Privacy Policy
Effective date: May 15, 2026
The short version:
- The CLI collects no data by default. It runs entirely on your machine.
- The Website collects only what it needs: basic usage telemetry to keep the service running.
- We do not sell your data. We do not use your configurations to train AI models.
- You can request deletion of your data at any time.
- We are GDPR and CCPA conscious. If you are in the EU or California, your additional rights are described below.
1. Data Controller
This Privacy Policy is issued by Saero AI, a company registered in the Republic of the Philippines ("Saero AI," "we," "us," or "our"). Saero AI is the data controller for personal data collected through xcaffold.com.
For privacy inquiries, contact our Data Protection Officer (DPO) at [email protected].
2. What This Policy Covers
This Policy covers two distinct products with very different data profiles:
xcaffold CLI
Open-source, runs entirely on your local machine. By default, the CLI collects no telemetry, sends no data to Saero AI servers, and does not require authentication. When you run xcaffold commands, your .xcaf blueprint files and generated provider directories stay on your disk.
xcaffold Website
The xcaffold.com website serves documentation, marketing pages, and legal information. It does not currently require accounts or process user-uploaded content. This section of the Policy describes the limited data collected through the Website.
3. Data We Collect on the Website
3.1 Usage Telemetry
To operate and improve the Website, we collect basic web analytics:
- Page views and navigation events
- Session metadata (browser type, operating system, approximate geographic region)
- Error logs (stack traces, not user content)
- API request metadata (endpoint, response time, HTTP status code) — not request bodies
Analytics are collected via PostHog, which is loaded only after you grant consent via the cookie consent banner.
3.2 Payment Data
The Website does not currently process payments. When billing is activated, payment processing will be handled by a third-party payment processor. This section will be updated to describe the specific processor and data practices at that time.
3.3 Communications
If you contact us via email or submit a support inquiry, we retain that correspondence to respond and to improve our support quality.
4. How We Use Your Data
Service Delivery. To serve documentation and marketing content on the Website.
Product Improvement. Aggregate, anonymized usage telemetry helps us understand which pages are most visited and where users encounter friction. We do not use configuration content for this purpose.
Security and Abuse Prevention. To detect and prevent unauthorized access, fraud, and misuse of the Website.
Legal Compliance. To comply with applicable laws, respond to lawful requests from authorities, and enforce our Terms of Service.
Support. To respond to your support requests and diagnose technical issues.
No AI Training. We do not use your configuration files, agent definitions, or any content you submit to train machine learning models — ours or third parties'. Your intellectual property stays yours.
5. Who We Share Data With
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
Service Providers
We use sub-processors (e.g., cloud hosting, error monitoring, analytics) who process data on our behalf under data processing agreements. These providers may not use your data for their own purposes.
Legal Requirements
We may disclose data if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Saero AI, our users, or the public.
Business Transfers
If Saero AI is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
6. Data Storage and Retention
6.1 Where Data is Stored. Website data is stored on cloud infrastructure located in the United States. Data may be processed by sub-processors in additional jurisdictions in accordance with applicable data transfer mechanisms (e.g., Standard Contractual Clauses for EU data).
6.2 Retention Periods.
| Data Type | Retention |
|---|---|
| Usage telemetry (event logs) | 24 months rolling |
| API access logs | 12 months |
| Support correspondence | 3 years |
| Anonymized, aggregated analytics | Indefinite |
7. Security
We implement industry-standard security measures to protect your data, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Role-based access controls limiting internal data access to personnel who require it
- Regular security reviews of our infrastructure
No security system is impenetrable. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours of discovery, as required by applicable law including GDPR and the Philippine Data Privacy Act (RA 10173).
8. Your Rights and Choices
You have the following rights regarding your personal data. To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
- Request a copy of the personal data we hold about you.
- Request that we correct inaccurate or incomplete data.
- Request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days of a valid request, subject to legal retention requirements.
- Request your data in a machine-readable format.
- Object to processing of your personal data for direct marketing or based on our legitimate interests.
- Request that we restrict processing of your data while a dispute is under review.
- Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
9. EU and UK Residents — GDPR
9.1 Legal Basis. If you are in the EU or UK, we process your personal data on the following legal bases under GDPR:
- Legitimate interests: security monitoring, fraud prevention, and aggregate analytics, where our interests are not overridden by your rights (Art. 6(1)(f))
- Legal obligation: applicable retention and breach notification requirements (Art. 6(1)(c))
- Consent: analytics cookies, where separately requested via the consent banner (Art. 6(1)(a))
9.2 International Transfers. When we transfer personal data from the EU/EEA to our servers or sub-processors outside the EEA, we do so using Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards.
9.3 Supervisory Authority. You have the right to lodge a complaint with your local data protection authority. For a list of EU supervisory authorities, visit edpb.europa.eu.
9.4 Data Processing Agreements. Users who process EU personal data through the Website may request execution of a GDPR-compliant Data Processing Agreement (DPA) at [email protected].
10. California Residents — CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA provides you the following additional rights:
- Know what personal information we collect, use, disclose, or sell
- Delete personal information we have collected, subject to certain exceptions
- Opt out of the sale or sharing of personal information — we do not sell or share personal information as defined under CCPA
- Non-discrimination for exercising your CCPA rights
- Correct inaccurate personal information
- Limit use and disclosure of sensitive personal information
To exercise these rights, email us at [email protected] with "CCPA Request" in the subject line. We will verify your identity before processing the request and respond within 45 days.
Do Not Sell or Share. Saero AI does not sell or share (as defined under CCPA/CPRA) your personal information to or with third parties for cross-context behavioral advertising or monetary consideration.
11. Philippine Data Privacy Act (RA 10173)
Saero AI operates under and complies with the Philippine Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations. As a Philippine entity processing personal data, Saero AI:
- Registers with the National Privacy Commission (NPC) for processing operations involving personal data exceeding 1,000 records
- Maintains a Data Protection Officer (DPO) responsible for ensuring compliance with RA 10173
- Processes personal data only on lawful bases (consent, contract, legitimate interest, legal obligation)
- Notifies the NPC and affected individuals within 72 hours of a personal data breach
- Respects the rights of data subjects to access, correction, erasure, and data portability
12. Cookies and Tracking
The Website uses cookies for two purposes: (1) preference cookies to remember your UI settings, and (2) analytics cookies from PostHog, which are loaded only after you grant consent via the cookie consent banner. We do not use third-party advertising cookies, session authentication cookies, or tracking pixels.
| Cookie | Purpose | Duration |
|---|---|---|
| xcf_preferences | Stores UI preferences (theme, layout) | 1 year |
| ph_* | PostHog analytics — tracks feature usage and session behaviour (loaded only with consent) | Up to 1 year |
13. Children's Privacy
The Website is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post a prominent notice on the Website at least 14 days before the changes take effect. The "Effective date" at the top of this page always reflects the current version. Your continued use of the Website after the effective date constitutes acceptance of the updated Policy.
Contact and Complaints
For privacy questions, data subject requests, or to report a concern:
Saero AI — Data Protection Officer
Republic of the Philippines
Email: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with the National Privacy Commission of the Philippines (privacy.gov.ph), your EU supervisory authority, or the California Privacy Protection Agency, as applicable.