Privacy Policy — Xcelion AI

This Privacy Policy explains what personal information Xcelion AI, LLC ("Xcelion," "we," "us") collects when you use the Xcelion mobile app, our website, and related services (the "Service"), how we use it, who we share it with, and what choices you have. We have written this policy in plain language. Where US state or non-US law gives you specific rights, we honor them, and we describe how to exercise them below.

01Summary

The short version:

We collect the minimum we need to deliver a news-reading service: your email, the names you choose to track, basic device and usage signals.
We do not collect brokerage credentials, account numbers, balances, trade history, Social Security numbers, or any other financial-account information.
We do not sell or share your personal information for cross-context behavioral advertising.
We do not use your data to train any AI model, and we have configured our AI subprocessors not to use it for their training either.
We do not use the iOS Identifier for Advertisers (IDFA), do not track you across other apps or websites, and do not present an App Tracking Transparency prompt because we do not engage in tracking.

02Who we are

The data controller for the Service is Xcelion AI, LLC, a Delaware limited liability company with a US registered office. You can reach our privacy team at xcelionai@gmail.com.

03What we collect

Category	Examples	Source
Account information	Email address, password hash, account creation timestamp, subscription status	You
Reservation & payment records	Founding Member reservation status, Stripe transaction identifiers, receipt email, amount, currency, refund status	You, Stripe
Tracked names	The list of US-listed ticker symbols and corporate names you add to your watchlist	You
Usage data	Briefings opened, citations clicked, in-app navigation, time-of-use, feature interactions	Automatically
Device data	Device model, OS version, app version, language, time zone, crash diagnostics	Automatically
Network data	IP address (used for security and approximate region only; truncated at the application layer)	Automatically
Support correspondence	Messages you send to support, feedback, bug reports	You
Subscription & receipt	Apple-issued anonymous transaction identifiers, purchase status, renewal status	Apple

04What we do not collect

// Affirmatively excluded

Brokerage usernames, passwords, OAuth tokens, or session cookies.
Account numbers, routing numbers, or balances.
Trade history, position sizes, dollar amounts, P&L, cost basis, or any record of actual trading activity.
Social Security number, government identification number, or driver's license number.
Payment card data (handled directly by Apple under your Apple ID or by Stripe for website reservations).
Health, biometric, or genetic data.
Precise geolocation. Location features rely only on device time zone unless you explicitly grant permission for finer location, which we currently do not request.
Contacts, photos, microphone, camera, or other personal device content.
Identifier for Advertisers (IDFA) or any cross-app/cross-site tracker.

05How we use it

Deliver the Service. Generate briefings for the names you have added; show you previously delivered briefings; manage your account and subscription.
Operate the Service. Fix bugs, monitor reliability, prevent abuse, secure systems, prevent fraud, and protect against threats.
Improve the Service. Understand which features are used and how, in aggregated and de-identified form. We do not profile individual users for any consequential decision.
Communicate with you. Send transactional messages (account, security, subscription, service updates).
Comply with law. Respond to lawful requests, enforce our Terms, and exercise legal rights.

06AI processing & subprocessors

Briefings are generated by sending the names you have added, together with publicly available news, filings, and contextual content, to large language models operated by third parties. We engage the following subprocessors. Each receives only the minimum data needed to perform its function. We have signed a data processing agreement with each.

Subprocessor	Function	Data category	Region
Supabase	Database (Postgres) and authentication	Account, tracked names, usage	United States
Stripe	Website reservation payment processing	Receipt email, payment status, transaction identifiers	United States
Anthropic	Claude language model for briefing generation	Tracked-name strings, prompt context	United States
OpenAI	Text embedding for content matching	Public content text only (no user PII)	United States
Apple	App distribution, subscription billing, push notifications	Apple-issued identifiers, push token	United States
Sentry	Crash and error monitoring	Device data, crash stack, sanitized logs	United States
Resend	Transactional email delivery	Email address, message content	United States
Vercel	Hosting for the public website	IP address (transient), basic request logs	Global edge

We maintain a current list of subprocessors at xcelion.ai/subprocessors. We will provide reasonable advance notice of any new or replacement subprocessor.

07No training on your data

We do not use your inputs to train any artificial intelligence model. Specifically, we have configured our use of the Anthropic and OpenAI APIs to opt out of any model training on the data we submit, consistent with their published commercial terms. Anthropic does not train its models on customer API content unless the customer explicitly opts in; we have not. OpenAI does not train its models on data submitted via the API by default; we have additionally enabled zero-data-retention where available for embedding traffic.

We also do not sell or share your inputs with any third party for the purpose of training that third party's models.

