xeref.ai

Privacy Policy

How we handle your data at xeref.ai

1. Overview

xeref.ai is operated by Bugra Karsli, based in Turkey. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you use our platform.

By using xeref.ai, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect the following categories of data:

  • Account Data: Your email address and, if you sign in via Google OAuth, your name and profile picture provided by Google.
  • Usage Data: Feature interactions, model selections, agent configurations, and chat history generated while using the platform.
  • Payment Data: Subscription and billing transactions are handled entirely by Creem. We never store your credit card or payment card details on our servers.
  • Technical Data: IP address, browser type, device information, and page visit logs collected automatically by our hosting infrastructure (Vercel) to maintain service reliability.

3. How We Use Your Information

We use the data we collect to:

  • Provide, operate, and maintain the xeref.ai platform and its features
  • Process your subscription and manage billing through Creem
  • Authenticate your identity and secure your account
  • Respond to support requests and communicate service-related updates
  • Analyze aggregate usage patterns to improve product features
  • Comply with our legal obligations under Turkish law

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

4. Data Storage & Security

Your data is stored on Supabase (database and authentication) and served via Vercel (hosting and edge infrastructure). Both providers implement industry-standard security measures including encryption in transit (TLS) and encryption at rest.

While we take reasonable steps to protect your data, no method of electronic storage or transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to using best practices to safeguard your information.

5. Third-Party Services

xeref.ai integrates with the following third-party services to deliver its functionality. Each is subject to its own privacy policy:

  • Supabase — authentication and database storage
  • Creem — subscription billing and payment processing
  • OpenRouter — AI model routing (your messages are processed by AI providers via OpenRouter)
  • Vercel — hosting, CDN, and edge functions

When you use AI features, the content of your messages is transmitted to AI model providers through OpenRouter. Do not send sensitive personal information in AI chat sessions.

6. Cookies

We use cookies solely for authentication session management — to keep you logged in across page navigations. We do not use advertising, tracking, or analytics cookies from third parties. You can disable cookies in your browser settings, but doing so will prevent you from staying logged in.

7. Your Rights (KVKK)

Under the Turkish Personal Data Protection Law (KVKK — Kişisel Verilerin Korunması Kanunu No. 6698), you have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Correction: Request that inaccurate data be corrected
  • Right to Deletion: Request erasure of your personal data where there is no legitimate reason for us to continue processing it
  • Right to Restriction: Request that we restrict processing of your data in certain circumstances
  • Right to Data Portability: Request transfer of your data in a structured, machine-readable format
  • Right to Object: Object to processing of your data where we rely on legitimate interests

To exercise any of these rights, contact us at support@xeref.ai. We will respond within 30 days.

8. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g., transaction records).

9. Children's Privacy

xeref.ai is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or an in-app banner at least 7 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

11. Contact Us

For any privacy-related questions, data requests, or concerns, please contact us at:

support@xeref.ai

12. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Turkey, including the Personal Data Protection Law (KVKK No. 6698). Any disputes arising in connection with this policy shall be subject to the exclusive jurisdiction of the courts of Istanbul, Turkey.

Last updated: April 25, 2026