Xygeni Logo White
Try Free
Book a Demo

Privacy Policy

Last update: April 20, 2026

This Privacy Policy applies to personal data collected through our website (xygeni.io) and our Platform (in.xygeni.io). It is incorporated by reference into both our Website Terms of Use and Platform Terms of Use. Any capitalised terms not defined here have the meanings given to them in those Terms. Our use of cookies is governed separately by our Cookie Policy at https://xygeni.io/legal/cookie-policy. Where Xygeni processes personal data on behalf of business customers through the Platform, such processing is additionally governed by our Data Processing Agreement (DPA) at https://xygeni.io/legal/dpa.

1. Data Controller

The data controller responsible for your personal data is:

Company: Xygeni Security, S.L.
Registered address: Calle Pasión 4, 2 Planta, 47001 Valladolid, Spain
VAT: B09620287
Privacy contact: privacy@xygeni.io
Legal contact: legal@xygeni.io

This Privacy Policy is issued pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (“LOPDGDD”). If you have questions about how we handle your personal data, contact us at privacy@xygeni.io.

2. Personal Data We Collect

We collect personal data in different ways depending on how you interact with us:

The table below summarises the categories of personal data we collect, with examples and the parties with whom we may share each category. Section 5 describes these sharing relationships in detail.

CategoryExamplesShared with
Contact & account dataName, email, username, job title, company name, roleService providers, business partners
Device & technical dataIP address, browser type, device ID, operating systemService providers, analytics partners
Web analyticsPages visited, session duration, referring URL, usage patternsAnalytics partners, service providers
Platform activity dataLogin events, API calls, scan activity, feature usage, timestampsService providers
Security finding metadataRepository names, file paths of findings, dependency metadata, pipeline referencesService providers (hosting only)
Payment & billing dataInvoicing contact details, company name. Card numbers not stored.Payment processor, service providers
Communications dataEmails, support tickets, form submissions, correspondenceService providers, customer support vendors
 

3. Data we do not collect

Xygeni does not collect special category personal data (such as health, biometric or political data) and does not knowingly collect personal data from individuals under the age of 16. Our Platform is not directed at consumers.
 
For standard security scanning, source code is not stored on or transmitted to Xygeni servers. For AI-powered features, only specific code segments necessary for the feature are processed, as described in our Platform Terms of Use. Xygeni does not use customer code to train AI models.

4. Sources of Personal Data

We collect personal data from the following sources:
 
  • Directly from you: When you register an account, complete a form, request a demo, sign up for our newsletter, contact us, or otherwise interact with our website or Platform.
  • Automatically through your use of our services: Technical and usage data collected through cookies, web analytics tools and Platform logs when you visit our website or use our Platform. See our Cookie Policy for details.
  • From third-party sources: We may receive contact or company information from CRM providers, lead generation partners or publicly available professional directories (such as LinkedIn) for marketing purposes, where permitted by applicable law. Any such data is handled in accordance with this Privacy Policy.
  • From your employer or organisation: Where your employer or organisation contracts with Xygeni for access to the Platform, we may receive your contact and account details from them to provision your account.

5. Lawful Basis for Processing

We process your personal data only where we have a valid lawful basis under GDPR Article 6:
 
 
Lawful basisProcessing activityApplies toGDPR arcticle
Legitimate interestsWebsite analytics, security monitoring, service improvement, fraud preventionWebsite visitors, Platform usersArt. 6(1)(f)
Contract performanceAccount management, service delivery, billing, supportPlatform users, customersArt. 6(1)(b)
ConsentMarketing communications, non-essential cookiesNewsletter subscribers, website visitorsArt. 6(1)(a)
Legal obligationTax records, responding to legal requests, GDPR complianceAll data subjectsArt. 6(1)(c)

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may request details of our legitimate interests assessment by contacting us at privacy@xygeni.io.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

6. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

  • Providing and improving our Platform and website, including troubleshooting, security monitoring and feature development.
  • Managing your account and delivering the services you have contracted with us.
  • Processing payments and managing billing.
  • Responding to your inquiries, support requests and feedback.
  • Sending service-related communications, including updates to these policies, security notices and maintenance notifications.
  • Sending marketing communications about our products and services, where you have provided consent or where permitted under applicable law. You may opt out at any time.
  • Complying with legal obligations, including tax, accounting and regulatory requirements.
  • Protecting the security and integrity of our systems and detecting fraudulent or unauthorised activity.
  • Conducting aggregated, anonymised analytics to understand how our services are used.

7. Data Sharing and Recipients

We do not sell your personal data. We share personal data only in the following circumstances:

7.1 Subprocessors

We engage third-party service providers (subprocessors) to help us deliver our services. Each subprocessor is bound by data processing agreements with obligations equivalent to those in this Privacy Policy. Our current list of subprocessors, including their purpose and location, is published at https://xygeni.io/legal/subprocessors.

7.2 Business transfers

If Xygeni is involved in a merger, acquisition, reorganisation or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any new privacy terms that apply.