Note on legal preservation orders. Our subprocessors retain operational logs for limited periods (typically 30 days at Anthropic, 30 days at OpenAI). In rare cases, a court order may require a subprocessor to retain logs for longer; the order against OpenAI in The New York Times Co. v. OpenAI, Inc. (S.D.N.Y. 2025–2026) is an example. We will publish material updates here if any preservation order changes the retention applicable to our user data.

08Sharing & disclosure

We share personal information only as described here:

With our subprocessors, listed above, to operate the Service.
With Apple, for app distribution and subscription billing under your Apple ID.
With Stripe, for optional pre-launch website reservations.
For legal reasons, in response to a lawful request, subpoena, or court order, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or security incidents. We push back against overbroad requests.
In a corporate transaction, such as a merger, acquisition, financing, or sale of assets. We will notify you of any such change in control before your data becomes subject to a different policy.

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not engage in "targeted advertising" or "profiling that produces legal or similarly significant effects" as those terms are defined under US state privacy laws.

09Retention

Data	How long we keep it
Account information	For the life of your account, plus up to 30 days after deletion, unless legal hold extends this
Tracked names	For the life of your account; deleted with your account
Generated briefings	Up to 24 months, then deleted or de-identified
Usage / analytics events	Up to 24 months in identifiable form, then aggregated
Crash diagnostics	Up to 90 days
Support correspondence	Up to 36 months for records and dispute resolution
Subscription receipts & invoices	Up to 7 years for tax and accounting
Subprocessor API logs (Anthropic, OpenAI)	Per subprocessor's published policy, typically 30 days

If you delete your account, we delete or de-identify the above on the schedule shown, except where law requires longer retention or where the data is necessary for ongoing legal claims, fraud investigation, or compliance.

10Security

We use administrative, technical, and physical safeguards designed to protect personal information from loss, misuse, and unauthorized access. These include encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, audit logging, secret rotation, multi-factor authentication for our staff, code review, and least-privilege subprocessor scoping. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security. We will notify you of a security incident affecting your personal information without undue delay where required by law.

11Your privacy rights

Depending on where you live, you may have the right to:

Know what personal information we have collected about you and request a copy.
Correct inaccurate personal information.
Delete your personal information.
Port your personal information to another service in a machine-readable format.
Opt out of the sale or sharing of personal information for cross-context behavioral advertising. (We do not engage in either.)
Limit the use of sensitive personal information. (We do not collect or process sensitive personal information.)
Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. (We do not conduct such profiling.)
Appeal a denied request.
Non-discrimination for exercising any of these rights.

To exercise any of these rights, email xcelionai@gmail.com from the address associated with your account, or use the in-app Settings > Privacy screen. We will respond within the period required by your jurisdiction, generally 45 days for US state laws and one month for the GDPR. We may need to verify your identity before completing the request.

12California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA") and the California Privacy Protection Agency regulations effective January 1, 2026, gives you the rights listed in Section 11, plus:

Right to know the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes, and the categories of third parties to whom we have disclosed personal information.
Right to limit use of sensitive personal information. We do not collect or use sensitive personal information as defined under the CCPA.
Do Not Sell or Share. We do not sell or share personal information for cross-context behavioral advertising. There is therefore no opt-out link required, but we honor browser Global Privacy Control signals as an opt-out preference for any future sharing.
Authorized agent. You may designate an authorized agent to make a request on your behalf. We will require proof of authorization.
"Shine the Light" (Cal. Civ. Code §1798.83). We do not disclose personal information to third parties for their own direct marketing.

The chart below summarizes our CCPA-required disclosures for the prior twelve months:

CCPA category	Collected	Sold	Shared (cross-context ads)
Identifiers (email, IP)	Yes	No	No
Internet/network activity	Yes (in-app usage)	No	No
Geolocation (coarse, region only)	Yes (from IP)	No	No
Commercial information (subscription status)	Yes	No	No
Inferences (usage patterns)	Yes (aggregated)	No	No
Sensitive personal information	No	No	No

13Other US state privacy rights

If you are a resident of any of the states below, you have the rights described in Section 11, with state-specific variations. We honor verifiable requests from residents of:

State	Statute	Effective
Virginia	VCDPA	Jan 1, 2023
Colorado	CPA	Jul 1, 2023
Connecticut	CTDPA	Jul 1, 2023
Utah	UCPA	Dec 31, 2023
Texas	TDPSA	Jul 1, 2024
Florida	FDBR	Jul 1, 2024
Oregon	OCPA	Jul 1, 2024
Montana	MTCDPA	Oct 1, 2024
Iowa	ICDPA	Jan 1, 2025
Delaware	DPDPA	Jan 1, 2025
New Jersey	NJDPA	Jan 15, 2025
Tennessee	TIPA	Jul 1, 2025
Minnesota	MCDPA	Jul 31, 2025
Maryland	MODPA	Oct 1, 2025
Indiana	INCDPA	Jan 1, 2026
Kentucky	KCDPA	Jan 1, 2026
Rhode Island	DTPPA	Jan 1, 2026

To exercise your rights, contact xcelionai@gmail.com. If we deny a request, you may appeal by responding to our denial; we will review and respond within the period required by your state's law.

