1. Introduction
Xail ("we," "us," or "our") provides a lightweight email client with split-channel secure messaging. This Privacy Policy explains how we collect, use, and protect your information when you use the Xail web application, desktop app, or mobile applications (collectively, the "Service").
By using Xail, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
2. Our Zero-Knowledge Architecture
Xail is architecturally designed so that we never have access to the content of your messages:
- All email reading, composing, and message reconstruction happens locally on your device — in the web application, desktop app, or mobile app.
- Secure messages are split into cryptographic shares using XorIDA threshold secret sharing and sent across your independent email providers (e.g., Gmail, Outlook, Yahoo). No single share reveals any message content.
- All cryptographic operations — share splitting, reconstruction, HMAC verification — happen entirely on your device.
- Our backend server handles only OAuth token exchange (described below). It never sees, processes, or stores email content.
3. Information We Collect
3.1 Account Information
When you connect an email account via OAuth, we receive your email address and display name from your email provider. This information is stored locally on your device and used to identify your connected accounts within the Xail interface.
3.2 Customer Onboarding & Usage Metering (PRIVATE.ME Platform Products)
For customer-facing products on the PRIVATE.ME platform (such as xBind, xPass, and xVault), we collect and store the following information to provide free tier accounts, enforce usage limits, send notifications, and process upgrades:
- Email address: Your primary account identifier used for account creation, email verification, authentication, and usage notifications
- Email verification status: Whether your email has been verified (required before API key generation)
- Account creation timestamp: When your account was created
- Connection ID: A randomly generated identifier in the format `conn_{product}_{random}` that links your account to a specific product subscription
- Customer DID: A cryptographic identifier based on your Ed25519 public key, in the format `did:key:z6Mk...`, used for secure API authentication
- API keys: Cryptographically hashed (using bcrypt) for secure authentication. We never store plaintext API keys.
- Usage metrics: Operation counts per 30-day billing period to enforce free tier limits (100,000 operations per month)
- Product subscriptions: Which PRIVATE.ME products you have subscribed to (e.g., xBind, xPass, xVault)
- Subscription tier: Whether your account is on the Free tier or Pro tier
- Current period spend: Your usage-based charges for the current billing period (Pro tier only)
- Billing data: Payment information is managed entirely by Stripe (our payment processor) and is subject to the Stripe Privacy Policy. We receive only a Stripe customer ID and never see your credit card details.
Why we collect this: To provide free tier accounts with generous usage limits, send warning emails when you approach limits, enforce fair usage policies, and process seamless upgrades to Pro tier.
Data retention: Account data is retained while your account is active. If you delete your account, we perform a 30-day soft delete, after which all personal data is anonymized. Billing records are retained for 7 years as required by tax law.
Third-party sharing: We share your email address with SendGrid (for transactional emails only, such as verification emails and usage warnings) and Stripe (for payment processing, which is PCI DSS compliant). We do not sell or share your data with any other third parties.
3.3 Authentication Data
For PRIVATE.ME platform products, we collect and manage authentication data to provide secure, passwordless access to your account:
- Session tokens: Randomly generated tokens (using `crypto.randomBytes(32)`) that authenticate your browser session. Sessions expire after 30 days of inactivity.
- Magic link tokens: One-time use authentication tokens sent via email that expire after 15 minutes. These tokens are deleted immediately after use to prevent replay attacks.
- Cookies: We use session cookies with the following security attributes:
  - `HttpOnly`: the cookie cannot be read by JavaScript running in the page, so a cross-site scripting (XSS) flaw cannot exfiltrate your session token
  - `Secure`: the cookie is only transmitted over HTTPS connections
  - `SameSite=Lax`: the browser withholds the cookie from cross-site requests other than top-level navigations (such as following a link), which mitigates cross-site request forgery (CSRF)
Why we collect this: To provide secure, passwordless authentication to your PRIVATE.ME platform account without requiring password management.
Data retention: Session tokens are deleted after 30 days of inactivity or when you sign out. Magic link tokens are deleted immediately after use or after 15 minutes (whichever comes first).