We may disclose your personal data where required to do so by applicable law, court order, regulatory requirement or to protect the rights, property or safety of Xygeni, our users or others. Where legally permitted, we will notify you of such disclosure.

We may share your personal data with third parties where you have provided explicit consent to do so.

8. International Transfers

Xygeni’s primary infrastructure is hosted on Amazon Web Services (AWS) in Ireland (EU), within the European Economic Area. Personal data processed through the Platform is therefore generally processed within the EEA.
 
Certain subprocessors — including HubSpot and Google Workspace — are based in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914. Details of applicable transfer mechanisms are set out in our Subprocessors list.
 
Where AI-powered features of our Platform process code segments, this processing occurs through our AI provider in accordance with our Platform Terms of Use and the applicable DPA. Where customers use their own AI model, all processing occurs within the customer’s infrastructure and no transfer to Xygeni’s subprocessors takes place.

9. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Privacy Policy, or as required by applicable law. Our standard retention periods are:
 
  • Account data: retained for the duration of the contractual relationship and for such additional periods as required by applicable tax and accounting law (generally 5–7 years in Spain).
  • Platform scan data and security findings: retained while the account is active and for 3 months following subscription end, after which it is automatically deleted. Users may request earlier deletion.
  • Trial account data: retained for 1 month after trial expiration.
  • Website inquiry and contact data: retained for up to 2 years from the date of your last interaction with us.
  • Marketing consent records: retained until consent is withdrawn plus such additional period as required to demonstrate compliance.
  • Legal and compliance records: retained for the periods required by applicable Spanish and EU law.
 
When personal data is no longer required, we delete or anonymise it securely. Backups are overwritten in accordance with our data retention schedule.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

9.1 Right of access (Art. 15)

You may request a copy of the personal data we hold about you and information about how we process it.

9.2 Right to rectification (Art. 16)

You may request correction of inaccurate or incomplete personal data we hold about you.

9.3 Right to erasure (Art. 17)

You may request deletion of your personal data where there is no legitimate reason for us to continue processing it — for example, where you withdraw consent and there is no other lawful basis, or where the data is no longer necessary for the purpose for which it was collected.

9.4 Right to restriction of processing (Art. 18)

You may request that we restrict the processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have contested.

9.5 Right to data portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, you may request a copy of your personal data in a structured, commonly used, machine-readable format, and the right to transmit that data to another controller.

9.6 Right to object (Art. 21)

You may object to processing based on our legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately. For other legitimate interest processing, we will assess whether our interests override your rights.
Xygeni does not make decisions about you based solely on automated processing that produce legal or similarly significant effects.

9.8 Right to lodge a complaint

If you believe that our processing of your personal data infringes GDPR, you have the right to lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos — AEPD) at https://www.aepd.es, or with the supervisory authority of the EU Member State in which you habitually reside or work.

9.9 How to exercise your rights

To exercise any of the above rights, contact us at privacy@xygeni.io. We will respond within one (1) month of receiving your request. In complex cases or where we receive a high number of requests, we may extend this period by a further two months, and will notify you accordingly. We may need to verify your identity before processing your request.

10. Platform Users — Business Customers

Where Xygeni processes personal data on behalf of our business customers in the course of providing the Platform, Xygeni acts as a data processor and the customer acts as the data controller. In such cases, the Data Processing Agreement (DPA), available at https://xygeni.io/legal/dpa, governs that processing.

If you are an employee, contractor or other representative of one of our business customers and have questions about how your employer uses the Platform, please contact your employer directly. Xygeni processes your data in accordance with the instructions of the relevant customer and is not the appropriate contact for individual data subject requests relating to data processed on behalf of that customer.

11. Security

Xygeni implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration, consistent with our ISO 27001 certified information security management system. These measures include encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, network segmentation and regular security testing.

No transmission over the internet or electronic storage is completely secure. If you become aware of any security incident affecting your personal data, please contact us immediately at legal@xygeni.io.

12. Cookies

Our use of cookies and similar tracking technologies is governed by our Cookie Policy, available at https://xygeni.io/legal/cookie-policy. Please refer to that document for detailed information about the cookies we use, their purposes and how to manage your preferences.

13. Children’s Privacy

Our website and Platform are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us at privacy@xygeni.io and we will delete such data promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website and, where appropriate, by email to registered users. We will update the “Last updated” date at the top of this page. We encourage you to review this Policy periodically.

Your continued use of our website or Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the changes, to the extent permitted by applicable law.

14. Contact us

For any questions, requests or concerns regarding this Privacy Policy or our processing of your personal data:

Email: privacy@xygeni.io
Post: Xygeni Security, S.L., Calle Pasión 4, 2 Planta, 47001 Valladolid, Spain


We aim to respond to all privacy enquiries within 30 days. For complaints about our handling of your data, you may also contact the AEPD at https://www.aepd.es.

 
Xygeni Logo White

© 2026 Xygeni. All rights reserved

Linkedin-in X-twitter Youtube

Products

Resources

Company

Legal