Privacy Policy
Last updated: April 14, 2026
Xavu is a privacy-first file transfer service. We believe in your right to privacy and have designed our service to protect it with multiple transfer options.
1. Information We Don't Collect (P2P Transfers)
For standard P2P transfers, Xavu is designed to minimize data collection:
- We do not store your files - Files are transferred directly between users using WebRTC
- We don't track file content - We have no access to the files you transfer
- We don't require personal information - You can use our service without creating an account
- We don't sell your data - We have no user data to sell from P2P transfers
Note: Pro users who choose cloud storage will have files stored on our encrypted servers. See section 4 for details.
2. How Xavu Works
Xavu uses peer-to-peer (P2P) technology to enable direct file transfers:
- Files are transferred directly between sender and receiver devices
- Transfer connections are established using WebRTC
- Our servers only facilitate the initial connection handshake
- Once connected, files never pass through our servers
3. Data Collection and Processing
We collect and process the following categories of data:
3.1 P2P Transfer Data
- Connection metadata - Temporary WebRTC signaling data for establishing connections (deleted immediately after transfer)
- Transfer statistics - Anonymous usage metrics to improve service performance
- Technical logs - Error reports and system diagnostics for service maintenance
3.2 Account Data (Pro Users Only)
- Authentication credentials - Email addresses and hashed passwords
- Payment information - Processed by third-party processors, not stored on our servers
- Account preferences - User settings and configuration data
3.3 Cloud Storage Data (Pro Users Only)
- Encrypted files - Client-side encrypted files stored for 7 days
- File metadata - File names, sizes, and transfer timestamps
- Access logs - Records of file access and downloads
4. Pro Features and Cloud Storage
For users who choose Pro features:
- Email addresses are stored securely for authentication purposes only
- Payment information is processed by third-party payment processors (Stripe/Lemon Squeezy)
- We never store credit card details on our servers
- Cloud storage files are stored on our encrypted servers - Only when you explicitly choose cloud mode
- Cloud files are encrypted client-side before upload and stored for 7 days
- Only you (and recipients with your link/password) can access cloud-stored files
5. Data Security
Security is fundamental to our privacy approach:
- P2P transfers use end-to-end encryption via WebRTC
- Cloud storage uses AES-256 encryption (client-side encryption before upload)
- Optional password protection adds an additional security layer
- Transfer links expire automatically to prevent unauthorized access
- Cloud files are automatically deleted after 7 days
6. Cookies and Local Storage
We use minimal cookies and local storage:
- Essential cookies - For maintaining user preferences and session state
- Local storage - For storing UI preferences and temporary transfer data
- No tracking cookies - We don't use third-party analytics or advertising cookies
7. Third-Party Services
We integrate with minimal third-party services:
- Payment processors - Stripe/Lemon Squeezy for subscription management
- Authentication - Firebase Auth for user accounts (optional)
- Cloud storage - Firebase Storage for Pro users (optional)
Each service has its own privacy policy, and we only share necessary information for service functionality.
8. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
8.1 Retention Periods
- P2P transfer metadata - Deleted immediately after transfer completion
- Cloud storage files - Automatically deleted after 7 days
- Account data - Retained until account deletion by user
- Error logs - Retained for 30 days for debugging purposes
- Payment records - Retained for 7 years as required by tax law
- Legal compliance data - Retained as required by applicable law
8.2 Data Deletion
When data is no longer needed, we will securely delete it using industry-standard methods. For cloud storage, files are cryptographically erased and storage space is overwritten.
9. Your Legal Rights
9.1 GDPR Rights (EU Residents)
If you are an EU resident, you have the right to:
- Access - Request a copy of your personal data
- Rectification - Request correction of inaccurate data
- Erasure - Request deletion of your personal data
- Portability - Request transfer of your data to another service
- Objection - Object to processing of your data
- Restriction - Request limitation of processing
9.2 CCPA Rights (California Residents)
If you are a California resident, you have the right to:
- Know - Request disclosure of personal data collected and used
- Delete - Request deletion of your personal data
- Opt-out - Opt-out of sale or sharing of personal data
- Non-discrimination - Not receive discriminatory treatment for exercising privacy rights
9.3 Exercise Your Rights
To exercise these rights, contact us at privacy@xavu.app. We will respond within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA).
10. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards for international data transfers:
10.1 Transfer Mechanisms
- Standard Contractual Clauses - EU-approved contractual provisions for transfers outside the EEA
- Adequacy Decisions - Transfers to countries recognized by the EU as providing adequate protection
- Binding Corporate Rules - Internal rules for intra-organizational transfers
10.2 Data Locations
Our data processing and storage may occur in:
- United States (primary location)
- European Union (for EU users where applicable)
- Other jurisdictions as required for service delivery
11. Children's Privacy
Our service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes by:
- Posting the updated policy on our website
- Updating the "Last updated" date
- Emailing account holders for major changes (if applicable)
13. Contact Information
If you have questions about this Privacy Policy or want to exercise your rights, please contact us at:
- Email: privacy@xavu.app
- Mailing address: Available upon request
For privacy-related legal notices, please send to: Jacob Bryant, c/o Xavu, 5000 Eldorado Pkwy STE 150-193, Frisco, Texas 75033
14. Regulatory Compliance
14.1 Applicable Regulations
This Privacy Policy is designed to comply with:
- GDPR - General Data Protection Regulation (EU 2016/679)
- CCPA - California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.)
- CPRA - California Privacy Rights Act (amendments to CCPA)
- PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
- LGPD - Lei Geral de Proteção de Dados (Brazil)
- Other applicable privacy regulations
14.2 Lawful Basis for Processing
We process personal data based on the following lawful bases:
- Consent - When you provide explicit consent for processing
- Contractual necessity - To provide the services you've requested
- Legal obligation - When required by applicable laws
- Legitimate interests - For our legitimate business interests, balanced with your rights
14.3 Data Breach Notification
In the event of a personal data breach, we will:
- Notify affected individuals without undue delay (within 72 hours for GDPR)
- Notify relevant regulatory authorities as required by law
- Provide information about the breach and its potential impact
- Describe measures taken to address the breach
Back to Xavu