3.4 OAuth Tokens (Transient Server Processing — Xail Product Only)
For the Xail email client specifically, our backend server participates in the OAuth 2.0 token exchange process. During this exchange, the server temporarily receives an authorization code, exchanges it with your email provider (Google, Microsoft, or Yahoo) for access and refresh tokens, and returns those tokens to your device. The server does not persist or store tokens after the exchange completes. Tokens are stored encrypted on your device using AES-256-GCM via the Web Crypto API.
3.5 Email Content (Never Collected by Xail — Xail Product Only)
Xail accesses your email through your email provider's API (e.g., Gmail API) to:
- Display messages in the Xail inbox
- Read incoming share fragments for secure message reconstruction
- Send regular email and encrypted share fragments
- Create and manage a "Xail Shares" label to organize share fragments out of your primary inbox
All email API calls go directly from your device to your email provider's servers. Our servers never proxy, intercept, or store email content.
3.6 Local Metadata Index (Xail Product Only)
Xail maintains an encrypted local database on your device containing message summaries and keywords (for search functionality), extracted entities (names, dates, amounts), contact information and security tier configurations, and delivery status information. This data is encrypted with AES-256-GCM and never leaves your device.
3.7 On-Device AI Processing (Xail Product Only)
Xail's core AI features — summarization, entity extraction, natural language search, and intelligent threading — run entirely on your device using platform-native capabilities:
- iOS: Apple Foundation Models API (built into iOS, on-device only)
- Android: Gemini Nano (built into supported devices, on-device only)
- Browser/Desktop: Regex-based extraction and optional local WebLLM inference
No email message content is ever sent to any cloud AI service, Xail server, or third party for on-device AI processing.
3.8 AI Assistant Interactions (Ren and Kaia)
Xail provides two optional AI assistants — Ren (sales assistant on public pages) and Kaia (in-app support assistant). These assistants support both text chat and voice conversations. Unlike on-device AI (Section 3.7), assistant interactions involve third-party AI services:
3.8.1 Text Chat
When you type a message to Ren or Kaia, your message is sent to our server, which forwards it to our AI service provider to generate a response. Our server does not store conversation history — messages are held only in your browser's memory for the duration of the chat session.
3.8.2 Voice Conversations
When you enable voice mode, your browser establishes a direct WebRTC peer connection to OpenAI's Realtime API. During a voice session:
- Microphone audio is streamed directly from your browser to OpenAI for speech recognition and response generation. Audio does not pass through Xail's servers.
- An ephemeral session token is created through our server (which holds the API key) and provided to your browser. The token expires within 60 seconds.
- OpenAI's voice response audio is streamed back directly to your browser via WebRTC.
3.8.3 Account Context Shared with AI Assistants
To provide personalized guidance, Kaia, the in-app assistant, receives limited, non-identifying account metadata:
- Number of connected accounts (e.g., "2")
- Email provider names (e.g., "Gmail, Outlook") — not your email addresses
- Your security tier (e.g., "Blue")
- The current page you are viewing (e.g., "inbox" or "settings")
This context allows Kaia to give specific advice (e.g., "Add a third account to reach Green tier") rather than generic responses. No email addresses, message content, OAuth tokens, or contact information is ever shared with AI assistants.
3.8.4 AI Data Retention
Xail does not store AI assistant conversation history on its servers. Conversations exist only in your browser memory and are cleared when you close the chat or navigate away. For data retention by our AI providers, please refer to the respective provider's privacy policy.
3.9 Aggregate Usage Metrics
Xail collects anonymized, aggregate metrics to improve the Service. These include total messages sent per day, active user counts, and feature usage statistics. These metrics are aggregated across all users and contain no personal identifiers — we cannot tie any metric to a specific user or email.
We do not perform per-user per-email tracking. We do not record individual send timestamps, per-message locations, or behavioral sequences. We do not use third-party analytics services, advertising SDKs, or tracking pixels.
3.10 Country-Level Location
At signup and login, Xail derives your country-level location from your IP address. This is captured once per session — not per email or per action. No GPS, city-level, or precise geolocation data is collected. Country data is used solely for aggregate market analysis and is not tied to individual message activity.
