /customize/connectors. We store only the access token needed to act on your behalf; we do not mirror or retain the content from those services beyond what is required to fulfill your request.
When you use AI features, the content of your messages is transmitted to AI model providers (Anthropic, OpenAI, Google, DeepSeek) through OpenRouter. Do not send sensitive personal information in AI chat sessions.
When you enable the Filesystem connector, agents can read and write files in directories you explicitly allow on your local machine. File contents are not uploaded to xeref.ai servers unless you choose to copy them into a chat or upload them to Memory.
6. Cookies
We use cookies solely for authentication session management — to keep you logged in across page navigations. We do not use advertising, tracking, or analytics cookies from third parties. You can disable cookies in your browser settings, but doing so will prevent you from staying logged in.
7. Your Rights (KVKK)
Under the Turkish Personal Data Protection Law (KVKK — Kişisel Verilerin Korunması Kanunu No. 6698), you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Correction: Request that inaccurate data be corrected
- Right to Deletion: Request erasure of your personal data where there is no legitimate reason for us to continue processing it
- Right to Restriction: Request that we restrict processing of your data in certain circumstances
- Right to Data Portability: Request transfer of your data in a structured, machine-readable format
- Right to Object: Object to processing of your data where we rely on legitimate interests
To exercise any of these rights, contact us at support@xeref.ai. We will respond within 30 days.
8. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g., transaction records).
Disconnecting a third-party connector immediately revokes the stored token and deletes it from our database. Deleting a memory item removes its record from Supabase and its corresponding vector chunks from Pinecone.
9. Children's Privacy
xeref.ai is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or an in-app banner at least 7 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
11. Contact Us
For any privacy-related questions, data requests, or concerns, please contact us at:
12. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Turkey, including the Personal Data Protection Law (KVKK No. 6698). Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts of Istanbul, Turkey.
Last updated: June 9, 2026