Specific notes:

Right to correct is recognized in California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island. Utah and Iowa do not currently grant a right to correct.
Right to opt out of profiling for decisions that produce legal or similarly significant effects is recognized in California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Jersey, Tennessee, Minnesota, Maryland, and Rhode Island. We do not conduct such profiling and therefore there is nothing to opt out of, but we honor the request.
Maryland imposes the strictest data minimization standard. We process only what is reasonably necessary to deliver the Service and do not sell sensitive personal information of any Maryland resident.

14Health data clarification (Washington, Nevada, Connecticut)

Washington's My Health My Data Act (RCW 19.373), Nevada's SB 370, and the consumer-health-data provisions of the Connecticut Data Privacy Act regulate "consumer health data" broadly, including data that is used or could be used to infer health-related information. To eliminate any ambiguity:

We do not collect health, biometric, mental-health, reproductive, or genetic data.
We do not use, infer, or derive any health information from the names you track or from any other data you provide.
We do not sell, share, or transfer any data to a third party for the purpose of inferring or marketing on the basis of any consumer health condition or status.

15International users (EEA, UK, Switzerland)

The Service is operated from the United States and is primarily directed to US residents. If you access the Service from the European Economic Area, the United Kingdom, or Switzerland, the following additional terms apply.

Legal bases (GDPR Article 6)

Performance of a contract (Art. 6(1)(b)) — to provide the Service you requested.
Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve the Service, prevent abuse, and protect our rights, balanced against your interests and rights.
Compliance with a legal obligation (Art. 6(1)(c)).
Consent (Art. 6(1)(a)) — only where required (for example, certain optional cookies). You can withdraw consent at any time.

We do not process special-category data (Article 9 GDPR) and do not solicit it.

Your rights

You have the rights granted by the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection (revFADP), including the rights to access, rectify, erase, restrict processing of, object to processing of, and port your personal data, and the right to lodge a complaint with your supervisory authority. To exercise any right, contact xcelionai@gmail.com.

International transfers

Your personal data is transferred to and processed in the United States, which may have different data-protection rules than your country. Where required, we rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor) and the UK International Data Transfer Addendum, supported by transfer impact assessments. If we are required to designate an EU/UK representative, we will appoint one before crossing the relevant threshold and update this section accordingly.

16Automated processing

The Service generates briefings automatically using large language models. These briefings are general informational content distributed on a regular schedule. They do not constitute "decisions based solely on automated processing" that produce legal or similarly significant effects on you within the meaning of GDPR Article 22 or analogous US state laws. Briefings are not credit decisions, employment decisions, insurance decisions, healthcare decisions, or housing decisions, and we do not use them to make any consequential decision about you.

If you would like a human review of any briefing or summary that concerns you, contact xcelionai@gmail.com.

17Children

The Service is intended for adults aged 18 and over and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete it without undue delay. A parent or guardian who believes a child has provided us personal information may contact xcelionai@gmail.com. This Service complies with the Children's Online Privacy Protection Act ("COPPA"), 15 U.S.C. §§6501–6506, and the FTC's COPPA Rule, 16 C.F.R. Part 312, as amended in 2025.

18Apple-specific disclosures

App Privacy Details

The "App Privacy" details displayed on our App Store listing accurately reflect the categories above. If you spot a discrepancy, please contact us so we can correct it.

App Tracking Transparency

We do not engage in "tracking" as Apple defines that term. We do not access the IDFA, do not link your data with data collected by other apps or websites for advertising or measurement purposes, and do not share data with data brokers. We therefore do not present an App Tracking Transparency prompt.

Required Reason API usage

The iOS app accesses certain Required Reason APIs solely for the purposes documented in our privacy manifest, including reading user defaults, file timestamps, system boot time, and disk space, all for app-functionality reasons. These accesses are not used to track you.

Push notifications

If you opt in to push notifications, we use Apple Push Notification service to deliver them. You can disable push notifications at any time in Settings > Notifications > Xcelion.

19Cookies (web only)

The website at xcelion.ai uses only strictly necessary cookies and similar technologies for security, session management, and basic preference storage. We do not use advertising cookies, do not embed third-party trackers for advertising or measurement, and do not run an analytics product on the marketing site. We will update this section if we ever introduce optional analytics, in which case we will request your consent in jurisdictions that require it.

20Changes to this policy

We may update this Privacy Policy from time to time. The "Effective" date at the top reflects the most recent version. If we make a material change, we will give you reasonable advance notice (for example, by email or in-app notice) before it takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

21Contact

Xcelion AI, LLC
Delaware, United States
xcelionai@gmail.com