4. How We Use Your Information
| Information | Purpose | Stored Where |
|---|---|---|
| Email address (Xail) | Account identification in UI | Your device only |
| Email address (Platform) | Account creation, verification, authentication | Our servers (encrypted database) |
| Connection ID (Platform) | Link email to product subscription | Our servers (encrypted database) |
| Customer DID (Platform) | Cryptographic API authentication | Our servers (encrypted database) |
| API keys (Platform) | Authenticate API requests | Our servers (bcrypt hashed) |
| Session tokens (Platform) | Maintain authenticated sessions (30 days) | Our servers (encrypted, HttpOnly cookies) |
| Magic links (Platform) | Passwordless authentication (15 minutes) | Our servers (one-time use, deleted after redemption) |
| Usage metrics (Platform) | Enforce free tier limits, send warnings | Our servers (encrypted database) |
| Billing data (Platform) | Process Pro tier payments | Stripe (PCI DSS compliant) |
| OAuth tokens (Xail) | Authorize email API access | Your device (AES-256-GCM encrypted) |
| Email content (Xail) | Display inbox, send/receive messages | Your email provider + device memory (not persisted) |
| Local metadata (Xail) | Search, threading, summaries | Your device (AES-256-GCM encrypted) |
| AI outputs (Xail) | Summaries, entities, search index | Your device (AES-256-GCM encrypted) |
| AI assistant conversations | Text/voice support, personalized guidance | Browser memory only (not persisted); processed by third-party AI providers |
| Account context for AI | Personalized assistant responses | Sent per-session to AI providers; not stored |
| Aggregate metrics | Service improvement, capacity planning | Our servers (anonymized, no personal identifiers) |
| Country (at signup/login) | Aggregate market analysis | Our servers (not tied to individual activity) |
5. Information We Do NOT Collect
For clarity, Xail does not collect or have access to:
- Email message bodies, subjects, or attachments on our servers
- Browsing history or activity outside Xail
- Precise location or GPS data (only country-level at signup/login — see Section 3.10)
- Device advertising identifiers
- Phone contact lists
- Biometric data
- Keystroke or input data
6. Data Sharing and Disclosure
Xail does not sell, rent, or trade your personal information, and we do not monetize user data in any form. Apart from the service providers named in this policy (Stripe and SendGrid for PRIVATE.ME platform accounts, Section 3.2, and the AI providers described below), we do not share your personal information with any third party. The only external data transmissions that occur are:
- OAuth token exchange: Your device communicates with our backend server to exchange OAuth authorization codes for tokens (Section 3.4).
- Email provider APIs: Your device communicates directly with Gmail, Outlook, and/or Yahoo APIs to read and send email.
- AI assistant text chat: When you use Ren or Kaia's text chat, your messages are processed by a third-party AI provider via our server. No email content is included — only your chat messages and limited account context (Section 3.8.3).
- AI assistant voice: When you use voice mode, your microphone audio is streamed directly to a third-party AI provider (via WebRTC). Xail's server provides only an ephemeral session token — audio does not pass through our infrastructure.
We may disclose information if required by law, regulation, legal process, or governmental request. We will attempt to notify you before such disclosure unless prohibited by law.
7. Enterprise Tier
Organizations using Xail's Enterprise tier may deploy a Corporate Xail Server that provides compliance features including eDiscovery, data loss prevention (DLP), key escrow, delegation, and audit logging. In the Enterprise context:
- Compliance copies of messages are encrypted and stored on the organization's own infrastructure — never on Xail's servers.
- The organization's designated compliance officer controls the compliance encryption keys.
- Xail (the company) cannot read or decrypt enterprise compliance copies.
- Enterprise data handling is governed by the organization's own policies and your employment agreement.
When sending a secure message to a recipient whose account is managed by an Enterprise organization, the sender is notified before sending that the message may be subject to the recipient organization's compliance policies.
8. Data Retention
- Email messages reside in your own email accounts (Gmail, Outlook, Yahoo). Xail does not maintain a separate server-side copy.
- Local metadata index persists on your device until you clear it from Settings or uninstall Xail.
- OAuth tokens are stored encrypted on your device until you disconnect an account or they are revoked.
- Reconstructed secure messages are held in device memory only during viewing and are discarded when you navigate away. They are never written to disk in plaintext.
- Active customer accounts (PRIVATE.ME platform products) are retained indefinitely while the account is in use.
- Deleted accounts undergo a 30-day soft delete period, after which all personal data is anonymized. Connection IDs and usage statistics may be retained in anonymized form for billing reconciliation.
- Audit logs are retained for 7 years to comply with financial regulations and legal requirements.
- Billing records are retained for 7 years as required by tax law and financial auditing standards.
9. Your Rights and Choices
9.1 Xail Product (Email Client)
You have full control over your data at all times:
- Disconnect accounts: Remove any connected email account from Settings. This revokes Xail's OAuth access and deletes stored tokens.
- Clear local data: Delete the encrypted metadata index, contact database, and security log from Settings.
- Uninstall: Removing the Xail extension or app deletes all local data including encrypted IndexedDB stores.
- Revoke access at the provider: You can revoke Xail's access directly from your email provider's security settings (e.g., Google Account → Security → Third-party apps with account access).
- Export: Your emails remain in your email provider accounts. There is no Xail-specific data export needed since we don't hold your data.
9.2 PRIVATE.ME Platform Products (GDPR Rights)
For PRIVATE.ME platform products (xBind, xPass, xVault), you have the following rights under the GDPR (including Article 17, the Right to Erasure) and related privacy regulations:
- Account deletion: You may delete your account at any time through the account dashboard or by contacting contact@private.me.
- 30-day soft delete: When you request account deletion, your account enters a 30-day soft delete period. During this time, you can contact us to restore your account.
- Data anonymization: After 30 days, all personal data (email address, Customer DID, API keys) is permanently anonymized. Connection IDs and aggregated usage statistics may be retained in anonymized form for billing reconciliation.
- Retention exceptions: We retain certain records for legal compliance:
  - Audit logs: 7 years (financial regulations)
  - Billing records: 7 years (tax law)
  - These records are retained in minimal form and cannot be used to identify you after anonymization
- Right to access: Request a copy of your account data by contacting contact@private.me.
- Right to rectification: Correct inaccurate account information through the account dashboard.
- Right to data portability: Export your API keys and usage data in machine-readable format.
9.3 Additional Privacy Rights
If you are located in the European Economic Area (EEA), United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. Contact us at contact@private.me for any data rights requests.
10. Security Measures
Xail protects your data through architectural design and the following measures:
- All local storage encrypted with AES-256-GCM via the Web Crypto API
- OAuth 2.0 with PKCE (Proof Key for Code Exchange) for all provider authentication
- HMAC-SHA256 integrity verification on every message share before reconstruction
- No plaintext message content ever transmitted to any Xail server
- Content Security Policy headers preventing script injection
- Cryptographic library implementing a peer-reviewed, published algorithm (the XorIDA threshold secret sharing scheme described in Section 2), so its construction can be independently verified
- Encrypted security event logging for audit purposes (stored locally)
11. Google API Services User Data Policy
Xail's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Xail uses access to Google user data solely to provide and improve the email client features described in this policy.
- Xail does not transfer Google user data to third parties except as necessary to provide the Service, as required by law, or with explicit user consent.
- Xail does not use Google user data for serving advertisements.
- Xail does not allow humans to read Google user data unless: (a) the user has given explicit consent for support purposes, (b) it is necessary for security investigation, or (c) it is required by applicable law.
12. Children's Privacy
Xail is not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal information, please contact us at contact@xail.io and we will take steps to delete it.
13. International Considerations
Because Xail processes data locally on your device, your data generally does not cross international borders through our infrastructure. The OAuth token exchange (Section 3.4) is processed by servers located in the United States. Your email provider may process your data in accordance with their own privacy policies and applicable data transfer mechanisms.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy at this URL and revising the "Last Updated" date. For significant changes, we will provide notification within the Xail application. Your continued use of Xail after changes are posted constitutes acceptance of the updated policy.
15. Contact Us
If you have questions about this Privacy Policy or our privacy practices, contact us at:
Xail
Email: contact@xail.io
Web: https://xail.io
Los Angeles, California, United States
This privacy policy was last reviewed on May 18, 2026.